Presentation is loading. Please wait.

Presentation is loading. Please wait.

An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.

Published bySarah Charles Modified over 9 years ago

Similar presentations

Presentation on theme: "An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos."— Presentation transcript:

1 An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos Vrije Universiteit Amsterdam herbertb _AT_ cs.vu.nl http://www.ist-lobster.org/

2 An IST Projecthttp://www.ist-lobster.org/ 2 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Privacy a shared monitoring infrastructure?  what about privacy?! Before talking about privacy ask the following: would you share information?

3 An IST Projecthttp://www.ist-lobster.org/ 3 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Responses vary… –No, absolutely not. I will not reveal any information I will not reveal even the load of my network –Maybe I can share some general statistics what traffic goes in and out of my network –I am willing to share the headers of the packets IP addresses anonymized, payload stripped just like NLANR does today –I would like to share all information with my local administrators some information with associated researchers anonymized information with the rest of the world –Yes – share everything! information wants to be free! Lobster can provide all of the above

4 An IST Projecthttp://www.ist-lobster.org/ 4 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb 2. anonymization policy enforcement making sure parties only get properly anonymized traces determines who gets access to what How does it work? 1.applying anonymisation functions functionality to strip/hash payloads, zero addresses, etc.  library of possible anonymisation functions framework to apply these functions on traffic

5 An IST Projecthttp://www.ist-lobster.org/ 5 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb How does it work? 1.applying anonymisation functions functionality to strip/hash payloads, zero addresses, etc.  library of possible anonymisation functions framework to apply these functions on traffic 2. anonymization policy enforcement making sure parties only get properly anonymized traces determines who gets access to what UNCHANGED MAP TO INTEGER MAP ACCORDING TO DISTRIBUTION STRIP RANDOM FILENAME RANDOM HASH PATTERN FILL ZERO REPLACE PREFIX PRESERVING REGEXP CHECKSUM ADJUST SUBFIELD

6 An IST Projecthttp://www.ist-lobster.org/ 6 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb How does it work? 1.applying anonymisation functions functionality to strip/hash payloads, zero addresses, etc.  library of possible anonymisation functions framework to apply these functions on traffic 2. anonymization policy enforcement making sure parties only get properly anonymized traces determines who gets access to what Ruler: special-purpose, high-level language for packet rewriting in general and anonymization in particular What is so nice about it? easy to specify needs fast, efficient translates to low-level HW

7 An IST Projecthttp://www.ist-lobster.org/ 7 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb different policies different anonymization rules for different users credentials determine what sort of access is allowed

8 An IST Projecthttp://www.ist-lobster.org/ 8 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Ruler a simple rule-based language –Generic sanitization –Efficient (DFA-based) implementation –Strive to make implementation in HW possible –Design to allow for (future) formal reasoning –Understand common network protocols –Extensible

9 An IST Projecthttp://www.ist-lobster.org/ 9 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Ruler Patterns and filters consisting of rules pattern: pattern udpHeader: ( source: byte #2 dest: byte #2 len: byte #2 checksum: byte #2 ) filter: include layouts.rli filter simple eh:Ethernet_header iph:IPv4_header * => eh iph with [src=0, dest=0];

10 An IST Projecthttp://www.ist-lobster.org/ 10 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Matching language Fixed number of bytes, fixed value 42#1 5 0x800#2 “url” Fixed number of bytes, arbitrary value byte#2 byte#1 byte Arbitrary number of bytes and value *

11 An IST Projecthttp://www.ist-lobster.org/ 11 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Matching language: bit patterns Surrounded by {} Fixed number of bits, fixed value 42#7 0 0x800#16 Fixed number of bits, arbitrary value bit#2 bit#1 bit

12 An IST Projecthttp://www.ist-lobster.org/ 12 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Matching language: labels Patterns can be labeled source: byte #6 dest: byte #6 payload: * Patterns can be grouped with brackets ether: (s:byte#6 d:byte#6 p:byte#2) Note the nested labels: ether refers to 14 bytes, ether.s refers to 6 bytes

13 An IST Projecthttp://www.ist-lobster.org/ 13 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Matching language: patterns Patterns can be defined and named separately pattern ether: ( s:byte#6 d:byte#6 p:byte#2 ) Allows re-use of common patterns

14 An IST Projecthttp://www.ist-lobster.org/ 14 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb include files Definitions can be included from another file include “layouts.rli” Normally used for pattern definitions, but can be used for filters too layouts.rli defines many common header layouts: ethernet, IP, TCP, UDP, etc.

15 An IST Projecthttp://www.ist-lobster.org/ 15 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb use of labels Pattern names can now be used instead of the pattern they stand for ether * "warez" * Can be used in rewrite actions: a:byte#2 b:* => b a The trick is to do it fast

16 An IST Projecthttp://www.ist-lobster.org/ 16 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb The with construct The with construct replaces named parts of a pattern with other patterns ether with [p=0x0806#2] Restrictions: replacement pattern may not be longer or shorter than the original. ether with [p=42] // WRONG (1 byte)

17 An IST Projecthttp://www.ist-lobster.org/ 17 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Rule actions Action is one of: –reject –accept, accept 5 –result pattern

18 An IST Projecthttp://www.ist-lobster.org/ 18 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Tagged Deterministic Finite Automata We compile to a Tagged Deterministic Finite Automaton (TDFA) Tagged because we need the position of sub- patterns. States: –stop (we know what action to take) –inspect (look at a byte, branch) –tag (register positions in the input) –jump (skip irrelevant input bytes) –memory inspect (look at previous input)

19 An IST Projecthttp://www.ist-lobster.org/ 19 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb applications besides anonymisation we also applied Ruler to intrusion detection developed a snort2ruler compiler –translates majority of Snort rules automatically –some rules need manual help –some rules cannot be translated as is –implemented in parallel on an Intel IXP2400 network processor

20 An IST Projecthttp://www.ist-lobster.org/ 20 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb extensibility Ruler is extensible: it may call external functions filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head @hash(url) tail ; –allows us to use libraries of previously developed anonymisation functions in Lobster we have integrated Ruler with MAPI –a Ruler program can be applied to packets of arbitrary flows –Ruler may use MAPI’s default anonymisation functions

21 An IST Projecthttp://www.ist-lobster.org/ 21 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Ruler for IDS

22 An IST Projecthttp://www.ist-lobster.org/ 22 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb Preliminary results able to keep up with gigabit scanning (only small number of rules tested) large number of rules: –large number of states –long compilation Gigabit rates: even on IXP with real traffic

23 An IST Projecthttp://www.ist-lobster.org/ 23 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb ruler – the language conclusions useful efficient multiple application domains state space may be the limiting factor fits in FFPF and Lobster

24 An IST Projecthttp://www.ist-lobster.org/ 24 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb EXAMPLES

25 An IST Projecthttp://www.ist-lobster.org/ 25 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb SISAL include layouts.rli filter two_rules eh: Ethernet_header iph: IPv4_header payload:(* “/bin/sh” *) => reject ; eh: Ethernet_header iph: IPv4_header payload:* => eh iph with [src=0, dest=0] ; include layouts.rli filter rewrite eh:Ethernet_header iph:IPv4_header with [ proto=17] udph:udpHeader * => iph.src iph.dest udph.source udph.dest udph.len ; 12

26 An IST Projecthttp://www.ist-lobster.org/ 26 Herbert Bos, VU, http://www.cs.vu.nl/~herbertb SISAL include layouts.rli filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head "XXX" tail; include layouts.rli filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head @hash(url) tail ; 43

Download ppt "An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos."

Similar presentations

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,

Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,
1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.

1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
The Assembly Language Level

The Assembly Language Level
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.

Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Protomatching Network Traffic for High Throughput Network Intrusion Detection Shai RubinSomesh JhaBarton P. Miller Microsoft Security Analysis Services.

Protomatching Network Traffic for High Throughput Network Intrusion Detection Shai RubinSomesh JhaBarton P. Miller Microsoft Security Analysis Services.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.

FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu
FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.

FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.

Similar presentations

Ads by Google