We present a domain-specific language (DSL) capable to describe ad-hoc defined protocols like TCP/IP. Additionally we developed other libraries, like a flow graph for packet processing and a layering mechanism for protocol stacking, to get a complete TCP/IP stack. The security industry is in a paradox situation: many security appliances and analysis tools, be it IDS systems, virus scanners, firewalls or others, suffer from the same weaknesses as the systems they try to protect. What makes them vulnerable is the vast amount of structured data they need to understand to do their job, and the bugs that invariably manifest in parsers for complex protocols if written in unsafe programming languages. We present the design and implementation of a domain-specific language (DSL) for description of structured byte-oriented protocols that addresses this problem. The DSL is applicable to a wide range of problems, such as network communication or file formats, and allows the programmer to write an abstract definition of some packet format, from which parsers and generators are then created automatically. That mechanism saves the programmer from tedious manual work for supporting new protocols, and at the same time prevents him from introducing vulnerabilities into the parsing process. Our DSL is implemented on top of Dylan, a dynamically typed, object-oriented programming language. It makes heavy use of the Dylan macro facility to extend the language for the domain of packet format description, without sacrificing performance in the process. Beyond the safety gained by automating the parser creation process, Dylan provides additional security by its strong typing, mandatory bounds checking and automated memory management. We also show the implementation of a userland TCP/IP stack, which uses the packetizer DSL for description of network packet formats, as well as a packet flow graph framework for packet processing and a layering mechanism for protocol handling.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.