Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data
| Field | Value |
|---|---|
| Title | Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data |
| Publication Type | Technical Report |
| Year of Publication | 2015 |
| Authors | Sommer, R., Amann, J., & Hall, S. |
| Published in | ICSI Technical Report |
| Publisher | ICSI |
| Place Published | Berkeley, CA, USA |
| Report Number | TR-15-004 |
| Other Numbers | 3820 |
| Abstract | Deep packet inspection systems (DPI) process wire format network data from untrusted sources, collecting semantic information from a variety of protocols and file formats as they work their way upwards through the network stack. However, implementing corresponding dissectors for the potpourri of formats that today's networks carry remains time-consuming and cumbersome, and also poses fundamental security challenges. We introduce a novel framework, Spicy, for dissecting wire format data that consists of (i) a format specification language that tightly integrates syntax and semantics; (ii) a compiler toolchain that generates efficient and robust native dissector code from these specifications just-in-time; and (iii) an extensive API for DPI applications to drive the process and leverage results. Furthermore, Spicy can reverse the process as well, assembling wire format from the high-level specifications. We pursue a number of case studies that showcase dissectors for network protocols and file formats individually, as well as chained into a dynamic stack that processes raw packets up to application-layer content. We also demonstrate a number of example host applications, from a generic driver program to integration into Wireshark and Bro. Overall, this work provides a new capability for developing powerful, robust, and reusable dissectors for DPI applications. We publish Spicy as open-source under BSD license. |
| Acknowledgment | This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS-0831535, CNS-0915667, and CNS-1228792. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation. |
| URL | https://www.icsi.berkeley.edu/pubs/techreports/TR-15-004.pdf |
| Bibliographic Notes | ICSI Technical Report TR-15-004 |
| Abbreviated Authors | R. Sommer, J. Amann, and S. Hall |
| ICSI Research Group | Networking and Security |
| ICSI Publication Type | Technical Report |