Linux Network Scripting with Lua
Lourival Vieira Neto, Victor Nogueira, Ana Lúcia de Moura and Roberto Ierusalimschy
Ring-0 Networks and Departamento de Informática, PUC-Rio
Netdev 0x14
Lunatik
Kernel Scripting advocates that common OS kernels can be dynamically extended by using a high-level scripting language.
Lunatik is a Lua-based kernel-scripting framework for Linux
• Supports kernel developers in making subsystems scriptable
• Allows users to dynamically load and run scripts in the kernel
Why Lua?
• Small (250 KB) and fast scripting language
• Widely used for scripting network monitoring and security tools
• e.g., Wireshark, Nmap, Snort
Sandboxing Kernel Scripts
Kernel scripts should not introduce malfunctions into the system, e.g.:
• Crash or corrupt the system
• Run indefinitely or block an execution flow
• Corrupt resources owned by other users
Lua provides dynamic memory management
• Scripts can't address memory directly
• Only as Lua data types: strings, tables and userdata
• All data objects are allocated internally by the Lua VM
• Garbage Collector
• Custom memory allocator
• Cap memory allocation
Lua provides fully isolated execution states
• Lua states are created empty
• Only language operators are initially available
• Must explicitly load libraries into the state
• e.g., Luadata, LuaRCU
Lua provides a single-threaded execution environment
• Lua doesn't provide primitives for synchronization (mutexes)
• Scripts cannot explicitly lock a kernel flow
• Only collaborative multitasking (coroutines)
• Lua can interrupt a script after running a specific number of instructions
• Cap instructions executed (lua_sethook)
• Lunatik permits the creation of multiple Lua execution states inside the kernel for multitasking
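The three sandboxing ideas above (empty states, explicit library loading, an instruction cap) can be reproduced in user-space Lua, which is what the added example below does. It is an illustration written for this page, not Lunatik code: Lunatik applies these from C with lua_newstate and lua_sethook, whereas here the user-level equivalents are load() with an explicit environment table and debug.sethook with a count. The INSTRUCTION_CAP value and the sample scripts are assumptions.

```lua
-- Added illustration, not Lunatik code: the sandboxing ideas on the slides
-- (empty state, explicit library loading, instruction cap) reproduced in
-- user-space Lua 5.3/5.4. Lunatik does this from C with lua_newstate and
-- lua_sethook; the user-level equivalents are load() with an explicit
-- environment table and debug.sethook with a count.

local INSTRUCTION_CAP = 10000  -- assumed budget; the real cap is a policy choice

-- Runs `code` in a fresh, empty environment. Only language operators are
-- visible; a global is reachable only if it is whitelisted in `allowed`.
-- The script is aborted once it executes INSTRUCTION_CAP VM instructions.
local function run_sandboxed(code, allowed)
  local env = {}
  for name, value in pairs(allowed or {}) do
    env[name] = value
  end

  -- mode "t": accept source text only, never precompiled bytecode
  local chunk, err = load(code, "=script", "t", env)
  if not chunk then
    return nil, "syntax error: " .. err
  end

  -- Run the chunk as a coroutine so the hook is attached to that thread only.
  local co = coroutine.create(chunk)
  debug.sethook(co, function()
    error("instruction budget exhausted", 0)
  end, "", INSTRUCTION_CAP)

  local ok, result = coroutine.resume(co)
  if not ok then
    return nil, tostring(result)
  end
  return result
end

-- 1. Empty state: the os and io libraries (and every other global) are absent,
--    but the language's own operators still work.
print(run_sandboxed("return os == nil and io == nil"))                  --> true

-- 2. Explicitly loaded library: only `string` is exposed, nothing else.
print(run_sandboxed("return string.rep('a', 3)", { string = string }))  --> aaa

-- 3. Runaway script: a loop that never terminates is interrupted by the hook.
print(run_sandboxed("while true do end"))   --> nil  instruction budget exhausted
```

The count hook is the user-level face of lua_sethook: it fires every INSTRUCTION_CAP instructions regardless of what the script is doing, which is what lets a single-threaded environment stop a script that would otherwise block the flow it runs in.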
NFLua and XDPLua allow only network administrators
• Uses Netlink socket
NFLua
Netfilter extension for packet filtering using Lua
• Layer 7 filtering
• Widely used by network operators for advanced security and network monitoring
• Loadable kernel module
1. User creates a Lua state (waf) and loads a function (checkuseragent)
nfluactl create waf
function checkuseragent(pkt)
  -- extracts User-Agent HTTP header
  local pattern = "User%-Agent:%s(.-)\r\n"
  local useragent = string.match(pkt, pattern)

  return blocklist[useragent]
end
Figure: Inspecting the User-Agent HTTP header in Lua
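The figure's function can be exercised in user space against a few constructed HTTP requests, as in the added example below (written for this page, not code from the slides or from NFLua). The blocklist entries and the requests are made up; in NFLua the table would be loaded into the waf state from user space. A second function, checkuseragent_ci, is added to show the check a defender would want: the slide's pattern is case-sensitive, while HTTP field names are not, so a request that spells the header "user-agent" is not inspected by the literal pattern.

```lua
-- Added example, not from the slides: the checkuseragent function from the
-- NFLua figure run against constructed HTTP requests, beside a variant that
-- treats header names case-insensitively. The blocklist entries are made up;
-- in NFLua the table would be loaded into the `waf` state from user space.

local blocklist = {
  ["masscan/1.0"] = true,   -- constructed entries
  ["BadBot/2.1"] = true,
}

-- As on the slide: one literal pattern, case-sensitive, exactly one
-- whitespace character after the colon.
local function checkuseragent(pkt)
  -- extracts User-Agent HTTP header
  local pattern = "User%-Agent:%s(.-)\r\n"
  local useragent = string.match(pkt, pattern)
  -- blocklist[nil] reads as nil, so a request without the header is not blocked
  return blocklist[useragent]
end

-- Variant: HTTP field names are case-insensitive, so iterate over the header
-- lines and compare lower-cased names instead of matching one spelling.
-- The request line has no ':' and is skipped by the pattern; trailing
-- whitespace in the value is stripped before the lookup.
local function checkuseragent_ci(pkt)
  for name, value in string.gmatch(pkt, "([^\r\n:]+):%s*([^\r\n]-)%s*\r\n") do
    if string.lower(name) == "user-agent" then
      return blocklist[value] == true
    end
  end
  return false  -- header absent: not blocked, same outcome as the slide's version
end

-- Constructed requests: blocked agent, benign agent, lower-cased header name
-- (not seen by the literal pattern), and no User-Agent header at all.
local requests = {
  "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: masscan/1.0\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: example.test\r\nuser-agent: masscan/1.0\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}
for i, req in ipairs(requests) do
  print(i, checkuseragent(req), checkuseragent_ci(req))
end
--> 1 true true
--> 2 nil  false
--> 3 nil  true
--> 4 nil  false
```

Request 3 is the case worth noticing: the slide's function returns nil (pass) for it although the agent string is on the blocklist, because the pattern only recognises the canonical spelling of the header name.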
2. User sets an iptables rule to send packets destined to TCP port 80 to NFLua
iptables -A INPUT -m TCP --dport 80 -m lua
3. Netfilter receives a packet on TCP port 80
4. Netfilter sends the packet to NFLua; then NFLua calls the function checkuseragent, running in the state waf
5. If a match is found for the packet, Netfilter is instructed to terminate the connection
XDPLua
• Evolution of NFLua
• Extends XDP to use Lua
• One Lua state per CPU
• Adds expressiveness and dynamism
• eBPF scripting with Lua
1. User loads Lua function (checkuseragent) into XDPLua
2. User loads the eBPF program into XDP
3. Packet arrives at XDP
4. eBPF program calls the Lua function (checkuseragent)
5. Lua function returns its verdict
JavaScript Challenge
1. Client sends HTTP request
2. Server generates random cookie
3. Cookie is loaded into XDPLua
function checkcookie(pkt, saddr)
  -- checks if challenge is not set yet (first request)
  if not cookies[saddr] then
    return true
  end

  -- extracts __xdp cookie, e.g. "Cookie: __xdp=1234"
  local pattern = "Cookie:%s*__xdp=(%d+)%s*"
  local cookieval = string.match(tostring(pkt), pattern)

  -- checks cookie's value
  return cookies[saddr] == cookieval
end
Figure: JavaScript Challenge's Lua function
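The added example below drives the figure's function through the three steps of the challenge in user space (constructed for this page, not code from the slides or from XDPLua). The cookies table, the client address and the requests are made up; in XDPLua `cookies` is the table loaded from user space and `saddr` comes from the packet. The issue_challenge helper stands in for the server-side step that generates the random cookie and is an assumption about how that table gets filled.

```lua
-- Added example, not from the slides: the JavaScript Challenge function from
-- the figure driven end to end in user space. The cookie store, the client
-- address and the requests are constructed; in XDPLua `cookies` is the table
-- loaded from user space and `saddr` is the packet's source address.

local cookies = {}   -- saddr -> expected cookie value, kept as a string

-- Function from the figure, with the Cookie pattern written out without the
-- extraction spacing; matches e.g. "Cookie: __xdp=8675309".
local function checkcookie(pkt, saddr)
  -- checks if challenge is not set yet (first request)
  if not cookies[saddr] then
    return true
  end

  -- extracts __xdp cookie
  local pattern = "Cookie:%s*__xdp=(%d+)%s*"
  local cookieval = string.match(tostring(pkt), pattern)

  -- checks cookie's value
  return cookies[saddr] == cookieval
end

-- Steps 2 and 3 of the slide, as an assumed helper: the server picks a random
-- value for this client and loads it into the Lua state. It is stored as a
-- string so that it compares equal to what string.match returns; a Lua number
-- is never == to a string, so storing the number would reject every client.
local function issue_challenge(saddr)
  local value = tostring(math.random(1, 0x7fffffff))
  cookies[saddr] = value
  return value
end

local client = "192.0.2.10"   -- constructed client address

-- Step 1: first request from this client, no challenge issued yet: passes.
local req1 = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
assert(checkcookie(req1, client) == true)

-- Steps 2-3: the server issues the challenge and the value is loaded.
local expected = issue_challenge(client)

-- A request carrying some other value (0 is never issued) is rejected.
local req2 = "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: __xdp=0\r\n\r\n"
assert(checkcookie(req2, client) == false)

-- A request without any cookie after the challenge is rejected as well:
-- string.match returns nil, and nil ~= the stored value.
assert(checkcookie(req1, client) == false)

-- The solved challenge carries the issued value and passes.
local req3 = "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: __xdp=" .. expected .. "\r\n\r\n"
assert(checkcookie(req3, client) == true)
print("javascript challenge flow ok")
```

The point of the string comparison note is practical: whatever user-space tool loads the cookies table has to hand the value over as the same Lua type the pattern capture produces, otherwise the check fails closed for every client and the symptom looks like a broken challenge page rather than a type mismatch.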
Access Control
1. User loads blocklist into XDPLua
2. User loads Lua function (checksni) into XDPLua
3. User loads the eBPF program into XDP
4. Packet arrives at XDP
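The slides name checksni and a blocklist but do not show the function, so the added example below (written for this page, not XDPLua's or the authors' code) gives one implementation of the kind the XDPLua and Access Control steps describe: a parser for the server_name extension of a TLS ClientHello, a verdict function in the style of checkuseragent, and a builder that constructs a minimal ClientHello so the parser can be exercised offline. The blocklist entries and the constructed hostnames are assumptions; it needs Lua 5.3 or later for string.pack and string.unpack.

```lua
-- Added example, not from the slides or from XDPLua: a checksni function of
-- the kind the Access Control slide loads into XDPLua, with a parser for the
-- server_name extension of a TLS ClientHello and a builder that constructs a
-- minimal ClientHello so the parser can be exercised offline. The blocklist
-- entries are made up. Needs Lua 5.3+ for string.pack/string.unpack.

local blocklist = { ["blocked.example"] = true }   -- constructed entries

-- Constructs a TLS 1.2 record carrying a ClientHello whose only extension is
-- server_name. The random field is zeros here (test data, not real randomness).
local function build_client_hello(hostname)
  local sni_list = string.pack(">I2Bs2", #hostname + 3, 0, hostname)  -- list len, host_name(0), name
  local extensions = string.pack(">s2", string.pack(">I2s2", 0, sni_list))  -- ext type 0 = server_name
  local body = string.pack(">I2", 0x0303)        -- client_version
    .. string.rep("\0", 32)                      -- random (constructed zeros)
    .. string.pack(">s1", "")                    -- session_id (empty)
    .. string.pack(">s2", "\x13\x01")            -- one cipher suite
    .. string.pack(">s1", "\0")                  -- compression: null only
    .. extensions
  local handshake = string.pack(">BI3", 1, #body) .. body            -- HandshakeType client_hello
  return string.pack(">BI2I2", 0x16, 0x0303, #handshake) .. handshake -- ContentType handshake
end

-- Walks the ClientHello and returns the SNI host name, or nil and a reason.
-- Lengths are checked against the buffer before use; the caller still wraps
-- it in pcall because string.unpack raises on a truncated input.
local function extract_sni(pkt)
  local len = #pkt
  if len < 5 then return nil, "too short" end
  local ctype, _, rlen, pos = string.unpack(">BI2I2", pkt)
  if ctype ~= 0x16 then return nil, "not a handshake record" end
  if rlen + 5 > len then return nil, "truncated record" end
  local htype
  htype, _, pos = string.unpack(">BI3", pkt, pos)
  if htype ~= 1 then return nil, "not a client hello" end
  pos = pos + 2 + 32                                        -- skip client_version and random
  local n
  n, pos = string.unpack(">B", pkt, pos);  pos = pos + n    -- session_id
  n, pos = string.unpack(">I2", pkt, pos); pos = pos + n    -- cipher_suites
  n, pos = string.unpack(">B", pkt, pos);  pos = pos + n    -- compression_methods
  if pos + 1 > len then return nil, "no extensions" end
  local ext_len
  ext_len, pos = string.unpack(">I2", pkt, pos)
  local ext_end = math.min(pos + ext_len, len + 1)
  while pos + 4 <= ext_end do
    local etype, elen
    etype, elen, pos = string.unpack(">I2I2", pkt, pos)
    if etype == 0 then                                      -- server_name
      local _, name_type, name = string.unpack(">I2Bs2", pkt, pos)
      if name_type == 0 then return name end                -- host_name
    end
    pos = pos + elen
  end
  return nil, "no server_name extension"
end

-- Verdict function in the style of checkuseragent: true means the packet's
-- SNI is on the blocklist. Anything unparseable yields false instead of an
-- error, so a malformed packet cannot take the script down with it.
local function checksni(pkt)
  local ok, name = pcall(extract_sni, tostring(pkt))
  return ok and name ~= nil and blocklist[name] == true
end

print(checksni(build_client_hello("blocked.example")))             --> true
print(checksni(build_client_hello("allowed.example")))             --> false
print(checksni("GET / HTTP/1.1\r\n"))                              --> false (not TLS)
print(checksni(build_client_hello("blocked.example"):sub(1, 40)))  --> false (truncated)
```

The pcall wrapper is the part to keep whatever the real blocklist looks like: string.unpack raises on short input, and in a per-CPU state called from the XDP path an uncaught error is the failure mode the sandboxing slides are trying to rule out. The benchmark slide's Trafgen client hello packets are exactly the input this parser is written for.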
Benchmarks
• Implemented Access Control for XDP (eBPF), XDPLua and NFLua
• XDPLua and NFLua share the same Lua script implementation
• Used Trafgen on the client to send TLS client hello packets
• Measured drop rate and CPU usage on the server
• Fully virtualized environment
• CPU with 8 cores and running at 3.00 GHz, 32 GB of RAM
• 10 Gbps Virtio Network Interface
Results
Final Remarks
• NFLua is currently present in around 20 million home routers to protect and monitor over 500 million devices
• Used by network operators for implementing advanced cybersecurity and network monitoring
• XDPLua is the evolution of NFLua, applying lessons learnt from NFLua’s development
• XDPLua was designed to use Lua cooperatively with eBPF
• Expressiveness and ease of use of Lua
• Performance of eBPF
• XDPLua is currently used in the Ring-0 Firewall running in PoPs with 10 Gbps bandwidth
• Peaks of around 5.3 Gbps, only up to 4% of CPU
• XDP doesn't support extensions as LKM
• An out-of-tree binding is considerably harder to implement and maintain
• We apply sandboxing techniques
local contacts = {
  "lourival.neto@ring-0.io",
  "victor.nogueira@ring-0.io"
}

-- Questions?
if further then
  for _, c in ipairs(contacts) do
    mailto(c)
  end
end