A Domain-Specific Language for Filtering in Application-Level Gateways
Application-level packet filtering is a technique for network access control in which an “application-level gateway” intercepts network packages at the application level (e.g., HTTP, FTP), scans them for security cooncerns and optionally logs, rewrites or discards them. Existing application-level filters express their filtering rules in general-purpose languages, which limits the correctness guarantees available for them.
We present the first declarative language for application-level network filtering, developed at Advenica AB. Our DSL uses security assertions to express properties that packets must have to be allowed through the network (e.g., “IMAP packet contains no executable attachment” or “SQL reply contains only explicitly permitted columns”), along with remedies that either reject or rewrite undesirable packets.
We have designed the language around the needs of network filter developers, with a focus on correctness: our language can statically verify several properties of filter programs, such as well-formedness of the outcome, confluence, and termination, with the help of an off-the-shelf SMT solver.
Our initial results show that the language is sufficiently expressive for a variety of network protocols, closely maps to the application domain, is usable by network filter engineers, and provides strong correctness guarantees.