Architecture of a Proactive Security Tool - PowerPoint PPT Presentation

Slides: 13
Provided by: asd3
Transcript and Presenter's Notes

1
Architecture of a Proactive Security Tool
  • Vivek Ramachandran

2
What does a proactive tool do?
  • The tool makes dynamic decisions at runtime based on
    information collected from the network.
  • Sniff → Decide → Inject
  • The tool is logically divided into 3 parts:
      • The sniffer logic
      • The injection logic
      • The decision logic
  • These three communicate via some IPC mechanism,
    e.g. pipes, message queues, shared memory
  • This is as cool as a tool can get! :D

3
Architecture of a Proactive Security Tool
[Diagram: Main() creates the Sniffer thread (1) and the Injector thread (2). The Sniffer sniffs packets from the Ethernet interface (3) and sends inputs to Decide Action (4); the output of the decision is sent to the Injector (5), which injects packets through the Ethernet interface (6).]

4
Architecture of a Proactive Security Tool
  1. Create sniffer thread
  2. Create injector thread
  3. Sniff packets from the network
  4. Send inputs to the decision module
  5. Send output of decision to injector
  6. Inject packets
  7. Go to step 3

5
Architecture of a Proactive Security Tool
Multi threaded programming
  1. Create sniffer thread
  2. Create injector thread
  3. Sniff packets from the network
  4. Send inputs to the decision module
  5. Send output of decision to injector
  6. Inject packets
  7. Go to step 3

6
Architecture of a Proactive Security Tool
Raw Sockets
  1. Create sniffer thread
  2. Create injector thread
  3. Sniff packets from the network
  4. Send inputs to the decision module
  5. Send output of decision to injector
  6. Inject packets
  7. Go to step 3

7
Architecture of a Proactive Security Tool
IPC message queues
  1. Create sniffer thread
  2. Create injector thread
  3. Sniff packets from the network
  4. Send inputs to the decision module
  5. Send output of decision to injector
  6. Inject packets
  7. Go to step 3

8
Multithreading basics
  • Threads are light-weight processes
      • only local variables in a function are copied
        (e.g. each thread has its own stack)
      • most other data is shared between threads (e.g.
        global variables, the heap)
      • runs in parallel with the main thread
  • pthreads is the POSIX threads standard
  • pthread_create() is used to create a thread
      • Takes a function to execute as input
      • Takes an argument to pass to that function
  • pthread_join() is used by the parent to wait for
    daughter threads to finish execution
  • Visit http://www.llnl.gov/computing/tutorials/pthreads/
    for a comprehensive tutorial

9
IPC Message Queue basics
  • Message Queues are linked lists of messages
    maintained by the kernel
  • Processes are allowed to read and write messages
    from and to a message queue if they have
    requisite permissions
  • Allows for an asynchronous form of communication
  • For a comprehensive yet easy to understand
    tutorial, visit http://beej.us/guide/ipc/mq.html

10
IPC Message Queue basics
  • msgget() to create a message queue
      • Need to use ftok() to create the key
  • msgsnd() to send a message into a queue
      • The message should be of the format:
          struct message {
              long mtype;   // Mandatory
              char data1;
          };
  • msgrcv() to receive a message from the queue
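
The message-queue hand-off between two pthreads, as an added example that is not from the original slides or from GenericTool-1.c: a producer thread stands in for the sniffer and a consumer thread for the decision stage, working on constructed text records instead of live packets. The names run_pipeline, MSG_EVENT and MSG_STOP, the 64-byte data field, and the use of IPC_PRIVATE in place of an ftok() key are assumptions of this example.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

/* Slide layout: mandatory long mtype first, then payload (size assumed). */
struct message { long mtype; char data[64]; };
enum { MSG_EVENT = 1, MSG_STOP = 2 };   /* hypothetical message types */
static int qid, flagged;   /* flagged is read only after pthread_join() */

/* Stand-in for the sniffer: queues constructed records, not live packets. */
static void *producer(void *arg) {
    const char **events = arg;
    struct message m = {0};
    for (int i = 0; events[i]; i++) {
        m.mtype = MSG_EVENT;
        snprintf(m.data, sizeof m.data, "%s", events[i]);
        msgsnd(qid, &m, sizeof m.data, 0);   /* size excludes mtype */
    }
    m.mtype = MSG_STOP;                      /* tells the consumer to exit */
    msgsnd(qid, &m, sizeof m.data, 0);
    return NULL;
}

/* Stand-in for the decision stage: counts ARP request records. */
static void *consumer(void *arg) {
    struct message m;
    while (msgrcv(qid, &m, sizeof m.data, 0, 0) >= 0 && m.mtype != MSG_STOP)
        if (strstr(m.data, "who-has")) flagged++;
    return arg;
}

int run_pipeline(const char **events) {
    pthread_t p, c;
    flagged = 0;
    qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);   /* owner-only queue */
    if (qid < 0) return -1;
    pthread_create(&c, NULL, consumer, NULL);
    pthread_create(&p, NULL, producer, (void *)events);
    pthread_join(p, NULL);
    pthread_join(c, NULL);
    msgctl(qid, IPC_RMID, NULL);   /* System V queues persist until removed */
    return flagged;
}

int main(void) {
    const char *ev[] = { "arp who-has 10.0.0.1 tell 10.0.0.7", "arp reply", NULL }; /* constructed */
    printf("flagged=%d\n", run_pipeline(ev));
    return 0;
}
```

The 0600 mode matters because any local process with the requisite permissions can read from or write to a System V queue, and the msgctl(IPC_RMID) call is needed because the kernel keeps the queue after the process exits.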

11
What tools will we make?
  • GenericTool.c: A tool which articulates the
    architecture discussed in this ppt
  • GenericTool-1.c: A modified version of the above
    to illustrate message transmission using message
    queues
  • ArpDos: A tool to illustrate the working of the
    above architecture. It does a denial of service
    on the network by replying to every ARP request
    it sees on the network

12
Let the games begin !!