Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data

Title: Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data
Publication Type: Technical Report
Year of Publication: 2015
Authors: Sommer, R., Amann J., & Hall S.
Published in: ICSI Technical Report
Publisher: ICSI
Place Published: Berkeley, CA, USA
Report Number: TR-15-004
Other Numbers: 3820
Abstract

Deep packet inspection (DPI) systems process wire-format network data from untrusted sources, collecting semantic information from a variety of protocols and file formats as they work their way upwards through the network stack. However, implementing corresponding dissectors for the potpourri of formats that today's networks carry remains time-consuming and cumbersome, and also poses fundamental security challenges. We introduce a novel framework, Spicy, for dissecting wire-format data that consists of (i) a format specification language that tightly integrates syntax and semantics; (ii) a compiler toolchain that generates efficient and robust native dissector code from these specifications just-in-time; and (iii) an extensive API for DPI applications to drive the process and leverage results. Furthermore, Spicy can reverse the process as well, assembling wire format from the high-level specifications. We pursue a number of case studies that showcase dissectors for network protocols and file formats, individually as well as chained into a dynamic stack that processes raw packets up to application-layer content. We also demonstrate a number of example host applications, from a generic driver program to integration into Wireshark and Bro. Overall, this work provides a new capability for developing powerful, robust, and reusable dissectors for DPI applications. We publish Spicy as open source under a BSD license.

Acknowledgment

This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS-0831535, CNS-0915667, and CNS-1228792. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.

URL: https://www.icsi.berkeley.edu/pubs/techreports/TR-15-004.pdf
Bibliographic Notes

ICSI Technical Report TR-15-004

Abbreviated Authors

R. Sommer, J. Amann, and S. Hall

ICSI Research Group

Networking and Security

ICSI Publication Type

Technical Report