CUJO - Safe Browsing with Lua
Lourival Vieira Neto <[email protected]>
Introduction ➔ CUJO
◆ Smart Firewall
◆ Safe Browsing
◆ Parental Controls
Introduction ➔ CUJO Firmware Team
◆ Gabriel Ligneul
◆ Iruatã Souza
◆ Katia Fernandes
◆ Linas Nenorta
◆ Lourival Vieira Neto
◆ Marcel Moura
◆ Savio Barbosa
◆ Tadeu Bastos
◆ Pedro Tammela
Introduction ➔ Lunatik
◆ Lua in the Linux Kernel
◆ "Scriptable Operating Systems with Lua"
● Vieira Neto, L., Ierusalimschy, R., de Moura, A.L. and Balmer, M.
➔ Luadata
◆ "Zero-copy"
➔ NFLua
◆ Netfilter Binding
➔ Components (architecture diagram; labels as drawn)
◆ Kernel: NIC Driver, Netfilter, Iptables, NFLua, Luadata (zero copy), Lunatik, and the scripts nf.lua, nf_http.lua, nf_ssl.lua, nf_threat.lua, nf_safebro.lua
◆ User space: Safe Browsing Agent, threatd, Luajson
◆ Cloud
➔ Configuration (three builds of the same component diagram, adding one step each)
◆ safebro.json: the configuration as delivered to the user-space side
◆ Lua chunk: the configuration expressed as a Lua chunk
◆ Load config: the chunk is loaded into NFLua in the kernel
Safe Browsing ➔ Configuration
# cat nf_{threat,safebro,http,ssl}.lua > /proc/nf_lua
# iptables -A FORWARD -p tcp --dport 80 --tcp-flags PSH PSH \
    -m lua --function nf_http -j DROP
# iptables -A FORWARD -p tcp --dport 443 --tcp-flags PSH PSH \
    -m lua --function nf_ssl -j REJECT --reject-with tcp-reset
The scripts are written into NFLua through /proc/nf_lua. The two FORWARD rules then hand every TCP segment with PSH set for port 80 or 443 to the nf_http and nf_ssl match functions. A matching HTTP segment is dropped (the block page is produced as a separate TCP reply, see the Filter slides); a matching HTTPS segment is answered with a TCP reset, since no block page can be injected into a TLS session the box does not terminate.
Safe Browsing ➔ Configuration (code listings shown on the slides; the listings themselves are not in this transcript)
◆ threatd.lua
◆ xt_lua.c
◆ nf_safebro.lua
➔ Filter (builds of the same component diagram, following one connection)
◆ A TCP segment with PSH set reaches the iptables rule and enters nflua_match
◆ Cached? No: hot drop the segment and start a Lookup, passed from the kernel script to threatd and on to the Cloud, which answers with a Reputation/Category decision (Cloud Decision); Add to cache
◆ Cached? Yes: the client's TCP retransmission re-enters nflua_match and the cached verdict is applied: Accept, or a Block page sent as the TCP reply
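The cache / hot-drop decision from the Filter diagrams above, as an added example in plain Lua 5.3. This is not CUJO's nf_http.lua and does not use the NFLua or luadata API: the segment payload is assumed to arrive as a Lua string, the `lookups` queue stands in for the hand-off to threatd, and `on_lookup_result` stands in for the cloud verdict arriving. The host names and requests are constructed.

```lua
-- Added example, not CUJO's nf_http.lua: the Filter slides' cache / hot-drop
-- decision in plain Lua 5.3. Assumptions: the segment payload arrives as a
-- Lua string (the real scripts read it through luadata), `lookups` stands for
-- the hand-off to threatd, and `on_lookup_result` for the cloud verdict
-- coming back. Host names and requests below are constructed.

local cache   = {}   -- host -> "accept" | "block"
local pending = {}   -- host -> true while a lookup is in flight
local lookups = {}   -- hosts queued for the user-space agent (assumed interface)

-- Pull the Host header out of the first segment of an HTTP request.
-- Returns nil for anything that does not look like a request line + Host.
local function http_host(payload)
  if not payload:match("^%u+ %S+ HTTP/%d%.%d\r\n") then return nil end
  local head = payload:match("^(.-)\r\n\r\n") or payload
  local host = head:match("\r\n[Hh][Oo][Ss][Tt]:%s*([^\r\n]+)")
  if not host then return nil end
  host = host:gsub("%s+$", "")      -- trailing whitespace
  host = host:gsub(":%d+$", "")     -- explicit port
  return host:lower()
end

-- Same contract as the match function behind `-m lua --function nf_http`:
-- true  = the rule matches, so its target (DROP) fires;
-- false = no match, the segment continues through the chain.
local function nf_http(payload)
  local host = http_host(payload)
  if not host then return false end            -- not an HTTP request: leave it alone

  local verdict = cache[host]
  if verdict == "block"  then return true  end -- cached: drop (block page handled separately)
  if verdict == "accept" then return false end -- cached: pass

  -- Not cached: "hot drop". Queue one lookup per host and drop this segment;
  -- the client's TCP retransmission re-enters nf_http with the same payload,
  -- by which time the verdict is normally in the cache.
  if not pending[host] then
    pending[host] = true
    lookups[#lookups + 1] = host
  end
  return true
end

-- Called when the agent's reputation/category answer arrives.
local function on_lookup_result(host, verdict)
  cache[host] = verdict
  pending[host] = nil
end

-- Constructed traffic.
local bad = "GET /login HTTP/1.1\r\nHost: phish.example\r\nUser-Agent: x\r\n\r\n"
assert(nf_http(bad) == true)                 -- first PSH segment: hot drop, lookup queued
assert(#lookups == 1 and lookups[1] == "phish.example")
assert(nf_http(bad) == true)                 -- retransmitted before the answer: dropped, no second lookup
assert(#lookups == 1)
on_lookup_result("phish.example", "block")
assert(nf_http(bad) == true)                 -- cached block

local good = "GET / HTTP/1.1\r\nHost: Example.ORG:8080\r\n\r\n"
assert(nf_http(good) == true)                -- hot drop
on_lookup_result("example.org", "accept")
assert(nf_http(good) == false)               -- cached accept: segment passes

assert(nf_http("\22\3\1\0\5hello") == false) -- not HTTP (looks like TLS): untouched
print("hot-drop flow ok")
```

The hot drop is what makes the kernel-side decision cheap: nothing waits on the cloud inside the packet path, and the cost of the miss is one retransmission timeout on the client. Anything that is not recognisably an HTTP request is passed untouched, so a parsing failure fails open rather than taking the LAN offline.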
Safe Browsing ➔ Filter (code listings shown on the slides; the listings themselves are not in this transcript)
◆ xt_lua.c (two slides)
◆ nf_http.lua
◆ nf.lua
◆ nf_ssl.lua (two slides)
◆ nf_http.lua
◆ Block page
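For the nf_ssl.lua slides above: before an HTTPS filter can do a reputation lookup it has to recover the host name from the TLS ClientHello's server_name (SNI) extension. The parser below is an added example in plain Lua 5.3 (string.pack/unpack), not CUJO's nf_ssl.lua, and uses no NFLua or luadata API; the ClientHello it parses is constructed by the `client_hello` helper, not captured traffic.

```lua
-- Added example, not CUJO's nf_ssl.lua: extract the SNI host name from a
-- TLS ClientHello. Plain Lua 5.3, no NFLua or luadata API; the ClientHello
-- built by client_hello() is constructed, not a capture.

local function be16(s, pos) return (string.unpack(">I2", s, pos)) end

local function parse_sni(payload)
  -- TLS record header: type(1) version(2) length(2); 0x16 = handshake
  if payload:byte(1) ~= 0x16 then return nil, "not a handshake record" end
  local rec_len = be16(payload, 4)
  local body_end = 5 + rec_len
  if body_end > #payload then return nil, "record spans segments" end
  -- Handshake header: type(1) length(3); 0x01 = ClientHello
  if payload:byte(6) ~= 0x01 then return nil, "not a ClientHello" end
  local pos = 10 + 2 + 32                           -- skip client_version + random
  pos = pos + 1 + payload:byte(pos)                 -- session_id
  pos = pos + 2 + be16(payload, pos)                -- cipher_suites
  pos = pos + 1 + payload:byte(pos)                 -- compression_methods
  if pos + 1 > body_end then return nil, "no extensions" end
  local ext_end = pos + 2 + be16(payload, pos) - 1
  pos = pos + 2
  while pos + 3 <= ext_end do
    local etype, elen = be16(payload, pos), be16(payload, pos + 2)
    pos = pos + 4
    if etype == 0 then                              -- server_name extension
      local list_end = pos + 2 + be16(payload, pos) - 1
      local p = pos + 2
      while p + 2 <= list_end do                    -- name_type(1) length(2) name
        local ntype, nlen = payload:byte(p), be16(payload, p + 1)
        if ntype == 0 then return payload:sub(p + 3, p + 2 + nlen):lower() end
        p = p + 3 + nlen
      end
      return nil, "server_name without host_name"
    end
    pos = pos + elen
  end
  return nil, "no SNI"
end

-- Protected wrapper: a truncated or malformed hello must never take the
-- filter down, so out-of-range reads become a plain nil verdict.
local function tls_sni(payload)
  local ok, name, why = pcall(parse_sni, payload)
  if not ok then return nil, "malformed: " .. tostring(name) end
  return name, why
end

-- Constructed minimal ClientHello carrying one server_name entry.
local function client_hello(name)
  local entry = "\0" .. string.pack(">I2", #name) .. name     -- host_name entry
  local sni   = string.pack(">I2", #entry) .. entry           -- server_name list
  local ext   = string.pack(">I2I2", 0, #sni) .. sni          -- extension type 0
  local body  = "\3\3" .. string.rep("\0", 32) .. "\0"        -- version, random, empty session id
             .. string.pack(">I2", 2) .. "\0\47"              -- one cipher suite (0x002f)
             .. "\1\0"                                        -- one compression method (null)
             .. string.pack(">I2", #ext) .. ext
  local hs = "\1" .. string.pack(">I3", #body) .. body
  return "\22\3\1" .. string.pack(">I2", #hs) .. hs
end

assert(tls_sni(client_hello("Bank.Example")) == "bank.example")
assert(tls_sni("GET / HTTP/1.1\r\n") == nil)                 -- plaintext HTTP: no verdict
local _, why = tls_sni(client_hello("x"):sub(1, 40))         -- hello cut mid-record
assert(why == "record spans segments")
print("sni ok")
```

Two points a filter author has to care about here: the first PSH segment of a connection need not carry the whole ClientHello, so "record spans segments" is a normal outcome rather than an attack, and the port-443 rule on the Configuration slide uses REJECT with a TCP reset because, unlike the HTTP case, there is no way to answer a blocked TLS connection with a block page.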
Why Lua? ➔ Extensible Extension Language
◆ Embeddable and Extensible
◆ C Library
➔ Almost Freestanding
➔ Small Footprint
◆ ~250 KB
➔ Fast
➔ MIT License
Why Lua? ➔ Ease of Development
➔ High-level Language
➔ Dynamically Typed
➔ Domain-specific API
Why Lua? ➔ Safety
➔ Automatic Memory Management
➔ Protected Call
➔ Fully Isolated States
➔ Cap the Number of Executed Instructions
➔ Test Suite
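An added example that ties the Configuration slides (safebro.json becoming a Lua chunk that is then loaded) to the Safety slide above: a configuration table is serialised as Lua source and loaded with a text-only `load`, an isolated environment, a protected call and an instruction cap set through a count hook. This is plain Lua 5.3 run in user space, not CUJO's threatd.lua or nf_safebro.lua; on the device the chunk would be written to /proc/nf_lua instead, and the "Fully Isolated States" point refers to separate Lua states, which a single-interpreter example cannot show. The configuration values are made up.

```lua
-- Added example, not CUJO's threatd.lua / nf_safebro.lua: a configuration
-- table serialised as a Lua chunk and then loaded with the guards the Safety
-- slide lists: text-only load(), an isolated environment, a protected call
-- and an instruction cap. Plain Lua 5.3 run in user space; on the device the
-- chunk would instead be written to /proc/nf_lua. Config values are made up.

-- Serialise strings, numbers, booleans and nested tables as Lua source.
local function to_chunk(value, indent)
  indent = indent or ""
  local t = type(value)
  if t == "string" then return string.format("%q", value) end
  if t == "number" or t == "boolean" then return tostring(value) end
  if t ~= "table" then error("unsupported type: " .. t) end
  local keys = {}
  for k in pairs(value) do keys[#keys + 1] = k end
  table.sort(keys, function(a, b) return tostring(a) < tostring(b) end)
  local out = {}
  for _, k in ipairs(keys) do
    out[#out + 1] = indent .. "  [" .. to_chunk(k) .. "] = "
                 .. to_chunk(value[k], indent .. "  ") .. ","
  end
  return "{\n" .. table.concat(out, "\n") .. "\n" .. indent .. "}"
end

-- Load a chunk defensively and return the table it evaluates to.
local function load_config(chunk, max_instructions)
  local env = {}                                   -- fresh environment: no _G, os, io, debug
  local fn, err = load("return " .. chunk, "=safebro", "t", env)  -- "t": refuse bytecode
  if not fn then return nil, "syntax: " .. err end
  -- Count hook: fires once `max_instructions` VM instructions have run.
  debug.sethook(function() error("instruction limit exceeded", 0) end, "", max_instructions)
  local ok, result = pcall(fn)                     -- protected call: errors become return values
  debug.sethook()
  if not ok then return nil, result end
  return result
end

-- Constructed configuration, stand-in for what safebro.json would carry.
local config = {
  blocked    = { "phish.example", "malware.example" },
  categories = { adult = true, gambling = false },
  ttl        = 300,
}
local cfg, err = load_config(to_chunk(config), 100000)
assert(cfg, err)
assert(cfg.blocked[2] == "malware.example" and cfg.ttl == 300 and cfg.categories.gambling == false)

-- Hostile "configuration": probes for escaped globals, then spins forever.
local cfg2, err2 = load_config(
  "(function() if os ~= nil then return 'escaped' end while true do end end)()", 10000)
assert(cfg2 == nil and err2 == "instruction limit exceeded")

-- Precompiled chunks are refused outright by mode "t".
assert(load(string.dump(function() end), "=bc", "t", {}) == nil)
print("config loaded safely")
```

The instruction cap matters more in the kernel than it does here: a configuration or filter chunk that loops inside nflua_match would stall packet processing, so the count hook turns an unbounded chunk into an ordinary error the protected call can report. Refusing bytecode with mode "t" closes the other usual avenue, since the Lua bytecode loader is not hardened against malicious input while the source parser is.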
Why Lua? ➔ Security
● A single vulnerability disclosed since 1993
Benchmarks
➔ Tinyproxy
◆ ~150 Mbps
◆ CPU bound
➔ NFLua
◆ Slow path: ~500 Mbps
◆ Fast path: ~750 Mbps
◆ Not CPU bound
➔ Bypass
◆ ~890 Mbps
➔ Online units: ~5.5 k