network event recognition for packet-mode - cis home page

Network Event Recognition

for Packet-Mode Surveillance

Karthikeyan Bhargavan

University of Pennsylvania

[email protected]

Carl A. Gunter

University of Pennsylvania

[email protected]

March 2002

Abstract

Surveillance of packet-mode communications candraw on ideas from �rewalls and network intrusiondetection systems but has features that raise distinctsoftware engineering challenges. We propose an ar-chitecture, CSF, for composable separation functionsthat can enhance privacy, clarity of speci�cations,and assurance. We introduce a language, NERL, fornetwork event recognition and use it to build an open-source surveillance system, OpenWarrants, based onCSF. We demonstrate how NERL can be used as abasis for formally analyzing privacy protections andhow CSF can be used to provide new capabilitieswithin formally-speci�ed privacy policies.

1 Introduction

Use of packet-mode communication technologies ispervasive and rising quickly. Increasing amounts ofinformation, including much of what was once deliv-ered by telephone voice communication, is now pass-ing over packet-mode networks, particularly the In-ternet. Law Enforcement Agencies (LEAs) have usedsurveillance based on information from telephone cir-cuit voice communications to gather evidence for awide range of suspected criminal activities. There is adesire to extend these means of evidence-gathering topacket-mode communications. This has raised a va-riety of legal and privacy concerns, but it also entailsa variety of serious software engineering challenges.The aim of this paper is to present an architec-

ture, which we call the Composable Selection Func-tion (CSF) architecture, for addressing some of thesesoftware engineering challenges in the context of theTCP/IP protocol suite used on the Internet. To doso, we exploit ideas from Network Event Recogni-tion (NER), a technique for passive analysis of IPpacket streams. In particular, we propose a formal

language, the Network Event Recognition Language(NERL), that can be used to precisely de�ne and an-alyze general multi-layer �lters capable of eÆcientlyextracting speci�c data from packet streams. NERLis derived from the authors' experience with analyz-ing routing protocol simulation traces [2] and trans-port layer monitoring in�delities [1]. The CSF archi-tecture is based on four aspects of processing: aggre-gation (of packets associated with a speci�ed proto-col), identi�cation (of the `owner' of these packets),abstraction (of information to protect privacy), anddelivery (of the abstracted information to an LEA orother monitoring party). An additional element ofour architecture is a concept of escrowed data, whichis held in storage without being abstracted or deliv-ered, but can later be used for further �ltering.We demonstrate NERL and CSF by using them

to address one of the more controversial aspects ofwarrants for packet-mode communications, namelythe generalization to packet-mode surveillance of thepen register and trap and trace devices for circuit-switched networks. Such devices are used to col-lect the numbers called (pen register) or calling (trapand trace) a given suspect telephone number. Accessto such information can be obtained with fewer ap-provals than access to the content of the phone callsfor the suspect number. Generalizing this conceptto packet-mode communications based on IP overthe Internet is subtle since analogies between Inter-net packet streams and circuit-based telephone callsare diÆcult to make. (We use the term pen modefor pen register and trap and trace for packet datafrom here on.) To illustrate the diÆculty, consideran email message from a suspect person to a corre-spondent. What is the analogy to the phone num-ber of the suspect? Is an IP address, a Network Ac-cess Identi�er (NAI), an email address, a Public KeyCerti�cate (PKC), a Ethernet address, or somethingelse? Assuming it is an email address, what infor-mation should be delivered as part of a pen-mode

1

surveillance order? Should it be the headers of theIP packets used in the email, the header of the email,or something else? The answer is surely `somethingelse'. We will describe protocols later, but, to see theproblem, the header of an email TO �eld may not bethe recipient of the message since the destination ofan email is determined by the Simple Mail TransferProtocol (SMTP), not by the email header. Thus aclient with a custom Mail Transfer Agent (MTA) cansend messages in which the message header is highlymisleading.We do not attempt to address legal issues in any

depth in this paper, but instead focus on software en-gineering challenges. A few brief comments are worthnoting, however. Privacy can be enhanced by ad-vances in the software engineering of monitoring sys-tems. Current challenges include the desire to avoidsending large amounts of data to LEAs and trustingthem to sort out the data to which they are enti-tled. Dually, LEAs are concerned about obtaining toomuch data because cases can be compromised by ex-clusion of evidence based on a `fruit of the poison tree'argument. (There are indications [12] that a problemwith mis-collection did lead to diÆculties for an inves-tigation using an early version of an FBI packet-modemonitoring system.) More advanced monitoring ar-chitectures can allow judges to grant �ner-tuned war-rants to better protect privacy while expediting jus-ti�ed investigations. Recent law also drives betteranalysis of monitoring architectures. In particular,the USA Patriot Act (passed in October 2001 afterthe destruction of the World Trade Centers) speci�-cally calls1 for procedures to deploy and audit pen-mode monitors. The question of how to de�ne andcarry out this kind of surveillance is still not fullydetermined.2

In this paper we address the following questions.

1. How does one precisely specify the contents of asurveillance order that covers `abstracted' infor-mation like pen mode?

2. How can a monitoring architecture be made ex-tensible enough to deal with changing require-ments and modular enough to be used in con-junction with other monitoring systems and de-livery requirements?

3. How can a suitable architecture be used to en-

1Uniting and Strengthening America by Providing Appro-priate Tools Required to Intercept and Obstruct Terrorism(USA Patriot Act) Act, Pub. L. 107-56, 115 Stat. 272 (2001),at 115.

2There are also some questions about the constitutional-ity of the new laws; see www.research.att.com/~smb/talks/

Wiretaps/index.htm for example.

hance privacy protections, accountability, and ef-fectiveness by exploiting improved semantic clar-ity, extensibility, and composability?

4. Is it possible to build an eÆcient, open-sourcesystem to meet legal and other requirements forpacket-mode surveillance?

Our discussion is given in six sections. In the sec-ond section we provide background on the historyof packet-mode surveillance, enumerate some of thechallenges involved, and describe the FBI Carnivoresystem. In the third section we describe the conceptof a bu�ering �rewall as a hybrid of stateful �ltering�rewalls and Network Intrusion Detection Systems(NIDSs). We then describe the CSF architecture.In the fourth section we describe NERL. In the �fthsection we describe our OpenWarrants implementa-tion of a email surveillance system with pen modeand escrow capabilities. We also describe how weused SPIN to derive privacy protection de�cienciesin existing NIDSs (viewed as surveillance monitors)and prove that these errors do not arise in Open-Warrants. The sixth section provides conclusions.We have included three appendices, one for readersunfamiliar with the Internet email protocol, SMTP,and the other for readers wanting more details aboutNERL, including examples of most of the languageconstructs, and a third for readers who want to seedetails of the recognizers. The paper can be under-stood without the appendices.

2 Background

2.1 A Little History

In 1994 the US federal government passed a billknown as CALEA3 calling for public telecommuni-cations carriers to provide LEAs with the ability tocarry out certain forms of surveillance. The Telecom-munications Industry Associate (TIA) coordinatedthe creation of a technical standard to be used by themore than 1000 carriers a�ected by CALEA. Thisstandard, known as J-STD-025 [19] was created inits �rst version by 1998, but did not fully satisfy theFederal Communication Commission (FCC), whichindicated the following concern about privacy pro-tections:

We �nd that the approach taken with regardto packet-mode communications in J-STD-025 raises signi�cant technical and privacyconcerns. Under this standard, LEAs would

3Communications Assistance for Law Enforcement Act,Pub. L. No. 103-414, 108 Stat. 4279 (1994).

2

be provided with both call-identifying infor-mation and call content even in cases wherea LEA is authorized only to receive call-identifying information (i.e., under a penregister). ... We believe that further e�ortscan be made to �nd ways to better protectprivacy by providing law enforcement onlywith the information to which it is lawfullyentitled.4

The FCC nevertheless accepted the J-STD-025 ap-proach on a tentative basis and invited TIA tostudy the issue of packet-mode communications andCALEA further and provide a report. The TIA re-port [18] was completed in September of 2000 aftera pair of Joint Experts Meetings (JEMs) convenedby TIA. The TIA JEM report raised a number ofquestions about the feasibility of packet-mode surveil-lance; we review some of these issues shortly. The sec-ond TIA JEM meeting was the forum in which theFBI gave the �rst public demonstration of its packet-mode surveillance system, Carnivore. This systemreceived considerable public attention, including callsfor the release of the system for public review. TheFBI allowed the system (including its source code)to be reviewed by the Illinois Institute of TechnologyResearch Institute (IITRI) and Chicago-Kent Collegeof Law. A draft IITRI report was released in Novem-ber 2000. A number of comments were written onthis draft report from legal and technical perspec-tives.5 The �nal version of the IITRI report [17] wasreleased in December 2000. The current version ofthe TIA standard, J-STD-025-A [20], was completedprior to the JEM report and does not include tech-nical standards for functionality addressing the con-cerns of the FCC as quoted above. The Departmentof Justice recently released a guide [6] for CALEA-conformance on packet-mode communication indicat-ing that packet-mode surveillance capabilities mustbe provided by carriers even in the absence of a tech-nical standard.

2.2 Challenges

It is useful to begin with some of the context ofpacket-mode surveillance. To monitor a phone con-versation roughly involves creating a conference callthat adds the LEA to a suspect call. This is illus-trated in Figure 1. This is known legally as an inter-

4FCC 99-230, CC Docket No. 97-213, Third Report andOrder, at 26-27

5The Center for Democracy and Technology (CDT) hasa useful reference page at www.cdt.org/security/carnivore

with links to many of these reports as well as news reports onCarnivore.

1 2 3

4 5 6

7 8 9

* 8 #

1 2 3

4 5 6

7 8 9

* 8 #

Suspect

Monitoring Organization

Telephone Network

CircuitSwitches

Voice

Circuit

Storage

Figure 1: Telephone Wiretaps

ception and requires a warrant from a judge. A penregister is the lawful acquisition of certain outgoingdialing or signaling information. A trap and trace isthe lawful acquisition of the originating number ofany wire or electronic communication. Authority forpen registers and trap and trace are given in 18 USC3123 and 50 USC 1842. Access to this information isbased on a lower standard than interception. The ap-plication of these concepts to packets is controversial,especially when it is interpreted to mean access to thesender and the recipient(s) of an Internet email mes-sage. For this paper we will put aside the legal ques-tions about whether the sender and recipient(s) of anemail, for instance, are really covered by these laws.We focus on the technical feasibility of building a sys-tem that treats them as such. There are at least sixproblems in monitoring of packet data: �delity andvantage point, identi�cation and abstraction, stan-dardization and maintenance, eÆciency, and encryp-tion.Fidelity and Vantage Point. Packet-mode commu-

nication breaks a transmission into a collection ofpackets that are routed independently to their des-tination. In the Internet, these packets can proceedalong di�erent paths and may be dropped, re-ordered,duplicated, or even corrupted. Hence the sequence ofpackets seen by a monitor may be di�erent form thesequence seen by either of the communicating par-ties. This is the �delity problem. A closely relatedproblem is that of vantage point. Since the packetsmay travel on di�erent paths, �delity problems maybe exacerbated by missed packets.Fidelity is a problem more for unreliable protocols

than reliable ones. In reliable protocols like TCPa packet is resent if it is not acknowledged. Thus

3

a monitor with a vantage point on a bottleneck inthe physical or logical network topology between thesender and the receiver can see any acknowledgedpacket and therefore reconstruct the entire TCP ses-sion. However, in�delities can be introduced deliber-ately too [15]. For instance a trick to confuse moni-tors is to send a packet with a limit (IP Time To Livebound) that ensures it will be received by the mon-itor but not the apparent destination and then sendanother packet with the same sequence number butdi�erent contents and adequate resource bound. Amonitor not prepared for this trick is likely to recordthe �rst packet and discard the second.Identi�cation and Abstraction. IP packets have

source and destination addresses, but these can bemisleading about the actual `owner' of the packetas well as the actual (high level) source and desti-nation. Thus it is a problem to identify the ownerand abstract the source and destination. Protocolslike DHCP assign IP numbers dynamically to sourcesand Network Address Translators (NATs) hide actualsource addresses behind proxy addresses. Protocolslike IP email do not typically send messages directlyfrom the email sender machine to the email recipi-ent machine but rather through a sequence of emailrelay machines. Thus the destination IP address inthe original email dispatch is typically not that ofthe ultimate recipient, and the IP source address inthe �nal email delivery is typically not that of theinitial sender. Moreover, many aspects of IP can beforged or made misleading. We mentioned alreadythe problem that there is some subtlety in de�ningto whom an email is addressed. A key issue here isthat the identity associated with the packet is diÆ-cult to determine from any one level of analysis. IPprotocols are layered, and this layering is representedby encapsulated packet headers. Thus informationabout the identity associated with a packet may notbe represented at the IP (network) layer but insteadat any of several application layers that are meaning-ful to the endpoints but not necessarily the network.To carry out whatever identi�cation is possible re-quires a system that can analyze these layers. Thischallenge was considered at the TIA JEM and the fol-lowing options were considered: send nothing or allof the packet; send headers or the whole packet; or`Peel the onion' on a packet to examine multiple lay-ers. Given the protocol layering, `peeling the onion'is necessary to determine which packets contain theproper data. For example, to determine the partiesto whom the suspect sent email, it is useless to lookonly at the IP headers.Standardization and Maintenance. A signi�cant

problem with any complex speci�cation of informa-

tion to be collected is the need to manage these speci-�cations in the implementations in hundreds of sites.If an error is detected or a new capability must beadded, a tedious standards process followed by anexpensive upgrade process may be necessary. More-over, the TCP/IP protocols are organized to placesigni�cant amounts of processing on hosts rather thannetwork elements (`intelligence at the edge'). For ex-ample, end-to-end reliability is handled by endpointswith routers performing `best e�ort' transmission ofpackets. If the endpoints of a communication are us-ing a protocol that is unfamiliar to a monitor thanit will be unable to interpret high-level features ofthe protocol to carry out steps like identi�cation andabstraction. It is therefore essential to have an ex-tensible and modular monitor platform that allowschanges to be added incrementally with as little fussas possible.EÆciency. Routers are designed to do a compara-

tively simple task very quickly. A surveillance mon-itor that must `peel the onion' must perform a farmore computationally complex task. It is essentiallyimpossible for a monitor to keep up with the fastestrouters. Fortunately monitors can be often be placednear the edge of the network where performance de-mands are less stringent. Also, as we will discusslater, the technology for surveillance monitors cantrack advances in �rewalls and intrusion detectionsystems, which have many of the same performancechallenges.Encryption. `Peeling the onion' is diÆcult or im-

possible if encryption is used. In most cases a mon-itoring system can only log packets that containencrypted data. Email encryption like PGP andS/MIME is done at application layer so the senderand recipients of the email can be determined with-out decryption. However, if a client accesses emailover a transport layer tunnel (viz. SSL), then noth-ing will be visible beyond the TCP header. Encryp-tion at network layer using IPSEC ESP in transportmode will leave nothing but the IP header exposed toexamination, and in tunnel mode even the (original)IP header is encrypted. Link layer encryption is pre-sumably not a problem since the monitor is assumedto have access to the link layer or a network elementused by it.

2.3 Carnivore

Carnivore is a system implemented on behalf of theFBI for the surveillance of packet-mode communica-tions over Ethernet. The description here is basedon the IITRI Report, which considered version 1.3.4.A Carnivore-like monitoring system is illustrated in

4

EthernetThe Internet

Monitor

RemoteStation

Tap

EthernetSwitch

Hub

Networked Terminals

Gateway

TelephoneLink

Monitored Network

Monitoring Organization

Correspondent

Suspect

Correspondent

EthernetSwitch

Storage

Storage

Figure 2: Carnivore-Like Monitoring System

Figure 2. Packets from one or more networked ter-minals including the one being used by the suspectare routed over an Ethernet link toward other partsof the Internet. A tap is placed in an Ethernet linkthat may bear some or all of the suspect's packets.All packets on this link are copied through a hub to amonitor machine. The hub is con�gured so that pack-ets can ow only from the network into the monitor;the monitor cannot a�ect traÆc on the monitoredlink. The monitor is connected to a remote stationby a modem link; remote terminal software is used tocontrol the monitor. The monitor copies packets intolocal storage. Data of interest is collected from themonitor and stored on the remote station where itcan be viewed through a user interface and processedwith software for parsing and statistical analysis.In order to protect privacy and manage the amount

of data collected, Carnivore carries out two `mini-mizations' (abstractions). First, packets that are notintended for surveillance, such as those sent by partiesother than the suspect, are dropped. Second, only alimited view of the data is allowed at the remote sta-tion. Certain personnel protocols are followed to helpensure that the data abstraction is not threatened.For instance, a Technically Trained Agent (TTA) whosets up the monitor is not allowed to view the data.Carnivore provides a variety of modes for data col-

lection, including data from FTP, SMTP (email),HTTP (web) protocols identi�ed as belonging to the

suspect by �xed IP address, an address dynamicallyassigned by Radius or DHCP, and Ethernet MACaddress. For each of TCP, UDP, and ICMP thereis an option for pen mode collection. For example,if email is collected in pen mode using SMTP (TCPport 25) and POP3 (TCP port 110), then Carnivorewas tested to collect only addresses appearing in theFROM and TO �elds. The IITRI report indicates thatCarnivore collects the SMTP RCPT-TO �elds. Find-ing ways to specify these details is a central part ofour e�ort in this work. When pen mode is used forHTTP (TCP port 80) Carnivore collects the sourceand destination IP addresses not the URL or its con-tents.

3 Architecture

3.1 Bu�ering Firewalls

Despite the daunting list of problems with packet-mode surveillance, much of the technology neededto do parts of it already exists in products for saleto the public and even open source systems. TheIITRI report reviews EtherPeek, a popular monitor-ing (`sni�er') system from Wild Packets, Inc. Ether-Peek is able to collect Ethernet frames from a spe-ci�c IP address, for example. After the IITRI re-port, NetworkICE, a vendor of intrusion detectionsystems, released an open source system called Alti-

5

vore with most of the features of Carnivore. Altivorewas built by cutting and pasting functionality fromexisting code. A number of parties have suggestedthat the FBI provide an open source version of Car-nivore. The FBI declined to do this for a variety ofreasons we will not review here.Firewalls are network elements that act something

like a perimeter defense and are deployed at topolog-ical choke points on IP internetworks [3]. They aregenerally classi�ed according to the level at whichthey process packets: �ltering �rewalls (networklayer), circuit �rewalls (transport layer), and applica-tion �rewalls (application layer). A �ltering �rewalluses a set of rules for which packet patterns to forwardor discard. Firewalls are also classi�ed as stateless orstateful depending on whether or not they collect in-formation from packets that creates state in uencingthe processing of future packets. A salient feature of�rewalls is that they forward or block screened pack-ets. A stateful �ltering �rewall does this by examin-ing packet patterns in the context of state created byprior packets. Network Intrusion Detection Systems(NIDSs) monitor network traÆc for unusual patternsor signatures [7]. They typically create logs and raisealarms if observed traÆc triggers rules that aim toidentify an attack. These alarms can sometimes beused to stop an attack, perhaps by enlisting the aidof a �rewall. NIDSs typically can be con�gured withrule sets based on patterns associated with commonmeans of attack. A salient feature of NIDSs is thatthey observe and create logs of packets as they passand raise alarms if they see undesirable patterns.A surveillance system like Carnivore is a hybrid of

a �rewall and a NIDS. It observes and logs traÆc likea NIDS, but �lters the observed traÆc like a �rewallto prevent too much information from reaching theLEA or other monitoring organization. The systemwe describe in this paper is therefore like a new kindof �rewall, a bu�ering �rewall, in which packets arepassively collected as if for analysis and logging, andthen forwarded (or not) depending on collection pol-icy.

3.2 CSF Architecture

The TIA JEM report refers to the FBI Carnivore sys-tem as a `Separation Function'. This is distinguishedfrom the Collection Function in J-STD-025 in the wayit prunes information to obtain only authorized con-tent. In order to satisfy the FCC request it might bepossible to develop composable separation functionsthat would allow carriers to �lter surveillance databefore handing them over to the LEA. The challengesdescribed earlier remain daunting, but we would like

to push forward the study of this direction by intro-ducing the Composable Separation Function (CSF)architecture. It is illustrated in Figure 3. Filtering

Aggregation Identification Abstraction Delivery

Source Sink

Escrow

Figure 3: Composable Separation Function Architec-ture

is conceived as consisting of four conceptual steps ofprocessing. In the �rst step, aggregation, data are col-lected according to the protocol of which they are apart. A typical aggregation will be packets in a TCPsession, but other aggregations like audio transmis-sions based on a UDP stream or application layerentities like an email message are also likely. In thesecond step, identi�cation, an aggregation is associ-ated with an identity, which may be de�ned in a num-ber of ways, many of them protocol-speci�c. In thethird step, abstraction, an abstraction is performedto remove data that should not be forwarded. In thefourth and �nal step, delivery, the data are renderedin a form that allows it to be passed along to a similarCSF module.This sequence is conceptual and implementations

would not typically consist of four separate modules.For example, it may be highly desirable to carry outidenti�cation at the same time as aggregation sincean aggregate that does not belong to the monitoreddata can be recognized before they are fully collected.The composition assumption could enable a carrier torun a separation function `in front of' a system likeCarnivore or could simply aid the modular construc-tion of surveillance systems. In particular, compos-ability enables a simple concept of escrow (see Fig-ure 3) in which data are with-held from immediatedelivery but may be delivered later under a new �l-ter.A particular illustration of CSF based on a stream

of packets is given in Figure 4. In the �rst columnare all packets from the packet stream Source. Inthe second column are the packets that have passedthe aggregation and identi�cation steps, here calledthe warranted packets. In this case it is all pack-ets of Alice. In the third column are packets thatare directed to escrow. In the fourth column are the

6

�

1 HTTP Alice

2 SMTP Bob

3 SMTP Alice

4 FTP Alice

5 FTP Alice

6 HTTP Eve

7 SMTP Alice

8 SMTP Bob

9 HTTP Alice

10 FTP Alice

11 HTTP Alice

��

��

��

�

�

All PacketsWarranted

PacketsEscrowPackets

DeliveredPackets

1 HTTP Alice

3 SMTP Alice

4 FTP Alice

5 FTP Alice

7 SMTP Alice

9 HTTP Alice

10 FTP Alice

11 HTTP Alice

3 SMTP Alice

4 FTP Alice

5 FTP Alice

7 SMTP Alice

10 FTP Alice

1 HTTP Alice

3 SMTP Alice

7 SMTP Alice

9 HTTP Alice

11 HTTP Alice

��Data Viewed

Data Hidden

Figure 4: First Stage Packet Processing

packets that are delivered to the Sink. These packetshave been modi�ed so that some data are removed.This may consist of simply not delivering pieces orby otherwise `blanking out' those portions. The re-cipient may choose to apply its own abstraction andonly view portions of the delivered packets.At a later point, if it is requested that all of the

SMTP (aggregate) / Alice (identity) traÆc be sup-plied, then all of the escrow data can be routed backthrough the �lters as illustrated in Figure 5.

All PacketsWarranted

PacketsEscrowPackets

DeliveredPackets

3 SMTP Alice

4 FTP Alice

5 FTP Alice

7 SMTP Alice

10 FTP Alice

3 SMTP Alice

7 SMTP Alice

3 SMTP Alice

7 SMTP Alice

Figure 5: Packet Processing from Escrow

4 NERL

NERL is a language for programming network proto-col monitors. Network protocols involve interactionsbetween two (or more) entities that exchange data ina pre-arranged format. A protocol monitor has threetasks: it collects the data exchanged between entities,parses the data to identify the protocol events that

they represent, and follows the protocol state ma-chines at the two ends to reconstruct the stage andresult of the interchange. For instance, SMTP [14, 10]is a protocol for transferring email messages from aclient to a server. The data transferred in an SMTPsession consists of client commands and server re-sponses, encoded as specially formatted strings. Amonitor must collect these strings, parse them intocommands and responses, and follow the client andserver state machines to �nd out which emails andwhich recipients have been accepted by the server.Collecting data exchanged by a protocol is not triv-

ial, because network protocols are layered. For in-stance, SMTP uses a TCP stream to transfer its for-matted strings reliably across the network. TCP inturn splits each string into datagrams, which are de-livered by IP. To collect SMTP data, we must recog-nize IP packets, and then TCP streams. Therefore arealistic monitoring setup must have a stack of mon-itors, one for each protocol layer, up to the protocolof interest.Parsing protocol data is a simple but tedious and

error-prone task. For instance, packet formats haveto deal with endian-ness issues of storing 32-bit val-ues, which causes a lot of errors. We advocate us-ing languages such as PacketTypes [11] that can beused for automatically generating parsers from packetspeci�cations. However, for string formatted data,such as the commands used in SMTP, it is most eÆ-cient to write the parser in C using string matchinglibraries. Such parsers are typically short functions,but they must still be inspected carefully for errors.The bulk of the protocol monitoring e�ort is in re-

constructing the state at the protocol participants,in order to extract meaningful information from thecaptured protocol data. NERL programs consist ofrecognizer modules that carry out this analysis. Eachprotocol event recognizer takes input events that trig-ger a state machine. When a high-level event is rec-ognized, it is triggered as an output event. A NERLprogram composes several layers of recognizers, feed-ing outputs of one layer to the inputs of the one aboveit. In addition to recognizer modules, it may includeparser modules that impart additional structure tocaptured events.The SMTP recognizer takes as input several com-

mand events, such as Hello and MailFrom, and re-sponse events such as ResponseOk and ResponseErr.(See Figure 10 in Appendix A for the full SMTPstate machine.) State variables store the sender andrecipients' email addresses, and the email messagedata sent to the server. A typical SMTP sessionmay have up to 10 intermediate states; the currentstate is stored in an integer variable (state). When

7

a sender and recipient are accepted by the server,a high-level event EnvelopeAccepted is generated.Similarly, when an email is successfully sent, the high-level event MailAccepted is generated. This is rep-resented in NERL by the following event de�nition:

event MailAccepted = ResponseOk OccurredWhen

(state == DATAEND)

WithAttributes {

MailAccepted.envelope.from = sender;

MailAccepted.envelope.to = receiver;

MailAccepted.message = data

}

Here, the OccurredWhen construct serves to re-strict the response event based on the current state.The WithAttributes construct attaches attributevalues to the MailAccepted event. Input events suchas client commands trigger state transitions. Forinstance, the MailFrom event triggers the followingstate transition.

MailFrom -> { state = MAIL;

sender = MailFrom.address }

An overview of NERL with other examples appearsin Appendix B.The NERL language suite comes with a compiler

that translates NERL recognizers into a hierarchy ofC monitoring functions. These functions are com-posed with protocol parsers, and executed on packettraces to recognize high-level protocol events. TheNERL language suite contains a base library of rec-ognizer code (derived from open source software) forthe more commonly used protocols, such as IP andTCP. New protocol recognizers can be built on topof these and added to the base library.It is important to check that recognizers are cor-

rect, especially when we compose a long stack ofthem. The NERL suite provides a number of toolsand strategies to ensure that recognizers have the in-tended semantics. For one, the NERL syntax makesit simple to generate a recognizer from a protocolstandard speci�cation. In addition, NERL is stronglytyped. The type-checker looks for simple errorssuch as undeclared variables, arithmetic operationson non-integers, and array indexing violations.NERL recognizers can also be translated to

Promela [8] and model-checked by SPIN [9]. SPINis a powerful veri�cation tool and can be used tocheck that the recognizer behaves correctly for a widerange of inputs. For instance, we can check that theSMTP recognizer, when composed with an SMTPclient and server, correctly captures all emails sentbetween them, for all possible client-server interac-tions.

In addition, we are in the process of developingtransformation tools for NERL that incorporate thealgorithms in [1] to address �delity and vantage pointissues.

5 OpenWarrants

In this section, we describe OpenWarrants, our re-alization of a composable separation function forpacket-mode surveillance. Given a speci�cation ofdata that is to be collected, called a warrant, theOpenWarrants system uses NERL recognizers to �l-ter a packet stream and deliver exactly the warranteddata. OpenWarrants currently handles email war-rants.OpenWarrants sits on a box between the monitored

network (the source) and the monitoring party (thesink) and acts like a bu�ering �rewall: it stores pack-ets, analyzes them, and lets them through only whenthey are determined to be covered by a warrant. Theoperational setup is shown in Figure 6. Packets are

libpcap

OpenWarrants

Filter

libnet

IP Packet DeliveryIP Packet Capture

From Source To Sink

IP Packet Buffer

CSF Execution

Figure 6: OpenWarrants Setup

captured using the libpcap (tcpdump.org) libraryand stored in a packet bu�er. The OpenWarrantsmodule analyzes this bu�er and informs the �lter tolet through packets covered by the warrant. Thelibnet (libnet.sourceforge.net) library is usedto deliver the packets to the network on the otherside. Escrow is handled by another �lter, also man-aged by the OpenWarrants analysis module, and isplaced into a �le. We do not implement any capabil-ity for hiding parts of packets.To execute OpenWarrants, the user must specify

an email warrant that consists of several pieces ofinformation.

� Aggregation Level: High-level events of interest,such as SMTP messages, or Internet MessageHeaders, and NERL modules to recognize them.

8

� Identi�cation: A NERL recognizer that identi�esemails covered by the warrant.

� Abstraction: A NERL recognizer that describesthe portions of emails that must be sent throughto the sink.

� Escrow: Whether identi�ed emails should besaved for later analysis.

Specifying two levels of aggregation results in fourNERL recognizers as illustrated in Figure 7. In therest of this section, we describe each of these compo-nents one by one.

IdentMail AbsMail

IMH

SMTP

Identification

Aggregation

Abstraction

To Escrow To Filter

Figure 7: OpenWarrants Components

5.1 Aggregation

To aggregate SMTP data, or Internet Message Head-ers [5, 16], we write NERL recognizers for these proto-cols. Because of the layered nature of network proto-cols, we need to identify protocol events at each layeras shown in Figure 10. Large IP packets in the Inter-

IP IPIP

TCP TCP

SMTP SMTP

IMH IMH

IP Packet Buffer

IP Fragment Reassembly

TCP Stream Reassembly

SMTP Mail Recognition

Mail Header Recognition

Figure 8: Aggregation: Recognizing Emails

net are sometimes broken down into fragments, whichare reassembled at the destination. An accurate IPmonitor must therefore implement a state machinethat collects and reassembles IP fragments, to gen-erate an IP packet event. TCP monitors must simi-larly keep track of sequence numbers and acknowledg-ments to reconstruct the TCP data sent. The NERL

suite already contains recognizer code for the IP andTCP protocols.For OpenWarrants, we need to add recognizer

modules for SMTP and Internet Message Head-ers (IMH). The SMTP recognizer collects SMTPcommands sent across a TCP session, recon-structs the SMTP dialogue, and recognizes success-ful email transmissions. It then produces high-levelevents such as EnvelopeSent, EnvelopeAccepted,MailSent, and MailAccepted, indicating di�erentevents in the SMTP dialogue. The IMH mod-ules parse Internet message headers, producingIMHMessage events that contain header �elds as at-tributes.

5.2 Identi�cation

The NERL identi�cation module IdentMail speci-�es which email events are covered by the war-rant. IdentMail takes as input the events producedby the SMTP and IMH recognizers, and producesthe IdentEnvelope, IdentHeader, and IdentMail

events when the corresponding input event is coveredby the warrant. For instance, the IdentMail eventmay identify [email protected]'s email by looking at themessage header �elds and the SMTP envelope. Thefollowing rule accepts messages where [email protected]

sends or receives the message or appears in TO, CC, orFROM header �elds.

event IdentMail = (MailAccepted &

IMHMessage) OccurredWhen

(MailAccepted.envelope.from ==

"[email protected]") ||

(MailAccepted.envelope.to == "[email protected]") ||

(IMHMessage.header.to == "[email protected]") ||

(IMHMessage.header.cc == "[email protected]") ||

(IMHMessage.header.from == "[email protected]")

The user is responsible for con�guring the identi�-cation module based on the intent and range of thedesired warrant. To simplify matters this code couldbe produced automatically from a high-level GUI orspeci�cation language where it would be describedby a rule like `email for [email protected]'. NERL helpsa technical person determine what this really means.

5.3 Abstraction

We write the Abstraction module as another NERLrecognizer that takes IdentMail, IdentEnvelope

and IdentHeader events from the identi�cation mod-ule and removes information not covered by the war-rant. For instance, if the warrant only covers theTO and FROM �elds in message headers, the AbsMail

event is de�ned as follows.

9

event AbsMail = IdentHeader

WithAttributes {

Absmail.to = IdentHeader.to;

Absmail.from = IdentHeader.from

}

5.4 Implementation details

Finally, the AbsMail event needs to be connectedto the Filter module to deliver the packets coveredby the warrant. OpenWarrants links every high-levelevent at run-time with the packet events that causedit. As events propagate along the NERL recognizersgenerating higher-layer events, this packet informa-tion is carried along. Eventually the packets linkedto the AbsMail event are communicated to the �l-ter, which sends them through for delivery. All otherpackets are dropped. If the warrant requires Escrow,then the packets linked to the IdentMail event aresaved into a �le. Escrow data is sensitive and mustbe protected by encryption.The NERL recognizers described in this section for

aggregation, identi�cation, and abstraction are com-posed and translated to a C monitoring program bythe NERL compiler. When this program is executedon SMTP packet traces it collects warranted packets.

5.5 Design and Analysis of Recogniz-

ers

Designing recognizer modules is the subtle part ofthis kind of surveillance monitor. To study our abil-ity to do this correctly in OpenWarrants we lookedfor open source information about SMTP recognizersin NIDSs. We were unable to �nd rules for recon-structing SMTP messages in Snort (snort.org), themost popular open source NIDS. As mentioned be-fore, Altivore provides �lter rules written in C andclaims to imitate Carnivore. We also tried to con-jecture the kind of rule used in a NIDS like Blac-kICE, based on survey reports [7] and online docu-mentation. We coded these in NERL and they ap-pear in Appendix C. Recognizer A is a transcrip-tion of the rule from Altivore for capturing completeemails with no recognition of message headers. Rec-ognizer N is a more sophisticated stateful analysis likea NIDS might use. Recognizer O is the correspondingmodule from OpenWarrants. Each recognizer ana-lyzes SMTP message events and attempts to identifyemails associated with a suspect.We translated these three NERL recognizers to

Promela and analyzed them using the SPIN model-checker. The SPIN model has three processes: anSMTP client, an SMTP server, and the translated

recognizer. There are two users in the system: thesuspect S and another user U . The client attemptsto deliver a number of emails to the server. Eachemail can be addressed from S or U to one or bothof S and U . The recognizer attempts to captureemails that are sent to or from S. The Linear Tem-poral Logic (LTL) property we checked asserted that,for all client-server interactions in SPIN, the recog-nizer module never captures emails from U to U .Recognizer A fails and SPIN produces a counter-example: A does not correctly handle the case whentwo MailFrom commands are issued by the client. Itcaptures the second email even if it is from U to U .A message sequence chart produced by SPIN for thiscounter-example appears in Figure 11 in Appendix C.To �nd this error, SPIN analyzed 871 states and3135 transitions to produce a counter-example with12 message exchanges. This represents the least num-ber of messages necessary to demonstrate a viola-tion of the LTL property. We then attempted thesame proof for recognizer N. Again SPIN provides acounter-example: when a Data command results inan error response from the server, N fails to noticethis event and captures the next message sent, evenif it is from U to U . A message sequence chart for thiscounter-example appears in Figure 12 in Appendix C.The SPIN counter-example has 16 messages and wasfound after analyzing 1610 states and 9897 transi-tions. Again, this represents the least number ofmessages necessary to demonstrate a violation. Thisdoes not mean that the NIDS rule is incorrect since itwas designed to protect the server not the privacy ofusers. Finally, we checked the property for the Open-Warrants recognizer O. SPIN model-checked this rec-ognizer and found no errors; it analyzed 2330 statesand 18,689 transitions to reach this conclusion.

6 Conclusions

We have introduced a new architecture for packet-mode surveillance and developed a prototype basedon this architecture for monitoring SMTP. Our sys-tem uses a new language that is capable of precise de-scriptions of packets to be monitored. Our architec-ture and implementation provide improved modular-ity and a novel escrow feature that exploits this mod-ularity. We have also demonstrated the value of moreformal treatment of surveillance �lters to improve as-surance of privacy protections. Our work partiallyaddresses concerns with identi�cation, standardiza-tion, and maintenance as described in 2.2. Althoughwe were not able to complete performance experi-ments for OpenWarrants in time for the deadline for

10

this paper, we have tested the performance of NERLon the analysis of some complex routing protocol con-ditions. Monitors derived from the NERL speci�ca-tions could process 10,000 packets per second whilemaintaining state for 50 routing tables. This can becompared to the rates sustained by common packetcapture modules, which have been measured to oper-ate at around 50,000 packets per second [1].Our analysis techniques can complement system-

level checks like those run by IITRI on Carnivore.We were able to exhaustively cover thousands of casesfor the email content monitoring scenario, comparedto couple of tests in the IITRI report that found noerrors. While system-level tests are indispensable,formal analysis can add assurance guarantees to whatthey are likely to establish.

References

[1] Karthikeyan Bhargavan, Satish Chandra, Peter J.McCann, and Carl A. Gunter. What packets maycome: Automata for network monitoring. InProceedings of the Symposium on Principles ofProgramming Languages (POPL'01), pages206{219. ACM Press, January 2001.

[2] Karthikeyan Bhargavan, Carl A. Gunter, MoonjooKim, Insup Lee, Davor Obradovic, Oleg Sokolsky,and Mahesh Viswanathan. Verisim: Formalanalysis of network simulations. IEEE Transactionson Software Engineering, 28(2):129{145, February2002.

[3] William R. Cheswick and Steven M. Bellovin.Firewalls and Internet Security. Addison-Wesley,1994.

[4] M. Crispin. Internet Message Access Protocol -Version 4rev1. Technical Report RFC 2060, IETF,1996.

[5] D. Crocker. Standard for the Format of ARPAInternet Text Messages. Technical Report RFC822, IETF, 1982.

[6] Department of Justice Federal Bureau ofInvestigation CALEA Implementation Section.Flexible Deployment Assistance Guide SecondEdition Packet-Mode Communications, August2001.

[7] NSS Group. Intrusion detection systems - grouptest, December 2001.

[8] Gerard J. Holzmann. Design and Validation ofComputer Protocols. Prentice Hall, 1991.

[9] Gerard J. Holzmann. The Spin Model Checker.IEEE Trans. on Software Engineering,23(5):279{295, May 1997.

[10] J. Klensin. Simple Mail Transfer Protocol.Technical Report RFC 2821, IETF, 2001.

[11] Peter McCann and Satish Chandra. PacketTypes:Abstract Speci�cation of Network Protocolmessages. In ACM Conference of Special InterestGroup on Data Communications (SIGCOMM),August 2000.

[12] MSNBC. FBI's Carnivore hunts in a pack, October2000.http://zdnet.com/com/2100-11-124798.html.

[13] J. Myers and M. Rose. Post OÆce Protocol -Version 3. Technical Report RFC 1939, IETF, 1996.

[14] Jonathan B. Postel. Simple Mail Transfer Protocol.Technical Report RFC 821, IETF, 1982.

[15] Thomas H. Ptacek and Timothy N. Newsham.Insertion, evasion and denial of service: Eludingnetwork intrusion detection. Technical report,Secure Networks, Inc., 1998.

[16] P. Resnick. Internet Message Format. TechnicalReport RFC 2822, IETF, 2001.

[17] Stephen P. Smith, J. Allen Crider, Jr. Henry Perrit,Mengfen Shyong, Harold Krent, Larry L. Reynolds,and Stephen Mencik. Independent review of thecarnivore system - �nal report. Technical report,IIT Research Institute, December 2000.

[18] TIA TR45. Report to the Federal CommunicationsCommission on Surveillance of Packet-ModeTechnologies, September 2000.

[19] TIA/EIA/IS-J-STD-025. Lawfully AuthorizedElectronic Surveillance, December 1997.

[20] TIA/EIA/IS-J-STD-025-A. Lawfully AuthorizedElectronic Surveillance, May 2000.

11

A Internet Mail

Email has for many years been one of the most preva-lent services on the Internet. As a result, the InternetMail Architecture has been closely studied and quiteheavily engineered. To use email, a sender writesa message, addresses it to a recipient, and hands itover to a Mail Transport Agent (MTA) such as Send-mail. Once an email has thus entered the mail sys-tem, the system becomes responsible for deliveringthe message to the recipient or returning an errormessage (via email) to the sender. Senders and re-cipients are users (or administrators) of mail servers,and are often represented by email addresses of theform user@domain, where domainmay be a mail serveranywhere in the Internet.The actual transfer of email across the Internet

is carried out by the MTAs. An MTA is given amessage, and an envelope that contains the senderand recipient email addresses,6 say S@domainA andR@domainB. The MTA then attempts to deliver themessage to the MTA at domainB. If there is no directway to contact the MTA at domainB, the messagemay be delivered to an intermediate relay server thatwould later forward the email to its destination.The protocol that runs between MTAs in order to

carry out the transfer of email is called the SimpleMail Transport Protocol (SMTP) [14, 10]. SMTPuses a TCP session between two MTAs to delivermultiple emails between them. After the TCP ses-sion is established, the SMTP dialogue begins whenthe sender MTA (the client) sends the HELO commandto the recipient MTA (the server), which then sendseither an Ok or an Error response. The client canthen send the next command, and wait for the nextresponse and so on.A typical SMTP session that delivers an email is

given in Figure 9 where C: indicates client commands,and S: indicates server responses. Here, the MTA atdomainA is talking to the MTA at domainB, and inthe �rst 3 lines the two MTAs identify their domains.The client then initiates an email delivery by namingthe sender (S) in a MAIL FROM command, and thennaming the recipient (R) in an RCPT TO command.The client can name multiple recipients for an email,but only one sender. The server can reject the senderor a recipient by sending an error message (line 9).After sending the envelope information, data deliverybegins after the DATA command in Line 10 is acceptedby the server. Lines 12 to 21 contain the message sent

6Envelopes typically contain the complete path that themessage should take to the recipient, or an error messageshould take back to the sender. This path includes the emailaddresses of the sender and receiver.

by the client. Data delivery ends at Line 22 with aspecial line that just has a full stop in it. The clientcan then send another email or close the session witha QUIT.An SMTP client can also issue a RSET command at

any time during a transaction to reinitialize the ses-sion. Similarly, HELO and MAIL commands can alsobe issued at any time to reinitialize the session. Thecomplete SMTP client state machine for these com-mands is shown in Figure 10. In the diagram, tran-

RSET! orHELO! orMAIL!



ERR?

ERR?

ERR?

OK?

RCPT!

mesg!

OK? or ERR?

RCPT!

MAIL!

OK?

HELO!

ERR?

OK? or ERR?

OK?

OK?

OK?

DATA!

DATAEND!

Figure 10: SMTP Client State Machine

sitions are labeled by actions. A! indicates that Ais sent from client to server. B? indicates that B isreceived at client from server. Each OK and ERR re-sponse may span several lines and must be suitablyparsed. The server state machine is symmetric, withthe inputs swapped with the outputs.

1. S: 220 domainB Simple Mail Transfer Service Ready

2. C: HELO domainA

3. S: 250 domainB greets domainA

4. C: MAIL FROM:<S@domainA>

5. S: 250 OK

6. C: RCPT TO:<R@domainB>

7. S: 250 OK

8. C: RCPT TO:<Rsec@domainB>

9. S: 550 No such user here

10. C: DATA

11. S: 354 Start mail input; end with <CRLF>.<CRLF>

12. C: To: "Rob R Roy" <R@domainB>

13. C: From: Sam S Smith <S@domainA>

14. C: Reply-To: "Smith:Personal" <[email protected]>

15. C: Cc: "Roy's Secretary" <Rsec@domainB>,

16. C: "Smith's Secretary" <Ssec@domainA>

17. C: Subject: Saying Hello

18. C: Date: Fri, 21 Nov 1997 11:00:00 -0600

19. C: Message-ID: <[email protected]>

20. C:

21. C: This is a message just to say hello.

22. C: .

23. S: 250 OK

24. C: QUIT

25. S: 221 domainB Service closing transmission channel

Figure 9: Sample SMTP Session

In addition to these commands, SMTP allows theVRFY, EXPN, and HELP commands at any time, to ex-tract information from a server. Newer versions ofSMTP also allow service extensions to the standardprotocol. We do not consider these commands andextensions here since they do not a�ect standard mes-sage delivery.SMTP transfers emails between mail servers.

When an email is delivered to the MTA at the re-cipient domain, it is stored in a mailbox owned bythe recipient on the mail server. The recipient canthen log in to the mail server to check his mailbox.Many users, however, like to read their email on desk-top computers that are not powerful enough to act asmail servers. Protocols such as the Post OÆce Proto-col [13], and the Internet Message Access Protocol [4]enable users to access their mailboxes remotely, withfacilities to download message headers and bodies,and delete them from the mail server. These proto-cols work well for incoming email. In order to sendemail, however, the desktop computer must still useSMTP as a client to hand over messages to the MTAat a mail server.We have described the Internet mail architecture

and the SMTP protocol that delivers email betweenthe MTAs at two mail servers. Internet users, how-ever, never need to be aware of SMTP or even the

MTA at their own server. This is because most mailusers use Mail User Agents (MUAs), such as Lotusor Outlook, that help them to compose, send, andreceive email messages.MUAs give the user a lot more exibility in de-

scribing the attributes of a message. For instance,the sender S can de�ne who the email is From as wellas who the recipient should Reply-to. S can choosewho to address the email To, and who should get acopy (Cc,Bcc). S can even specify the Subject of theemail. All these attributes are included at the begin-ning of an email according to a standardized InternetMessage Format [5, 16]. Although the complete for-mat is quite involved, and has a number of options,a typical Internet message is as shown in Lines 12 to21 in Figure 9.The attributes at the beginning of the message

comprise the message header, separated from the bodyby an empty line. The MUA is responsible for tak-ing such a message and automatically generating theemail envelope by looking at the addresses in the To,Cc, and From �elds.7 It then hands over the completemessage and envelope to an MTA to carry out the ac-tual delivery. When the MTA at the recipient's mail

7[16] describes a number of other �elds that may containaddressing information as well.

server receives the message, the recipient R looks atthe email through his own MUA, which parses themail headers and cleanly presents them.It is important to note, though, that a mail user

need not go through an MUA in order to generate anInternet message. S can type the message in a texteditor, and directly interact with the MTA to deliverthe typed message, according to a speci�ed envelope.So there is no guarantee that the mail headers haveany relation to the actual senders or recipients of amessage. Moreover, since a user can specify an enve-lope to an MTA, the sender and even the recipient inthe envelope may not exist. Some MTAs will refuseto accept messages if they can determine that thesenders or recipients are unknown, but many MTAsdo not have enough information to make this decisionand will accept the messages anyway.In addition to the message formats described in

this section, further structure can be imposed on themessage body, for instance to describe and includeattachments (using MIME), and to authenticate orencrypt the message (using S/MIME).

B Overview of NERL

NERL monitors are written as a number of recog-nizer modules, one for each layer in the protocolstack up to the protocol of interest. For instance, torecognize SMTP events, recognizers are written forIP, TCP and SMTP. Each recognizer takes eventsrecognized at the lower layer and follows the pro-tocol state machine to recognize high-level protocolevents. For instance, the SMTP state machine is de-scribed in the Appendix A. A TCP recognizer must�rst reconstruct each command and response, andthen an SMTP recognizer follows the state machineto recognize events, such as MailAccepted. Addi-tional NERL recognizers may be used for applicationspeci�c processing, such as �ltering MailAccepted

events to recognize IdentMail events that indicateemails sent by a suspect.Each NERL recognizer describes a state machine.

It �rst contains typed declarations of its input andoutput events, and its local state variables. Variablescan contain integers, doubles, bits, bytes, arrays andrecords. Events have typed attributes: a timestamp

attribute indicates the time of occurrence, and otherattributes, such as IP_SRC for IP packets, provideadditional information. After the declarations, therecognizer consists of several event de�nitions, andstate transitions. For instance, a small NERL recog-nizer for the Ping protocol is shown below.

Recognizer Ping =

/* event declarations */

typedef { time timestamp;int seq } pkt;

input event pkt Ping_Request;

input event pkt Ping_Echo;

output event pkt Ping_Responded;

/* state variables */

int last_req;

/* event definitions */

event Ping_Responded = Ping_Echo OccurredWhen

(Ping_Echo.seq==last_req);

/* state transitions */

Ping_Request -> { last_req = Ping_Request.seq };

EndRecognizer

Event de�nitions describe high-level protocolevents in terms of input events. For instance, whenan SMTP client successfully delivers an email to theserver, we say that a high-level event MailAcceptedhas occurred. NERL o�ers several constructsto help de�ne such events. Events can be �l-tered by the OccurredWhen construct: we say thatEv OccurredWhen B occurs when Ev occurs and theboolean condition in B is true. B expresses a conditionon the current state and the attributes of event Ev.For instance, when a server sends an SMTP Ok inresponse to a complete email message, the responsecode must be 250.

event MailResponseOk = ResponseOk Occurredwhen

(ResponseOk.code == 250)

OccurredWhen also enables state speci�c events, byallowing B to express conditions on state variables.For instance, the MailAccepted event occurs when aresponse is received in the DATAEND state.

event MailAccepted = MailResponseOk OccurredWhen

(state == DATAEND)

Events are correlated by the disjunction (|), conjunc-tion (&), and implication (=>) operators. Note thatNERL does not have event negation, because the ab-sence of an event is not an event; it is a conditionthat can only be indicated by another event such asa timer expiry event. These have the usual meaning:Ev1 | Ev2 occurs when one of the two events occurs,and so on. For instance, an SMTP session must bereinitialized when any of the three input events RSET,HELO, MAIL occur in a transaction:

event SessionReInit = RSET | HELO | MAIL

Finally, we can use the WithAttributes construct toassign attributes to an event. For instance, when a

successful email transfer is detected (MailAccepted),we may want to tag the envelope and message withthe event.

event MailAccepted = MailResponseOk OccurredWhen

(state == DATAEND)

WithAttributes {

MailAccepted.envelope.from = sender;

MailAccepted.envelope.to = receiver;

MailAccepted.message = data

}

State Transitions are triggered by events, and con-sist of updates to state variables. The usual arith-metic and boolean operations can be performed onstate variables. We allow while loops for updatingarrays, and for complex computation. Conditionalsare expressed as if: : :then: : :else expressions. How-ever, most transitions simply consist of assignmentstatements. For instance, the transition triggered bythe SMTP MailFrom command updates the controlstate of the machine, and stores the sender's emailaddress in a state variable.

MailFrom -> { state = MAIL;

sender = MailFrom.address }

NERL is strongly-typed. The NERL type-checkerenforces that arithmetic and boolean operators canonly be applied to expressions of the appropriatetypes. It points out the usage of undeclared variables,event attributes, and record �elds. For safety, ev-ery array indexing operation is guarded by an array-bounds check at run-time. Finally, the type-checkerenforces several scoping rules. For instance, inevent x = Ev WithAttributes S, the statementsin S can only refer to event variables that are men-tioned in Ev. The type-checker is quite useful in �nd-ing simple errors that occur while transcribing longstate machines.

C SMTP Recognizers

C.1 Altivore

Recognizer A

bit state;

#define parsing_envelope 0

#define parsing_message 1

bool do_filter;

emailAddr suspect;

string message;

input event {emailAddr address} MailFrom;

input event {emailAddr address} RcptTo;

input event basic Data;

input event {string line} DataLine;

input event basic DataEnd;

output event {string message} IdentMail;

Init -> {

state = parsing_envelope;

do_filter = false;

message = "";}

MailFrom OccurredWhen

(state == parsing_envelope) &&

(MailFrom.address == suspect) -> {

do_filter = true;}

RcptTo OccurredWhen


(RcptTo.address == suspect) -> {

do_filter = true;}

Data OccurredWhen


(do_filter == true)-> {

state = parsing_message;}

DataLine OccurredWhen

(state == parsing_message) -> {

concat(message,DataLine.line);}

event IdentMail = DataEnd OccurredWhen

(state == parsing_message)

WithAttributes {

IdentMail.message = message}

DataEnd OccurredWhen

(state == parsing_message) -> {

state = parsing_envelope;

do_filter = false;

message = ""}

EndRecognizer

C.2 NIDS

Recognizer N

int state;

#define clear 0

#define mail_done 1

#define rcpt_done 2

#define data_done 3

bool do_filter;

emailAddr suspect;

string message;







event {emailAddr address} MF;

event {emailAddr address} RT;

Init -> {

state = clear;

do_filter = false;

message = "";}

event MF = MailFrom OccurredWhen

(state != data_done);

MF -> {

state = mail_done;

do_filter = false;}

MF OccurredWhen

(MailFrom.address == suspect) -> {

do_filter = true;}

event RT = RcptTo OccurredWhen

(state == mail_done) ||

(state == rcpt_done);

RT -> {state = rcpt_done}

RT OccurredWhen

(RcptTo.address == suspect) -> {

do_filter = true;}

Data OccurredWhen

(state == rcpt_done) &&

(do_filter == true) -> {

state = data_done;}

Data OccurredWhen


(do_filter == false) -> {

state = clear;}


(state == data_done) -> {


event IdentMail = DataEnd OccurredWhen

(state == data_done)

WithAttributes {

IdentMail.message = message }



state = clear;

message = "";

do_filter = false }

EndRecognizer

C.3 OpenWarrant

Recognizer O

int state;

#define clear 0

#define mail_wait 1

#define mail_done 2

#define rcpt_wait 3

#define rcpt_done 4

#define data_wait 5

#define data_done 6

#define dataend_wait 7

bool some_rcpt;

bool sender_matched;

bool recipient_matched;

bool last_recipient_matched;

emailAddr suspect;

string message;







event {emailAddr address} MF;

event {emailAddr address} RT;

Init -> {

state = clear;

sender_matched = false;

recipient_matched = false;

last_recipient_matched = false;

some_rcpt = false;

message = "";}

event MF = MailFrom OccurredWhen

(state != data_done);

MF -> {

state = mail_wait;



last_recipient_matched = false;

message = null;}

MF OccurredWhen

(MF.address == suspect) -> {

sender_matched = true;}

ResponseOk OccurredWhen

(state == mail_wait) -> {

state = mail_done;}

ResponseErr OccurredWhen

(state == mail_wait) -> {

state = clear;

sender_matched = false;}

event RT = RcptTo OccurredWhen

(state == mail_done) ||

(state == rcpt_done);

RT -> {state = rcpt_wait}

RT OccurredWhen

(RT.address == suspect) -> {

last_recipient_matched = true;}


(state == rcpt_wait) -> {

state = rcpt_done;

some_rcpt = true;

recipient_matched = (recipient_matched

|| last_recipient_matched);

last_recipient_matched = false;}


(state == rcpt_wait) -> {

if (some_rcpt = false)

then state = mail_done

else state = rcpt_done;

last_recipient_matched = false;}

Data OccurredWhen


((sender_matched == true) ||

(recipient_matched == true)) -> {

state = data_wait;}

Data OccurredWhen


((sender_matched == false) &&

(recipient_matched == false)) -> {

state = clear;



some_rcpt = false;}


(state == data_wait) -> {

state = data_done;}


(state == data_wait) -> {

state = clear;



some_rcpt = false;}






state = dataend_wait;}

event IdentMail = ResponseOk OccurredWhen

(state == dataend_wait)

WithAttributes {

IdentMail.message = message }

(ResponseOk | ResponseErr) OccurredWhen

(state == dataend_wait) -> {

state = clear;



some_rcpt = false;

message = "";}

EndRecognizer

client:014

monitor:115

1!hello

17

server:218

2!hello

20

213!ack

25

261!mailA

30

312!mailA

35

363!ack

38

391!mailB

43

442!mailB

46

473!ack

49

501!rcptB

52

532!rcptB

55

563!ack

58

591!data

61

622!data

66

673!ack

71

721!bbb

74

752!bbb

81

821!dataend

8383

83

Figure 11: Violation in SMTP Recognizer A

client:014

monitor:115

1!hello

17

server:218

2!hello

20

213!ack

25

261!mailA

30

312!mailA

35

363!ack

38

391!rcptA

41

422!rcptA

46

473!ack

49

501!data

52

532!data

57

583!error

62

631!mailB

67

682!mailB

74

753!ack

77

781!rcptB

80

812!rcptB

87

883!ack

90

911!data

93

942!data

100

1013!ack

105

1061!bbb

108

1092!bbb

115

1161!dataend

117117

117

Figure 12: Violation in SMTP Recognizer B

network event recognition for packet-mode - cis home page

Documents