Application firewalls monitor the traffic of individual programs on a user's PC and block unwanted communications by inspecting packet contents, usually while letting the user edit rules interactively.
Conventional application firewalls cannot inspect encrypted packets, so they are ineffective against encrypted communications, even though most services on the Internet today encrypt the connections to their users.


This paper describes an implementation method for an application firewall that can decrypt payloads by using virtualization technologies.
The proposed method creates a virtual environment for each application and monitors that application's network traffic with a packet filter attached to a bridge interface.
The virtual environment is provided by a virtual machine monitor (VMM).
A program running in userspace interacts with the user and lets the user edit firewall rules through a terminal user interface (TUI).
This program recovers cleartext from the encrypted traffic using the shared keys obtained from the virtual environment, and it coordinates the packet filter by maintaining the filter's rule table on demand.


Based on the proposed method, we developed an application firewall that decrypts encrypted traffic in order to filter the flows that carry unwanted content.
The firewall consists of three main parts: Docker as the VMM, an eBPF program as the packet filter, and a program running in userspace.
The latter two programs are written in Rust and are expected to work on Linux systems that support attaching eBPF programs to network interfaces as Traffic Control (TC) classifiers.
Each instance of the eBPF program handles one packet captured on the network interface corresponding to an application and decides whether to accept it.
The rules for the packet filter, and the packets for which no rule exists yet, are shared between the two programs via BPF maps.
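To make the division of labour between the two programs concrete, the following is an added illustration in plain Rust, not code from the paper or its firewall. It models the classifier side (one call per packet: look the flow up in a rule map, or copy the packet to a pending map when no rule exists) and the userspace side (drain the pending map, recover the cleartext, apply content rules, and install a flow rule so later packets of that flow are decided in the kernel). The flow-key fields, the TC action applied to a flow that has no rule yet, the content-rule format, the default verdict, and the sample payload and session key are all assumptions made for the example; the `decrypt` function is a repeating-key XOR stand-in for recovering plaintext with a key exported from the container, not a TLS implementation. Docker, which the paper calls the VMM, provides containers rather than a hardware virtual machine monitor; that does not change the model below.

```rust
use std::collections::{HashMap, VecDeque};

// Linux TC action codes a classifier returns (include/uapi/linux/pkt_cls.h).
pub const TC_ACT_OK: i32 = 0;
pub const TC_ACT_SHOT: i32 = 2;

/// Flow key an eBPF classifier would parse from the IPv4/TCP header of a
/// packet seen on the bridge interface of one application's container.
/// (Field choice is an assumption for this example.)
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct FlowKey {
    pub dst_ip: [u8; 4],
    pub dst_port: u16,
    pub proto: u8, // 6 = TCP, 17 = UDP
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    Drop,
}

/// Stand-in for the two BPF maps shared between the classifier and userspace:
/// a hash map of per-flow rules and a queue of packets that matched no rule.
#[derive(Default)]
pub struct SharedMaps {
    pub rules: HashMap<FlowKey, Verdict>,
    pub pending: VecDeque<(FlowKey, Vec<u8>)>,
}

/// Kernel side: one classifier invocation per packet. A flow with a rule gets
/// that rule's TC action; a flow without one is copied to the pending map for
/// userspace and gets `unknown_action` (what to do meanwhile is an assumption).
pub fn classify(maps: &mut SharedMaps, key: FlowKey, pkt: &[u8], unknown_action: i32) -> i32 {
    match maps.rules.get(&key) {
        Some(Verdict::Accept) => TC_ACT_OK,
        Some(Verdict::Drop) => TC_ACT_SHOT,
        None => {
            maps.pending.push_back((key, pkt.to_vec()));
            unknown_action
        }
    }
}

/// A content rule evaluated in userspace on the decrypted payload (assumed format).
pub struct ContentRule {
    pub needle: &'static [u8],
    pub verdict: Verdict,
}

/// Stand-in for recovering cleartext with a session key exported from the
/// virtual environment. A real implementation derives TLS record keys; a
/// repeating-key XOR keeps this example self-contained and symmetric.
pub fn decrypt(session_key: &[u8], ciphertext: &[u8]) -> Vec<u8> {
    assert!(!session_key.is_empty(), "session key must not be empty");
    ciphertext.iter().zip(session_key.iter().cycle()).map(|(c, k)| c ^ k).collect()
}

fn contains(haystack: &[u8], needle: &[u8]) -> bool {
    !needle.is_empty() && haystack.windows(needle.len()).any(|w| w == needle)
}

/// Userspace side: drain the pending map, decrypt each payload, apply the
/// content rules and install a per-flow rule so that later packets of the
/// same flow are decided by the classifier alone. Flows matching no content
/// rule receive `default_verdict` (an assumption; the paper lets the user decide via the TUI).
pub fn resolve_pending(
    maps: &mut SharedMaps,
    session_key: &[u8],
    content_rules: &[ContentRule],
    default_verdict: Verdict,
) -> Vec<(FlowKey, Verdict)> {
    let mut installed = Vec::new();
    while let Some((key, pkt)) = maps.pending.pop_front() {
        if maps.rules.contains_key(&key) {
            continue; // an earlier packet of this flow already produced a rule
        }
        let plaintext = decrypt(session_key, &pkt);
        let verdict = content_rules
            .iter()
            .find(|r| contains(&plaintext, r.needle))
            .map(|r| r.verdict)
            .unwrap_or(default_verdict);
        maps.rules.insert(key, verdict);
        installed.push((key, verdict));
    }
    installed
}

fn main() {
    // Constructed sample: one HTTPS flow whose first request fetches a tracker script.
    let mut maps = SharedMaps::default();
    let session_key = b"example-session-key"; // would come from the container
    let flow = FlowKey { dst_ip: [203, 0, 113, 10], dst_port: 443, proto: 6 };
    let ciphertext = decrypt(session_key, b"GET /ads/tracker.js HTTP/1.1"); // XOR is symmetric
    let first = classify(&mut maps, flow, &ciphertext, TC_ACT_SHOT);
    let content_rules = [ContentRule { needle: b"/ads/", verdict: Verdict::Drop }];
    let installed = resolve_pending(&mut maps, session_key, &content_rules, Verdict::Accept);
    let second = classify(&mut maps, flow, &ciphertext, TC_ACT_SHOT);
    println!("first packet: action {first}; installed {installed:?}; second packet: action {second}");
}
```

In a real deployment the classifier object is attached with `tc qdisc add dev <bridge> clsact` followed by `tc filter add dev <bridge> ingress bpf da obj <prog>.o`, and the two maps are pinned so the userspace program can open them; those steps, and the actual TLS key export and record decryption, are outside this model.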


Experimental results show that the proposed method monitors encrypted traffic without significant performance loss, and is therefore feasible in current environments consisting of PCs connected to the Internet.