Our DSL uses security assertions to express properties that packets must have to be allowed through the network (e.g., “IMAP packet contains no executable attachment” or “SQL reply contains only explicitly permitted columns”), along with remedies that either reject or rewrite undesirable packets. We present the first declarative language for application-level network filtering, developed at Advenica AB. Existing application-level filters express their filtering rules in general-purpose languages, which limits the correctness guarantees available for them.
Application-level packet filtering is a technique for network access control in which an “application-level gateway” intercepts network packets at the application level (e.g., HTTP, FTP), scans them for security concerns and optionally logs, rewrites or discards them.
0 kommentar(er)
