Early filter catches the worm

Abstract

Most of today’s computing systems are connected to the network and they constantly communicate with each other using standardized protocols. The protocols’ detailed specifications are open to the public, and many applications based on those protocols are open-sourced, like the OpenSSL project. Unfortunately, there have been continuous attempts to find and exploit vulnerabilities in such applications and Heartbleed is a striking example. Heartbleed shows open protocol standards and their applications are under the risk of a zero-day vulnerability, and that addresses the necessity of defense mechanisms. We propose to use protocol dialect to address the problem. Protocol dialect is a revised version of the existing protocol to encode additional information in the protocol using pre-established secrets. The goal of protocol dialect is to reject communication attempts made by unauthorized users who do not speak our dialect. The protocol dialect should be located at the earliest stage possible of a connection to reduce the risk surface. We define two techniques to convert a protocol into dialect: nonce encoding and order shuffle. Also, we propose two network protocol dialect prototypes. Then we present DialectFilter, a system that uses the proposed protocol dialects to filter out unauthorized packets. We protected the pre-established secrets used in protocol dialects with Intel Software Guard Extensions (SGX). We show that DialectFilter provides security measures against possible zero-day vulnerability.