Bringing L7 firewalls to kernel space
In recent years, attacks like HTTP/2 Rapid Reset have become more common. Unlike a SYN flood, these attacks operate at the application layer. To defend against them, a firewall has to parse the application-layer headers and payload to identify potential threats. In the literature, this is called deep packet inspection.
Deep packet inspection is typically deployed in userspace, as the examples of ModSecurity and Coraza show. However, deploying an L7 firewall in kernel space could have considerable benefits. First, from a security point of view, it’s safer to drop potentially dangerous packets as early as possible. Second, it’s more performant to drop packets in kernel space, especially during a coordinated attack.
But deploying an L7 firewall in kernel space is no easy feat. More specifically, kernel modules are difficult to maintain without risking system failures. That’s where eBPF comes in! It’s a new, C-based programming model that makes it possible to extend the kernel with custom functionality in a safe way.
To sum it up: this project explores the feasibility of L7 firewalls in the kernel. It studies the minimal requirements for such a firewall to be effective, the limitations imposed by the kernel, as well as the potential benefits.
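As an added illustration, not part of the project description, here is the kind of per-packet check an in-kernel L7 firewall has to make, written in plain C so it runs without a kernel. The policy and the function names are assumptions standing in for a real rule set, but the fixed inspection window and the explicit bounds check before every packet access are exactly the shape the eBPF verifier requires.

```c
#include <stdint.h>
#include <string.h>
#define MAX_INSPECT 128  /* fixed inspection window: eBPF loops must be provably bounded */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };
/* Compare n bytes at p with s, but only if [p, p+n) lies inside the packet;
 * the eBPF verifier rejects any packet access that is not guarded like this. */
static int bounded_eq(const uint8_t *p, const uint8_t *end, const char *s, size_t n)
{
    if ((size_t)(end - p) < n) return 0;
    return memcmp(p, s, n) == 0;
}

/* Inspect the start of a TCP payload as an HTTP/1.x request line. data/data_end
 * mirror the packet bounds an XDP or TC program receives. The policy is a
 * hypothetical stand-in for a Seclang rule set: drop unknown methods (this also
 * catches non-HTTP bytes), drop a "../" traversal sequence in the request-target,
 * and drop a target that is not complete within MAX_INSPECT bytes of this packet. */
enum verdict inspect_http_request(const uint8_t *data, const uint8_t *data_end)
{
    static const struct { const char *m; size_t n; } allowed[] = {
        {"GET ", 4}, {"POST ", 5}, {"HEAD ", 5}, {"PUT ", 4}, {"DELETE ", 7},
    };
    size_t method_len = 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (bounded_eq(data, data_end, allowed[i].m, allowed[i].n)) {
            method_len = allowed[i].n;
            break;
        }
    }
    if (method_len == 0) return VERDICT_DROP;
    /* bounded_eq above proved data + method_len <= data_end, so p is in bounds. */
    const uint8_t *p = data + method_len;
    for (size_t i = 0; i < MAX_INSPECT; i++) {
        if ((size_t)(data_end - p) <= i) return VERDICT_DROP;  /* packet ended first */
        uint8_t c = p[i];
        if (c == ' ' || c == '\r' || c == '\n') return VERDICT_PASS;  /* clean end */
        /* Raw "../" only; a real rule set would percent-decode the target first. */
        if (c == '.' && bounded_eq(p + i, data_end, "../", 3)) return VERDICT_DROP;
    }
    return VERDICT_DROP;  /* target longer than the inspection window */
}

/* Wrapper for NUL-terminated sample payloads (constructed inputs for demonstration). */
int inspect_cstr(const char *payload)
{
    const uint8_t *d = (const uint8_t *)payload;
    return inspect_http_request(d, d + strlen(payload));
}
```

A request line split across TCP segments reaches this function truncated and is dropped by the policy above; per-packet inspection cannot reassemble a stream, which is one of the kernel-side limitations the project sets out to study.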
Milestones
- Get familiar with L7 firewalls and Seclang (a language typically used to configure L7 firewalls)
- Prototype of an eBPF program that transforms HTTP requests to SQL queries
- Performance analysis of the new request scheme
Requirements
- Programming languages: Rust or Go, and basic knowledge in C (for eBPF)
- Experience with low-level programming or network programming
- Critical and independent thinking