CUJO - Safe Browsing with Lua - Lourival Vieira Neto - PowerPoint PPT Presentation



SLIDE 1

CUJO - Safe Browsing with Lua

Lourival Vieira Neto <lourival.neto@getcujo.com>

SLIDE 2

Introduction

➔ CUJO
  ◆ Smart Firewall
  ◆ Safe Browsing
  ◆ Parental Controls

SLIDE 3

Introduction

➔ CUJO Firmware Team
  ◆ Gabriel Ligneul
  ◆ Iruatã Souza
  ◆ Katia Fernandes
  ◆ Linas Nenorta
  ◆ Lourival Vieira Neto
  ◆ Marcel Moura
  ◆ Savio Barbosa
  ◆ Tadeu Bastos
  ◆ Pedro Tammela

SLIDE 4

Introduction

➔ Lunatik
  ◆ Lua in the Linux Kernel
  ◆ "Scriptable Operating Systems with Lua", Vieira Neto, L., Ierusalimschy, R., de Moura, A.L. and Balmer, M.
➔ Luadata
  ◆ "Zero-copy"
➔ NFLua
  ◆ Netfilter Binding

SLIDE 5

➔ Components
  ◆ [Architecture diagram spanning kernel and user space: NIC Driver, Netfilter, NFLua, Luadata (zero copy), Lunatik, Iptables, Safe Browsing Agent, threatd, Luajson, Cloud]
  ◆ Lua filter scripts: nf.lua, nf_http.lua, nf_ssl.lua, nf_threat.lua, nf_safebro.lua

SLIDE 6-8

[Architecture diagram as on slide 5, with the configuration path highlighted]

➔ Configuration
  ◆ safebro.json → Lua chunk → Load config

SLIDE 9

Safe Browsing

➔ Configuration

# cat nf_{threat,safebro,http,ssl}.lua > /proc/nf_lua
# iptables -A FORWARD -p tcp --dport 80 --tcp-flags PSH PSH \
    -m lua --function nf_http -j DROP
# iptables -A FORWARD -p tcp --dport 443 --tcp-flags PSH PSH \
    -m lua --function nf_ssl -j REJECT --reject-with tcp-reset

SLIDE 10

Safe Browsing

➔ Configuration

threatd.lua

SLIDE 11

Safe Browsing

➔ Configuration

xt_lua.c

SLIDE 12

Safe Browsing

➔ Configuration

nf_safebro.lua

SLIDE 13-18

[Architecture diagram as on slide 5, with the filter flow highlighted]

➔ Filter
  ◆ First data packet (TCP PSH) enters nflua_match
  ◆ Cached? No: Hot drop, then Lookup → Reputation/Category (Cloud) → Decision → Add to cache
  ◆ TCP retransmission enters nflua_match
  ◆ Cached? Yes: Accept / Block page → TCP reply
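The filter flow above, simulated in Python as an added example (this is not CUJO's nf_safebro.lua, which the page does not reproduce): on a cache miss the first PSH packet is dropped while the reputation lookup runs, and the client's TCP retransmission is answered from the cache. The cloud service, the category names and the assumption that the lookup completes before the retransmission are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Verdicts the match function can give for one packet.
DROP, ACCEPT, BLOCK_PAGE = "DROP", "ACCEPT", "BLOCK_PAGE"


@dataclass
class SafebroFilter:
    """Per-packet decision modelled on the nflua_match flow of the slides."""
    lookup: Callable[[str], Optional[str]]   # hypothetical cloud query: host -> category, None while pending
    blocked: frozenset = frozenset({"malware", "phishing"})  # assumed policy
    cache: Dict[str, str] = field(default_factory=dict)      # host -> final verdict

    def match(self, host: str) -> str:
        """Verdict for one TCP PSH packet carrying a request for `host`."""
        if host in self.cache:                 # Cached? Yes: fast path
            return self.cache[host]
        category = self.lookup(host)           # Cached? No: Reputation/Category lookup
        if category is None:                   # answer not back yet: hot drop; the
            return DROP                        # client's retransmission retries later
        verdict = BLOCK_PAGE if category in self.blocked else ACCEPT
        self.cache[host] = verdict             # Add to cache for the retransmission
        return verdict


class FakeCloud:
    """Constructed stand-in for the reputation service: the first query for a
    host returns None (lookup in flight); later queries return its category,
    mimicking an answer that arrives before the TCP retransmission."""
    def __init__(self, reputation: Dict[str, str]):
        self.reputation = reputation
        self.asked: Set[str] = set()

    def lookup(self, host: str) -> Optional[str]:
        if host not in self.asked:
            self.asked.add(host)
            return None
        return self.reputation.get(host, "unknown")


def first_request(flt: SafebroFilter, host: str) -> List[str]:
    """Verdicts seen by the first PSH packet and by its retransmission."""
    return [flt.match(host), flt.match(host)]


if __name__ == "__main__":
    cloud = FakeCloud({"bad.example": "malware", "news.example": "news"})  # constructed data
    flt = SafebroFilter(cloud.lookup)
    print(first_request(flt, "bad.example"))    # ['DROP', 'BLOCK_PAGE']
    print(first_request(flt, "news.example"))   # ['DROP', 'ACCEPT']
    print(flt.match("news.example"))            # ACCEPT, served from cache
```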

SLIDE 19

Safe Browsing

➔ Filter

xt_lua.c

SLIDE 20

Safe Browsing

➔ Filter

xt_lua.c

SLIDE 21

Safe Browsing

➔ Filter

nf_http.lua

SLIDE 22

Safe Browsing

➔ Filter

nf.lua

SLIDE 23

Safe Browsing

➔ Filter

nf_ssl.lua

SLIDE 24

Safe Browsing

➔ Filter

nf_ssl.lua

SLIDE 25

Safe Browsing

➔ Filter

nf_http.lua

SLIDE 26

Safe Browsing

➔ Filter

Block page

SLIDE 27

Why Lua?

➔ Extensible Extension Language
  ◆ Embeddable and Extensible
  ◆ C Library
➔ Almost Freestanding
➔ Small Footprint
  ◆ ~250 KB
➔ Fast
➔ MIT License

SLIDE 28

Why Lua?

➔ Ease of Development
  ◆ High-level Language
  ◆ Dynamically Typed
  ◆ Domain-specific API

SLIDE 29

Why Lua?

➔ Safety
  ◆ Automatic Memory Management
  ◆ Protected Call
  ◆ Fully Isolated States
  ◆ Cap the Number of Executed Instructions
  ◆ Test Suite

SLIDE 30

Why Lua?

➔ Security

  ◆ A single vulnerability disclosed since 1993

SLIDE 31

Benchmarks

➔ Tinyproxy
  ◆ ~150 Mbps
  ◆ CPU Bound
➔ NFLua
  ◆ Slow Path: ~500 Mbps
  ◆ Fast Path: ~750 Mbps
  ◆ Not CPU Bound
➔ Bypass
  ◆ ~890 Mbps
➔ Online Units: ~5.5 k