Title :
Luth: Composing and Parallelizing Midpoint Inspection Devices
Author :
Alberdi, Ion ; Nicomette, Vincent ; Owezarski, Philippe
Author_Institution :
LAAS, CNRS, Toulouse, France
Abstract :
The race for innovation is driving Internet evolution. Internet software developers have to create more complex systems while enduring time-to-market pressure. Therefore, end-host software has bugs and vulnerabilities and cannot be trusted. That's why, among others, network Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls and other network devices monitor such software to prevent unexpected behaviors. However, their functionality is limited by design, because they can only handle a configuration of predefined monolithic protocol layerings. In this paper we present Luth, a midpoint inspection device that relies on the composition and parallelization of predefined midpoint inspectors (MI). We present the main functionalities offered by its configuration language and interpreter. Finally, we benchmark a prototype implemented in OCaml. This prototype runs in the user space of a GNU/Linux operating system by means of the libnetfilter_queue library. We show how it efficiently inspects and filters DNS hidden channels encapsulated into 20 GRE tunnels.
Keywords :
Internet; Linux; authorisation; program interpreters; protocols; DNS hidden-channels; GNU; Internet evolution; Internet software developers; Linux operating system; Luth; OCaml; configuration language; firewall; interpreter; intrusion prevention system; libnetfilter_queue library; midpoint inspection devices composition; midpoint inspection devices parallelization; monolithic protocol layering; network intrusion detection system; Encapsulation; Inspection; Internet; Operating systems; Protocols; Servers; Firewall; IDS; IPS; Internet;
Conference_Titel :
Network and System Security (NSS), 2010 4th International Conference on
Conference_Location :
Melbourne, VIC
Print_ISBN :
978-1-4244-8484-3
Electronic_ISBN :
978-0-7695-4159-4
DOI :
10.1109/NSS.2010.44