Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data

Tuesday, November 29, 2016 - 2:30pm
CS 1240

Speaker Name: Robin Sommer

Speaker Institution: International Computer Science Institute

Deep packet inspection systems must efficiently process large volumes
of wire format network data from untrusted sources. It remains
challenging, however, to implement robust parsers manually for the
potpourri of formats that networks carry today. This talk presents a
novel open-source framework, Spicy, for dissecting a broad range of
wire format data. Spicy offers a custom format specification language
that can express syntax and semantics of both protocols and file
formats; and it comes with a compiler toolchain that generates
efficient and robust native parsing code from these specifications. We
will discuss Spicy's design and implementation, and demonstrate a set
of Spicy-based parsers chained into a dynamic stack processing raw
packets all the way up to application-layer content -- all inside the
system's unified processing model. Overall, this work provides a new
capability for developing powerful, robust, and reusable parsers that
a variety of DPI applications can leverage.

Robin Sommer is a Senior Researcher at the International Computer
Science Institute (ICSI), Berkeley. He is also the CTO of Corelight, a
recent network security startup; and he is a member of the
cyber-security team at Lawrence Berkeley National Laboratory. Robin's
research focuses on network security and privacy, with a particular
emphasis on high-performance network monitoring in operational
settings. At ICSI, Robin is leading the team developing the Bro
open-source network security monitor. At Corelight, he's building
Bro-based security appliances for enterprise environments. Robin holds
a doctorate from TU München, Germany.