Method to evaluate low level network student's programs, without sending actual data











up vote
3
down vote

favorite












What I want to achieve/Context

I am currently trying to find a method to evaluate (automatically) students programs here at our school.
Students have to code low level networking programs in C, that perform network attacks (without using libraries, just raw sockets). Some of these projects among others include: an ARP_spoofing, an IDLE_port_scanning, and a network_analyser program.
I am aware that by evaluating some of those projects, we might accidentally disrupt services and/or perform unwanted attacks in segments of the network where we do not have authority, and we really do not want that to happen. Therefore, our objective is to find a method, to evaluate those projects in a secure manner, while blocking outbound traffic that could potentially harm other systems.



It is to be noted though, that not all programs act like the network_analyser one and that some of those programs might send a frame, analyse the response and accordingly, send back another specific frame based on that response.
A simple example would be the ARP_spoofing program where in the beginning it broadcasts a message asking for the MAC address of the victim in order to send correct spoofed packets later.
Therefore, in most of those projects, we need to have some sort of interaction with a host/entity that (potentially checks the frame) and answers back, while avoiding sending actual data to the network and eventually breaking things.



What I tried

I tried to find a solution to this problem while taking into account an existing architecture that we use to evaluate other projects. The current "architecture" is composed of a single Fedora 28 machine and this one is running inside a docker container, and all project evaluation happen on that machine.



Therefore, the solution that I immediately thought about this problem is to spawn 2 programs on the Userspace of that machine and make them communicate between them via the kernel. The first will be the program of the student (e.g. ARP_spoofing); let's name this process "X". The second process, let's name it "responder/validator", is a program that tries to "simulate" a network stack or simply enough - to be more precise - it is a program that just answers back to specific packets it receives. The communication (of course) needs to go from one program to the other program and vice versa but never send data to the same process.
Those programs can communicate between them via an L2 virtual network Kernel interface (TUN).
By using such an interface, I can copy data from the raw socket to the TUN interface and see the contents of the packet that I am sending (from the Userspace) back to Userspace (and, not related, but also random network packets that come into that socket). I tested a similar implementation of this gist https://gist.github.com/vi/3629756, and it seems to work.



It is to be noted that we can not just make the 2 processes communicate between them. The student's program must be working and be able to implement the attack correctly, when not testing on our testing environment (that is, spawn a raw socket and write into it correctly). The idea was to make half of the validation by the Kernel and the other half by the Userspace without having to actually send the packets (and provoke damages).



Apart from copying data (that arrives from the Userspace) from the raw interface on to the TUN interface (to transmit it back to the Userspace), I also tried to block those outbound packets before copying them to the TUN interface by using iptables but did not had any luck. Unless I am mistaken, raw sockets operate at a lower level than iptables inside the Kernel, therefore (regarding raw sockets), we might be able to apply rules to the inbound traffic but not to outbound traffic.



The problem

The problem that has arisen with this solution so far, (apart from the fact that I still haven't blocked outbound traffic,) it seems that I can not distinguish in the Userspace if it is "X" or "responder/validator" that sent the packet earlier from the userspace. I guess that if I had this opportunity, I would be able to drop that packet in one of the two processes while dissect/analyse it in the other/correct one. That way, I will be able to send from one process to the other one while passing by the Kernel. At this point, with hopes of fixing this, I thought of perhaps adding a personalised header in front of the packet, each time before sending it into the "loop" (userspace->raw socket->TUN interface->userspace).
But I am afraid that this solution might not work as the packet will not be valid, and the raw socket will drop at some point this packet.
Or this could perhaps help my problem: being able to distinguish in the Userspace whose turn it is to receive and send back to the other process and also drop outbound traffic (since the Ethernet frame will be destroyed) ?



I am really confused at this point. I am not fully sure if the above method, which I am trying to put in place, can truly work. Can I achieve more or less the same result with a simpler solution? Am I going towards the wrong direction?
If you have completely different solutions than the one I tried for this problem, you are more than welcome (even if that does not respect our current testing "architecture").










share|improve this question


























    up vote
    3
    down vote

    favorite












    What I want to achieve/Context

    I am currently trying to find a method to evaluate (automatically) students programs here at our school.
    Students have to code low level networking programs in C, that perform network attacks (without using libraries, just raw sockets). Some of these projects among others include: an ARP_spoofing, an IDLE_port_scanning, and a network_analyser program.
    I am aware that by evaluating some of those projects, we might accidentally disrupt services and/or perform unwanted attacks in segments of the network where we do not have authority, and we really do not want that to happen. Therefore, our objective is to find a method, to evaluate those projects in a secure manner, while blocking outbound traffic that could potentially harm other systems.



    It is to be noted though, that not all programs act like the network_analyser one and that some of those programs might send a frame, analyse the response and accordingly, send back another specific frame based on that response.
    A simple example would be the ARP_spoofing program where in the beginning it broadcasts a message asking for the MAC address of the victim in order to send correct spoofed packets later.
    Therefore, in most of those projects, we need to have some sort of interaction with a host/entity that (potentially checks the frame) and answers back, while avoiding sending actual data to the network and eventually breaking things.



    What I tried

    I tried to find a solution to this problem while taking into account an existing architecture that we use to evaluate other projects. The current "architecture" is composed of a single Fedora 28 machine and this one is running inside a docker container, and all project evaluation happen on that machine.



    Therefore, the solution that I immediately thought about this problem is to spawn 2 programs on the Userspace of that machine and make them communicate between them via the kernel. The first will be the program of the student (e.g. ARP_spoofing); let's name this process "X". The second process, let's name it "responder/validator", is a program that tries to "simulate" a network stack or simply enough - to be more precise - it is a program that just answers back to specific packets it receives. The communication (of course) needs to go from one program to the other program and vice versa but never send data to the same process.
    Those programs can communicate between them via an L2 virtual network Kernel interface (TUN).
    By using such an interface, I can copy data from the raw socket to the TUN interface and see the contents of the packet that I am sending (from the Userspace) back to Userspace (and, not related, but also random network packets that come into that socket). I tested a similar implementation of this gist https://gist.github.com/vi/3629756, and it seems to work.



    It is to be noted that we can not just make the 2 processes communicate between them. The student's program must be working and be able to implement the attack correctly, when not testing on our testing environment (that is, spawn a raw socket and write into it correctly). The idea was to make half of the validation by the Kernel and the other half by the Userspace without having to actually send the packets (and provoke damages).



    Apart from copying data (that arrives from the Userspace) from the raw interface on to the TUN interface (to transmit it back to the Userspace), I also tried to block those outbound packets before copying them to the TUN interface by using iptables but did not had any luck. Unless I am mistaken, raw sockets operate at a lower level than iptables inside the Kernel, therefore (regarding raw sockets), we might be able to apply rules to the inbound traffic but not to outbound traffic.



    The problem

    The problem that has arisen with this solution so far, (apart from the fact that I still haven't blocked outbound traffic,) it seems that I can not distinguish in the Userspace if it is "X" or "responder/validator" that sent the packet earlier from the userspace. I guess that if I had this opportunity, I would be able to drop that packet in one of the two processes while dissect/analyse it in the other/correct one. That way, I will be able to send from one process to the other one while passing by the Kernel. At this point, with hopes of fixing this, I thought of perhaps adding a personalised header in front of the packet, each time before sending it into the "loop" (userspace->raw socket->TUN interface->userspace).
    But I am afraid that this solution might not work as the packet will not be valid, and the raw socket will drop at some point this packet.
    Or this could perhaps help my problem: being able to distinguish in the Userspace whose turn it is to receive and send back to the other process and also drop outbound traffic (since the Ethernet frame will be destroyed) ?



    I am really confused at this point. I am not fully sure if the above method, which I am trying to put in place, can truly work. Can I achieve more or less the same result with a simpler solution? Am I going towards the wrong direction?
    If you have completely different solutions than the one I tried for this problem, you are more than welcome (even if that does not respect our current testing "architecture").










    share|improve this question
























      up vote
      3
      down vote

      favorite









      up vote
      3
      down vote

      favorite











      What I want to achieve/Context

      I am currently trying to find a method to evaluate (automatically) students programs here at our school.
      Students have to code low level networking programs in C, that perform network attacks (without using libraries, just raw sockets). Some of these projects among others include: an ARP_spoofing, an IDLE_port_scanning, and a network_analyser program.
      I am aware that by evaluating some of those projects, we might accidentally disrupt services and/or perform unwanted attacks in segments of the network where we do not have authority, and we really do not want that to happen. Therefore, our objective is to find a method, to evaluate those projects in a secure manner, while blocking outbound traffic that could potentially harm other systems.



      It is to be noted though, that not all programs act like the network_analyser one and that some of those programs might send a frame, analyse the response and accordingly, send back another specific frame based on that response.
      A simple example would be the ARP_spoofing program where in the beginning it broadcasts a message asking for the MAC address of the victim in order to send correct spoofed packets later.
      Therefore, in most of those projects, we need to have some sort of interaction with a host/entity that (potentially checks the frame) and answers back, while avoiding sending actual data to the network and eventually breaking things.



      What I tried

      I tried to find a solution to this problem while taking into account an existing architecture that we use to evaluate other projects. The current "architecture" is composed of a single Fedora 28 machine and this one is running inside a docker container, and all project evaluation happen on that machine.



      Therefore, the solution that I immediately thought about this problem is to spawn 2 programs on the Userspace of that machine and make them communicate between them via the kernel. The first will be the program of the student (e.g. ARP_spoofing); let's name this process "X". The second process, let's name it "responder/validator", is a program that tries to "simulate" a network stack or simply enough - to be more precise - it is a program that just answers back to specific packets it receives. The communication (of course) needs to go from one program to the other program and vice versa but never send data to the same process.
      Those programs can communicate between them via an L2 virtual network Kernel interface (TUN).
      By using such an interface, I can copy data from the raw socket to the TUN interface and see the contents of the packet that I am sending (from the Userspace) back to Userspace (and, not related, but also random network packets that come into that socket). I tested a similar implementation of this gist https://gist.github.com/vi/3629756, and it seems to work.



      It is to be noted that we can not just make the 2 processes communicate between them. The student's program must be working and be able to implement the attack correctly, when not testing on our testing environment (that is, spawn a raw socket and write into it correctly). The idea was to make half of the validation by the Kernel and the other half by the Userspace without having to actually send the packets (and provoke damages).



      Apart from copying data (that arrives from the Userspace) from the raw interface on to the TUN interface (to transmit it back to the Userspace), I also tried to block those outbound packets before copying them to the TUN interface by using iptables but did not had any luck. Unless I am mistaken, raw sockets operate at a lower level than iptables inside the Kernel, therefore (regarding raw sockets), we might be able to apply rules to the inbound traffic but not to outbound traffic.



      The problem

      The problem that has arisen with this solution so far, (apart from the fact that I still haven't blocked outbound traffic,) it seems that I can not distinguish in the Userspace if it is "X" or "responder/validator" that sent the packet earlier from the userspace. I guess that if I had this opportunity, I would be able to drop that packet in one of the two processes while dissect/analyse it in the other/correct one. That way, I will be able to send from one process to the other one while passing by the Kernel. At this point, with hopes of fixing this, I thought of perhaps adding a personalised header in front of the packet, each time before sending it into the "loop" (userspace->raw socket->TUN interface->userspace).
      But I am afraid that this solution might not work as the packet will not be valid, and the raw socket will drop at some point this packet.
      Or this could perhaps help my problem: being able to distinguish in the Userspace whose turn it is to receive and send back to the other process and also drop outbound traffic (since the Ethernet frame will be destroyed) ?



      I am really confused at this point. I am not fully sure if the above method, which I am trying to put in place, can truly work. Can I achieve more or less the same result with a simpler solution? Am I going towards the wrong direction?
      If you have completely different solutions than the one I tried for this problem, you are more than welcome (even if that does not respect our current testing "architecture").










      share|improve this question













      What I want to achieve/Context

      I am currently trying to find a method to evaluate (automatically) students programs here at our school.
      Students have to code low level networking programs in C, that perform network attacks (without using libraries, just raw sockets). Some of these projects among others include: an ARP_spoofing, an IDLE_port_scanning, and a network_analyser program.
      I am aware that by evaluating some of those projects, we might accidentally disrupt services and/or perform unwanted attacks in segments of the network where we do not have authority, and we really do not want that to happen. Therefore, our objective is to find a method, to evaluate those projects in a secure manner, while blocking outbound traffic that could potentially harm other systems.



      It is to be noted though, that not all programs act like the network_analyser one and that some of those programs might send a frame, analyse the response and accordingly, send back another specific frame based on that response.
      A simple example would be the ARP_spoofing program where in the beginning it broadcasts a message asking for the MAC address of the victim in order to send correct spoofed packets later.
      Therefore, in most of those projects, we need to have some sort of interaction with a host/entity that (potentially checks the frame) and answers back, while avoiding sending actual data to the network and eventually breaking things.



      What I tried

      I tried to find a solution to this problem while taking into account an existing architecture that we use to evaluate other projects. The current "architecture" is composed of a single Fedora 28 machine and this one is running inside a docker container, and all project evaluation happen on that machine.



      Therefore, the solution that I immediately thought about this problem is to spawn 2 programs on the Userspace of that machine and make them communicate between them via the kernel. The first will be the program of the student (e.g. ARP_spoofing); let's name this process "X". The second process, let's name it "responder/validator", is a program that tries to "simulate" a network stack or simply enough - to be more precise - it is a program that just answers back to specific packets it receives. The communication (of course) needs to go from one program to the other program and vice versa but never send data to the same process.
      Those programs can communicate between them via an L2 virtual network Kernel interface (TUN).
      By using such an interface, I can copy data from the raw socket to the TUN interface and see the contents of the packet that I am sending (from the Userspace) back to Userspace (and, not related, but also random network packets that come into that socket). I tested a similar implementation of this gist https://gist.github.com/vi/3629756, and it seems to work.



      It is to be noted that we can not just make the 2 processes communicate between them. The student's program must be working and be able to implement the attack correctly, when not testing on our testing environment (that is, spawn a raw socket and write into it correctly). The idea was to make half of the validation by the Kernel and the other half by the Userspace without having to actually send the packets (and provoke damages).



      Apart from copying data (that arrives from the Userspace) from the raw interface on to the TUN interface (to transmit it back to the Userspace), I also tried to block those outbound packets before copying them to the TUN interface by using iptables but did not had any luck. Unless I am mistaken, raw sockets operate at a lower level than iptables inside the Kernel, therefore (regarding raw sockets), we might be able to apply rules to the inbound traffic but not to outbound traffic.



      The problem

      The problem that has arisen with this solution so far, (apart from the fact that I still haven't blocked outbound traffic,) it seems that I can not distinguish in the Userspace if it is "X" or "responder/validator" that sent the packet earlier from the userspace. I guess that if I had this opportunity, I would be able to drop that packet in one of the two processes while dissect/analyse it in the other/correct one. That way, I will be able to send from one process to the other one while passing by the Kernel. At this point, with hopes of fixing this, I thought of perhaps adding a personalised header in front of the packet, each time before sending it into the "loop" (userspace->raw socket->TUN interface->userspace).
      But I am afraid that this solution might not work as the packet will not be valid, and the raw socket will drop at some point this packet.
      Or this could perhaps help my problem: being able to distinguish in the Userspace whose turn it is to receive and send back to the other process and also drop outbound traffic (since the Ethernet frame will be destroyed) ?



      I am really confused at this point. I am not fully sure if the above method, which I am trying to put in place, can truly work. Can I achieve more or less the same result with a simpler solution? Am I going towards the wrong direction?
      If you have completely different solutions than the one I tried for this problem, you are more than welcome (even if that does not respect our current testing "architecture").







      networking kernel raw-sockets tun






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 20 at 10:49









      SRJanel

      161




      161





























          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53391351%2fmethod-to-evaluate-low-level-network-students-programs-without-sending-actual%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53391351%2fmethod-to-evaluate-low-level-network-students-programs-without-sending-actual%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Wiesbaden

          Marschland

          Dieringhausen