Nuff - the Network Universal Frame Forge
Doug Hoyte (doug@hcsw.org)
Kelowna, BC, Canada
4th year Computer Science major at UBC Okanagan

I am finishing my last year of undergraduate school at UBC Okanagan
and plan to graduate in December, 2007.

Experience:
~~~~~~~~~~~

* Extensive innovative contributions to open source network security
  software over more than 6 years. My first contribution to Nmap was
  in 2001.

* Successfully completed 2 previous SoCs with the Nmap Security Scanner
  project. I've been involved with many diverse parts of Nmap
  development and have maintained an excellent working relationship
  with my mentor of both summers, Fyodor.

* Employed to work on Nmap outside of the SoC as a result of my SoC
  work and experience.

* Extensive professional, academic, and personal experience with
  Scheme, Common Lisp, C, and Perl.

* Intimate knowledge of and experience with low-level networking
  APIs and protocols.

Introduction to nuff:
~~~~~~~~~~~~~~~~~~~~~

NUFF stands for the Network Universal Frame Forge. Over the past year,
I developed the core of nuff and even in the current state it has
already enabled significant innovation in low-level network research.

Nuff's goal is to design and implement the most powerful low-level
network programming environment ever. It tries to allow people to
program network applications in ways never before conceived. Nuff is
distributed under the GNU GPL.

Except for a small ANSI C kernel and a heavily modified C-based Scheme
interpreter/compiler, nuff is entirely written in Scheme because:

1) Scheme is a very powerful and flexible language.

2) There are many high-quality Scheme implementations to choose
   from. Nuff currently uses Tinyscheme because of the small footprint
   and portability.

Nuff is not a proof of concept or an experiment. Nuff is designed to be
a professional, high-quality, open-source network security tool. Some
intended uses are:

* Custom penetration-testing "pen test" attacks
* Highly flexible embedded protocol stacks
* Very secure "privilege separated", portable, light-weight daemons
* "Fuzz testing" to discover obscure vulnerabilities in network daemons
  and protocol stacks
* Advanced techniques for discovering, committing, and defending
  against, intricate resource consumption denial of service attacks
* Rapid development platform for testing the efficiency and effectiveness
  of new network algorithms
* Applying statistical and artificial intelligence techniques to network
  mapping, enumeration, and discovery

Nothing currently available approaches nuff in terms of scope, design,
or goals. Like Nmap, nuff has the potential to be a "killer" open-source
app, leading the way in innovation for open-source and proprietary
software alike.

I plan to devote 20-30 hours a week to further develop nuff during the
summer should this proposal be accepted.

Thank you for reading this proposal. Also, thank you, Google, for the
excellent Summer of Code program!

Proposal:
~~~~~~~~~

Since nuff is exploring new network security frontiers, I propose to
create a detailed roadmap with my mentor before locking down any solid
timelines/goals.

Here are some important directions I'd like nuff to take:

* For nuff to really be a "universal frame forge" it needs to support
  more protocol layers. Currently, nuff supports 8 protocols. Adding
  layers is a difficult, time-consuming process. SoC funding that allows
  me to add new layers would greatly benefit the nuff project.

* Nuff already incorporates some novel "privilege separation" techniques
  and other compile-time/run-time security features. Scheme makes "optimizing
  for security" feasible in most applications.

  There are still several additional privilege separation techniques
  that need to be implemented in nuff like chroot() on all scripts.
  Using compile-time information to further restrict the privileges of a
  running program in other ways is also planned. This research may be useful
  in mission-critical applications and said research could extend beyond
  nuff in the interest of improving general software security.

* Asynchronous clustering and automatic scheduling. The details of this
  are beyond the scope of this proposal but the idea is to use clever
  Scheme tricks and smart compilation techniques to automate the process
  of "pipelining" network applications. In programs like Nmap, much effort
  is spent ensuring that operations are done in parallel so as to make full
  use of the network's bandwidth. While this is done very well in Nmap, etc,
  abstracting this task away from the programmer will make it easier to
  write pipelined applications and opens up new opportunities for
  multiple-stage pipelining where the concurrency details are too complex
  to program manually.

  An advanced pipelining system is already included and documented in
  nuff. However, much more can be done as I researched this concept
  in depth when I implemented Nmap's asynchronous DNS system.

* Create a large collection of useful, well documented nuff scripts
  for non-developers to use. Nuff was designed as a convenient
  command-line based tool in addition to a powerful programming
  environment. There are many ideas for network tools that haven't
  been implemented in the past because nuff didn't exist. Now that
  nuff is becoming usable, I would like to implement:

  * lossmon - sends packets of differing size at random intervals and
    attempts to figure out how the packet loss percentage depends on
    the size of the packet (think ping -f -s [0,100,...,1500]). There
    are some interesting results when applying this test to noisy
    wireless links. It may even be possible to remotely determine the
    type of wireless network (802.11a/b, GPRS, etc) based only on the
    characteristics of these packet loss percentages.

  * congmap - similar to lossmon, except that it monitors packet loss
    due to congestion at every hop along a route to a host.  It will
    be useful for discovering bottlenecks, diagnosing network
    problems, interactively determining the saturation level of a
    network link, optimizing denial of service attacks, and more.

  * routetree - sends packets to random IP addresses with limited TTLs
    in a breadth-first search style. It allows easy and efficient
    mapping of all routes out of (and into) your ISP. More generally,
    this tool allows us to "black box" map the routing tables of any
    router.

  * dnsd - A simple, extremely secure, caching DNS forwarder. dnsd
    will also use an experimental based-on-historical-patterns DNS
    pre-fetching algorithm which I am in the process of inventing.
    This should outperform BIND in a number of common cases.

  * tcp-rewrite - Although ambitious, this tool aims to use your OS's
    TCP stack to communicate with a foreign TCP stack while allowing
    you to inject, rewrite, re-order, modify and selectively drop TCP
    packets. This tool will allow people to pretend a different OS is
    creating packets and makes it possible to fool p0f and certain
    intrusion detection systems.

  * I have many, many more ideas! Please see the links below.

Links:
~~~~~~

The Network Universal Frame Forge:
  http://hcsw.org/nuff/

Details on my work with Nmap:
  http://hcsw.org/nmap/

My Technical Blog where I write about Nmap development, Lisp
programming, nuff, network security, and more:
  http://hcsw.org/blog.pl