Commit bf34ca89 authored by 's avatar

Added a test for anonymization policies in VOd for users to verify their installation.

Works pretty much the same as the offline tests in trunk/tests.


git-svn-id: file:///home/svn/mapi/trunk@1262 8d5bb341-7cf1-0310-8cf6-ba355fef3186
parent 48033535
#!/usr/bin/perl
use Net::Pcap;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use strict;
# Use network device passed in program arguments or if no
# argument is passed, determine an appropriate network
# device for packet sniffing using the
# Net::Pcap::lookupdev method
#my $dev = $ARGV[0];
#unless (defined $dev) {
# $dev = Net::Pcap::lookupdev(\$err);
# if (defined $err) {
# die 'Unable to determine network device for monitoring - ', $err;
# }
#}
# Look up network address information about network
# device using Net::Pcap::lookupnet - This also acts as a
# check on bogus network device arguments that may be
# passed to the program as an argument
#my ($address, $netmask);
#if (Net::Pcap::lookupnet($dev, \$address, \$netmask, \$err)) {
# die 'Unable to look up device information for ', $dev, ' - ', $err;
#}
# Create offline source for capturing
my $object1, $object2;
$object1 = Net::Pcap::open_offline("../../tests/anonflib/full_test/traces/http.trace", \$err);
$object2 = Net::Pcap::open_offline("/tmp/1packet2", \$err);
unless (defined $object1) {
die 'Unable to create packet capture on device ', $dev, ' - ', $err;
}
Net::Pcap::loop($object1, -1, \&decode_packet, "dummy argument for callback");
# Create packet capture object on device
#my $object;
#$object = Net::Pcap::open_live($dev, 1500, 0, 0, \$err);
#unless (defined $object) {
# die 'Unable to create packet capture on device ', $dev, ' - ', $err;
#}
# Compile and set packet filter for packet capture
# object - For the capture of TCP packets with the SYN
# header flag set directed at the external interface of
# the local host, the packet filter of '(dst IP) && (tcp
# [13] & 2 != 0)' is used where IP is the IP address of
# the external interface of the machine. For
# illustrative purposes, the IP address of 127.0.0.1 is
# used in this example.
#my $filter;
#Net::Pcap::compile(
# $object,
# \$filter,
# '(dst 127.0.0.1) && (tcp[13] & 2 != 0)',
# 0,
# $netmask
#) && die 'Unable to compile packet capture filter';
#Net::Pcap::setfilter($object, $filter) &&
# die 'Unable to set packet capture filter';
# Set callback function and initiate packet capture loop
#Net::Pcap::loop($object, -1, \&syn_packets, '') ||
# die 'Unable to perform packet capture';
Net::Pcap::loop($object2, -1, \&check_IP_packet, $parts);
Net::Pcap::close($object2);
sub syn_packets {
my ($user_data, $header, $packet) = @_;
# Strip ethernet encapsulation of captured packet
my $ether_data = NetPacket::Ethernet::strip($packet);
# Decode contents of TCP/IP packet contained within
# captured ethernet packet
my $ip = NetPacket::IP->decode($ether_data);
my $tcp = NetPacket::TCP->decode($ip->{'data'});
# Print all out where its coming from and where its
# going to!
print
$ip->{'src_ip'}, ":", $tcp->{'src_port'}, " -> ",
$ip->{'dest_ip'}, ":", $tcp->{'dest_port'}, "\n";
}
sub decode_packet {
my($data, $header, $pkt) = @_;
my $eth = NetPacket::Ethernet->decode($pkt);
my $ip = NetPacket::IP->decode($eth->{data});
my $tcp = NetPacket::TCP->decode($ip->{data});
$original_IP_packets[$pkts_num] = $ip;
$original_TCP_packets[$pkts_num++] = $tcp;
}
sub check_IP_packet {
my($data, $header, $pkt) = @_;
my $eth = NetPacket::Ethernet->decode($pkt);
my $ip = NetPacket::IP->decode($eth->{data});
if ( match_anonymized($original_IP_packets[$pkt_index++]->{$IP_field{$parts[2]}}, $ip->{$IP_field{$parts[2]}}, $ARGV[0])<0 ) {
$error_found=1;
Net::Pcap::breakloop($pcap_handle);
}
}
sub check_TCP_packet {
my($data, $header, $pkt) = @_;
my $eth = NetPacket::Ethernet->decode($pkt);
my $ip = NetPacket::IP->decode($eth->{data});
my $tcp = NetPacket::TCP->decode($ip->{data});
if ( match_anonymized($original_TCP_packets[$pkt_index++]->{$TCP_field{$parts[2]}}, $tcp->{$TCP_field{$parts[2]}}, $ARGV[0])<0 ) {
$error_found=1;
Net::Pcap::breakloop($pcap_handle);
}
}
sub match_anonymized {
my($original, $anonymized, $function) =@_;
if ( $function eq "UNCHANGED" ) { if ( $original eq $anonymized) { return 1; } else { return -1; } }
elsif ( $function eq "MAP") { if ( not exists $mapped{$original} ) { $mapped{$original}=$anonymized; return 1; } else { if ( $mapped{$original} eq $anonymized ) { return 1; } else { return -1; } } }
elsif ( $function eq "MAP_DISTRIBUTION_UNIFORM") { if ( not exists $mapped{$original} ) { $mapped{$original}=$anonymized; if ($anonymized =~ /^\d\.\d\.\d/) { return 1; } else { if ( $anonymized>=1 && $anonymized<=10000 ) { return 1; } else { return -1; } } } else { if ( $mapped{$original} eq $anonymized ) { return 1; } else { return -1; } } }
elsif ( $function eq "MAP_DISTRIBUTION_GAUSSIAN") { if ( not exists $mapped{$original} ) { $mapped{$original}=$anonymized; return 1; } else { if ( $mapped{$original} eq $anonymized ) { return 1; } else { return -1; } } } # compute mean and variation values?
elsif ( $function eq "STRIP") { if ( not ($original eq "") && ($original eq $anonymized)) { return -1; } else { return 1; } } #a better way to test it?
# elsif ( $function eq "RANDOM") { if ( $random_first==-1) { $random_first=$anonymized; return 1; } else { if ($anonymized!=(((($random_first * 1103515245 + 12345)/65536)%32768)) ) { return -1} else { $random_first=$anonymized; return 1; } } }
# elsif ( $function eq "RANDOM") { return 1; } #above is the right solution
elsif ( $function eq "PATTERN_FILL") { if ( $anonymized eq "84.69.83.84" || substr($anonymized,0,4) eq "TEST" || (get_byte($anonymized,0) eq ord(T)) || (get_byte($anonymized,0) eq ord(E) && get_byte($anonymized,1) eq ord(T) ) || (get_byte($anonymized,0) eq ord(T) && get_byte($anonymized,1) eq ord(S) && get_byte($anonymized,2) eq ord(E) && get_byte($anonymized,3) eq ord(T)) ) { return 1; } else { return -1; } }
elsif ( $function eq "ZERO") { if ( $anonymized eq 0 || ord($anonymized) eq ord("\0") || $anonymized eq "0.0.0.0") { return 1; } else { print $anonymized."\n"; return -1; } }
elsif ( $function eq "REPLACE") { if ( $anonymized eq "84.69.83.84" || substr($anonymized,0,4) eq "TEST" || (get_byte($anonymized,0) eq ord(T)) || (get_byte($anonymized,0) eq ord(E) && get_byte($anonymized,1) eq ord(T) ) || (get_byte($anonymized,0) eq ord(T) && get_byte($anonymized,1) eq ord(S) && get_byte($anonymized,2) eq ord(E) && get_byte($anonymized,3) eq ord(T)) ) { return 1; } else { return -1; } }
elsif ( $function eq "PREFIX_PRESERVING") { if ( not exists $mapped{$original} ) { $mapped{$original}=$anonymized; return 1; } else { if ( $mapped{$original} eq $anonymized ) { return 1; } else { return -1; } } }
elsif ( $function eq "PREFIX_PRESERVING_MAP") { if ( not exists $mapped{$original} ) { $mapped{$original}=$anonymized; return 1; } else { if ( $mapped{$original} eq $anonymized ) { return 1; } else { return -1; } } }
elsif ( $function eq "FILENAME_RANDOM") { return 1; } #no filename
elsif ( $function eq "HASHED_SHA_PAD_WITH_ZERO") { if ( length($original)>0 && ($original eq $anonymized) ) { return -1; } else { return 1; } } #compute sha and compare
else { print "Invalid anonymization function\n"; return -1; }
}
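Review bot: The script enables `use strict` on line 15 but never declares `$err`, `$dev`, `@parts`, `@original_IP_packets`, `@original_TCP_packets`, `$pkts_num`, `$pkt_index`, `%IP_field`, `%TCP_field`, `%mapped`, `$error_found` or `$pcap_handle`, and `my $object1, $object2;` on line 36 declares only `$object1`, so it will not compile as committed; `ord(T)`/`ord(E)` on lines 122 and 124 are barewords, `get_byte` is not defined in this file, and line 70 passes a scalar `$parts` while the callbacks read the array `@parts`. Independently of that, the second `open_offline` on the fixed `/tmp/1packet2` path is never checked for `undef`, `breakloop` is called on the never-assigned `$pcap_handle` rather than `$object2`, and `$error_found` is never turned into an exit status, so the shell driver that runs `check.pl` cannot distinguish pass from fail. `@parts`, `%IP_field` and `%TCP_field` are read by the callbacks but never populated anywhere in this file — presumably they are meant to come from the policy under test, which is not visible here. The prologue below declares the globals, checks both opens and exits non-zero when a mismatch was found; the subroutines stay as they are apart from replacing `$pcap_handle` with `$object2` in both `breakloop` calls.
```perl
my ($err, $object1, $object2);
my (@original_IP_packets, @original_TCP_packets, @parts);
my (%IP_field, %TCP_field, %mapped);
my ($pkts_num, $pkt_index, $error_found) = (0, 0, 0);
# NOTE(review): @parts, %IP_field and %TCP_field are read by the callbacks
# but never filled in this file - confirm where they are meant to come from.
# … unchanged: commented-out live-capture example …
$object1 = Net::Pcap::open_offline("../../tests/anonflib/full_test/traces/http.trace", \$err);
die "Unable to open reference trace - $err" unless defined $object1;
Net::Pcap::loop($object1, -1, \&decode_packet, "dummy argument for callback");
Net::Pcap::close($object1);
$object2 = Net::Pcap::open_offline("/tmp/1packet2", \$err);
die "Unable to open anonymized trace /tmp/1packet2 - $err" unless defined $object2;
Net::Pcap::loop($object2, -1, \&check_IP_packet, \@parts);
Net::Pcap::close($object2);
exit($error_found ? 1 : 0);
# … unchanged: syn_packets, decode_packet, check_IP_packet, check_TCP_packet, match_anonymized …
```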
#!/bin/bash
protocols=(IP TCP UDP HTTP)
ipfields=(SRC_IP DST_IP TTL TOS ID FIELD_VERSION OPTIONS PACKET_LENGTH IP_PROTO IHL)
tcpfields=(SRC_PORT DST_PORT SEQUENCE_NUMBER ACK_NUMBER FLAGS URGENT_POINTER WINDOW TCP_OPTIONS CHECKSUM)
udpfields=(SRC_PORT DST_PORT UDP_DATAGRAM_LENGTH CHECKSUM)
httpfields=()
functions=(UNCHANGED MAP MAP_DISTRIBUTION STRIP RANDOM HASHED PATTERN_FILL ZERO REPLACE PREFIX_PRESERVING )
mapargs=( UNIFORM:1:10000 GAUSSIAN:100:10 )
hashargs=( SHA:PAD_WITH_ZERO ) # AES SHA_2 CRC32 TRIPLE_DES MD5)
patternargs=( STR:TEST )
policystring="[dumbvo]\nANONYMIZE="
dummy="[smartvo]\nANONYMIZE=IP:SRC_IP:UNCHANGED"
for (( ii = 0 ; ii < ${#functions[@]} ; ii++ )) do
sleep 2
case "${functions[$ii]}" in
"MAP_DISTRIBUTION")
for (( jj=0; jj<${#mapargs[@]};jj++ )) do
policy=$policystring${functions[$ii]}":"${mapargs[$jj]}
echo -e $policy > policy.conf
echo -e $dummy >> policy.conf
(./vod) &
(/usr/local/sbin/mapicommd) &
(/usr/local/sbin/mapid) &
(./vod_test ../../tests/anonflib/full_test/traces/http.trace)
if(jj==1)
(./check.pl MAP_DISTRIBUTION_UNIFORM)
else
(./check.pl MAP_DISTRIBUTION_GAUSSIAN)
sleep 1
done
;;
"STRIP")
policy=$policystring${functions[$ii]}":0"
echo -e $policy > policy.conf
echo -e $dummy >> policy.conf
(./vod) &
(/usr/local/sbin/mapicommd) &
(/usr/local/sbin/mapid) &
(./vod_test)
(./check.pl STRIP)
sleep 1
;;
"HASHED")
for (( jj=0; jj<${#hashargs[@]};jj++ )) do
policy=$policystring${functions[$ii]}":"${hashargs[$jj]}
echo -e $policy > policy.conf
echo -e $dummy >> policy.conf
(./vod) &
(/usr/local/sbin/mapicommd) &
(/usr/local/sbin/mapid) &
(./vod_test)
(./check.pl HASHED_SHA_PAD_WITH_ZERO)
sleep 1
done
;;
"PATTERN_FILL")
for (( jj=0; jj<${#patternargs[@]};jj++ )) do
policy=$policystring${functions[$ii]}":"${patternargs[$jj]}
echo -e $policy > policy.conf
echo -e $dummy >> policy.conf
(./vod) &
(/usr/local/sbin/mapicommd) &
(/usr/local/sbin/mapid) &
(./vod_test)
(./check.pl PATTERN_FILL)
sleep 1
done
;;
"REPLACE")
policy=$policystring${functions[$ii]}":fubar"
echo -e $policy > policy.conf
echo -e $dummy >> policy.conf
(./vod) &
(/usr/local/sbin/mapicommd) &
(/usr/local/sbin/mapid) &
(./vod_test)
(./check_replace.pl)
sleep 1
;;
*)
policy=$policystring${functions[$ii]}
echo -e $policy > policy.conf
echo -e $dummy >> policy.conf
(./vod) &
(/usr/local/sbin/mapicommd) &
(/usr/local/sbin/mapid) &
(./vod_test)
(./check.pl)
sleep 1
;;
esac
done
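Review bot: `if(jj==1)` on line 155 is not valid bash (no `(( ))`, no `then`, no `fi`), and because `mapargs[0]` is the UNIFORM entry the branch is also inverted: `jj==1` selects the GAUSSIAN policy but runs `check.pl MAP_DISTRIBUTION_UNIFORM`. The default `*)` case on line 218 runs `./check.pl` with no argument, so `$ARGV[0]` inside check.pl is undefined and every policy reaching that branch is reported as "Invalid anonymization function". Each iteration backgrounds `vod`, `mapicommd` and `mapid` and never stops them, and the exit status of `check.pl` is never examined, so the loop can never report a failure. Suggested replacement for lines 155–158: `if (( jj == 0 )); then ./check.pl MAP_DISTRIBUTION_UNIFORM; else ./check.pl MAP_DISTRIBUTION_GAUSSIAN; fi`, and for line 218: `./check.pl "${functions[$ii]}" || { echo "FAILED: ${functions[$ii]}"; exit 1; }`.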