Use WinSock2 SPI to control access content

Editor's note: Unlike the traditional packet filtering firewall technology, this article starts with the application layer gateway technology and explores the use of WinSock2 SPI for network content access control. This is a new part of network security, or it provides a new idea for network security technology enthusiasts and R & D personnel.

Firewalls can implement and execute network access policies. However, the traditional firewall technology focuses on how to prevent external network intrusion and attacks on internal networks, the research on how to control the access of internal users to external networks is not in-depth enough, and there are not many related control technologies. According to authoritative data, there are about 0.25 million pornographic websites around the world, relying solely on traditional packet filtering and other firewall technologies, will inevitably seriously affect network performance. To solve this problem, we start with the application layer gateway technology and use the WinSock2 SPI technology to conduct research and discussion.

 

Diagram of Winsock2 SPI

Winsock2 SPI (Service Provider Interface) Service Provider Interface is built on Windows Open System Architecture WOSA (Windows Open System Architecture). It is the underlying programming Interface for the System provided by Winsock System components. The Winsock system component provides a standard API interface to the user application, and a standard SPI interface between the Winsock component and the Winsock service provider (such as the TCP/IP protocol stack. Various service providers are Windows-supported DLL, which is attached to the Ws2_32.dll module of Winsock2. For many internal functions defined in the Winsock2 API used by your application, these service providers provide their corresponding operation methods (for example, the API function WSAConnect has the corresponding SPI function WSPConnect ). In most cases, when an application calls the Winsock2 API function, Ws2_32.dll calls the corresponding Winsock2 SPI function and uses a specific service provider to execute the requested service.

Winsock2 SPI allows the development of two types of service providers: transmission service provider and namespace service provider. Transport Providers (such as TCP/IP) can provide transmission functions such as communication, data transmission, daily data flow control, and error control. The "namespace provider" (Name Space Providers, such as the DNS Name resolution service) associates the IP attributes of a network protocol with one or more user-friendly names, to enable the name resolution scheme unrelated to the application.

There are two types of transmission service providers used in Winsock2: basic service providers and hierarchical service providers. The basic service provider executes the details of the network transmission protocol (such as TCP/IP), including core network protocol functions such as sending and receiving data on the network. The "Layered" service provider is only responsible for implementing advanced custom communication functions, and relies on the following basic service providers for real data exchange on the network.

To implement external access control for internal users, we need to set up a hierarchical URL Filter manager on the existing basic provider TCP/IP provider. Through URL filtering, the administrator can intercept the URL address in the HTTP data packet requested by the user, and then use efficient data retrieval algorithms (such as using the hash table of the onacci hash function ), find the specified IP address in the access rule repository (the IP address set to which access is prohibited) and reject or provide the access service based on the result.

The Installation Method of the transmission service provider determines that it is not only a layered provider, but also a basic service provider. Winsock 2 uses the system configuration database to configure the transmission service provider. Configure the database to let Winsock2 know the existence of the service provider and define the type of service provided. To successfully install and manage the service provider in the Winsock2 service provider database, four functions are required: WSCEnumProtocols, WSCInstallProvider, WSCWriteProvider Order, and WSCDeInstallProvider. These functions use the WSAPROTOCOL_INFOW structure to query and operate the service provider database. To install a layered service provider, you must create two WSPPROTOCOL_INFOW directory entry structures. One stands for the layered provider (the Protocol chain length is equal to 0), and the other stands for a protocol chain (the Protocol length is greater than 1), which links the layered provider with a basic service provider. Use the attribute of the WSAPROTOCOL_INFOW directory entry structure of the existing service provider to initialize these two structures. You can call WSCEnumProtocols to obtain the WSAPROTOCOL_INFOW directory entry structure of the existing service provider. After initialization, we first need to use WSCInstallProvider to install our access control hierarchical service provider directory entries, and then use WSCEnumProtocols to list all directory entries, obtain the directory ID allocated to the structure after installation. Then, use this directory entry to set a protocol chain directory entry and link our access control service provider with another provider (TCP basic provider. Then we call WSCInstallProvider again to install our layered chain service provider.

When WSCInstallProvider is used to install a service provider, the directory entry automatically becomes the last entry in the configuration database. To implement access control, we must make our URL filtering service provider a default TCP/IP provider. We must call the WSCWriteProviderOrder function to do this, sort the provider directory entries in the database and place the Protocol chain directory entries before the TCP/IP basic provider.

The Winsock2 transmission service provider is executed along with the standard Windows dynamic link library module. We must import the DLLMain function in the dynamic link library module of our service provider and a single function entry named WSPStartup. Our URL filtering service provider must support the WSPStartup function and 30 other SPI functions. During WSAStartup, Winsock determines which service provider to load based on the address family, socket type, and protocol parameters called by WSASocket. Only when an application creates a socket using the address family AF_INET and the socket type is SOCK_STREAM through socket or WSASocket API call, winsock searches for and loads the corresponding transmission service provider that can provide TCP/IP capabilities. The UpcallTable parameter of WSPStartup gets the SPI function dispatch table of Ws2_32.dll. Our Access Control hierarchical service provider uses these functions to manage the I/O operations between itself and Winsock2.

We use the WSPConnect function to implement the access control function. When you request an HTTP service, you must first establish a connection with the target site. After the connection is successful, an HTTP request packet is sent based on the connection. When your application calls the connect or WSAConnect function to establish a connection, SPI calls the corresponding WSPConnect function: int wspapi WSPConnect (..., const struct sockaddr FAR * name ,..., int far * lpErrno ). The sockaddr parameter name contains the IP address of the target site to be accessed. We pass the name parameter to the IPFilter instance of IP accessibility determination. If the IPFilter function returns the result representing the authorized access, we use the Protocol chain command routing to call the basic service provider (TCP/IP) at the next layer to complete the connection request. If the IPFilter function returns a result that represents a denial of service, we set the lpErrno parameter to the corresponding error code and then return the result without calling the service provider at the next layer of the Protocol chain to implement access control.

Layered service providers have greatly realized the potential of online services, enhanced Winsock applications, and played a huge role in our URL filtering service, it basically implements access control for internal users to access external networks and provides users with healthy Internet access services.