Apache Daffodil for Network Traffic Validation

Abstract

This paper explores the relative merit of Apache Daffodil for the automated generation of real-time network traffic validators associated with military vehicles. Daffodil is an "open-source implementation of the Data Format Description Language (DFDL)" which converts between natively formatted data and Extensible Markup Language (XML), JavaScript Object Notation (JSON) or other structures based on predefined schemas. Daffodil can also automatically generate executable parsers, and it is the efficacy and maturity of this facet of the technology for traffic validation that is our primary interest. Military vehicles have traditionally used compact protocols, such as Space Packet Protocol (SPP), MIL-STD-1553, or Controller Area Network bus (CAN bus), to enable real-time validation and limit malicious implants embedded in normal traffic. Over time, message traffic has grown increasingly complex due to increases in performance and use of commercial-off-the-shelf networking technologies leveraging Ethernet and TCP/IP protocols. Messages may now include mission-specific or recursively defined data embedded in the payload fields of variable-length packets. Consequently, it is valuable to assess Daffodil's ability to handle both existing formats and representative payload data within this emerging context. Here we directly compare DFDL schemas with equivalent grammars expressed in an extended version of Backus-Naur Form (xBNF) and Hammer to assess its expressive capability and succinctness. To assess the maturity of its validator generator, we compared Daffodil to the industry-standard Bison tool (for xBNF) and Hammer library. Though the comparison is based on numerous formats, here we present three examples: JSON numbers—a simple recursive data format; Micro Air Vehicle Link (MAVLink) messages—non-trivial byte-oriented traffic; and generic SPP messages—a bit-oriented, fixed-size format. Unfortunately, Daffodil's automated parser generation capabilities are currently neither mature nor robust. Daffodil is primarily useful for analysing fixed-length formats or variable-length components which follow descriptive header fields. Daffodil parsers can elegantly check compact bit-wise protocol formats, which is more difficult using Bison and some versions of Hammer. Daffodil is currently of limited utility in analysing recursive or non-prefixed formats such as JSON. Writing DFDL manually appears significantly more verbose and error-prone than both xBNF and Hammer.