GSoC2014 Proposal: TLS support for the MongoDB destination (sirius)

Abstract

Syslog-ng is a flexible, reliable, high speed event log management system based on a centralized, client-server approach implementing the Syslog Protocol standard. It can transmit, collect, store, search and filter log messages which may be persisted into different destinations, including a MongoDB database. The goal of this project is to secure log message transmission over the network between MongoDB peers by adding TLS support to the existing MongoDB client library used in syslog-ng.

Requirements

The task is to extend an existing MongoDB client library (libmongo-client, https://github.com/algernon/libmongo-client) with TLS/SSL support to guarantee secure, encrypted and authenticated message transport between the client and the MongoDB database server. The used cipher(s), key exchange algorithm(s), authentication method(s) and additional parameters must be chosen very carefully to achieve adequate security. The programming language to be used is C, typically in a UNIX-based environment - which naturally implies the use of autoconf, automake, make, etc. Since the purpose of the project is to add a layer of security, it is essential that the implementation must not be vulnerable to any low-level attacks like buffer overflow, etc. In general, bug-free programming is crucial to this task. (See "weakest link problem") It is also important to follow standards, and best practices during both the design and the implementation phases.

Development

The basic idea is that the added feature should be as transparent as it can be - making the least modification to the existing library by applying the principle of loose coupling would result in less additional work in the future and better maintainability.

The current version of libmongodb-client is capable of sending and receiving MongoDB packets over TCP connections. These library functions (like mongo_connect, mongo_disconnect, mongo_packet_recv, mongo_packet_send, etc.) may be supplied with an additional parameter like mongo_tls_config that is a pointer to a structure describing the necessary TLS settings to establish the connection and transfer messages. When it is NULL, the library remains working the same way as it currently does - without encryption and authentication. This way, the API stays clean and simple. From a library user's perspective, it should only be extended by functions that create or manipulate a mongo_tls_config structure and the structure itself of course.

The implementation process will involve frequent use of third-party libraries. GnuTLS may be utilized to build the specified functionalities and GLib may be used for supporting tasks.

Pros of GnuTLS

Easy-to-use API
Detailed, high quality documentation
Thread safe by design
Supports TLS 1.2 and SSL 3.0
Supports popular extensions (SNI, OCSP, ...)

Pros of GLib

Stable implementation of some common tasks related to this project too, like threading and memory management
Easy-to-use API
Already used throughout syslog-ng and libmongo-client (does not add extra dependency)

The entire project can be divided into the following tasks:

Getting familiar with the MongoDB server, especially concerning SSL/TLS support parameters and requirements
Getting familiar with the existing MongoDB client library (libmongodb-client)
Getting familiar with the GnuTLS library
Implementing TLS support inside libmongodb-client
Implementing configuration interface for the extended mongodb() destination via syslog-ng configuration files using the bison parser generator
Providing smooth integration into the existing code base
Developing and conducting continuous unit tests during the development cycle
Writing comprehensive documentation
Continuous consultation with the mentor, code reviews, etc.

Most of the required software-specific knowledge can be acquired from the following sources:

Schedule plan

19 May - 1 Jun: Preparation (deep diving into the related technologies, personal research)
2 Jun - 10 Jun: Design prototype and create skeleton
11 Jun - 21 Jun: Implement and test connection handling (handshake, authentication, etc.)
22 Jun - 1 Jul : Implement secure MongoDB packet transmission
2 Jul - 20 Jul: Conduct debug and performance tests, fully integrate into libmongo-client
20 Jul - 30 Jul: Integrate into syslog-ng (config file parsing, cmdline interface, etc.)
31 Jul - 6 Aug: Conduct global tests and write detailed documentation
7 Aug - 10 Aug: Deployment, summary, last revision, administration if necessary

About Me

My name is György Demarcsek. I'm 20 years old, and studying Computer Engineering at Budapest University of Technology and Economics (BUTE), Hungary. I'm expecting to receive a BSc degree in a year.

I am especially interested in IT security and software development - these are not just my field of studies, but also my primary hobbies. I'm a security enthusiast, I passionately love coding, designing and hacking software. I've been doing IT since I was 11 - I already knew back then, that I want to be a programmer or IT security expert. Therefore, I have some programming experience not just from university projects, but own experiments too. I have a solid understanding of the concepts and building blocks of cryptography, networking, and security. Particularly, I'm quite familiar with the basic concepts and architecture of the syslog-ng suite and I also get on with it at user level. I also have experience of RDBMS software and also a basic understanding of NoSQL databases like MongoDB. (Please consult my CV for full list of technical competencies.) I consider myself hard-working, co-operative and ambitious. I like music, dance and literature, especially poems.

Note: upon request, this proposal is also available in Hungarian

Additional info: https://www.dropbox.com/s/m2tb9pf7kbnkiwm/gsoc.zip Melange link: https://www.google-melange.com/gsoc/proposal/review/student/google/gsoc2014/dgyjr92/5629499534213120

Provide feedback

Saved searches

Use saved searches to filter your results more quickly