← Back to Research Vault

Data Hop Firewall: Zero Trust & DLP in Rust for Envoy Proxy

By Shay Mordechai | March 8, 2026

Researcher's Note: The core value of this project lies in the architectural research. The conceptualization, Zero-Trust security architecture, and identification of the attack vectors (React2Shell, CWE-209, Information Disclosure) are entirely my own design. Because my focus is vulnerability research and system internals rather than day-to-day Rust engineering, the actual Rust/WASM implementation was executed with AI assistance under my direct technical guidance and responsibility. The true asset presented here is the identification of a structural flaw in a production financial environment and the engineering of its mitigation.

This project (wasm-dlp-firewall) was born out of a practical need for a SaaS product I developed. When I spun up the EC2 infrastructure on AWS, I quickly noticed bots from all over the world starting to scan the servers for vulnerabilities. This led me to completely redesign the infrastructure's security posture and implement a strict Zero Trust model.

1. Infrastructure Hardening

The first step was preventing direct access to the server. I completely blocked all inbound ports to the EC2 instance. In their place, I set up a Cloudflare Tunnel — routing all ingress traffic exclusively through a secure medium. I secured my personal admin access using a business Proton Mail account backed by a hardware USB Security Key. At runtime, application services were isolated inside containers running together in a Podman Pod.

2. Application Layer Defense (Layer 7 DLP)

After researching modern attack vectors like React2Shell, and given my previous deep-dives into V8 and the Log4j vulnerability (from 2022), I realized network hardening wasn't enough. The primary threat in a Microservices architecture is API Over-fetching (CWE-201/CWE-209) — a scenario where the Backend returns full objects from the database, trusting the Frontend (like React) to filter out sensitive data. This can lead to the leakage of PII, internal tokens, or Stack Traces.

I decided to shift the responsibility of data sanitization (Redaction) from the application layer directly to the infrastructure layer.

3. The Architecture of Wasm DLP Firewall

I built a smart Filter component for the Envoy Proxy. I chose to write it in Rust and compile it to WebAssembly (wasm32-wasi). The choice of Rust guaranteed Memory Safety and high performance (Zero-cost abstractions), while Wasm provided an isolated Sandbox inside the Proxy that allowed me to perform Hot-reloading without router downtime.

Key Capabilities:

4. Field Case Study: Error Shielding and Information Disclosure

To test the system, I modeled a real-world attack scenario from financial environments (CWE-209). In this scenario, a session left open for over 60 minutes combined with aggressive refreshing (Ctrl+F5) caused the ASP.NET Backend to crash. Instead of a generic error, the server returned a 500 Internal Server Error that included HTML pages exposing:

The Data Hop Firewall automatically detects 5xx errors before they leave the internal network, locates system strings (like "Stack Trace" or "System.Web"), and replaces the sensitive payload with a clean, standardized JSON response:

{
  "status": "error",
  "message": "Internal Security Proxy Intervention",
  "code": 500
}

This ensures that even if a developer forgets to set customErrors="On" in the application, the Zero-Trust mechanism guarantees that server configuration data will never leak to the internet.