Design of a secure packet processor

Programmability in the data path of routers provides the basis for modern router implementations that can adapt to new functional requirements. This programmability is typically achieved through software-programmable packet processing systems. One key concern with the proliferation of these programmable devices throughout the Internet is the potential impact of software vulnerabilities that can be exploited remotely. We present a design and proof-of-concept implementation of a packet processing system that uses two security techniques to defend against potential attacks: a processing monitor tracks operations on each processor core to detect attacks at the processing instruction level, and an I/O monitor tracks operations of the router to detect attacks at the protocol level. Our prototype implementation on the NetFPGA system shows that these monitors can operate at high data rates with few additional hardware resources.
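The abstract names two monitors but does not describe how either decides that an operation is illegitimate. The following simulation is an added illustration of that division of labour, not code from the paper or the NetFPGA prototype: it assumes a processing monitor that holds, for every address of the installed program, a hash of the expected instruction and the set of legal successor addresses (so a modified instruction or an unexpected control transfer is caught at the instruction level), and an I/O monitor that bounds how many packets one processing instance may emit (a rule chosen for the example; the paper's actual protocol-level checks are not given here). The toy instruction set, the sample program and the packet are all constructed for the example.

```python
import hashlib

# Toy instruction set for a packet processor core (constructed for this illustration).
#   ("LOAD", reg, field)  copy a packet header field into a register
#   ("CMP", reg, value)   set the flag if the register equals value
#   ("BEQ", target)       branch to target if the flag is set
#   ("SEND", port)        emit the packet on port (an I/O operation)
#   ("DROP",)             discard the packet
#   ("HALT",)             finish processing this packet

class MonitorViolation(Exception):
    """Raised by either monitor; the core is reset and the packet dropped."""

def instr_hash(instr):
    """Short hash of an instruction word; what the processing monitor compares."""
    return hashlib.sha256(repr(instr).encode()).hexdigest()[:8]

def build_monitor_graph(program):
    """Offline step at program install time: for each address, the expected
    instruction hash and the set of addresses that may legally follow it."""
    graph = {}
    for pc, instr in enumerate(program):
        if instr[0] == "BEQ":
            succ = {pc + 1, instr[1]}
        elif instr[0] in ("HALT", "DROP"):
            succ = set()
        else:
            succ = {pc + 1}
        graph[pc] = (instr_hash(instr), succ)
    return graph

class ProcessingMonitor:
    """Instruction-level monitor (assumed design): every fetched instruction must
    match the installed program and every control transfer must be one it allows."""
    def __init__(self, graph):
        self.graph = graph
        self.prev_pc = None

    def fetch(self, memory, pc):
        if pc not in self.graph:
            raise MonitorViolation(f"pc {pc} outside the installed program")
        if self.prev_pc is not None and pc not in self.graph[self.prev_pc][1]:
            raise MonitorViolation(f"illegal control transfer {self.prev_pc}->{pc}")
        instr = memory[pc]  # in hardware the monitor observes what the core executes
        if instr_hash(instr) != self.graph[pc][0]:
            raise MonitorViolation(f"instruction at pc {pc} differs from installed code")
        self.prev_pc = pc
        return instr

class IOMonitor:
    """Protocol-level monitor (assumed rule): one processing instance may emit
    at most max_sends packets per input packet."""
    def __init__(self, max_sends):
        self.max_sends = max_sends
        self.sends = 0

    def record_send(self):
        self.sends += 1
        if self.sends > self.max_sends:
            raise MonitorViolation("processing instance exceeded its send budget")

def process_packet(memory, graph, packet, max_sends=1):
    """Run one packet through the core under both monitors.
    Returns (outcome, ports_sent_to), outcome in {"ok", "drop", "violation"}."""
    pmon, iomon = ProcessingMonitor(graph), IOMonitor(max_sends)
    regs, flag, pc, sent = {}, False, 0, []
    try:
        while True:
            instr = pmon.fetch(memory, pc)
            op = instr[0]
            if op == "LOAD":
                regs[instr[1]] = packet[instr[2]]; pc += 1
            elif op == "CMP":
                flag = regs[instr[1]] == instr[2]; pc += 1
            elif op == "BEQ":
                pc = instr[1] if flag else pc + 1
            elif op == "SEND":
                iomon.record_send(); sent.append(instr[1]); pc += 1
            elif op == "DROP":
                return ("drop", sent)
            elif op == "HALT":
                return ("ok", sent)
    except MonitorViolation:
        return ("violation", sent)  # recovery: drop the packet, reset the core

# Constructed sample program: forward to port 1 if dst is 10.0.0.2, else to port 0.
PROGRAM = [
    ("LOAD", "r0", "dst"),      # 0
    ("CMP", "r0", "10.0.0.2"),  # 1
    ("BEQ", 5),                 # 2
    ("SEND", 0),                # 3
    ("HALT",),                  # 4
    ("SEND", 1),                # 5
    ("HALT",),                  # 6
]
GRAPH = build_monitor_graph(PROGRAM)

def demo():
    pkt = {"dst": "10.0.0.7"}  # constructed packet header
    normal = process_packet(PROGRAM, GRAPH, pkt)
    # Simulated code modification on the core: the SEND at address 3 is rewritten.
    tampered = list(PROGRAM); tampered[3] = ("SEND", 1)
    code_attack = process_packet(tampered, GRAPH, pkt)
    # A program the processing monitor accepts, but which emits two packets per input.
    dup = [("SEND", 0), ("SEND", 1), ("HALT",)]
    io_attack = process_packet(dup, build_monitor_graph(dup), pkt)
    return normal, code_attack, io_attack

if __name__ == "__main__":
    print(demo())
```

The three runs in `demo()` show why both monitors are needed: the unmodified program passes, the rewritten instruction is caught by the processing monitor before it executes, and the duplicating program is consistent with its own installed code (so the instruction-level check passes) yet is stopped by the I/O monitor at the second emission.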
