A session key caching and prefetching scheme for secure communication in cluster systems

With the widespread use of cluster systems and the ever-increasing threat to computer security, it has become more necessary to design and build secure cluster systems. Most cluster systems rely on security products such as firewalls for their security, but these cannot guarantee the security of intra-cluster communications, which can become a weak spot that attackers exploit for further attacks. A recent study by Lee and Kim (2007) [22] proposed a security framework that protects intra-cluster communications by encrypting and authenticating all packets with fine-grained security, in which any two communicating processes dynamically generate and share a cryptographic key, called a session key. However, the fine-grained security scheme can incur serious performance degradation in large-scale cluster systems, since accessing session keys may take a long time. To solve this problem, we propose incorporating a session key cache inside the cluster interconnect card to speed up session key accesses, and we build an analytical cluster traffic model to estimate the behavior of the cache in large-scale cluster systems. For further performance improvement, we propose a prefetching scheme that speculates on the job scheduler's decision without OS intervention. Simulation results indicate that the session key cache with the prefetching scheme decreases network latency by 50% on average, compared to configurations without these enhancements.
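The following simulation is an added example, not the paper's own model or code. It shows the two mechanisms the abstract describes in miniature: an LRU session key cache that stands in for the cache on the interconnect card, indexed by the (local process, remote process) pair, and a prefetcher that learns the job scheduler's round-robin order from the job switches it observes on the wire and installs the next job's keys before that job's time slice begins. The latencies, the gang-scheduled workload, the OS-side key table and the "learn the successor job" prediction policy are all constructed assumptions for illustration; the paper's actual prefetch heuristic and cost figures are not reproduced here.

```python
"""Added example: LRU session key cache with scheduler-speculating prefetch (constructed model)."""
from collections import OrderedDict
import random

# Constructed latencies in cycles; real values depend on the interconnect and host.
KEY_FETCH_LATENCY = 200   # miss: the NIC must fetch the key from the OS-managed key table
CACHE_HIT_LATENCY = 2     # hit: key already resident in the NIC's session key cache


class SessionKeyCache:
    """LRU cache of session keys indexed by (local_pid, remote_pid)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._keys = OrderedDict()
        self.hits = self.misses = self.prefetches = 0

    def _insert(self, pair, key):
        self._keys[pair] = key
        self._keys.move_to_end(pair)
        while len(self._keys) > self.capacity:
            self._keys.popitem(last=False)  # evict the least recently used key

    def lookup(self, pair, key_table):
        """Return (key, latency); on a miss the key is fetched and installed."""
        if pair in self._keys:
            self.hits += 1
            self._keys.move_to_end(pair)
            return self._keys[pair], CACHE_HIT_LATENCY
        self.misses += 1
        self._insert(pair, key_table[pair])
        return key_table[pair], KEY_FETCH_LATENCY

    def prefetch(self, pairs, key_table):
        """Install keys ahead of use; assumed to run off the message path."""
        for pair in pairs:
            if pair not in self._keys:
                self.prefetches += 1
                self._insert(pair, key_table[pair])


def build_jobs(n_jobs, procs_per_job, peers_per_proc, seed=1):
    """Constructed workload: each job's local processes each talk to a fixed peer set.
    key_table models the OS-side store of already negotiated session keys."""
    rng = random.Random(seed)
    jobs, key_table, next_pid = {}, {}, 1000
    for job in range(n_jobs):
        pairs = []
        for _ in range(procs_per_job):
            local, next_pid = next_pid, next_pid + 1
            for _ in range(peers_per_proc):
                pair = (local, rng.randrange(50_000, 60_000))
                pairs.append(pair)
                key_table[pair] = rng.getrandbits(128).to_bytes(16, "big")
        jobs[job] = pairs
    return jobs, key_table


def simulate(jobs, key_table, capacity, slices, msgs_per_slice, prefetch, seed=2):
    """Gang-scheduled round-robin time slices; returns hit rate and mean key latency.
    The prefetcher never talks to the OS: it predicts the next job from the
    job switches it has already seen (constructed policy for this example)."""
    rng = random.Random(seed)
    cache = SessionKeyCache(capacity)
    successor = {}           # observed switch history: job -> job that followed it
    order = sorted(jobs)
    prev_job, total_latency, mispredicted = None, 0, 0
    for s in range(slices):
        job = order[s % len(order)]
        if prev_job is not None:
            if prev_job in successor and successor[prev_job] != job:
                mispredicted += 1          # speculation was wrong for this switch
            successor[prev_job] = job
        for _ in range(msgs_per_slice):
            pair = rng.choice(jobs[job])
            key, latency = cache.lookup(pair, key_table)
            assert key == key_table[pair]  # the cache must never hand out a wrong key
            total_latency += latency
        if prefetch and job in successor:
            # Speculate: the job that followed us last time will follow us again.
            cache.prefetch(jobs[successor[job]], key_table)
        prev_job = job
    total = cache.hits + cache.misses
    return {"hit_rate": cache.hits / total, "avg_latency": total_latency / total,
            "prefetches": cache.prefetches, "mispredicted": mispredicted}


if __name__ == "__main__":
    jobs, table = build_jobs(n_jobs=4, procs_per_job=8, peers_per_proc=4)
    for use_prefetch in (False, True):
        label = "prefetch" if use_prefetch else "no prefetch"
        print(label, simulate(jobs, table, 64, 16, 64, use_prefetch))
```

With four jobs of 32 key pairs each and a 64-entry cache, the plain LRU cache thrashes: by the time a job is scheduled again, the two jobs that ran in between have evicted its keys, so every slice starts cold. Once the prefetcher has seen one full scheduling cycle it installs the successor job's keys during the current slice, and the later slices run entirely from the cache. The `mispredicted` counter is where a real design would watch for the failure mode: if the scheduler deviates from the learned order, the prefetched keys are wasted capacity and may evict keys the running job still needs.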

[1] Sean W. Smith et al., "Building a high-performance, programmable secure coprocessor," Comput. Networks, 1999.

[2] Sean W. Smith et al., "Building the IBM 4758 Secure Coprocessor," Computer, 2001.

[3] Jonathan M. Smith et al., "Cryptographic Support in a Gigabit Network," 1992.

[4] David J. Lilja et al., "Characterization of Communication Patterns in Message-Passing Parallel Scientific Application Programs," CANPC, 1998.

[5] Gregory A. Koenig et al., "Cluster Security as a Unique Problem with Emergent Properties: Issues and Techniques," 2004.

[6] Dan Boneh et al., "Architectural support for copy and tamper resistant software," SIGP, 2000.

[7] Makan Pourzandi, "A new distributed security model for Linux Clusters," 2004.

[8] Chita R. Das et al., "Alternatives to Coscheduling a Network of Workstations," J. Parallel Distributed Comput., 1999.

[9] Chita R. Das et al., "Coscheduling in Clusters: Is It a Viable Alternative?," Proceedings of the ACM/IEEE SC2004 Conference, 2004.

[10] Hsien-Hsin S. Lee et al., "High efficiency counter mode security architecture via prediction and precomputation," 32nd International Symposium on Computer Architecture (ISCA'05), 2005.

[11] G. Edward Suh et al., "Caches and hash trees for efficient memory integrity verification," Ninth International Symposium on High-Performance Computer Architecture (HPCA-9), 2003.

[12] Brian Rogers et al., "Improving Cost, Performance, and Security of Memory Encryption and Authentication," 33rd International Symposium on Computer Architecture (ISCA'06), 2006.

[13] Chris G. Demetriou et al., Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference, June 10-15, 2002, Monterey, California, USA, 2002.

[14] Peter Gutmann, "An Open-Source Cryptographic Coprocessor," USENIX Security Symposium, 2000.

[15] Gregory A. Koenig et al., "Cluster security with NVisionCC: process monitoring by leveraging emergent properties," CCGrid 2005, IEEE International Symposium on Cluster Computing and the Grid, 2005.

[16] Sean W. Smith et al., "Trusting Trusted Hardware: Towards a Formal Model for Programmable Secure Coprocessors," USENIX Workshop on Electronic Commerce, 1998.

[17] George Markowsky et al., "Survey of Supercomputer Cluster Security Issues," Security and Management, 2007.

[18] Dan S. Wallach et al., "Performance analysis of TLS Web servers," TOCS, 2006.

[19] Subhash Saini et al., "Workload Characterization of CFD Applications Using Partial Differential Equation Solvers," 1998.

[20] Yutaka Ishikawa et al., "Highly Efficient Gang Scheduling Implementation," Proceedings of the IEEE/ACM SC98 Conference, 1998.

[21] Hsien-Hsin S. Lee et al., "High Efficiency Counter Mode Security Architecture via Prediction and Precomputation," ISCA 2005, 2005.

[22] Milo M. K. Martin et al., "Multifacet's general execution-driven multiprocessor simulator (GEMS) toolset," CARN, 2005.

[23] Dennis W. Duke et al., Proceedings of the 1998 ACM/IEEE conference on Supercomputing, 1998.

[24] Mazin S. Yousif et al., "Instant attack stopper in InfiniBand architecture," CCGRID, 2005.

[25] Patrick Sobalvarro et al., "Demand-Based Coscheduling of Parallel Jobs on Multiprogrammed Multiprocessors," JSSPP, 1995.

[26] Jeff Huskamp, Proceedings of the 2004 ACM/IEEE conference on Supercomputing, 2004.

[27] D. E. Culler et al., "Effects Of Communication Latency, Overhead, And Bandwidth In A Cluster Architecture," Conference Proceedings, 24th Annual International Symposium on Computer Architecture, 1997.

[28] Ramesh Karri et al., "A High Speed Architecture for Galois/Counter Mode of Operation (GCM)," IACR Cryptol. ePrint Arch., 2005.

[29] Angelos D. Keromytis et al., "Cryptography as an operating system service: A case study," TOCS, 2006.

[30] Fredrik Larsson et al., "Simics: A Full System Simulation Platform," Computer, 2002.

[31] Mateo Valero et al., "Multiple-banked register file architectures," Proceedings of the 27th International Symposium on Computer Architecture, 2000.

[32] John Viega et al., "The Security and Performance of the Galois/Counter Mode (GCM) of Operation," INDOCRYPT, 2004.

[33] Hillary Brown, "Building for high performance," 2000.

[34] Trevor Mudge et al., Proceedings of the 24th annual international symposium on Computer architecture, 1997.

[35] Chita R. Das et al., "Performance Enhancement Techniques for InfiniBand Architecture," HPCA 2003, 2003.

[36] Andrea C. Arpaci-Dusseau et al., "Scheduling with implicit information in distributed systems," SIGMETRICS '98/PERFORMANCE '98, 1998.

[37] Rossen Dimitrov et al., "Challenges and New Technologies for Addressing Security in High Performance Distributed Environments," 1998.

[38] Richard P. Martin et al., "Effects Of Communication Latency, Overhead, And Bandwidth In A Cluster Architecture," Conference Proceedings, 24th Annual International Symposium on Computer Architecture, 1997.

[39] Manhee Lee et al., "A Comprehensive Framework for Enhancing Security in InfiniBand Architecture," IEEE Transactions on Parallel and Distributed Systems, 2007.

[40] David H. Bailey et al., "The NAS Parallel Benchmarks," Int. J. High Perform. Comput. Appl., 1991.

[41] Angelos D. Keromytis et al., "A Study of the Relative Costs of Network Security Protocols," USENIX Annual Technical Conference, FREENIX Track, 2002.

[42] Andrew A. Chien et al., "Breaking the barriers: high performance security for high performance computing," NSPW '02, 2002.

[43] Chita R. Das et al., "Towards a communication characterization methodology for parallel applications," Proceedings of the Third International Symposium on High-Performance Computer Architecture, 1997.

[44] Dror G. Feitelson et al., "User-level communication in a system with gang scheduling," Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS 2001), 2001.