Research article. DOI: 10.1145/1872007.1872011

Design of a secure packet processor

Published: 25 October 2010

Abstract

Programmability in the data path of routers provides the basis for modern router implementations that can adapt to new functional requirements. This programmability is typically achieved through software-programmable packet processing systems. One key concern with the proliferation of these programmable devices throughout the Internet is the potential impact of software vulnerabilities that can be exploited remotely. We present a design and proof-of-concept implementation of a packet processing system that uses two security techniques to defend against potential attacks: a processing monitor tracks operations on each processor core to detect attacks at the processing-instruction level, and an I/O monitor tracks operations of the router to detect attacks at the protocol level. Our prototype implementation on the NetFPGA system shows that these monitors can be implemented to operate at high data rates with few additional hardware resources.



Published in: ANCS '10: Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, October 2010, 244 pages. ISBN: 9781450303798. DOI: 10.1145/1872007

Publisher: Association for Computing Machinery, New York, NY, United States


Conference: ANCS '10. Overall acceptance rate: 88 of 314 submissions (28%).

Cited By

    • (2017) Real-time attack and failure detection for next generation networks. 2017 International Conference on Computing, Networking and Communications (ICNC), pp. 189-193. DOI: 10.1109/ICCNC.2017.7876125. Online publication date: Jan 2017.
    • (2016) Dynamic Hardware Monitors for Network Processor Protection. IEEE Transactions on Computers 65(3), pp. 860-872. DOI: 10.1109/TC.2015.2435750. Online publication date: 1 Mar 2016.
    • (2016) A novel approach to detect extraneous network traffic from the compromised router. 2016 3rd International Conference on Recent Advances in Information Technology (RAIT), pp. 352-358. DOI: 10.1109/RAIT.2016.7507930. Online publication date: Mar 2016.
    • (2016) Power monitoring of highly parallel network processors. 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1-5. DOI: 10.1109/ICCNC.2016.7440713. Online publication date: Feb 2016.
    • (2016) Cyber-Assurance Through Embedded Security for the Internet of Things. In: Cyber-Assurance for the Internet of Things, pp. 101-127. DOI: 10.1002/9781119193784.ch2. Online publication date: 17 Dec 2016.
    • (2016) Bibliography. In: Cyber-Assurance for the Internet of Things, pp. 433-455. DOI: 10.1002/9781119193784.biblio. Online publication date: 17 Dec 2016.
    • (2013) External monitoring of highly parallel network processors. 2013 IEEE 14th International Conference on High Performance Switching and Routing (HPSR), pp. 197-204. DOI: 10.1109/HPSR.2013.6602312. Online publication date: Jul 2013.
    • (2013) Scalable hardware monitors to protect network processors from data plane attacks. 2013 IEEE Conference on Communications and Network Security (CNS), pp. 314-322. DOI: 10.1109/CNS.2013.6682721. Online publication date: Oct 2013.
    • (2012) Securing multi-core multi-threaded packet processors. Proceedings of the eighth ACM/IEEE symposium on Architectures for networking and communications systems, pp. 149-150. DOI: 10.1145/2396556.2396591. Online publication date: 29 Oct 2012.
    • (2012) Attacks and Defenses in the Data Plane of Networks. IEEE Transactions on Dependable and Secure Computing 9(6), pp. 798-810. DOI: 10.1109/TDSC.2012.50. Online publication date: 1 Nov 2012.
