DOI: 10.1145/2463209.2488832

High-performance hardware monitors to protect network processors from data plane attacks

Published: 29 May 2013

Abstract

The Internet is an essential communication infrastructure that needs to be protected from malicious attacks. Modern network routers are typically implemented using embedded multi-core network processors that are inherently vulnerable to attack. Hardware monitor subsystems, which verify the behavior of a router's packet processing system at runtime, can be used to identify and respond to an ever-changing range of attacks. While hardware monitors have primarily been described in the context of general-purpose computing, our work focuses on two aspects that are specific to the embedded networking domain: we present the design and prototype implementation of a high-performance monitor that can track each processor instruction with low memory overhead, and our monitor is capable of defending against attacks on processors with a Harvard architecture, the dominant contemporary network processor organization. We demonstrate that our monitor architecture introduces no network slowdown in the absence of an attack and, when an attack occurs, can drop the attack packets without otherwise affecting regular network traffic.




Published In

DAC '13: Proceedings of the 50th Annual Design Automation Conference, May 2013, 1285 pages
ISBN: 9781450320719
DOI: 10.1145/2463209

Publisher: Association for Computing Machinery, New York, NY, United States

Conference: DAC '13

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%


Cited By

  • (2019) Securing IoT Protocol Implementations Through Hardware Monitoring. 2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), pp. 467-475. DOI: 10.1109/MASS.2019.00061. Published Nov 2019.
  • (2018) Reconfigurable Network Router Security. In: Reconfigurable Logic, pp. 404-425. DOI: 10.1201/b19388-22. Published 3 Sep 2018.
  • (2017) Hardware support for embedded operating system security. 2017 IEEE 28th International Conference on Application-specific Systems, Architectures and Processors (ASAP), pp. 61-66. DOI: 10.1109/ASAP.2017.7995260. Published Jul 2017.
  • (2016) Dynamic Hardware Monitors for Network Processor Protection. IEEE Transactions on Computers 65(3), pp. 860-872. DOI: 10.1109/TC.2015.2435750. Published 1 Mar 2016.
  • (2015) Securing Network Processors with High-Performance Hardware Monitors. IEEE Transactions on Dependable and Secure Computing 12(6), pp. 652-664. DOI: 10.1109/TDSC.2014.2373378. Published 1 Nov 2015.
  • (2015) Design of an adaptive security mechanism for modern routers. 2015 IEEE International Conference on Consumer Electronics (ICCE), pp. 241-244. DOI: 10.1109/ICCE.2015.7066397. Published Jan 2015.
  • (2015) Multi-task support for security-enabled embedded processors. 2015 IEEE 26th International Conference on Application-specific Systems, Architectures and Processors (ASAP), pp. 136-143. DOI: 10.1109/ASAP.2015.7245721. Published Jul 2015.
  • (2014) System-Level Security for Network Processors with Hardware Monitors. Proceedings of the 51st Annual Design Automation Conference, pp. 1-6. DOI: 10.1145/2593069.2593226. Published 1 Jun 2014.
  • (2014) System-level security for network processors with hardware monitors. 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1-6. DOI: 10.1109/DAC.2014.6881538. Published Jun 2014.
  • (2014) Thermal-sustainable power budgeting for dynamic threading. 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 1-6. DOI: 10.1109/DAC.2014.6881514. Published Jun 2014.
