Alberto Ferrante
University of Lugano
Publication
Featured research published by Alberto Ferrante.
next generation internet | 2005
Alberto Ferrante; Vincenzo Piuri; Jeff Owen
IPSec is a suite of protocols that adds security to communications at the IP level. This suite of protocols is becoming more and more important as it is included as a mandatory security mechanism in IPv6. In this paper we provide an evaluation of the hardware resources needed for supporting virtual private networking through IPSec. The target system of this study is a home secure gateway, therefore only the tunnel mode is considered. Focus is on ESP protocol, but also some evaluations on AH are provided. We discuss usage of the AES, HMAC-SHA-1, and HMAC-SHA-2 cryptographic algorithms. In this paper we show that enabling IPSec in a 100 Mbit/s network kills its performance in almost every case. In a 10 Mbit/s network the results obtained for performance and CPU usage are much better. An interesting case within this network configuration is that in which IPComp is enabled and used on compressible data: CPU usage grows to 100%, but network throughput rises over the 10 Mbit/s limit, due to data compression. This performance evaluation leads to the conclusion that while a hardware crypto-accelerator is really key in reaching high performance, it may also be useful in small, slow systems (e.g. small embedded systems) where it would help improve performance and security.
world of wireless mobile and multimedia networks | 2010
Antonio Vincenzo Taddeo; Laura Micconi; Alberto Ferrante
Wireless sensor networks are composed of nodes with stringent constraints on resources. Some of these devices may have the possibility to recharge batteries (e.g., by means of solar panels); though, a reduced power consumption is anyway a key factor when recharge resources are not available (e.g., during the night for solar panels). In this paper we describe a method for security self-adaptation tailored for wireless sensor networks. This method allows devices to adapt security of applications gradually with the goal of guaranteeing the maximum possible level of security while satisfying power constraints. A case study, implemented on Sun SPOTs, is also presented to show how the method works in a real wireless sensor network.
Journal of Systems Architecture | 2009
Onur Derin; Alberto Ferrante; Antonio Vincenzo Taddeo
Self-adaptivity is the capability of a system to adapt itself dynamically to achieve its goals. Self-adaptive systems will be widely used in the future both to efficiently use system resources and to ease the management of complex systems. The frameworks for self-adaptivity developed so far usually concentrate either on self-adaptive software or on self-adaptive hardware, but not both. In this paper, we propose a model of self-adaptive systems and we describe how to manage self-adaptivity at all levels (both hardware and software) by means of a decentralized control algorithm. The key advantage of decentralized control is in the simplicity of the local controllers. Simulation results are provided to show the main characteristics of the model and to discuss it.
computing frontiers | 2005
Alberto Ferrante; Vincenzo Piuri; Fabien Castanier
IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. In this paper we discuss a scheduling algorithm for distributing IPSec packet processing over the CPU with a software implementation of the cryptographic algorithms considered and multiple cryptographic accelerators. This algorithm also provides support for quality of service. High-level simulations and the related results are provided to show the properties of the algorithm. Some architectural improvements suitable to better exploit this scheduling algorithm are also presented.
application-specific systems, architectures, and processors | 2004
Fabien Castanier; Alberto Ferrante; Vincenzo Piuri
IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. We discuss a scheduling algorithm for distributing IPSec packet processing over the CPU with a software implementation of the cryptographic algorithms considered and multiple cryptographic accelerators. High-level simulations and the related results are provided to show the properties of the algorithm. Some architectural improvements suitable to better exploit this scheduling algorithm are also presented.
Proceedings of the 5th ACM symposium on QoS and security for wireless and mobile networks | 2009
Antonio Vincenzo Taddeo; Alberto Ferrante
One of the most important challenges that need to be currently faced in securing resource-constrained embedded systems is optimizing the trade-off between resources used (energy consumption and computational capabilities required) and security requirements for cryptographic algorithms: any adopted security solutions should guarantee an adequate level of protection, yet respecting constraints on computational resources and consumed power. In this paper a generic, efficient, and energy-aware mechanism to determine a correct trade-off between security requirements and resources consumed is proposed. The solution proposed relies on Analytic Hierarchy Process (AHP) to define priorities among different requirements and to compare different security solutions. A knapsack problem is formulated to select the most relevant algorithms based on their utility and on available resources.
next generation internet | 2007
Alberto Ferrante; Vincenzo Piuri
IPSec is a suite of protocols which adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. In this paper we propose a high level architecture of a system on chip (SoC) which implements IPSec. This SoC has been thought to be placed on the main data path of the host machine (flow-through architecture), thus allowing for transparent processing of IPSec traffic. The functionalities of the different blocks and their interactions, along with an estimation of the internal memory size, are also shown.
international conference on security and cryptography | 2016
Jelena Milosevic; Miroslaw Malek; Alberto Ferrante
With an ever-increasing and ever more aggressive proliferation of malware, its detection is of utmost importance. However, due to the fact that IoT devices are resource-constrained, it is difficult to provide effective solutions. The main goal of this paper is the development of lightweight techniques for dynamic malware detection. For this purpose, we identify an optimized set of features to be monitored at runtime on mobile devices as well as detection algorithms that are suitable for battery-operated environments. We propose to use a minimal set of most indicative memory and CPU features reflecting malicious behavior. The performance analysis and validation of features' usefulness in detecting malware have been carried out by considering the Android operating system. The results show that memory and CPU related features contain enough information to discriminate between execution traces belonging to malicious and benign applications with significant detection precision and recall. Since the proposed approach requires only a limited number of features and algorithms of low complexity, we believe that it can be used for effective malware detection, not only on mobile devices, but also on other smart elements of IoT.
consumer communications and networking conference | 2016
Jelena Milosevic; Alberto Ferrante; Miroslaw Malek
Malware detection methods are divided into two groups: static and dynamic. While methods based on static analysis might be lightweight and suitable for constrained resources of mobile devices, they suffer from inability to detect malware during its execution. On the other side, dynamic detection methods are usually too complex to be run on mobile devices. This paper is about dynamic, but lightweight, detection methods and, in particular, about features that can be used in these methods to identify malware. We take into account all the features related to memory and CPU usage that can be collected and observed on the mobile device through its operating system. We analyze these features and their significance within the malware families they belong to, and take into account the most indicative ones for each family. Furthermore, we analyze the occurrence of features in all the families. By taking into account the most indicative features per malware family we determine ones that are more resistant to the variety of mobile malware rather than just observe the overall significance of features. Results show that the number of occurrences of features among the most indicative ones varies; some features appear as good candidates for malware detection in general, some features appear as good candidates for detection of specific malware families, and some others are simply irrelevant.
availability, reliability and security | 2014
Jelena Milosevic; Andreas Dittrich; Alberto Ferrante; Miroslaw Malek
With explosive growth in the number of mobile devices, mobile malware is rapidly spreading, making security one of the key issues. Existing solutions, which are mainly based on binary signatures, are not very effective. The main contribution of this paper is a novel methodology to design and implement secure mobile devices by offering a resource-optimized method that combines efficient, light-weight malware detection on the mobile device with high precision detection methods on cloud servers. We focus on the early detection of behavioral patterns of malware families rather than the detection of malware binary signatures. Upon detection of an attack, an alarm is raised and the damage that can be caused by the detected malware type is estimated. Furthermore, the database with behavioral patterns is continuously updated, thus keeping a device resistant to new malware families.