Publication


Featured research published by Danai Chasaki.


international conference on computer communications and networks | 2011

Attacks on Network Infrastructure

Danai Chasaki; Qiang Wu; Tilman Wolf

We present the first practical example of an entirely new class of network attacks -- attacks that target the network infrastructure. Modern routers in computer networks use general-purpose programmable packet processors. The software used for packet processing on these systems is potentially vulnerable to remote exploits. In this paper, we demonstrate a specific attack that can launch a devastating denial-of-service attack by sending just a single packet. We show that vulnerable packet processing code can be exploited on a Click modular router as well as on a custom packet processor on the NetFPGA platform. We also show that defense techniques based on processor monitoring that we have proposed in prior work can help in detecting and avoiding such attacks.


IEEE Transactions on Dependable and Secure Computing | 2012

Attacks and Defenses in the Data Plane of Networks

Danai Chasaki; Tilman Wolf

Security issues in computer networks have focused on attacks on end systems and the control plane. An entirely new class of emerging network attacks aims at the data plane of the network. Data plane forwarding in network routers has traditionally been implemented with custom-logic hardware, but recent router designs increasingly use software-programmable network processors for packet forwarding. These general-purpose processing devices exhibit software vulnerabilities and are susceptible to attacks. We demonstrate -- to our knowledge the first -- practical attack that exploits a vulnerability in packet processing software to launch a devastating denial-of-service attack from within the network infrastructure. This attack uses only a single attack packet to consume the full link bandwidth of the router's outgoing link. We also present a hardware-based defense mechanism that can detect situations where malicious packets try to change the operation of the network processor. Using a hardware monitor, our NetFPGA-based prototype system checks every instruction executed by the network processor and can detect deviations from correct processing within four clock cycles. A recovery system can restore the network processor to a safe state within six cycles. This high-speed detection and recovery system can ensure that network processors can be protected effectively and efficiently from this new class of attacks.


architectures for networking and communications systems | 2010

Design of a secure packet processor

Danai Chasaki; Tilman Wolf

Programmability in the data path of routers provides the basis for modern router implementations that can adapt to new functional requirements. This programmability is typically achieved through software-programmable packet processing systems. One key concern with the proliferation of these programmable devices throughout the Internet is the potential impact of software vulnerabilities that can be exploited remotely. We present a design and proof-of-concept implementation of a packet processing system that uses two security techniques to defend against potential attacks: a processing monitor is used to track operations on each processor core to detect attacks at the processing instruction level; an I/O monitor is used to track operations of the router to detect attacks at the protocol level. Our prototype implementation on the NetFPGA system shows that these monitors can be implemented to operate at high data rates and with little additional hardware resources.


high performance switching and routing | 2010

Implementation of a simplified network processor

Qiang Wu; Danai Chasaki; Tilman Wolf

Programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. Programmability of these systems allows the introduction of new packet processing functions, which is essential for today's Internet as well as for next-generation network architectures. Software development for many existing implementations of these network processors requires a deep understanding of the architecture and careful resource management by the software developer. Resource management that is tied to application development makes it difficult for packet processors to adapt to changes in the workload that are based on traffic conditions and the deployment of new functionality. Therefore, we present a network processor design that separates programming from resource management, which simplifies the software development process and improves the system's ability to adapt to network conditions. Based on our initial system design, we present a prototype implementation of a 4-core network processor using the NetFPGA platform. We demonstrate the operation of the system using header-processing and payload-processing applications. For packet forwarding, our simplified network processor can achieve a throughput of 2.79 Gigabits per second at a clock rate of only 62.5 MHz. Our results indicate the proposed design can scale to configurations with many more processors that operate at much higher clock rates and thus can achieve considerably higher throughput while using modest amounts of hardware resources.


architectures for networking and communications systems | 2011

Inferring Packet Processing Behavior Using Input/Output Monitors

Danai Chasaki; Qiang Wu; Tilman Wolf

Programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. This programmability introduces new vulnerabilities in these systems that can lead to new types of network attacks. We propose a modular packet processor monitoring technique that can help in detecting and avoiding such attacks. Using information about the processing time distribution of individual modules, input/output traffic characteristics can be inferred and abnormal behavior can be detected.


international conference on consumer electronics | 2015

Low complexity Intercarrier Interference reduction for high mobility wireless systems

Youssef El Hajj Shehadeh; Sebastian Bamgartner; Danai Chasaki; Gangolf Hirtz

With the growing number of infotainment services, the demand on high speed internet in vehicles is increasing. Yet, ensuring a high speed internet access at high mobility is challenging. Indeed, high mobility leads to Doppler shifts that result in Inter Carrier Interference (ICI) in OFDM-based wireless systems. Many ICI equalization techniques have been proposed, yet these incur an additional computational complexity and hence higher energy consumption. In this work, we propose a very low complexity interference reduction method. Based on a linear modeling of the channel variation, we derive relations between the interference terms at the different subcarriers and show that interference can be significantly reduced through simple linear operations.


international conference on consumer electronics | 2015

Design of an adaptive security mechanism for modern routers

Christopher Mansour; Youssef El Hajj Shehadeh; Danai Chasaki

Modern routers should be able to support many new functions to meet the needs of customers. To achieve such flexibility, programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. This programmability introduces new vulnerabilities in these systems that can lead to new types of network attacks. We propose a monitoring subsystem which functions in parallel with the processing core of the router and aids in the detection of such attacks. Upon detection, our system has the ability to restore the router's operation to a different, but functionally equivalent state.


high performance switching and routing | 2013

External monitoring of highly parallel network processors

Xinming Chen; Danai Chasaki; Tilman Wolf

Modern routers use high-performance multi-core packet processing systems to implement protocol operations and to forward traffic. As the diversity of protocols and the number of processor cores increases, it becomes increasingly difficult to manage these systems and ensure their correct operation at runtime. In particular, it is challenging to identify situations in which a part of processor cores behave incorrectly, either due to failure or due to malicious attacks. To address this problem, we present a novel approach to verifying correct operation of a packet processor by analyzing packet latency and throughput. This approach can treat the network processor as a “black box” and does not need to observe internal functionality. We show that processing time statistics are affected by system misbehavior and present an analytic model to quantify these effects. Our results show that the presented technique is an effective approach to provide an extra level of protection to packet processor systems.


architectures for networking and communications systems | 2010

Fast regular expression matching in hardware using NFA-BDD combination

Danai Chasaki; Tilman Wolf

The development of Network Intrusion Detection Systems (NIDS) is nowadays a powerful solution to defend against various network security threats. There has been a lot of research effort devoted to hardware-based NIDS, because of (1) the massive amount of computation performed by regular expression matching algorithms and (2) the gigabit per second performance requirement of modern NIDS. Hardware-based NIDS take advantage of parallelization inherent in FPGAs, ASICs or network processors to support very high network speeds, while software approaches fail to do so.


architectures for networking and communications systems | 2009

Simplifying data path processing in next-generation routers

Qiang Wu; Danai Chasaki; Tilman Wolf

Customizable packet processing is an important aspect of next-generation networks. Packet processing architectures using multi-core systems on a chip can be difficult to program. In our work, we propose a new packet processor design that simplifies packet processing by managing packet contexts in hardware. We show how such a design scales to large systems. Our results also show that the management of such a system is feasible with the proposed mapping algorithm.

Collaboration


Dive into Danai Chasaki's collaboration.

Top Co-Authors

Tilman Wolf

University of Massachusetts Amherst

Qiang Wu

University of Massachusetts Amherst

Youssef El Hajj Shehadeh

Chemnitz University of Technology

Eric Penera

Naval Surface Warfare Center

Fadel Adib

Massachusetts Institute of Technology

Jay Aikat

University of North Carolina at Chapel Hill
