Gaston S. Ormazabal
Verizon Communications
Publications
Featured research published by Gaston S. Ormazabal.
Principles, Systems and Applications of IP Telecommunications | 2008
Gaston S. Ormazabal; Sarvesh Nagpal; Eilon Yardeni; Henning Schulzrinne
Traditional perimeter security solutions cannot cope with the complexity of VoIP protocols at carrier-class performance. We implemented a large-scale, rule-based SIP-aware application-layer firewall capable of detecting and mitigating SIP-based Denial-of-Service (DoS) attacks at the signaling and media levels. The detection algorithms, implemented in a highly distributed hardware solution leveraged to obtain filtering rates in the order of hundreds of transactions per second, suggest carrier-class performance. The firewall performs SIP traffic filtering against spoofing attacks, and against request, response and out-of-state floods. The functionality and performance of the DoS prevention schemes were validated using a distributed test-bed and a custom-built, automated testing and analysis tool that generated high-volume signaling and media traffic, and performed fine-grained measurements of filtering rates and load-induced delays of the system under test. The test tool included SIP-based attack vectors of spoofed traffic, as well as floods of requests, responses and out-of-state message sequences. This paper also presents experimental results.
IEEE Design & Test of Computers | 2013
Jeyavijayan Rajendran; Arun K. Kanuparthi; Mohamed Zahran; Sateesh Addepalli; Gaston S. Ormazabal; Ramesh Karri
Modification to traditional SoC design flow can enable effective protection against maliciously inserted rogue functionality during design and fabrication. This article presents a joint circuit-architecture-level design approach that helps in preventing or detecting Trojan attacks.
International Conference on Computer Design | 2012
Arun K. Kanuparthi; Ramesh Karri; Gaston S. Ormazabal; Sateesh Addepalli
High performance and low power consumption have traditionally been the primary design goals for computer architects. With computer systems facing a wave of attacks that disrupt their normal execution or leak sensitive data, computer security is no longer an afterthought. Dynamic integrity checking has emerged as a possible solution to protect computer systems by thwarting various attacks. Dynamic integrity checking involves calculation of hashes of the instructions in the code being executed and comparing these hashes against corresponding precomputed hashes at runtime. The processor pipeline is stalled and the instructions are not allowed to commit until the integrity check is complete. Such an approach has severe performance implications as it stalls the pipeline for several cycles. In this paper, we propose a hardware-based dynamic integrity checking approach that does not stall the processor pipeline. We permit the instructions to commit before the integrity check is complete, and allow them to make changes to the register file, but not the data cache. The system is rolled back to a known state if the checker deems the instructions as modified. Our experiments show an average performance overhead of 1.66%, area overhead of 4.25%, and a power overhead of 2.45% over a baseline processor.
Archive | 2013
Amandeep Singh; Gaston S. Ormazabal; Sateesh Addepalli; Henning Schulzrinne
As voice, multimedia, and data services are converging to IP, there is a need for a new networking architecture to support future innovations and applications. Users are consuming Internet services from multiple devices that have multiple network interfaces such as Wi-Fi, LTE, Bluetooth, and possibly wired LAN. Such diverse network connectivity can be used to increase both reliability and performance by running applications over multiple links, sequentially for seamless user experience, or in parallel for bandwidth and performance enhancements. The existing networking stack, however, offers almost no support for intelligently exploiting such network, device, and location diversity. In this work, we survey recently proposed protocols and architectures that enable heterogeneous networking support. Upon evaluation, we abstract common design patterns and propose a unified networking architecture that makes better use of a heterogeneous dynamic environment, both in terms of networks and devices. The architecture enables mobile nodes to make intelligent decisions about how and when to use each or a combination of networks, based on access policies. With this new architecture, we envision a shift from current applications, which support a single network, location, and device at a time to applications that can support multiple networks, multiple locations, and multiple devices.
IEEE Computer Society Annual Symposium on VLSI | 2012
Arun K. Kanuparthi; Ramesh Karri; Gaston S. Ormazabal; Sateesh Addepalli
The number of attacks on embedded processors is on the rise. Attackers exploit vulnerabilities in the software to launch new attacks and get unauthorized access to sensitive information stored in these devices. Several solutions have been proposed by both academia and industry to protect the programs running on these embedded-processor-based computer systems. After a description of the several attacks that threaten a computer system, this paper surveys existing defenses, software-based and hardware-based (watchdog checkers, integrity trees, memory encryption, and modification of processor architecture), that protect against such attacks. This paper also provides a comparative discussion of their advantages and disadvantages.
Principles, Systems and Applications of IP Telecommunications | 2013
Amandeep Singh; Gaston S. Ormazabal; Henning Schulzrinne; Yan Zou; Peter Thermos; Sateesh Addepalli
The Internet was designed under the assumption that end-hosts are stationary and have one interface. Current mobile devices have multiple network interfaces, such as Wi-Fi, LTE, WiMAX, and possibly Ethernet. Such diverse network connectivity can be used to increase both reliability and performance by running applications over multiple links sequentially, for a seamless user experience, or in parallel, for bandwidth and performance enhancements. Users are also consuming Internet services from multiple locations and devices, such as smartphones, tablets, laptops, and IP-enabled TVs. The existing networking stack, however, offers almost no support for intelligently exploiting such network, location and device diversity. Since most Internet devices today are mobile, we propose a unified networking architecture that makes optimal use of a heterogeneous dynamic environment, both in terms of networks and user devices. The system core functionalities include mobility, multi-homing, multipath, and disruption tolerance. The system enables mobile nodes to make decisions about how and when to use each or a combination of networks, in a secure manner. With this new architecture, we envision a shift from current applications supporting a single network, location, and device at a time, to applications that can support multiple networks, multiple locations, and multiple devices.
Datenschutz und Datensicherheit - DuD | 2014
Amandeep Singh; Gaston S. Ormazabal; Henning Schulzrinne
In this article, security challenges related to a mobile heterogeneous networking environment and the general access patterns are discussed. A novel, unified networking architecture that enables secure heterogeneous networking, both in terms of networks and user devices, is discussed. A comprehensive security framework providing a generalized authentication scheme using the Extensible Authentication Protocol (EAP) is then presented, taking into account existing methods for secure network and device access.
Archive | 2003
Gaston S. Ormazabal; Edward P. Harvey; James E. Sylvester
Archive | 2008
Gaston S. Ormazabal; Edward P. Harvey; James E. Sylvester
Archive | 2003
Gaston S. Ormazabal; Edward P. Harvey; James E. Sylvester