Nael B. Abu-Ghazaleh

Analysis of TCP performance on ad hoc networks using preemptive maintenance routing

In mobile ad hoc networks, the topology of the network is constantly changing as nodes move in and out of each others range, breaking and establishing links. TCP performs poorly in such networks because packets that are lost due to path disconnections trigger TCPs congestion avoidance mechanisms. We investigate the effect of preemptive routing protocols, where an alternative path is found before an actual disconnection occurs, on the performance of TCP. Preemptive routing should perform well for TCP traffic because it reduces the delays caused by TCPs unnecessary use of congestion avoidance when paths break. We observe this behavior under some, but not all scenarios. Specifically, it appears that when the network is saturated, the additional traffic introduced by preemptive routing causes small degradation in performance. In the analysis process, we encountered an unfairness problem resulting from interaction between the routing protocol and the MAC layer under multiple continuous transmission cases. Similar unfairness problems were encountered by other studies-however the observations of those studies related those problems to the number of hops, and not the routing effects as we observed. This motivates the study of fairer wireless MAC protocols for multi-hop and ad hoc networks.

Wireless Software Defined Networking: A Survey and Taxonomy

One of the primary architectural principles behind the Internet is the use of distributed protocols, which facilitates fault tolerance and distributed management. Unfortunately, having nodes (i.e., switches and routers) perform control decisions independently makes it difficult to control the network or even understand or debug its overall emergent behavior. As a result, networks are often inefficient, unstable, and fragile. This Internet architecture also poses a significant, often insurmountable, challenge to the deployment of new protocols and evolution of existing ones. Software defined networking (SDN) is a recent networking architecture with promising properties relative to these weaknesses in traditional networks. SDN decouples the control plane, which makes the network forwarding decisions, from the data plane, which mainly forwards the data. This decoupling enables more centralized control where coordinated decisions directly guide the network to desired operating conditions. Moreover, decoupling the control enables graceful evolution of protocols, and the deployment of new protocols without having to replace the data plane switches. In this survey, we review recent work that leverages SDN in wireless network settings, where they are not currently widely adopted or well understood. More specifically, we evaluate the use of SDN in four classes of popular wireless networks: cellular, sensor, mesh, and home networks. We classify the different advantages that can be obtained by using SDN across this range of networks, and hope that this classification identifies unexplored opportunities for using SDN to improve the operation and performance of wireless networks.

Jump over ASLR: attacking branch predictors to bypass ASLR

Address Space Layout Randomization (ASLR) is a widely-used technique that protects systems against a range of attacks. ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code. In this paper, we develop an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB). Our attack exploits the observation that an adversary can create BTB collisions between the branch instructions of the attacker process and either the user-level victim process or on the kernel executing on its behalf. These collisions, in turn, can impact the timing of the attackers code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel. We demonstrate that our attack can reliably recover kernel ASLR in about 60 milliseconds when performed on a real Haswell processor running a recent version of Linux. Finally, we describe several possible protection mechanisms, both in software and in hardware.

A framework for performance analysis of parallel discrete event simulators

A framework for performance analysis of parallel discrete event simulators is presented. The centerpiece of this framework is a platform-independent Workload Specification Language (WSL). WSL is a language that allows the characterization of simulation models using a set of fundamental performancecritical parameters. WSL also implements a facility for representing real models. For each simulator to be tested, a WSL translator is used to generate synthetic platform-specific simulation models that conform to the performance characteristics captured by the WSL description. Accordingly, sets of portable simulation models that explore the effects of the different parameters, individually or collectively, on the performance can be constructed. The construction of the workload simulation models is assisted using a Synthetic Workload Generator (SWG). The utility of the system is demonstrated with the generation of a representative set of experiments. The described framework can be used to create a standard benchmark suite that consists of a mixture of real simulation models, selected from different application domains, and synthetic models generated by SWG.

Malware-aware processors: A framework for efficient online malware detection

Security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Therefore, software detectors are applied selectively and at a low frequency, creating opportunities for malware to remain undetected. In this paper, we propose Malware-Aware Processors (MAP) - processors augmented with an online hardware-based detector to serve as the first line of defense to differentiate malware from legitimate programs. The output of this detector helps the system prioritize how to apply more expensive software-based solutions. The always-on nature of MAP detector helps protect against intermittently operating malware. Our work improves on the state of the art in the following ways: (1) We define and explore the use of sub-semantic features for online detection of malware. (2) We explore hardware implementations and show that simple classifiers appropriate for such implementations can effectively classify malware. We also study different classifiers, develop implementation optimizations, and explore complexity to performance trade-offs. (3) We propose a two-level detection framework where the hardware classifier prioritizes the work of a more accurate but more expensive software defense mechanism. (4) We integrate the MAP implementation with an open-source x86-compatible core, synthesizing the resulting design to run on an FPGA.

OFC: A Distributed Fossil-Collection Algorithm for Time-Warp

In the Time-Warp synchronization model, the processes must occasionally interrupt execution in order to reclaim memory space used by state and event histories that are no longer needed (fossil-collection). Traditionally, fossil-collection techniques have required the processes to reach a consensus on the Global Virtual-Time (GVT) — the global progress time. Events with time-stamps less than GVT are guaranteed to have been processed correctly; their histories can be safely collected. This paper presents Optimistic Fossil-Collection (OFC), a new fossil-collection algorithm that is fully distributed. OFC uses a local decision function to estimate the fossilized portion of the histories (and optimistically collects them). Because a global property is estimated using local information only, an erroneous estimate is possible. Accordingly, OFC must also include a recovery mechanism to be feasible. An uncoordinated distributed checkpointing algorithm for Time-Warp that is domino-effect free and lightweight is used. We show that, in addition to eliminating the overhead for GVT estimation, OFC has several desireable memory-management properties.

The concurrent execution of non-communicating programs on SIMD processors

This paper explores the use of SIMD (single-instruction multiple-data) (or SIMD-like) hardware to support the efficient interpretation of concurrent, noncommunicating programs. This approach places compiled programs into the local memory space of each distinct processing element (PE). Within each PE, a local program contour is initialized, and the instructions are interpreted in parallel across all of the PEs by control signals emanating from the central control unit. Initial experiments have been conducted with two distinct software architectures (MINTABs and MIPS R2000) on the MasPar MP-1 and two distinct applications (program mutation analysis and Monte Carlo simulation). While these experiments have shown only marginal performance improvement, it appears that, with several minor hardware modifications, SIMD-like hardware can be constructed that will cost-effectively support both SIMD and MIMD (multiple-instruction multiple-data) processing.<<ETX>>

A high-resolution side-channel attack on last-level cache

Recently demonstrated side-channel attacks on shared Last Level Caches (LLCs) work under a number of constraints on both the system and the victim behavior that limit their applicability. This paper demonstrates on a real system a new high-resolution LLC side channel attack that relaxes some of these assumptions. Specifically, we introduce and exploit new techniques to achieve high-resolution tracking of the victim accesses to enable attacks on ciphers where critical events have a small cache footprint. We compare the quality of the side-channel in our attack to that obtained using Flush+ RELOAD attacks, which are significantly more precise but work only when the sensitive data is shared between the attacker and the victim. We show that our attack frequently obtains an equal quality channel, which we also confirmed by reconstructing the victim cryptographic key.

Understanding and Mitigating Covert Channels Through Branch Predictors

Covert channels through shared processor resources provide secret communication between two malicious processes: the trojan and the spy. In this article, we classify, analyze, and compare covert channels through dynamic branch prediction units in modern processors. Through experiments on a real hardware platform, we compare contention-based channel and the channel that is based on exploiting the branch predictor’s residual state. We analyze these channels in SMT and single-threaded environments under both clean and noisy conditions. Our results show that the residual state-based channel provides a cleaner signal and is effective even in noisy execution environments with another application sharing the same physical core with the trojan and the spy. We also estimate the capacity of the branch predictor covert channels and describe a software-only mitigation technique that is based on randomizing the state of the predictor tables on context switches. We show that this protection eliminates all covert channels through the branch prediction unit with minimal impact on performance.

Covert channels through branch predictors: a feasibility study

Covert channels through shared processor resources provide secret communication between malicious processes. In this paper, we introduce a new mechanism for covert communication using the processor branch prediction unit. Specifically, we demonstrate how a trojan and a spy can manipulate the branch prediction tables in a way that creates high-capacity, robust and noise-resilient covert channel. We demonstrate this covert channel on a real hardware platform both in Simultaneous Multi-Threading (SMT) and single-threaded settings. We also discuss techniques for improving the channel quality and outline possible defenses to protect against this covert channel.