Securing Network Processors with High-Performance Hardware Monitors
As the Internet becomes integrated into nearly all aspects of everyday life, its reliability grows in importance. This vital communication resource, which has become an inviting target for attackers, should be protected with the same vigor as the end-systems it interconnects. Recent trends in network router design towards programmability and adaptability have increased the susceptibility of communication hardware to software attacks that modify the intended information processing and forwarding functions. Contemporary routers typically feature network processors, whose protocol processing functions are determined by software. Prior work has shown that these general-purpose software-based processing systems can be attacked with data packets sent over the network. As a defense mechanism, the correct functionality of a network processor can be verified by a hardware monitor that observes processor operation and compares it to expected behavior. In the event of an attack, the monitor can interrupt the network processor, suppress malicious behavior, and reset the processor to a usable state for processing of subsequent traffic. In this work, we present many important advances in hardware monitoring for network processors. A low-overhead monitor design that evaluates correct network processor operation in real time on an instruction-by-instruction basis is described and tested. The monitor is shown to effectively prevent stack smashing attacks on processors that use a Harvard architecture, a widely used network processor configuration. Through experimentation, we show that our approach to hardware monitoring does not affect data plane packet throughput. In the event of an attack, malicious packets are dropped, whereas packets of regular network traffic proceed through the network unaffected. A full analysis of monitor architectural parameters is provided to create an optimized monitor design.