High-performance hardware monitors to protect network processors from data plane attacks

Chandrikakutty, Harikrishnan Kumarapillai; Unnikrishnan, Deepak; Tessier, Russell; Wolf, Tilman

doi:10.1145/2463209.2488832

Cited by 12 publications

(4 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hardware monitoring has been studied extensively for embedded systems [15]- [17] and has also been proposed for use in network processors [6]. In our recent work, we describe a high-performance implementation of such a hardware monitoring system that can meet the throughput demands of a network processor with a single processing core [18].…”

Section: Related Workmentioning

confidence: 99%

“…In addition, attacks on network processors have been shown both on systems that are based on von Neumann architecture [3], leading to arbitrary code execution, and on systems based on Harvard architecture [18], leading to return-to-libc attacks.…”

Section: Vulnerabilities In Networking Infrastructurementioning

confidence: 99%

“…Hardware monitors for single core network processor systems have been demonstrated in prior work [3], [18]. These solutions, however, do not address three critical problems that appear in practical network processor systems:…”

Section: Defense Mechanisms With Hardware Monitoringmentioning

confidence: 99%

“…Our benchmark analysis shows that this is the typical case for NP applications. Full details of graph generation, including a detailed example, are shown in [18].…”

Section: Multi-ported Hardware Monitor Designmentioning

confidence: 99%

See 3 more Smart Citations

Dynamic Hardware Monitors for Network Processor Protection

Chandrikakutty

Goodman

et al. 2016

IEEE Trans. Comput.

Self Cite

View full text Add to dashboard Cite

The importance of the Internet for society is increasing. To ensure a functional Internet, its routers need to operate correctly. However, the need for router flexibility has led to the use of softwareprogrammable network processors in routers, which exposes these systems to data plane attacks. Recently, hardware monitors have been introduced into network processors to verify the expected behavior of processor cores at run time. If instruction-level execution deviates from the expected sequence, an attack is identified, triggering processor core recovery efforts. In this manuscript, we describe a scalable network processor monitoring system that supports the reallocation of hardware monitors to processor cores in response to workload changes. The scalability of our monitoring architecture is demonstrated using theoretical models, simulation, and router system-level experiments implemented on an FPGA-based hardware platform. For a system with four processor cores and six monitors, the monitors result in a 6% logic and 38% memory bit overhead versus the processor's core logic and instruction storage. No slowdown of system throughput due to monitoring is reported.Index Terms-network security, network infrastructure, data plane attack, hardware monitor, multicore processor, FPGA 0018-9340 (c)

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Vulnerabilities In Networking Infrastructurementioning

confidence: 99%

Section: Defense Mechanisms With Hardware Monitoringmentioning

confidence: 99%

“…Our benchmark analysis shows that this is the typical case for NP applications. Full details of graph generation, including a detailed example, are shown in [18].…”

Section: Multi-ported Hardware Monitor Designmentioning

confidence: 99%

See 2 more Smart Citations