DocumentCode
533430
Title
Design of a secure packet processor
Author
Chasaki, Danai ; Wolf, Tilman
Author_Institution
Dept. of Electr. & Comput. Eng., Univ. of Massachusetts, Amherst, MA, USA
fYear
2010
fDate
25-26 Oct. 2010
Firstpage
1
Lastpage
10
Abstract
Programmability in the data path of routers provides the basis for modern router implementations that can adapt to new functional requirements. This programmability is typically achieved through software-programmable packet processing systems. One key concern with the proliferation of these programmable devices throughout the Internet is the potential impact of software vulnerabilities that can be exploited remotely. We present a design and proof-of-concept implementation of a packet processing system that uses two security techniques to defend against potential attacks: a processing monitor is used to track operations on each processor core to detect attacks at the processing instruction level; an I/O monitor is used to track operations of the router to detect attacks at the protocol level. Our prototype implementation on the NetFPGA system shows that these monitors can be implemented to operate at high data rates and with little additional hardware resources.
Keywords
Internet; field programmable gate arrays; security of data; I-O monitor; Internet; NetFPGA system; instruction level processing; processing monitor; programmable devices; protocol level; secure packet processor design; software vulnerabilities; software-programmable packet processing systems; Computer crime; Hardware; Monitoring; Prototypes; Routing protocols; Design; Performance; Security;
fLanguage
English
Publisher
ieee
Conference_Titel
Architectures for Networking and Communications Systems (ANCS), 2010 ACM/IEEE Symposium on
Conference_Location
La Jolla, CA
Print_ISBN
978-1-4244-9127-8
Electronic_ISBN
978-1-4503-0379-8
Type
conf
Filename
5623847