Using Multi-core to Support Security-related Applications

Size: px

Start display at page:

Download "Using Multi-core to Support Security-related Applications"

Charla Higgins
6 years ago
Views:

1 Using Multi-core to Support Security-related Applications Prof Wanlei Zhou Deakin University, Australia Dr Yang Xiang Central Queensland University, Australia Citation: Wanlei Zhou and Yang Xiang, "Using Multi-core to Support Securityrelated Applications", The 8th International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP2008), Cyprus, 9-11 June, 2008

2 Outline Part 1: Introduction to Multi-core Part 2: Background of multiprocessing Part 3:Security-related applications Part 4: Using multi-core to support security-related applications

3 Part 4: Using multi-core to support security-related applications 10. Security challenges Isolated running environment Parallel intrusion detection and packet filtering Parallel visualization of network monitoring Parallel processing of critical flaws and exploits 11. The need for multi-core What does multi-core offer? The need for multi-core What are the difficulties multi-core brings to security-related applications? 12. The support from multi-core Recent development in this area Partitioning and distributing workload of security-related applications Fine-grained multi-threading Smartly using the memory system Communications between cores New software architecture based on multi-core Our current projects on multi-core 13. Conclusions Vision: system bodyguard Future research directions and conclusions

4 10. Security challenges Isolated running environment Parallel intrusion detection and packet filtering Parallel visualization of network monitoring Parallel processing of critical flaws and exploits

5 10.1. Isolated running environment Why do we need isolated running environment? Security-related applications should be run separately from other applications Limit system failure to minimum area Isolation is a good way to provide security What do we need to isolate Processor Cache Memory I/O Data Challenges Malicious software can access almost all the resources Isolation must have support from hardware

6 10.2. Parallel intrusion detection and packet filtering Why do we need parallel intrusion detection and packet filtering? Faster processing speed Higher detection and filtering rate More intelligent, adaptive mechanisms can be used The key function in intrusion detection and packet filtering: deep packet inspection examine both packet headers and payloads What can be parallelized Deep packet inspection process Network traffic data Challenges High network bandwidth (Gbps) but low processing speed (Mbps) Deep packet inspection in real-time High true positive rate, low false positive rate, low false negative rate Frequently changed rules

7 10.3. Parallel visualization of network monitoring Why do we need visualization of network monitoring? Quickly identify the attack Dynamic management of network resources What do we need to visualize? Nodes Links Traffic direction and speed Locations Network characteristics, such as IP addresses, port numbers Contents in network traffic Correlated or reconstructed information from network traffic

8 10.3. Parallel visualization of network monitoring (continued) Example 1: Core AS on current Internet * Internet Atlas Gallery, visited May 2008

9 10.3. Parallel visualization of network monitoring (continued) Example 2: CodeRed worm infection * CodeRed Worm Infections in /8 on July 19, 2001, visited May 2008

10 10.3. Parallel visualization of network monitoring (continued) Challenges High network bandwidth (Gbps) but very low processing speed it is almost impossible to display real-time network conditions Visualizing a large amount of data Visualizing high-dimension data

11 10.4. Parallel processing of critical flaws and exploits Why do we need parallel processing of critical flaws and exploits? These computing-intensive processes prohibit other applications from smoothly running Security requirements from operating systems and applications What critical flaws and exploits do we need to process? Input validation failures. From security perspective, it is very important that all input data are validated prior to application processing Output sanitation. Generated output should be verified for all known values to prevent possible insertion of malicious input by hackers. Any unknown values, comments and identifiers must be eliminated

12 10.4. Parallel processing of critical flaws and exploits (continued) What critical flaws and exploits do we need to process? (continued) Buffer overflow. When an application or process tries to store data in a data storage or memory buffer, buffer overflow check should be carried out Data injection flaw. To prevent intruders piggyback user data or inject malicious code together with user data, all user data such as query strings, form fields, cookies, client-side scripts must be validated for known and valid values only Broken access control. It is important to verify the applicationspecific access control lists for all known risks and to run penetration test to identify potential access control failures Audit, logging and tracing failures. Carry out processes for audit, logging and tracing of exceptions and bugs with high availability and efficiency for applications is vital

13 10.4. Parallel processing of critical flaws and exploits (continued) Challenges Validating input parameters (such as data type, format, length, range, null-value handling, verifying for character set, etc) are time-consuming Output sanitation has been ignored by many applications because of the cost Processing large data injection flaw is difficult Access control lists are too large Audit, logging and tracing failures requires high processing power and data storage

14 11. The need for multi-core What does multi-core offer? The need for multi-core What are the difficulties multi-core brings to security-related applications?

15 11.1. What does multi-core offer? Higher processing power Lower energy requirement Potential isolated environment

16 11.2. The need for multi-core From the server or router side (network device), if the network security software is not fast enough, it can be very difficult to process every incoming packet then it would slow down the traffic From the client side (end user s computing device), it can also be very difficult to run network security applications without any interruption to normal applications because those computing-intensive applications significantly slow down other simultaneously running applications

17 11.2. The need for multi-core (continued) Current security-related applications in network devices or end user s computing devices can not do both: Processing security checks in real-time Processing information with large number of states and semantic contexts More processing power is urgently needed: what multi-core can provide

18 11.3. What are the difficulties multi-core brings to security-related applications? Multi-core provides a network security application with more processing power from the hardware perspective, the difficulties mainly come from software perspective How can we actually use multi-core to continue running the network security applications while keeping the overall system performance? How can we efficiently partition and distribute the workload of network security applications between the different cores in the multi-core processor? How can we split network data and solve the data dependency problem? As multi-core uses shared off-chip memory, how can we smartly utilize the memory then it will bring less memory access latencies? How can we synchronize and coordinate different threads of the applications when it is parallelized on multi-core?

19 12. The support from multi-core Recent development in this area Partitioning and distributing workload of security-related applications Fine-grained multi-threading Smartly using the memory system Communications between cores New software architecture based on multicore Our current projects on multi-core

20 12.1. Recent development in this area Automatically mapping applications onto multi-core systems Turning serial applications into parallel applications without special security considerations Limitations: Coarse-grained parallelisms Security applications have own unique behavioral characteristics such as frequent memory or disk access, complex data structures, and high bandwidth and high speed requirements - automatically mapping can not solve the problem References G. S. Sohi, S. E. Breach and T. N. Vijaykumar, "Multiscalar Processors", Proceedings of 22nd Annual International Symposium on Computer Architecture, pp , M. B. Taylor, W. Lee, J. Miller, D. Wentzlaff, I. Bratt, B. Greenwald, H. Hoffmann, P. Johnson, J. Kim, J. Psota, A. Saraf, N. Shnidman, V. Strumpen, M. Frank, S. Amarasinghe and A. Agarwal, "Evaluation of the Raw Microprocessor: An Exposed-Wire-Delay Architecture for ILP and Streams", Proceedings of 31st Annual International Symposium on Computer Architecture, pp. 2-13, J. Yan and W. Zhang, "Hybrid Multi-Core Architecture for Boosting Single-Threaded Performance", ACM SIGARCH Computer Architecture News, vol. 35, no. 1, pp , H. Zhong, S. A. Lieberman and S. A. Mahlke, "Extending Multicore Architectures to Exploit Hybrid Parallelism in Single-thread Applications", Proceedings of IEEE 13th International Symposium on High Performance Computer Architecture, pp , H. Zhou, "Dual-Core Execution: Building a Highly Scalable Single-Thread Instruction Window", Proceedings of 14th International Conference on Parallel Architectures and Compilation Techniques, pp , 2005.

21 12.1. Recent development in this area (continued) Virtualization Using virtual machine to utilize unused processing power Handling unsafe code: directly execute code until not safe Limitations: isolation is a problem shared memory and shared I/O References Stephen Herrod, The Future of Virtualization Technology, Proceedings of the 33rd annual international symposium on Computer Architecture, keynote, pp. 352, 2006 Matthew Carpenter, Tom Liston, and Ed Skoudis, Hiding Virtualization from Attackers and Malware, IEEE Security and Privacy, pp , vol. 5, no. 3, 2007 Nidhi Aggarwal, Parthasarathy Ranganathan, Norman P. Jouppi, and James E. Smith, Isolation in Commodity Multicore Processors, IEEE Computer, pp , vol. 40, no. 6, 2007

22 12.1. Recent development in this area (continued) Hardware-based parallelisms Using ASICs or FPGAs to accelerate the speed of processing network packets Require highly deliberate and customized programming, which is directly at odds with the pressing need to perform diverse, increasingly sophisticated forms of analysis Limitations: not flexible, expensive, not support sophisticated processing References O. Villa, D. P. Scarpazza and F. Petrini, Accelerating Real-Time String Searching with Multicore Processors, IEEE Computer, vol. 41, no. 4, pp , 2008 S. Dharmapurikar, P. Krishnamurthy, T. S. Sproull, J. W. Lockwood, Deep Packet Inspection Using Parallel Bloom Filters, IEEE Micro, vol. 24, no. 1, pp , 2004 H. Liu, K. Zheng, B. Liu, X. Zhang and Y. Liu, A Memory-Efficient Parallel String Matching Architecture for High-Speed Intrusion Detection, IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp , 2006 C. L. Hayes and Y. Luo, DPICO: A High Speed Deep Packet Inspection Engine Using Compact Finite Automata, Proceedings of ACM/IEEE ANCS 07, pp , 2007 P. Piyachon and Y. Luo, Efficient Memory Utilization on Network Processors for Deep Packet Inspection, Proceedings of ACM/IEEE ANCS 06, pp , 2006 V. Paxson, K. Asanovi, S. Dharmapurikar, J. Lockwood, R. Pang, R. Sommer and N. Weaver, Rethinking Hardware Support for Network Analysis and Intrusion Prevention, Proceedings of the 1st conference on USENIX Workshop on Hot Topics in Security, 2006

23 12.2. Partitioning and distributing workload of security-related applications Parallelization can be created by slicing program regions into multiple communicating sequential parts or threads Characteristics of security-related applications must be carefully examined The key step to efficiently make use of multicore is to parallelise applications at application level, which means to optimize the parallelization not by program compilers, but by fine-grained analysis of each application then decide the detailed parallelization

24 12.2. Partitioning and distributing workload of security-related applications (continued) Three key questions require further study How can we divide computing tasks into smaller parts? We must break the traditional security-related applications into different smaller tasks that can concurrently run on cores How can we find and remove the dependencies to maximise parallelization? In order to run the single threaded applications in parallel, we need to limit the dependencies including data dependencies, memory dependencies, and control dependencies, which severely restrict the degree of parallelization How can we partition the application work load, especially for graphicbased security-related applications such as network visualizer, to realize the goal of real-time processing? Network security devices must be able to process a large amount of network data. For example, 1 hour data from a 100Mbps network interface processed by the network visualiser could theoretically equals 11 GB. Therefore we need to carefully consider this tough requirement of real-time processing when parallelizing security-related applications

25 12.3. Fine-grained multi-threading From software perspective, 2 forms of fine-grained thread-level parallelization can be used: Decoupled software pipelining The execution of a single iteration of a loop is subdivided and spread across multiple cores. When the compiler can create subdivisions that form an acyclic dependence graph, each subpart can be independently executed forming a pipeline Strand decomposition Strand decomposition refers to slicing program regions into a set of communicating subgraphs. Strands must be carefully identified to allow overlap of memory instructions and any cache misses that result From security-related application perspective, 2 forms of finegrained thread-level parallelization can be used: Packet-level multi-threading allocating network packet data directly into different threads, which is only suitable for single packet inspection Flow-level multi-threading reconstructing network packet data into flows, then allocating them into different threads, which is suitable for sophisticated applications such as intrusion detection systems * H. Zhong, S. A. Lieberman and S. A. Mahlke, "Extending Multicore Architectures to Exploit Hybrid Parallelism in Single-thread Applications", Proceedings of IEEE 13th International Symposium on High Performance Computer Architecture, pp , 2007.

26 12.4. Smartly using the memory system The inherent design feature of multi-core is to fasten memory access through the cache and memory system but not through network communications, if compared with traditional multi-processor cluster systems Excessively accessing external off-chip memory will significantly slow down the overall performance The key questions on this issue are How to compress the data structure efficiently while still maintaining fast processing speed? How to allocate data onto the hierarchical memory system to reduce memory access latency while balancing memory access load? How to avoid the cache contention problem, where multiple cores compete for usage of the shared L2 cache?

27 12.5. Communications between cores The cores in multi-core systems communicate through memory if the data is stored outside the cache Synchronisation of the cores is also performed through memory, thereby causing a high overhead for synchronisation High communication latency between cores can easily outweigh the benefit of parallelization Communication middleware and applications should be written in a multi-core aware manner to alleviate this problem Data should be carefully examined and stored in order to avoid unnecessary communications

28 12.6. New software architecture based on multi-core System architecture of using multi-core processors in network security applications * Yang Xiang, Wanlei Zhou, Using Multi-core Processors to Support Network Security Applications, 12 th IEEE International Workshop on Future Trends of Distributed Computing Systems, submitted May 2008

29 12.6 New software architecture based on multi-core (continued) Benefits that this architecture brings High performance The workload of security-related applications can be distributed to different cores to achieve high performance, in terms of latency, throughput, and CPU utilization Comprehensive With the processing power, the system can integrate as many modules (such as intrusion detection module, anti-virus module, and anti-spam module) as necessary Intelligent Highly computing-intensive methods can be performed to inspect packet payloads and detect anomalies Scalable Protection can be done by the cooperation between the end host level and the infrastructure level

30 12.7. Our current projects on Deakin University multi-core Defend against DDoS attacks by using multicore Multi-classifier classification of spam on a ubiquitous multi-core architecture Central Queensland University Personal computer bodyguard: using multicore to support security-related applications

31 12.7. Our current projects on multi-core (continued) Defend against DDoS attacks by using multicore Bodyguard architecture = front bodyguard + side bodyguard * Ashley Chonka, Wanlei Zhou, Keith Knapp, and Yang Xiang, "Protecting Information Systems from DDoS Attack Using Multicore Methodology", IEEE 8th International Conference on Computer and Information Technology, IEEE, 2008

32 12.7. Our current projects on multi-core (continued) Performance in DDoS defense * Ashley Chonka, Wanlei Zhou, Keith Knapp, and Yang Xiang, "Protecting Information Systems from DDoS Attack Using Multicore Methodology", IEEE 8th International Conference on Computer and Information Technology, IEEE, 2008

33 12.7. Our current projects on multi-core (continued) Spam classification by using multi-core Multi-classifier classification (MCC) spam filter architecture * Md. Rafiqul Islam, Jaipal Singh, Ashley Chonka, and Wanlei Zhou, "Multi-Classifier Classification of Spam on a Ubiquitous Multi-Core Architecture", 2008 IFIP International Workshop on Network and System Security, IEEE, 2008

34 12.7. Our current projects on multi-core (continued) * Md. Rafiqul Islam, Jaipal Singh, Ashley Chonka, and Wanlei Zhou, "Multi-Classifier Classification of Spam on a Ubiquitous Multi-Core Architecture", 2008 IFIP International Workshop on Network and System Security, IEEE, 2008

35 12.7. Our current projects on multi-core (continued) Performance on spam classification by using multi-core * Md. Rafiqul Islam, Jaipal Singh, Ashley Chonka, and Wanlei Zhou, "Multi-Classifier Classification of Spam on a Ubiquitous Multi-Core Architecture", 2008 IFIP International Workshop on Network and System Security, IEEE, 2008

36 12.7. Our current projects on multi-core (continued) Performance on spam classification by using multi-core * Md. Rafiqul Islam, Jaipal Singh, Ashley Chonka, and Wanlei Zhou, "Multi-Classifier Classification of Spam on a Ubiquitous Multi-Core Architecture", 2008 IFIP International Workshop on Network and System Security, IEEE, 2008

37 12.7. Our current projects on multi-core (continued) Parallel intrusion detection system by using multi-core Packet-level parallelization Flow-level parallelization * Daxin Tian, Yang Xiang, A Multi-core Supported Intrusion Detection System, 2008 IFIP International Workshop on Network and System Security, IEEE, 2008

38 12.7. Our current projects on multi-core (continued) Performance on intrusion detection system by using multi-core 0.7 dropping rate (core x 1) dropping rate (core x 2) false negative rate false positive rate dropping rate (core x 3) dropping rate (core x 4) Figure 2. Dropping rate by different number of cores used Figure 3. False negative and false positive rate by different number of cores used * Yang Xiang, Wanlei Zhou, Using Multi-core Processors to Support Network Security Applications, 12 th IEEE International Workshop on Future Trends of Distributed Computing Systems, submitted May 2008

39 13. Conclusions Vision: system bodyguard Future research directions and conclusions

40 13.1. Vision: system bodyguard Multi-core provides a possibility for creating a Bodyguard for each personal computer and network device The Bodyguard will perform security-related tasks described previously, tailored to the needs of individuals (similar to the development of personalized web pages, Google desktop, etc.) The Bodyguard could become a killer application for multi-core, as security is everyone s concern nowadays The aim of system bodyguard: protect the system in real-time, at all times

41 13.2. Future research directions and conclusions Future research directions Partitioning and distributing workload of security-related applications Fine-grained multi-threading Smartly using the memory system Communications between cores Isolation between cores

42 13.2. Future research directions and conclusions (continued) What have we covered in this tutorial? Part 1: Introduction to multi-core Part 2: Background of multiprocessing Part 3: Security-related applications Part 4: Using multi-core to support securityrelated applications

43 13.2. Future research directions and conclusions (continued) Concluding remarks Multi-core provide security-related applications with more processing power Rethinking of building security-related applications from software perspective is essential Parallelism based on multi-core faces many challenges System bodyguard will be a future paradigm of security-related applications

44 Thank you very much! Questions? Prof Wanlei Zhou Deakin University, Australia Dr Yang Xiang Central Queensland University, Australia

Packet Inspection on Programmable Hardware

Abstract Packet Inspection on Programmable Hardware Benfano Soewito Information Technology Department, Bakrie University, Jakarta, Indonesia E-mail: benfano.soewito@bakrie.ac.id In the network security