72 research outputs found
APHID: Anomaly Processor in Hardware for Intrusion Detection
The Anomaly Processor in Hardware for Intrusion Detection (APHID) is a step forward in the field of co-processing intrusion detection mechanism. By using small, fast hardware primitives APHID relieves the production CPU from the burden of security processing. These primitives are tightly coupled to the CPU giving them access to critical state information such as the current instruction(s) in execution, the next instruction, registers, and processor state information. By monitoring these hardware elements, APHID is able to determine when an anomalous action occurs within one clock cycle. Upon detection, APHID can force the processor into a corrective state, or a halted state, depending on the required response. APHID primitives also harden the production system against attacks such as Distribute Denial of Service attack and buffer overflow attacks. APHID is designed to be fast and agile, with the ability to create multiple monitors that switch in and out of monitoring with the context switches of the production processor to highly focused coverage over multiple devices and sections of code
Silicon firewall prototype
The Internet is a technological advance that provides access to information, and the ability to publish information, in revolutionary ways. There is also a major danger that provides the ability to corrupt and destroy information as well. When a computer is connected to the Internet, three things are put at risk: the data storage, the computing resources and the userâs reputation. In order to balance the advantages and risks, the contact between a computer and the Internet or the contact between different networks should be controlled carefully. A firewall is a form of protection that allows a network to connect to the Internet or to another network while maintaining a degree of security. The firewall is an effective type of network security, and in most situations, it is the most effective tool for doing that. With the availability of larger bandwidth, it is becoming more and more difficult for traditional software firewalls to function over a high-speed connection. In addition, the advances in network hardware technology, such as routers, and new applications of firewalls have caused the software firewall to be an impediment to high throughput. This network bottleneck leads to the requirement for new solutions to balance performance and security. Replacing software with hardware could lead to improved performance, enabling the firewalls to handle significantly larger amounts of data. The goal of this project is to investigate if and how existing desktop computer firewall technology could be improved by replacing software functionality with hardware (i.e., silicon). A hardware-based Silicon Firewall system has been designed by choosing the appropriate architecture and implemented using Altera FPGA (Field Programmable Gate Array) on a SOPC (System On a Programmable Chip) Board. The performance of the Silicon Firewall is tested and compared with the software firewall
A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research
With traditional networking, users can configure control plane protocols to
match the specific network configuration, but without the ability to
fundamentally change the underlying algorithms. With SDN, the users may provide
their own control plane, that can control network devices through their data
plane APIs. Programmable data planes allow users to define their own data plane
algorithms for network devices including appropriate data plane APIs which may
be leveraged by user-defined SDN control. Thus, programmable data planes and
SDN offer great flexibility for network customization, be it for specialized,
commercial appliances, e.g., in 5G or data center networks, or for rapid
prototyping in industrial and academic research. Programming
protocol-independent packet processors (P4) has emerged as the currently most
widespread abstraction, programming language, and concept for data plane
programming. It is developed and standardized by an open community and it is
supported by various software and hardware platforms. In this paper, we survey
the literature from 2015 to 2020 on data plane programming with P4. Our survey
covers 497 references of which 367 are scientific publications. We organize our
work into two parts. In the first part, we give an overview of data plane
programming models, the programming language, architectures, compilers,
targets, and data plane APIs. We also consider research efforts to advance P4
technology. In the second part, we analyze a large body of literature
considering P4-based applied research. We categorize 241 research papers into
different application domains, summarize their contributions, and extract
prototypes, target platforms, and source code availability.Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on
2021-01-2
A Modular Approach to Adaptive Reactive Streaming Systems
The latest generations of FPGA devices offer large resource counts that provide the headroom to implement large-scale and complex systems. However, there are increasing challenges for the designer, not just because of pure size and complexity, but also in harnessing effectively the flexibility and programmability of the FPGA. A central issue is the need to integrate modules from diverse sources to promote modular design and reuse. Further, the capability to perform dynamic partial reconfiguration (DPR) of FPGA devices means that implemented systems can be made reconfigurable, allowing components to be changed during operation. However, use of DPR typically requires low-level planning of the system implementation, adding to the design challenge. This dissertation presents ReShape: a high-level approach for designing systems by interconnecting modules, which gives a âplug and playâ look and feel to the designer, is supported by tools that carry out implementation and verification functions, and is carried through to support system reconfiguration during operation. The emphasis is on the inter-module connections and abstracting the communication patterns that are typical between modules â for example, the streaming of data that is common in many FPGA-based systems, or the reading and writing of data to and from memory modules. ShapeUp is also presented as the static precursor to ReShape. In both, the details of wiring and signaling are hidden from view, via metadata associated with individual modules. ReShape allows system reconfiguration at the module level, by supporting type checking of replacement modules and by managing the overall system implementation, via metadata associated with its FPGA floorplan. The methodology and tools have been implemented in a prototype for a broad domain-specific setting â networking systems â and have been validated on real telecommunications design projects
Techniques for Processing TCP/IP Flow Content in Network Switches at Gigabit Line Rates
The growth of the Internet has enabled it to become a critical component used by businesses, governments and individuals. While most of the trafïŹc on the Internet is legitimate, a proportion of the trafïŹc includes worms, computer viruses, network intrusions, computer espionage, security breaches and illegal behavior. This rogue trafïŹc causes computer and network outages, reduces network throughput, and costs governments and companies billions of dollars each year. This dissertation investigates the problems associated with TCP stream processing in high-speed networks. It describes an architecture that simpliïŹes the processing of TCP data streams in these environments and presents a hardware circuit capable of TCP stream processing on multi-gigabit networks for millions of simultaneous network connections. Live Internet trafïŹc is analyzed using this new TCP processing circuit
Automatically Parallelizing Embedded Legacy Software on Soft-Core SoCs
Nowadays, embedded systems are utilized in many areas and become omnipresent, making people's lives more comfortable. Embedded systems have to handle more and more functionality in many products. To maintain the often required low energy consumption, multi-core systems provide high performance at moderate energy consumption. The development started with dual-core processors and has today reached many-core designs with dozens and hundreds of processor cores. However, existing applications can barely leverage the potential of that many cores.
Legacy applications are usually written sequentially and thus typically use only one processor core. Thus, these applications do not benefit from the advantages provided by modern many-core systems. Rewriting those applications to use multiple cores requires new skills from developers and it is also time-consuming and highly error prone. Dozens of languages, APIs and compilers have already been presented in the past decades to aid the user with parallelizing applications. Fully automatic parallelizing compilers are seen as the holy grail, since the user effort is kept minimal. However, automatic parallelizers often cannot extract parallelism as good as user aided approaches. Most of these parallelization tools are designed for desktop and high-performance systems and are thus not tuned or applicable for low performance embedded systems. To improve this situation, this work presents an automatic parallelizer for embedded systems, which is able to mostly deliver better quality than user aided approaches and if not allows easy manual fine-tuning.
Parallelization tools extract concurrently executable tasks from an application. These tasks can then be executed on different processor cores. Parallelization tools and automatic parallelizers in particular often struggle to efficiently map the extracted parallelism to an existing multi-core processor. This work uses soft-core processors on FPGAs, which makes it possible to realize custom multi-core designs in hardware, within a few minutes. This allows to adapt the multi-core processor to the characteristics of the extracted parallelism. Especially, core-interconnects for communication can be optimized to fit the communication pattern of the parallel application.
Embedded applications are often structured as follows: receive input data, (multiple) data processing steps, data output. The multiple processing steps are often realized as consecutive loosely coupled transformations. These steps naturally already model the structure of a processing pipeline. It is the goal of this work to extract this kind of pipeline-parallelism from an application and map it to multiple cores to increase the overall throughput of the system. Multiple cores forming a chain with direct communication channels ideally fit this pattern. The previously described, so called pipeline-parallelism is a barely addressed concept in most parallelization tools. Also, current multi-core designs often do not support the hardware flexibility provided by soft-cores, targeted in this approach.
The main contribution of this work is an automatic parallelizer which is able to map different processing steps from the source-code of a sequential application to different cores in a multi-core pipeline. Users only specify the required processing speed after parallelization. The developed tool tries to extract a matching parallelized software design along with a custom multi-core design out of sequential embedded legacy applications. The automatically created multi-core system already contains used peripherals extracted from the source-code and is ready to be used. The presented parallelizer implements multi-objective optimization to generate a minimal hardware design, just fulfilling the user defined requirement. To the best of my knowledge, the possibility to generate such a multi-core pipeline defined by the demands of the parallelized software has never been presented before.
The approach is implemented for two soft-core processors and evaluation shows for both targets high speedups of 12x and higher at a reasonable hardware overhead. Compared to other automatic parallelizers, which mainly focus on speedups through latency reduction, significantly higher speedups can be achieved depending on the given application structure
Model-driven Security Engineering for FPGAs
Tato prĂĄce obsahuje analĂœzu a adaptaci vhodnĂœch metod zabezpeÄenĂ, pochĂĄzejĂcĂch
ze softwarovĂ© domĂ©ny, do svÄta FPGA. Metoda formalizace bezpeÄnostnĂ vĂœzvy
FPGA je prezentovĂĄna jazykem FPGASECML, specifickĂœm pro danou domĂ©nu,
vhodnĂœm pro modelovĂĄnĂ hrozeb zamÄĆenĂœch na systĂ©m a pro formĂĄlnĂ definovĂĄnĂ
bezpeÄnostnĂ politiky. VytvoĆenĂ vhodnĂœch obrannĂœch mechanismĆŻ vyĆŸaduje
inteligenci o agentech ohroĆŸenĂ, zejmĂ©na o jejich motivaci a schopnostech.
Konstrukce zaloĆŸenĂ© na FPGA jsou, stejnÄ jako jakĂœkoli jinĂœ IT systĂ©m, vystaveny
rĆŻznĂœm agentĆŻm hrozeb po celou dobu jejich ĆŸivotnosti, coĆŸ nalĂ©havÄ vyĆŸaduje
potĆebu vhodnĂ© a pĆizpĆŻsobitelnĂ© bezpeÄnostnĂ strategie. SystematickĂĄ analĂœza
nĂĄvrhu zaloĆŸenĂĄ na konceptu STRIDE poskytuje cennĂ© informace o hrozbĂĄch a
poĆŸadovanĂœch mechanismech protiopatĆenĂ. Minimalizace povrchu Ăștoku je jednĂm
z nezbytnĂœch krokĆŻ k vytvoĆenĂ odolnĂ©ho designu. KonvenÄnĂ paradigmata ĆĂzenĂ
pĆĂstupu mohou modelovat pravidla ĆĂzenĂ pĆĂstupu v nĂĄvrzĂch FPGA. VĂœbÄr
vhodnĂ©ho zĂĄvisĂ na sloĆŸitosti a bezpeÄnostnĂch poĆŸadavcĂch nĂĄvrhu.
FormĂĄlnĂ popis architektury FPGA a bezpeÄnostnĂ politiky podporuje pĆesnou
definici aktiv a jejich moĆŸnĂœch, povolenĂœch a zakĂĄzanĂœch interakcĂ. OdstraĆuje
nejednoznaÄnost z modelu hrozby a zĂĄroveĆ poskytuje plĂĄn implementace. Kontrola
modelu mĆŻĆŸe bĂœt pouĆŸita k ovÄĆenĂ, zda a do jakĂ© mĂry, je nĂĄvrh v souladu s
uvedenou bezpeÄnostnĂ politikou. PĆenesenĂ architektury do vhodnĂ©ho modelu a
bezpeÄnostnĂ politiky do ovÄĆitelnĂœch logickĂœch vlastnostĂ mĆŻĆŸe bĂœt, jak je uvedeno v
tĂ©to prĂĄci, automatizovanĂ©, zjednoduĆĄujĂcĂ proces a zmĂrĆujĂcĂ jeden zdroj chyb.
PosĂlenĂ uÄenĂ mĆŻĆŸe identifikovat potenciĂĄlnĂ slabiny a kroky, kterĂ© mĆŻĆŸe ĂștoÄnĂk
podniknout, aby je vyuĆŸil. NÄkterĂ© metody zde uvedenĂ© mohou bĂœt pouĆŸitelnĂ© takĂ©
v jinĂœch domĂ©nĂĄch.ObhĂĄjenoThe thesis provides an analysis and adaptation of appropriate security methods from the
software domain into the FPGA world and combines them with formal verification
methods and machine learning techniques.
The deployment of appropriate defense mechanisms requires intelligence about the threat
agents, especially their motivation and capabilities. FPGA based designs are, like any other
IT system, exposed to different threat agents throughout the systems lifetime, urging the
need for a suitable and adaptable security strategy. The systematic analysis of the design,
based on the STRIDE concept, provides valuable insight into the threats and the mandated
counter mechanisms. Minimizing the attack surface is one essential step to create a resilient
design. Conventional access control paradigms can model access control rules in FPGA
designs and thereby restrict the exposure of sensitive elements to untrustworthy ones.
A method to formalize the FPGA security challenge is presented. FPGASECML is a
domain-specific language, suitable for dataflow-centric threat modeling as well as the formal
definition of an enforceable security policy. The formal description of the FPGA
architecture and the security policy promotes a precise definition of the assets and their
possible, allowed, and prohibited interactions. Formalization removes ambiguity from the
threat model while providing a blueprint for the implementation.
Model transformations allow the application of dedicated and proven tools to answer
specific questions while minimizing the workload for the user. Model-checking can be
applied to verify if, and to a certain degree when, a design complies with the stated security
policy. Transferring the architecture into a suitable model and the security policy into
verifiable logic properties can be, as demonstrated in the thesis, automated, simplifying the
process and mitigating one source of error. Reinforcement learning, a machine learning
method, can identify potential weaknesses and the steps an attacker may take to exploit
them. The approach presented uses a Markov Decision Process in combination with a Qlearning
algorithm
Web service control of component-based agile manufacturing systems
Current global business competition has resulted in significant challenges for
manufacturing and production sectors focused on shorter product lifecyc1es, more diverse
and customized products as well as cost pressures from competitors and customers. To
remain competitive, manufacturers, particularly in automotive industry, require the next
generation of manufacturing paradigms supporting flexible and reconfigurable production
systems that allow quick system changeovers for various types of products. In addition,
closer integration of shop floor and business systems is required as indicated by the
research efforts in investigating "Agile and Collaborative Manufacturing Systems" in
supporting the production unit throughout the manufacturing lifecycles.
The integration of a business enterprise with its shop-floor and lifecycle supply partners
is currently only achieved through complex proprietary solutions due to differences in
technology, particularly between automation and business systems. The situation is
further complicated by the diverse types of automation control devices employed.
Recently, the emerging technology of Service Oriented Architecture's (SOA's) and Web
Services (WS) has been demonstrated and proved successful in linking business
applications. The adoption of this Web Services approach at the automation level, that
would enable a seamless integration of business enterprise and a shop-floor system, is an
active research topic within the automotive domain. If successful, reconfigurable
automation systems formed by a network of collaborative autonomous and open control
platform in distributed, loosely coupled manufacturing environment can be realized
through a unifying platform of WS interfaces for devices communication.
The adoption of SOA- Web Services on embedded automation devices can be achieved
employing Device Profile for Web Services (DPWS) protocols which encapsulate device
control functionality as provided services (e.g. device I/O operation, device state
notification, device discovery) and business application interfaces into physical control
components of machining automation. This novel approach supports the possibility of
integrating pervasive enterprise applications through unifying Web Services interfaces
and neutral Simple Object Access Protocol (SOAP) message communication between
control systems and business applications over standard Ethernet-Local Area Networks
(LAN's). In addition, the re-configurability of the automation system is enhanced via the
utilisation of Web Services throughout an automated control, build, installation, test,
maintenance and reuse system lifecycle via device self-discovery provided by the DPWS
protocol...cont'd
Distributed control of reconfigurable mobile network agents for resource coordination
Includes abstract.Includes bibliographical references.Considering the tremendous growth of internet applications and network resource federation proposed towards future open access network (FOAN), the need to analyze the robustness of the classical signalling mechanisms across multiple network operators cannot be over-emphasized. It is envisaged, there will be additional challenges in meeting the bandwidth requirements and network management...The first objective of this project is to describe the networking environment based on the support for heterogeneity of network components..
- âŠ