Matching Items (2)
Filtering by
- All Subjects: Policy Management
- Creators: Zhao, Ziming
Description
Hardware-Assisted Security (HAS) is an emerging technology that addresses the shortcomings of software-based virtualized environment. There are two major weaknesses of software-based virtualization that HAS attempts to address - performance overhead and security issues. Performance overhead caused by software-based virtualization is due to the use of additional software layer (i.e., hypervisor). Since the performance is highly related to efficiency of processing data and providing services, reducing performance overhead is one of the major concerns in data centers and enterprise networks. Software-based virtualization also imposes additional security issues in the virtualized environments. To resolve those issues, HAS is developed to offload security functions from application layer to a dedicated hardware, thereby achieving almost bare-metal performance and enhanced security. As a result, HAS gained
more popularity and the number of studies regarding efficiency of the technology is increasing.
However, there exists no attempt to our knowledge that provides a generic test mechanism that is universally applicable to all HAS devices. Preparing such a testbed for each specific HAS device is a time-consuming and costly task for hardware manufacturers and network administrators. Therefore, we try to address the demands of hardware vendors and researchers for a generic testbed that can evaluate both performance and security functions of the HAS-enabled systems.
In this thesis, the HAS device evaluation framework (HEF) is defined for hardware vendors, network administrators, and researchers to measure performance of the system with HAS devices. HEF provides a generic test environments for a given HAS device by providing generic test metrics and evaluation mechanisms. HEF is also designed to take user-defined test metrics and test cases to support various hardware. The framework performs the entire process in an automated fashion, and thus it requires no user intervention. Finally, the efficacy of HEF is demonstrated by performing a case study using Intel QuickAssist Technology (QAT) adapter, which is a dedicated PCI express device for cryptographic tasks.
more popularity and the number of studies regarding efficiency of the technology is increasing.
However, there exists no attempt to our knowledge that provides a generic test mechanism that is universally applicable to all HAS devices. Preparing such a testbed for each specific HAS device is a time-consuming and costly task for hardware manufacturers and network administrators. Therefore, we try to address the demands of hardware vendors and researchers for a generic testbed that can evaluate both performance and security functions of the HAS-enabled systems.
In this thesis, the HAS device evaluation framework (HEF) is defined for hardware vendors, network administrators, and researchers to measure performance of the system with HAS devices. HEF provides a generic test environments for a given HAS device by providing generic test metrics and evaluation mechanisms. HEF is also designed to take user-defined test metrics and test cases to support various hardware. The framework performs the entire process in an automated fashion, and thus it requires no user intervention. Finally, the efficacy of HEF is demonstrated by performing a case study using Intel QuickAssist Technology (QAT) adapter, which is a dedicated PCI express device for cryptographic tasks.
ContributorsKyung, Sukwha (Author) / Ahn, Gail-Joon (Thesis advisor) / Doupe, Adam (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created2017
Description
Software-Defined Networking (SDN) is an emerging network paradigm that decouples the control plane from the data plane, which allows network administrators to consolidate common network services into a centralized module named SDN controller. Applications’ policies are transformed into standardized network rules in the data plane via SDN controller. Even though this centralization brings a great flexibility and programmability to the network, network rules generated by SDN applications cannot be trusted because there may exist malicious SDN applications, and insecure network flows can be made due to complex relations across network rules. In this dissertation, I investigate how to identify and resolve these security violations in SDN caused by the combination of network rules and applications’ policies. To this end, I propose a systematic policy management framework that better protects SDN itself and hardens existing network defense mechanisms using SDN.
More specifically, I discuss the following four security challenges in this dissertation: (1) In SDN, generating reliable network rules is challenging because SDN applications cannot be trusted and have complicated dependencies each other. To address this problem, I analyze applications’ policies and remove those dependencies by applying grid-based policy decomposition mechanism; (2) One network rule could accidentally affect others (or by malicious users), which lead to creating of indirect security violations. I build systematic and automated tools that analyze network rules in the data plane to detect a wide range of security violations and resolve them in an automated fashion; (3) A fundamental limitation of current SDN protocol (OpenFlow) is a lack of statefulness, which is extremely important to several security applications such as stateful firewall. To bring statelessness to SDN-based environment, I come up with an innovative stateful monitoring scheme by extending existing OpenFlow specifications; (4) Existing honeynet architecture is suffering from its limited functionalities of ’data control’ and ’data capture’. To address this challenge, I design and implement an innovative next generation SDN-based honeynet architecture.
More specifically, I discuss the following four security challenges in this dissertation: (1) In SDN, generating reliable network rules is challenging because SDN applications cannot be trusted and have complicated dependencies each other. To address this problem, I analyze applications’ policies and remove those dependencies by applying grid-based policy decomposition mechanism; (2) One network rule could accidentally affect others (or by malicious users), which lead to creating of indirect security violations. I build systematic and automated tools that analyze network rules in the data plane to detect a wide range of security violations and resolve them in an automated fashion; (3) A fundamental limitation of current SDN protocol (OpenFlow) is a lack of statefulness, which is extremely important to several security applications such as stateful firewall. To bring statelessness to SDN-based environment, I come up with an innovative stateful monitoring scheme by extending existing OpenFlow specifications; (4) Existing honeynet architecture is suffering from its limited functionalities of ’data control’ and ’data capture’. To address this challenge, I design and implement an innovative next generation SDN-based honeynet architecture.
ContributorsHan, Wonkyu (Author) / Ahn, Gail-Joon (Thesis advisor) / Zhao, Ziming (Thesis advisor) / Doupe, Adam (Committee member) / Huang, Dijiang (Committee member) / Zhang, Yanchao (Committee member) / Arizona State University (Publisher)
Created2016