Robin Sommer
Vern Paxson
ABSTRACT
When developing networking systems such as firewalls, routers, and intrusion detection systems, one faces a striking gap between the ease with which one can often describe a desired analysis in high-level terms, and the tremendous amount of low-level implementation details that one must still grapple with to come to a robust solution. We present HILTI, a platform that bridges this divide by providing to application developers much of the low-level functionality, without tying it to a specific analysis structure. HILTI consists of two parts: (1) an abstract machine model that we tailor specifically to the networking domain, directly supporting the field's common abstractions and idioms in its instruction set; and (2) a compilation strategy for turning programs written for the abstract machine into optimized, natively executable code. We have developed a prototype of the HILTI compiler toolchain that fully implements the design's functionality, and ported exemplars of networking applications to the HILTI model to demonstrate the aptness of its abstractions. Our evaluation of HILTI's functionality and performance confirms its potential to become a powerful platform for future application development.
- libnids. http://libnids.sourceforge.net.Google Scholar
- libtask. http://swtch.com/libtask.Google Scholar
- Objective-C Automatic Reference Counting (ARC). http://clang.llvm.org/docs/AutomaticReferenceCounting.html.Google Scholar
- re2c. http://re2c.org.Google Scholar
- Suricata source code -textttsrc/flow-hash.c. https://github.com/inliniac/suricata/blob/master/src/flow-hash.c.Google Scholar
- Web site and source code for HILTI and BinPACGoogle Scholar
- . http://www.icir.org/hilti.Google Scholar
- Xplico. http://www.xplico.org.Google Scholar
- B. Anderson. Abandoning Segmented Stacks in Rust. https://mail.mozilla.org/pipermail/rust-dev/2013-November/006314.html.Google Scholar
- M. B. Anwer, M. Motiwala, M. b. Tariq, and N. Feamster. SwitchBlade: A Platform for Rapid Deployment of Network Protocols on Programmable Hardware. In Proc. ACM SIGCOMM, 2010. Google ScholarDigital Library
- A. W. Appel. Compiling with Continuations. Cambridge University Press, 1992. Google ScholarDigital Library
- J. Corbet. A JIT for packet filters. http://lwn.net/Articles/437981/.Google Scholar
- S. Das. Segmented Stacks in LLVM. http://www.google-melange.com/gsoc/project/google/gsoc2011/sanjoyd/13001.Google Scholar
- L. De Carli, Y. Pan, A. Kumar, C. Estan, and K. Sankaralingam. PLUG: Flexible Lookup Modules for Rapid Deployment of New Protocols in High-Speed Routers. ACM SIGCOMM Computer Communication Review, 39:207--218, 2009. Google ScholarDigital Library
- L. De Carli, R. Sommer, and S. Jha. Beyond Pattern Matching: A Concurrency Model for Stateful Deep Packet Inspection. In Proc. ACM Computer and Communications Security (CCS), 2014. Google ScholarDigital Library
- S. Dharmapurikar and V. Paxson. Robust TCP Stream Reassembly in the Presence of Adversaries. In USENIX Security, 2005. Google ScholarDigital Library
- H. Dreger, A. Feldmann, V. Paxson, and R. Sommer. Operational Experiences with High-Volume Network Intrusion Detection. In Proc. ACM Computer and Communications Security (CCS), Oct. 2004. Google ScholarDigital Library
- H. Dreger, A. Feldmann, V. Paxson, and R. Sommer. Predicting the Resource Consumption of Network Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection (RAID), 2008. Google ScholarDigital Library
- K. Fall, G. Iannaccone, M. Manesh, S. Ratnasamy, K. Argyraki, M. Dobrescu, and N. Egi. RouteBricks: Enabling General Purpose Network Infrastructure. SIGOPS Operating Systems Review, 45:112--125, February 2011. Google ScholarDigital Library
- N. Foster et al. Frenetic: A High-Level Language for OpenFlow Networks. In Proc. PRESTO, 2010. Google ScholarDigital Library
- R. Franklin, D. Carver, and B. Hutchings. Assisting Network Intrusion Detection with Reconfigurable Hardware. In Proc. FCCM, 2002. Google ScholarDigital Library
- N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, and S. Shenker. NOX: Towards an Operating System for Networks. ACM SIGCOMM Computer Communication Review, 38:105--110, 2008. Google ScholarDigital Library
- P. Gupta and N. McKeown. Algorithms for Packet Classification. http://yuba.stanford.edu/ nickm/papers/classification_tutorial_01.pdf, 2001.Google Scholar
- S. Han, K. Jang, K. Park, and S. Moon. PacketShader: A GPU-accelerated Software Router. In Proc. ACM SIGCOMM, 2010. Google ScholarDigital Library
- M. Handley, C. Kreibich, and V. Paxson. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proc. USENIX Security, 2001. Google ScholarDigital Library
- S. Ioannidis, K. Anagnostakis, J. Ioannidis, and A. Keromytis. xPF: Packet Filtering for Lowcost Network Monitoring. In Proc. IEEE HPSR, pages 121--126, 2002.Google ScholarCross Ref
- R. Jones, A. Hosking, and E. Moss. The Garbage Collection Handbook: The Art of Automatic Memory Management. Cambridge University Press, 2011. Google ScholarDigital Library
- K. Kennedy and J. R. Allen. Optimizing Compilers for Modern Architectures. Morgan Kaufmann, 2002. Google ScholarDigital Library
- E. Kohler, R. Morris, B. Chen, J. Jannotti, and M. F. Kaashoek. The Click Modular Router. ACM Transactions on Computer Systems, 18:263--297, August 2000. Google ScholarDigital Library
- T. Koponen et al. Onix: A Distributed Control Platform for Large-Scale Production Networks. In USENIX OSDI, 2010. Google ScholarDigital Library
- C. Lattner and V. Adve. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation. In Proc. Symposium on Code Generation and Optimization, 2004. Google ScholarDigital Library
- Z. Li et al. NetShield: Massive Semantics-Based Vulnerability Signature Matching for High-Speed Networks. In Proc. ACM SIGCOMM, 2010. Google ScholarDigital Library
- S. McCanne and V. Jacobson. The BSD Packet Filter: A New Architecture for User-level Packet Capture. In Proc. USENIX Winter 1993 Conference. Google ScholarDigital Library
- N. McKeown et al. OpenFlow: Enabling Innovation in Campus Networks. ACM SIGCOMM Computer Communication Review, 38:69--74, 2008. Google ScholarDigital Library
- C. Monsanto, N. Foster, R. Harrison, and D. Walker. A Compiler and Run-time System for Network Programming Languages. In Proc. POPL, 2012. Google ScholarDigital Library
- O. Morandi, G. Moscardi, and F. Risso. An Intrusion Detection Sensor for the NetVM Virtual Processor. In Proc. ICOIN, 2009. Google ScholarDigital Library
- R. Pang, V. Paxson, R. Sommer, and L. Peterson. binpac: A yacc for Writing Application Protocol Parsers. In Proc. ACM Internet Measurement Conference (IMC), 2006. Google ScholarDigital Library
- V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks, 31(23--24), 1999. Google ScholarDigital Library
- V. Paxson, K. Asanovic, S. Dharmapurikar, J. Lockwood, R. Pang, R. Sommer, and N. Weaver. Rethinking Hardware Support for Network Analysis and Intrusion Prevention. In Proc. USENIX Hot Security Workshop, August 2006. Google ScholarDigital Library
- M. Pettersson, K. Sagonas, and E. Johansson. The HiPE/x86 Erlang Compiler: System Description and Performance Evaluation. In Proc. FLOPS, 2002. Google ScholarDigital Library
- F. Risso and M. Baldi. NetPDL: An Extensible XML-based Language for Packet Header Description. Computer Networks, 50:688--706, April 2006. Google ScholarDigital Library
- N. Schear, D. Albrecht, and N. Borisov. High-Speed Matching of Vulnerability Signatures. In Proc. Recent Advances in Intrusion Detection (RAID), 2008. Google ScholarDigital Library
- R. Sidhu and V. K. Prasanna. Fast Regular Expression Matching using FPGAs. In Proc. IEEE FCCM, Apr. 2001. Google ScholarDigital Library
- R. Sommer, V. Paxson, and N. Weaver. An Architecture for Exploiting Multi-Core Processors to Parallelize Network Intrusion Prevention. Concurrency and Computation: Practice and Experience, 21(10):1255--1279, 2009. Google ScholarDigital Library
- M. Vallentin, R. Sommer, J. Lee, C. Leres, V. Paxson, and B. Tierney. The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware. In Proc.\ Recent Advances in Intrusion Detection (RAID), 2007. Google ScholarDigital Library
- G. Vasiliadis, S. Antonatos, M. Polychronakis, E. P. Markatos, and S. Ioannidis. Gnort: High Performance Network Intrusion Detection Using Graphics Processors. In Proc. Recent Advances in Intrusion Detection (RAID), 2008. Google ScholarDigital Library
- D. Zaparanuks, M. Jovic, and M. Hauswirth. Accuracy of Performance Counter Measurements. In IEEE ISPASS, 2009.Google ScholarCross Ref
Index Terms
- HILTI: an Abstract Execution Environment for Deep, Stateful Network Traffic Analysis
Recommendations
Towards vulnerability-based intrusion detection with event processing
DEBS '11: Proceedings of the 5th ACM international conference on Distributed event-based systemComputer systems continue to be breached despite substantial investments in defense mechanisms to stop attacks from propagating. The accuracy of current intrusion detection systems (IDSes) is hindered by the limited capability of regular expressions (...
Design and analysis of a multipacket signature detection system
Worm epidemics in the last few years have shown that manual defences against worm epidemics are not practical. Recently, various automatic worm identification methods have been proposed to be deployed at high-speed network nodes to respond in time to ...
Detecting, validating and characterizing computer infections in the wild
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conferenceAlthough network intrusion detection systems (IDSs) have been studied for several years, their operators are still overwhelmed by a large number of false-positive alerts. In this work we study the following problem: from a large archive of intrusion ...
Comments