Modern routers need to perform many advanced packet processing functions in their data path. To support these expanding requirements, high-performance multi-core embedded systems are used for packet processing. Unlike traditional ASIC-based forwarding engines, these programmable processors are in principle vulnerable to attacks where intruders can attempt to change the operation of the router. This problem is particularly pressing since network processors typically do not have the same level of protection from malware as current end-systems (e.g., virus scanners).
In this talk, I will discuss security vulnerabilities in network processors as well as defense mechanisms. I will present an attack example where a software vulnerability in the packet processing code of a router can be exploited to launch a devastating denial-of-service attack from within a network. I will introduce the design of a hardware system that can monitor the operation of packet processors and stop the execution of malicious code before it can lead to an attack. I will also present a brief overview of my research group’s other work, which includes integrating data plane programmability into the future Internet architecture, resource management on network processors, and network virtualization.
