International Journal of Research

As the Internet becomes integrated into nearly all aspects of everyday life, its reliability grows in importance. This vitalcommunication resource, which has become an inviting target for attackers, must be protected with the same vigor as the end-systemsit interconnects. Recent trends in network router architecture towards programmability and flexibility have increased the susceptibility ofcommunication hardware to software attacks which modify intended data processing and forwarding functions. Contemporary routerstypically feature network processors, whose protocol processing functions are determined via software. Prior work has shown thatthese general-purpose software-based processing systems can be attacked with data packets sent through the Internet. As a defensemechanism, the correct functionality of a network processor can be verified by a hardware monitor that observes processor operationand compares it to expected behavior. In the event of an attack, the monitor can interrupt the network processor, suppress maliciousbehavior, and reset the processor to a usable state for processing of subsequent traffic. In this work, we present several significantadvances in hardware monitoring for network processors. A low-overhead monitor architecture that evaluates correct networkprocessor operation in real-time on an instruction-by-instruction basis is described and tested. The monitor is shown to effectivelyprevent stack smashing attacks on processors that use Harvard architecture, a widely used network processor configuration.Through experimentation, we show that our approach to hardware monitoring does not affect data plane packet throughput. In theevent of an attack, malicious packets are dropped while packets of regular network traffic proceed through the network unaffected. Afull evaluation of monitor architectural parameters is provided to create an optimized monitor design.