By moving network functionality from dedicated hardware to software running on end-hosts, Network Functions Virtualization (NFV) promises to bring the benefits of cloud computing to packet processing. While most NFV frameworks today rely on kernel-bypass approaches, no attention has been given to kernel packet processing, which has always proved hard to evolve and to program. In this article, we present Polycube, a software framework whose main goal is to bring the power of NFV to in-kernel packet processing applications, enabling a level of flexibility and customization that was previously unthinkable. Polycube enables the creation of arbitrary and complex network function chains, where each function can include an efficient in-kernel data plane and a flexible user-space control plane with strong isolation, persistence, and composability properties. Polycube network functions, called Cubes, can be dynamically generated and injected into the kernel networking stack without requiring custom kernels or specific kernel modules, which simplifies debugging and introspection, two fundamental properties in recent cloud environments. We validate the framework by showing significant improvements over existing applications, and we demonstrate the generality of the Polycube programming model through the implementation of complex use cases such as a network provider for Kubernetes.
Network softwarization is paving the way for the design and development of Next-Generation Networks (NGNs), which demand profound improvements to existing communication infrastructures. Two of the fundamental pillars of NGNs are flexibility and intelligence, needed to create elastic network functions capable of managing complex communication systems in an efficient and cost-effective way. In this sense, the extended Berkeley Packet Filter (eBPF) is a state-of-the-art solution that enables low-latency traffic processing within the Linux kernel on commodity hardware. When combined with Machine Learning (ML) algorithms, it becomes a promising enabler for smart monitoring and networking tasks at any point of the fog-edge-cloud continuum. In this work, we present a solution that leverages eBPF to integrate ML-based intelligence with fast packet processing within the Linux kernel, enabling the execution of complex computational tasks in a flexible way, saving resources and reducing processing latencies. A real implementation and a series of experiments have been carried out in an Internet of Things (IoT) scenario to evaluate the performance of the solution in detecting attacks in a 6LoWPAN system. The in-kernel implementation shows a considerable reduction in execution time (-97%) and CPU usage (-6%) of a Multi-Layer Perceptron (MLP) model compared with a user-space implementation, positioning our proposal as a promising way to embed ML-powered fast packet processing within the Linux kernel.
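The abstract above does not say how an MLP can be evaluated inside the kernel at all. The constraint a practitioner hits first is that the eBPF instruction set has no floating-point operations and the verifier only accepts loops it can prove bounded, so the network must be quantized to integer fixed-point arithmetic with fixed-size layers. The following C program is an added example written for this page, not the authors' implementation: a tiny 4-3-2 MLP evaluated in Q8.8 fixed point with a ReLU hidden layer. The weights, the two feature vectors, and the meaning of the four inputs (already-normalized per-packet features) are constructed assumptions. It is plain user-space C so it runs anywhere, but every operation inside mlp_predict is one an eBPF program could also perform.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not the paper's model): integer-only MLP inference in the
 * style an eBPF program needs: no floating point, fixed-size arrays, loops
 * with compile-time bounds. Values are Q8.8 fixed point: 256 == 1.0. */

#define N_IN  4
#define N_HID 3
#define N_OUT 2
#define FRAC_BITS 8

/* Constructed weights, already quantized to Q8.8 (128 == 0.5, -256 == -1.0). */
static const int32_t W1[N_HID][N_IN] = {
    {  256,    0,    0,   0 },
    {    0,  256, -256,   0 },
    { -128,    0,    0, 256 },
};
static const int32_t B1[N_HID] = { 0, 0, -64 };
static const int32_t W2[N_OUT][N_HID] = {
    {  256, -256, -512 },
    { -256,  512,  512 },
};
static const int32_t B2[N_OUT] = { 128, -64 };

/* Constructed inputs: four per-packet features assumed normalized to [0, 1). */
const int32_t SAMPLE_BENIGN[N_IN] = {  51,  26, 77,  26 }; /* ~0.2, 0.1, 0.3, 0.1 */
const int32_t SAMPLE_ATTACK[N_IN] = { 230, 205, 26, 230 }; /* ~0.9, 0.8, 0.1, 0.9 */

/* Fixed-point multiply: widen to 64 bits so the product cannot overflow,
 * then drop the extra fraction bits (arithmetic shift, rounds toward -inf
 * on gcc/clang). */
static int32_t fx_mul(int32_t a, int32_t b)
{
    return (int32_t)(((int64_t)a * b) >> FRAC_BITS);
}

/* Forward pass: ReLU hidden layer, linear output layer, argmax.
 * Returns the predicted class; if scores is non-NULL it receives the logits. */
int mlp_predict(const int32_t in[N_IN], int32_t scores[N_OUT])
{
    int32_t h[N_HID];
    int32_t local[N_OUT];
    int32_t *out = scores ? scores : local;
    int i, j, best = 0;

    for (i = 0; i < N_HID; i++) {
        int32_t acc = B1[i];
        for (j = 0; j < N_IN; j++)
            acc += fx_mul(W1[i][j], in[j]);
        h[i] = acc > 0 ? acc : 0;            /* ReLU */
    }
    for (i = 0; i < N_OUT; i++) {
        int32_t acc = B2[i];
        for (j = 0; j < N_HID; j++)
            acc += fx_mul(W2[i][j], h[j]);
        out[i] = acc;
        if (out[i] > out[best])
            best = i;
    }
    return best;
}

/* Convenience accessor for a single logit (Q8.8). */
int32_t mlp_logit(const int32_t in[N_IN], int k)
{
    int32_t s[N_OUT];
    mlp_predict(in, s);
    return (k >= 0 && k < N_OUT) ? s[k] : 0;
}

int main(void)
{
    int32_t s[N_OUT];
    int c = mlp_predict(SAMPLE_ATTACK, s);
    printf("attack sample -> class %d (logits %d, %d)\n", c, s[0], s[1]);
    c = mlp_predict(SAMPLE_BENIGN, s);
    printf("benign sample -> class %d (logits %d, %d)\n", c, s[0], s[1]);
    return 0;
}
```

The same code attached to an XDP or TC hook would take its inputs from a per-flow BPF map filled by the packet parser and use `#pragma unroll` (or the bounded-loop support of recent kernels) for the two inner loops; the arithmetic itself does not change.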
Data Stream Processing engines have recently emerged as powerful tools for simplifying the analysis of network telemetry data. Motivated by the ever-growing volume of data requiring analysis, cutting-edge approaches integrate them with programmable switches to filter out less relevant traffic and enhance their processing capabilities.
In this paper, we propose an alternative solution: leveraging SmartNICs as high-performance accelerators for stream processing operations. SmartNICs are commonly deployed in datacenter networks, and their architecture is often characterized by numerous low-power processors that align seamlessly with the highly parallelizable computational requirements of standard streaming analysis frameworks.
Starting from WindFlow, a state-of-the-art stream processor, we present an innovative architecture that enables the offloading of a portion of its computation to a commodity Netronome SmartNIC. We implemented the offload logic using eBPF, making our solution compatible with any NIC supporting this programming paradigm. We developed a diverse range of applications (i.e., flow metering, port scan detection and SYN flood attack detection) and show that our solution can analyze up to 40% more traffic compared to a pure software approach.
EZIOTracer. Islam Naas, Mohammed; Trahay, François; Colin, Alexis ...
Operating Systems Review, 07/2021, Volume 55, Issue 1. Journal Article. Open access.
Tracing is a popular method for evaluating, investigating, and modeling the performance of today's storage systems. Tracing has become crucial with the increasing complexity of modern storage applications and systems, which manipulate an ever-increasing amount of data and are subject to extreme performance requirements. There exist many tracing tools focusing either on the user level or the kernel level; however, we observe the lack of a unified tracer targeting both levels, which prevents a comprehensive understanding of modern applications' storage performance profiles. In this paper, we present EZIOTracer, a unified I/O tracer for both (Linux) kernel and user space, targeting data-intensive applications. EZIOTracer is composed of a userland tracer and a kernel-space tracer, complemented with a trace analysis framework able to merge the output of the two tracers and, in particular, to relate user-level events to kernel-level ones and vice versa. On the kernel side, EZIOTracer relies on eBPF to offer safe, low-overhead, low-memory-footprint, and flexible tracing capabilities. Using the FIO benchmark, we demonstrate the ability of EZIOTracer to track down I/O performance issues by relating events recorded at both the kernel and user levels. We show that this can be achieved with a relatively low overhead, ranging from 2% to 26% depending on the I/O intensity.
NFV and SDN enable flexibility and programmability at the data plane. In addition, offloading packet processing to hardware frees processing resources for other workloads. However, fulfilling requirements such as high throughput and low latency with a flexible and programmable data plane is challenging. This paper introduces eBPFlow, a platform for seamlessly accelerating network computation. It builds upon eBPF and combines the flexibility and programmability of software with the high performance of an FPGA. We implemented our system on the NetFPGA SUME and performed tests on a physical testbed, building a range of NFs. Our results show that eBPFlow supports offloading of NFs at line-rate throughput, with latency between 20 µs and 40 µs, communication with the host, and a power consumption of 22 W. Moreover, eBPFlow processes 12.05 Mpps more than the kernel and achieves 2.59 Gbps higher throughput than hXDP, a system similar to eBPFlow.
Virtual Machines are the key technology in cloud computing. In order to upgrade, repair, or service the physical machine hosting a Virtual Machine, a common practice is to live-migrate the Virtual Machine to a different server. This involves copying all the guest memory over the network, which may take a non-negligible amount of time. In this work, we propose a technique to speed up migration by reducing the amount of guest memory to be transferred, with the help of the guest OS. In particular, during live migration, an eBPF program is injected into the guest kernel to obtain the list of guest page frames that are currently unused and send it to the Virtual Machine Monitor (VMM). The VMM can then safely skip these pages during the copy. We have integrated this technique into the live-migration implementation of QEMU (Bellard, 2005), and we show the effects of our work in experiments comparing the results against the default QEMU implementation.
In-memory key-value stores are widely used in modern web services to support large-scale user requests by caching popular data. Their performance is critical, and BMC, the state-of-the-art work, builds an in-kernel cache and processes requests before the stack using eBPF to reduce the overhead of the kernel network stack. However, BMC fails to support the stateful TCP protocol, because pre-stack processing creates a TCP state bias between the client and the server. TCP is widely used by in-memory key-value stores, is even the only choice for some applications (e.g., Redis), and also suffers from performance issues. In this work, we present MiddleCache, a TCP-enabled in-memory key-value store acceleration design. Our key observation is that the TCP state bias between client and server can be inferred, and eliminated, from packet lengths. The design of MiddleCache has two key parts: (i) a compact TCP state maintenance mechanism that accumulates packet lengths and applies corrections to the packet header, realizing TCP support within the constraints of eBPF; and (ii) lock-free accumulation counters that support high-performance concurrent access by exploiting Receive Side Scaling (RSS). Our experiments show that, compared with Memcached, MiddleCache reduces processing latency on cache hits by 56% and achieves a 3.8× throughput improvement on a Facebook-like small-request workload.
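The "TCP state bias" in the abstract above is concrete: every request the in-kernel cache answers before the stack sees it advances the client's view of the sequence space by the request length and of the server's by the response length, while the kernel's own socket state stays where it was. The following C program is an added example written for this page, not MiddleCache's code. It models that drift with two per-flow byte counters and shows the header rewrite in each direction: a cache hit is answered from the client's numbers, a miss is translated back to the numbers the stack expects, and stack replies are translated forward again. A toy text protocol, a single flow, and the omission of retransmissions, SACK and timestamp options are assumptions made to keep it short; in eBPF the struct flow_bias would be a map entry keyed by the connection 4-tuple.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not MiddleCache's code): keeping client and server TCP
 * state consistent when a pre-stack cache answers some requests itself.
 * Assumed simplifications: one flow, no retransmission/SACK/timestamp
 * handling, toy text protocol. */

struct seg {
    uint32_t seq;   /* sequence number of first payload byte */
    uint32_t ack;   /* acknowledgment number */
    uint16_t len;   /* payload length in bytes */
};

/* In eBPF this would be a per-connection map entry keyed by the 4-tuple. */
struct flow_bias {
    uint32_t req_bypassed;   /* client->server bytes the cache consumed */
    uint32_t resp_bypassed;  /* server->client bytes the cache emitted */
};

/* Toy cache: only "get hot\r\n" is a hit, answered with "VALUE". */
static bool cache_lookup(const char *payload, uint16_t len,
                         const char **resp, uint16_t *resp_len)
{
    static const char req[] = "get hot\r\n";
    static const char val[] = "VALUE";
    if (len == sizeof(req) - 1 && memcmp(payload, req, len) == 0) {
        *resp = val;
        *resp_len = (uint16_t)(sizeof(val) - 1);
        return true;
    }
    return false;
}

/* Client->server segment. Hit: build the reply the client expects, record
 * the bypassed bytes, return true. Miss: rewrite seq/ack to what the kernel
 * stack expects (it never saw the bypassed bytes) and return false so the
 * caller passes the segment up the stack. */
bool on_client_segment(struct flow_bias *fb, struct seg *s,
                       const char *payload, struct seg *reply)
{
    const char *resp;
    uint16_t resp_len;

    if (cache_lookup(payload, s->len, &resp, &resp_len)) {
        (void)resp;                     /* payload would be copied into the reply skb */
        reply->seq = s->ack;            /* client's expected next server byte */
        reply->ack = s->seq + s->len;   /* acknowledge the whole request */
        reply->len = resp_len;
        fb->req_bypassed += s->len;
        fb->resp_bypassed += resp_len;
        return true;
    }
    /* uint32 arithmetic wraps, matching TCP sequence-space semantics */
    s->seq -= fb->req_bypassed;
    s->ack -= fb->resp_bypassed;
    return false;
}

/* Server->client segment leaving the stack: re-apply the drift so the
 * client sees numbers consistent with the replies the cache already sent. */
void on_server_segment(const struct flow_bias *fb, struct seg *s)
{
    s->seq += fb->resp_bypassed;
    s->ack += fb->req_bypassed;
}

/* Replays a constructed three-segment exchange (client seq 1000, server seq
 * 5000) and returns 0 if every header is consistent, else the failing step. */
int scenario_check(void)
{
    struct flow_bias fb = { 0, 0 };
    struct seg c1 = { 1000, 5000, 9 }, c2 = { 1009, 5005, 10 };
    struct seg srv = { 5000, 1010, 7 }, reply;

    if (!on_client_segment(&fb, &c1, "get hot\r\n", &reply)) return 1;
    if (reply.seq != 5000 || reply.ack != 1009 || reply.len != 5) return 2;
    if (on_client_segment(&fb, &c2, "get cold\r\n", &reply)) return 3;
    if (c2.seq != 1000 || c2.ack != 5000) return 4;    /* what the stack expects */
    on_server_segment(&fb, &srv);
    if (srv.seq != 5005 || srv.ack != 1019) return 5;  /* what the client expects */
    return 0;
}

int main(void)
{
    printf("scenario_check() = %d (0 means all headers consistent)\n", scenario_check());
    return 0;
}
```

The two counters are exactly the "accumulated packet lengths" the abstract refers to; a production version must also handle retransmitted requests that straddle a hit (they would be double-counted here) and must store the counters lock-free per RSS queue, which is the second part of the MiddleCache design.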
According to a 2019 Radware report, guarding sensitive data is the highest-priority area for investment in cyber security. This is no surprise given the high number of data breach incidents reported annually, and their implications for the individuals or organisations targeted. Data exfiltration is a key stage in this form of cyber-attack, and the use of the Domain Name System protocol for data exfiltration is popular due to the essential nature of the protocol for network communication. This paper presents a DNS data exfiltration Protection (DNSxP) security architecture leveraging Software-Defined Networking and Data Plane Programmability. The solution is developed based on an analysis of different malicious use cases for transmitting data over the DNS protocol. By performing coarse-grained packet filtering and analysis in the data plane, clearly benign or malicious traffic can be identified quickly, while suspicious traffic is passed to additional security controls at the SDN controller for classification. As the results demonstrate, this approach offers the combined benefit of reducing data loss during an exfiltration attack and reducing network resource consumption.
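As an added illustration of the coarse-grained data-plane triage described above (example code for this page, not the DNSxP implementation), the following C program derives a handful of integer-only features from a query name, the kind of arithmetic a programmable data plane can do, and splits queries into clearly benign, clearly malicious, and suspicious, the last being what would be escalated to the SDN controller. The thresholds and the sample names are constructed assumptions; only the 63-character label and 253-character name limits come from the DNS specification.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not DNSxP's implementation): integer-only triage of a
 * DNS query name. Thresholds are assumed for illustration; the 63-char
 * label and 253-char name limits are the DNS protocol's own. */

enum verdict { VERDICT_BENIGN = 0, VERDICT_SUSPICIOUS = 1, VERDICT_MALICIOUS = 2 };

struct qname_feat {
    size_t total_len;   /* length of the dotted name */
    int    labels;      /* number of non-empty labels */
    size_t max_label;   /* longest label */
    int    digit_pct;   /* share of label characters that are digits, 0-100 */
};

/* One pass over the name; returns -1 if it contains no label at all. */
int qname_features(const char *name, struct qname_feat *f)
{
    size_t cur = 0, digits = 0, chars = 0;
    const char *p;

    memset(f, 0, sizeof *f);
    f->total_len = strlen(name);
    for (p = name; ; p++) {
        if (*p == '.' || *p == '\0') {
            if (cur > 0) {
                f->labels++;
                if (cur > f->max_label)
                    f->max_label = cur;
            }
            cur = 0;
            if (*p == '\0')
                break;
            continue;
        }
        cur++;
        chars++;
        if (isdigit((unsigned char)*p))
            digits++;
    }
    f->digit_pct = chars ? (int)(100 * digits / chars) : 0;
    return f->labels > 0 ? 0 : -1;
}

enum verdict triage(const char *name)
{
    struct qname_feat f;

    if (qname_features(name, &f) < 0)
        return VERDICT_SUSPICIOUS;
    /* Exceeds RFC 1035 limits: no conforming resolver emits such a name. */
    if (f.max_label > 63 || f.total_len > 253)
        return VERDICT_MALICIOUS;
    /* Several long labels in a very long name: encoded payload chunks (assumed threshold). */
    if (f.total_len >= 120 && f.labels >= 4 && f.max_label >= 40)
        return VERDICT_MALICIOUS;
    /* Short, few labels, few digits: ordinary lookup (assumed threshold). */
    if (f.total_len <= 48 && f.labels <= 4 && f.max_label <= 24 && f.digit_pct <= 20)
        return VERDICT_BENIGN;
    return VERDICT_SUSPICIOUS;   /* hand to the controller for classification */
}

/* Constructed sample names. HEX50 is a 50-character hex label. */
#define HEX50 "0123456789abcdef" "0123456789abcdef" "0123456789abcdef" "01"
const char *SAMPLE_PLAIN  = "www.example.com";
const char *SAMPLE_SHORT  = "5a3f9c0e1b7d4a2c8e6f0b1d3c5a7e9f.tunnel.example.com";
const char *SAMPLE_LONG   = HEX50 "." HEX50 "." HEX50 "." HEX50 ".example.com";
const char *SAMPLE_BADLBL = HEX50 HEX50 ".example.com";

int main(void)
{
    static const char *names[] = { "www.example.com",
        "5a3f9c0e1b7d4a2c8e6f0b1d3c5a7e9f.tunnel.example.com" };
    static const char *label[] = { "benign", "suspicious", "malicious" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-55s -> %s\n", names[i], label[triage(names[i])]);
    printf("%-55s -> %s\n", "(four 50-char labels)", label[triage(SAMPLE_LONG)]);
    return 0;
}
```

The single 32-character hex label in SAMPLE_SHORT is exactly the case the architecture defers: it is not obviously an ordinary lookup, but a one-off long label is not proof of exfiltration either, so the data plane forwards it rather than deciding alone.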
Modern malware is becoming hard to spot, since attackers are increasingly adopting new techniques to elude signature- and rule-based detection mechanisms. Among others, steganography and information hiding can be used to bypass security frameworks searching for suspicious communications between processes or exfiltration attempts through covert channels. Since the array of potential carriers is very large (e.g., information can be hidden in hardware resources, various multimedia files, or network flows), detecting this class of threats is a process that generalizes poorly, and gathering multiple kinds of behavioral information is time-consuming, lacks scalability, and could lead to performance degradation.
In this paper, we leverage the extended Berkeley Packet Filter (eBPF), a recent code augmentation feature provided by the Linux kernel, for programmatically tracing and monitoring the behavior of software processes in a very efficient way. To prove the flexibility of the approach, we investigate two realistic use cases implementing different attack mechanisms, i.e., two processes colluding via alteration of the file system, and hidden network communication attempts nested within IPv6 traffic flows. Our results show that even simple eBPF programs can provide useful data for the detection of anomalies, with minimal overhead. Furthermore, the flexibility to develop and run such programs makes it possible to extract relevant features that could be used to build datasets for feeding AI-based security frameworks.