CMU-CS-19-117 Computer Science Department School of Computer Science, Carnegie Mellon University
Towards a Low-Memory-Footprint, Sanjay Chandrasekaran M.S. Thesis August 2019
Securing IoT devices is a challenge, as some devices have long deployment lives and lack an intrinsic method for updating their firmware. Vulnerabilities in IoT devices' software continue to be found, and patching each individual device's firmware is unscalable, as the number of deployed IoT devices is steadily rising. Rather than directly securing the software shipped on the device, we adopt an alternative approach by securing these devices at the network layer. Our goal is to enable an IoT Security Gateway that can provide the fine-grained, device-specific security policies that are currently missing in IoT network security, using virtualized Network Functions (vNFs). We envision (1) separate vNFs for each device to allow us to implement device-specific functionality, as well as (2) isolation between each of these vNFs. However, naively deploying separate vNFs for each device will come at the cost of additional computing resources. We analyze the memory footprint of running different vNFs and develop specific optimizations for an open-source memory-intensive vNF, Snort. We observe that significant memory goes toward large socket buffers as well as processing unnecessary rules for detecting malicious activity. We proceed by exploring both Snort-specific solutions that take advantage of Snort's open-source codebase, and generic solutions that can be applied to other types of NFs. Combining these solutions, we ultimately demonstrate the ability to increase the number of Snort instances that can simultaneously run on a low-cost gateway by at least ten-fold.
52 pages
Thesis Committee:
Srinivasan Seshan, Head, Computer Science Department