Computer Science Department
School of Computer Science, Carnegie Mellon University


Towards a Low-Memory-Footprint,
Container-Based IoT Security Gateway

Sanjay Chandrasekaran

M.S. Thesis

August 2019


Keywords: IoT, Containers, Software Defined Networks, Network Function Virtualization, Docker, Snort

Securing IoT devices is a challenge, as some devices have long deployment lives and lack an intrinsic method for updating their firmware. Vulnerabilities in IoT devices' software continue to be found, and patching each individual device's firmware does not scale, as the number of deployed IoT devices is steadily rising. Rather than directly securing the software shipped on the device, we adopt an alternative approach by securing these devices at the network layer. Our goal is to enable an IoT Security Gateway that can provide the fine-grained, device-specific security policies that are currently missing in IoT network security, using virtualized Network Functions (vNFs). We envision (1) separate vNFs for each device to allow us to implement device-specific functionality, as well as (2) isolation between each of these vNFs. However, naively deploying separate vNFs for each device comes at the cost of additional computing resources. We analyze the memory footprint of running different vNFs and develop specific optimizations for an open-source, memory-intensive vNF, Snort. We observe that significant memory goes toward large socket buffers as well as toward processing unnecessary rules for detecting malicious activity. We proceed by exploring both Snort-specific solutions that take advantage of Snort's open-source codebase, and generic solutions that can be applied to other types of NFs. Combining these solutions, we ultimately demonstrate the ability to increase the number of Snort instances that can simultaneously run on a low-cost gateway by at least ten-fold.

52 pages

Thesis Committee:
Vyas Sekar (Chair)
David A. Eckhardt

Srinivasan Seshan, Head, Computer Science Department
Martial Hebert, Dean, School of Computer Science
