Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane

Oscar Gotor Bermejo; Daniel Dik; Michael Stubert Berger

doi:10.1109/DRCN57075.2023.10108289

Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane

Oscar Gotor Bermejo, Daniel Dik, Michael Stubert Berger

Comcores ApS

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

The Linux Operating System is used worldwide in communication devices hosting multipurpose applications. With the evolving communication infrastructure, such as 5G cellular networks, critical applications with strict high-performance requirements will be developed and also rely on Linux. Due to the nature of these applications, security needs to be ensured in addition to performance. Linux provides softwarebased implementations of network security protocols. However, their performance is limited by the CPUs they are running on. To meet higher performance, the data plane of security protocols needs to be offloaded to dedicated hardware, such as FPGAs and ASICs, with the control plane kept in software. The resulting system architecture introduces a new attack surface where vulnerabilities can be exploited that threaten the control plane. This can reveal sensitive control information or cause a Denial-of-Service attack. This paper presents a risk assessment of the hardware offloading system architecture of security protocols with Linux-based control plane. The data link layer security protocol MACsec was chosen as a reference use case, however, the assessment framework can be applied to other security protocols as they share a similar architecture. Twelve risks were identified during the analysis, which elucidates the urgent need of security measures to protect this type of architecture from possible threats and attacks. Additionally, this paper proposes a set of control recommendations to reduce the impact of the identified threats.

Original language	English
Title of host publication	Proceedings of 19^th International Conference on the Design of Reliable Communication Networks
Number of pages	8
Publisher	IEEE
Publication date	2023
Pages	1-8
ISBN (Print)	978-1-6654-7598-3
DOIs	https://doi.org/10.1109/DRCN57075.2023.10108289
Publication status	Published - 2023
Event	19^th International Conference on the Design of Reliable Communication Networks - Vilanova i la Geltrú, Barcelona, Spain Duration: 17 Apr 2023 → 20 Apr 2023

Conference

Conference	19^th International Conference on the Design of Reliable Communication Networks
Location	Vilanova i la Geltrú
Country/Territory	Spain
City	Barcelona
Period	17/04/2023 → 20/04/2023

Keywords

Linux
MACsec
Risk assessment
Security

Access to Document

10.1109/DRCN57075.2023.10108289

OpenUrl availability

Full text

Cite this

@inproceedings{bceb05a912274666bdb19205867bd885,

title = "Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane",

abstract = "The Linux Operating System is used worldwide in communication devices hosting multipurpose applications. With the evolving communication infrastructure, such as 5G cellular networks, critical applications with strict high-performance requirements will be developed and also rely on Linux. Due to the nature of these applications, security needs to be ensured in addition to performance. Linux provides softwarebased implementations of network security protocols. However, their performance is limited by the CPUs they are running on. To meet higher performance, the data plane of security protocols needs to be offloaded to dedicated hardware, such as FPGAs and ASICs, with the control plane kept in software. The resulting system architecture introduces a new attack surface where vulnerabilities can be exploited that threaten the control plane. This can reveal sensitive control information or cause a Denial-of-Service attack. This paper presents a risk assessment of the hardware offloading system architecture of security protocols with Linux-based control plane. The data link layer security protocol MACsec was chosen as a reference use case, however, the assessment framework can be applied to other security protocols as they share a similar architecture. Twelve risks were identified during the analysis, which elucidates the urgent need of security measures to protect this type of architecture from possible threats and attacks. Additionally, this paper proposes a set of control recommendations to reduce the impact of the identified threats.",

keywords = "Linux, MACsec, Risk assessment, Security",

author = "Bermejo, {Oscar Gotor} and Daniel Dik and Berger, {Michael Stubert}",

year = "2023",

doi = "10.1109/DRCN57075.2023.10108289",

language = "English",

isbn = "978-1-6654-7598-3",

pages = "1--8",

booktitle = "Proceedings of 19th International Conference on the Design of Reliable Communication Networks",

publisher = "IEEE",

address = "United States",

note = "19<sup>th</sup> International Conference on the Design of Reliable Communication Networks, DRCN 2023 ; Conference date: 17-04-2023 Through 20-04-2023",

}

Bermejo, OG, Dik, D & Berger, MS 2023, Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane. in Proceedings of 19^th International Conference on the Design of Reliable Communication Networks. IEEE, pp. 1-8, 19^th International Conference on the Design of Reliable Communication Networks, Barcelona, Spain, 17/04/2023. https://doi.org/10.1109/DRCN57075.2023.10108289

Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane. / Bermejo, Oscar Gotor; Dik, Daniel; Berger, Michael Stubert.
Proceedings of 19^th International Conference on the Design of Reliable Communication Networks. IEEE, 2023. p. 1-8.

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

TY - GEN

T1 - Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane

AU - Bermejo, Oscar Gotor

AU - Dik, Daniel

AU - Berger, Michael Stubert

PY - 2023

Y1 - 2023

N2 - The Linux Operating System is used worldwide in communication devices hosting multipurpose applications. With the evolving communication infrastructure, such as 5G cellular networks, critical applications with strict high-performance requirements will be developed and also rely on Linux. Due to the nature of these applications, security needs to be ensured in addition to performance. Linux provides softwarebased implementations of network security protocols. However, their performance is limited by the CPUs they are running on. To meet higher performance, the data plane of security protocols needs to be offloaded to dedicated hardware, such as FPGAs and ASICs, with the control plane kept in software. The resulting system architecture introduces a new attack surface where vulnerabilities can be exploited that threaten the control plane. This can reveal sensitive control information or cause a Denial-of-Service attack. This paper presents a risk assessment of the hardware offloading system architecture of security protocols with Linux-based control plane. The data link layer security protocol MACsec was chosen as a reference use case, however, the assessment framework can be applied to other security protocols as they share a similar architecture. Twelve risks were identified during the analysis, which elucidates the urgent need of security measures to protect this type of architecture from possible threats and attacks. Additionally, this paper proposes a set of control recommendations to reduce the impact of the identified threats.

AB - The Linux Operating System is used worldwide in communication devices hosting multipurpose applications. With the evolving communication infrastructure, such as 5G cellular networks, critical applications with strict high-performance requirements will be developed and also rely on Linux. Due to the nature of these applications, security needs to be ensured in addition to performance. Linux provides softwarebased implementations of network security protocols. However, their performance is limited by the CPUs they are running on. To meet higher performance, the data plane of security protocols needs to be offloaded to dedicated hardware, such as FPGAs and ASICs, with the control plane kept in software. The resulting system architecture introduces a new attack surface where vulnerabilities can be exploited that threaten the control plane. This can reveal sensitive control information or cause a Denial-of-Service attack. This paper presents a risk assessment of the hardware offloading system architecture of security protocols with Linux-based control plane. The data link layer security protocol MACsec was chosen as a reference use case, however, the assessment framework can be applied to other security protocols as they share a similar architecture. Twelve risks were identified during the analysis, which elucidates the urgent need of security measures to protect this type of architecture from possible threats and attacks. Additionally, this paper proposes a set of control recommendations to reduce the impact of the identified threats.

KW - Linux

KW - MACsec

KW - Risk assessment

KW - Security

U2 - 10.1109/DRCN57075.2023.10108289

DO - 10.1109/DRCN57075.2023.10108289

M3 - Article in proceedings

SN - 978-1-6654-7598-3

SP - 1

EP - 8

BT - Proceedings of 19th International Conference on the Design of Reliable Communication Networks

PB - IEEE

T2 - 19<sup>th</sup> International Conference on the Design of Reliable Communication Networks

Y2 - 17 April 2023 through 20 April 2023

ER -

Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane

Abstract

Conference

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this