3. Background
• Regexp-based data processing:
– Powerful technique to analyze data
– Several possible application fields (e.g. NIDS).
• Rule sets must be transformed into automata (in
our case NFAs)
• NFAs can then be used to parse data by using a
packet processor
– iNFAnt, a GPU-based packet processor
• Processing throughput is critical
4. Main research directions
There is a technique, called multi-stride:
• Based on transforming the NFA into a more efficient form
• Multiplies the processing throughput by a factor of 2^n
But:
• “n” depends on the size of the rule set, and is usually very small
• Obtaining a 4x NFA of a medium ruleset requires several months of computation
• Inapplicable to big rulesets
For these reasons:
• A new, faster multistride algorithm has been developed
• Test cases have been developed by applying multistride to huge rule sets
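Added example (not from the slides, and not the authors' algorithm or iNFAnt code): a minimal sketch of stride doubling, assuming the basic form of the transformation is NFA squaring, where a new transition p --ab--> r exists whenever p --a--> q and q --b--> r. All function names, the 3-symbol alphabet and the signature `cab` are constructed for illustration; the transition count growing with each doubling is the cost that limits "n".

```python
from collections import defaultdict

def substring_nfa(pattern, alphabet):
    """NFA for .*pattern.*: state i means i pattern bytes matched."""
    delta = defaultdict(lambda: defaultdict(set))
    last = len(pattern)
    for c in alphabet:
        delta[0][bytes([c])].add(0)        # start state keeps scanning
        delta[last][bytes([c])].add(last)  # accepting state is sticky
    for i, c in enumerate(pattern):
        delta[i][bytes([c])].add(i + 1)
    return {p: dict(m) for p, m in delta.items()}

def double_stride(delta):
    """Square the NFA: p --ab--> r whenever p --a--> q and q --b--> r."""
    squared = defaultdict(lambda: defaultdict(set))
    for p, moves in delta.items():
        for a, mids in moves.items():
            for q in mids:
                for b, targets in delta.get(q, {}).items():
                    squared[p][a + b] |= targets
    return {p: dict(m) for p, m in squared.items()}

def step(delta, active, chunk):
    """All states reachable from `active` on one (multi-byte) symbol."""
    out = set()
    for s in active:
        out |= delta.get(s, {}).get(chunk, set())
    return out

def run(delta_k, k, delta_1, accepting, data, start=0):
    """Consume k bytes per step; a tail shorter than k falls back to the
    1-stride NFA. Returns (matched, steps_taken)."""
    active, steps = {start}, 0
    full = len(data) - len(data) % k
    for i in range(0, full, k):
        active, steps = step(delta_k, active, data[i:i + k]), steps + 1
    for i in range(full, len(data)):
        active, steps = step(delta_1, active, data[i:i + 1]), steps + 1
    return bool(active & accepting), steps

def transitions(delta):
    """Number of (state, symbol, target) triples in the automaton."""
    return sum(len(t) for moves in delta.values() for t in moves.values())

# Constructed sample: 3-symbol alphabet, one signature.
NFA1 = substring_nfa(b"cab", b"abc")
NFA2 = double_stride(NFA1)   # 2 bytes per step
NFA4 = double_stride(NFA2)   # 4 bytes per step
ACCEPT = {3}
```

On an 8-byte input, `run(NFA4, 4, NFA1, ACCEPT, data)` reaches the same verdict as the 1-stride run in 2 steps instead of 8, while `transitions(NFA4)` is far larger than `transitions(NFA1)`.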
5. Main research directions
• The new multistride algorithm pushes forward the limits
of the previous algorithms
But:
• Even with faster algorithms, multistride still has limits
• It should be possible to optimize NFAs to achieve better results when using GPU-based processors
For these reasons:
• A new technique, called multi-map multistride, has been developed
• It exploits the GPU architecture
• It pushes the limits of the original multistride further forward
6. Obtained results
• With the new “Multi-Stride” algorithm it is now possible to quadruple
the processing throughput of medium-sized NFAs, whereas the previous
algorithms achieved no more than a 2x boost on the
same NFAs
– M. Avalle, F. Risso, R. Sisto, “Efficient Multistriding of Large
Non-deterministic Finite State Automata for Deep Packet Inspection”, in Proc. of
the IEEE International Conference on Communications (ICC) 2012 –
Communication and Information Systems Security Symposium.
• The new “Multi-Map Multistride” technique further extends the
previous limits by multiplying the processing throughput of bigger
NFAs and with higher coefficients
– A paper is under development to present results of this algorithm
7. Secondary research topic: Design and implementation of security protocols with javaSPI
Outline
• Background
• Our solution: JavaSPI
• Results
8. Background
• Developing a security protocol is a hard, error-prone
task even for experts
• Formal methods can be the key to simplify this
process
– Mathematical demonstration of the claimed security
properties
– Semi-automated generation of the implementation
code to reduce the presence of bugs
• However, using formal methods is still a complex
task, as the formal languages are usually
unknown to the developers
10. Results
• The javaSPI tool has been developed
• A case study, regarding a particular configuration of the SSL 3.0 handshake
protocol, has been developed
– M. Avalle, A. Pironti, R. Sisto, D. Pozza, “The Java SPI Framework for Security Protocol
Implementation”, in Proc. of the Sixth International Conference on Availability, Reliability
and Security (ARES), Vienna, Austria, pp. 746-751, IEEE, 2011.
• Moreover, there is an article under development to present the
mathematical soundness proofs of javaSPI.
• A survey regarding the state of the art of formal methods applied to security
protocols has been written
– M. Avalle, A. Pironti, R. Sisto, “Formal Verification of Security Protocol
Implementations: A Survey”, accepted for publication in Formal Aspects of Computing,
Springer.
11. Future work
• The first, short-term objective is to finish the
current work by publishing the papers under
development regarding both research topics
• Moreover, there should still be room to improve
the performance of the current techniques by
implementing new GPU-specific optimization
techniques.