
Design And Implementation Of An Rdma-based Virtualized Security Gateway System

Posted on: 2022-11-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y K Li
GTID: 2518306773971309
Subject: Automation Technology

Abstract/Summary:
Remote Direct Memory Access (RDMA) technology achieves low latency and high bandwidth through features such as zero data copy and kernel bypass, and it is widely used in data center applications. At the same time, with the introduction of virtualization solutions, RDMA is gradually being deployed in the cloud environment. Given the sensitivity of data storage and computation in the cloud, this deployment makes RDMA security a critical part of protecting user data access. However, because RDMA data transmission bypasses the kernel, security monitoring in the kernel becomes very difficult, and modifying the network protocol carries a huge cost. Currently, the potential security problems of RDMA-based network communication have not been effectively solved.

Specifically, the security problems of RDMA are mainly caused by characteristics of its protocol design and technical implementation: the transmission of data packets in plain text, the cached data of the network card, and the bypassing of the kernel for data transmission. These characteristics reduce communication latency, but can also cause problems such as unauthorized memory access and Denial of Service attacks in RDMA networks, seriously threatening network security. At the same time, RDMA offloads network packet processing from the CPU core to the network card device, making it impossible to implement security mechanisms in the kernel protocol stack. To solve these problems, the vast majority of research works adopt the method of optimizing the protocol and redesigning the network card. Although these methods have achieved good results, they have high deployment costs. Therefore, how to reduce the deployment cost while ensuring the security of the RDMA network in the cloud environment is an urgent problem to be solved.

Inspired by the network flow forwarding and control in the middle layer of virtualization, this thesis clarifies the security problems of RDMA networks in terms of data transmission and resource occupation through analysis of the RDMA protocol and simulated attack experiments, and proposes a virtualized security gateway system based on RDMA. The system not only achieves more flexible network security protection at the software level, but also provides comprehensive security protection from both the control path and the data path, effectively solving the difficulties and challenges encountered in current RDMA security research. The specific works of this thesis are as follows:

(1) Analyzed RDMA security issues in data transmission and resource occupation. This thesis analyzes the security risks that protocol defects such as plaintext transmission of memory keys, limited network card cache, and the high regularity of data packet elements pose to RDMA data transmission, and confirms unauthorized memory access, hardware resource Denial of Access attacks, and Queue Pair state attacks through simulated attack experiments.

(2) Explored hardware counters and their application to security. This thesis analyzes the specific meaning and influencing factors of RDMA hardware counters, uses the long-neglected hardware counters to detect abnormal events in the data path, and realizes security protection of the RDMA data path on the premise that data transmission is not disturbed.

(3) Proposed a virtualized security gateway system. The gateway in the physical world is responsible for forwarding and controlling network flows, and its concept can be mapped to the middle layer of network virtualization (that is, the virtualization gateway). By imposing a security mechanism in the virtual gateway, the pain point of having no effective monitoring can be solved in software, so that the security of the RDMA network control path can be guaranteed more flexibly and at low deployment cost. Therefore, this thesis uses this idea to strengthen the security control of RDMA from the virtualization level, and provides a more comprehensive security mechanism combined with data path detection. In addition, this thesis also proposes a hardware resource pre-allocation method to dynamically analyze the resource requirements of instances and prevent malicious occupation.

(4) Completed a prototype system based on an open-source RDMA virtualization framework. This thesis implements the sv RDMA system in the Docker container environment through the cooperation of the system's components, shared memory, netlink, and other technologies, and conducts functional and performance tests on the proposed method and mechanism. The results show that the sv RDMA system achieves second-level RDMA network anomaly event detection and defense, incurring only < 3% additional overhead.

In short, this thesis addresses the problem that the RDMA network security situation is severe but cannot be effectively monitored, and strengthens RDMA security protection in the virtualization middle layer from a software perspective. Through comprehensive protection of the control path and data path, this thesis implements an efficient, low-loss, and low-cost virtualized security gateway system, which provides a new idea for protecting RDMA networks. This work could more effectively promote the safe deployment and application of RDMA technology in the cloud computing environment, and has important application value for data center security under high-performance network transmission.
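Contribution (2) rests on sampling RDMA NIC hardware counters and flagging abnormal growth in the data path. As an added illustration (not code from the thesis or the sv RDMA system), the Python below reads a small set of such counters and alerts when their per-interval growth exceeds a threshold; the counter names follow the sysfs hw_counters layout of mlx5 NICs, and the thresholds and snapshot values are constructed assumptions.

```python
# Detect data-path anomalies from per-interval deltas of RDMA NIC hardware counters.
import os

# Counter names and thresholds are assumptions for this example. The names match the
# files under /sys/class/infiniband/<dev>/ports/<port>/hw_counters/ on mlx5 NICs;
# the thresholds (events per sampling interval) would be tuned per deployment.
THRESHOLDS = {
    "resp_remote_access_errors": 20,  # incoming ops rejected by rkey/permission checks
    "req_remote_access_errors": 20,   # our own requests rejected by the peer
    "out_of_buffer": 100,             # receive buffers exhausted (resource pressure)
    "packet_seq_err": 100,            # out-of-order or replayed packets
}

def read_hw_counters(dev, port=1, names=THRESHOLDS):
    """Read the named cumulative counters for one device port from sysfs."""
    base = f"/sys/class/infiniband/{dev}/ports/{port}/hw_counters"
    out = {}
    for name in names:
        with open(os.path.join(base, name)) as f:
            out[name] = int(f.read().strip())
    return out

def counter_deltas(prev, cur):
    """Growth of each counter since the previous snapshot; a drop means a reset."""
    return {k: max(cur[k] - prev.get(k, cur[k]), 0) for k in cur}

def detect_anomalies(samples, thresholds=THRESHOLDS):
    """Return (interval_index, counter, delta) for every interval in which a watched
    counter grew by more than its threshold; samples[i] is the i-th snapshot."""
    alerts = []
    for i in range(1, len(samples)):
        d = counter_deltas(samples[i - 1], samples[i])
        for name, limit in thresholds.items():
            if d.get(name, 0) > limit:
                alerts.append((i, name, d[name]))
    return alerts

def snap(resp, req, oob, seq):  # helper to build a snapshot dict compactly
    return {"resp_remote_access_errors": resp, "req_remote_access_errors": req,
            "out_of_buffer": oob, "packet_seq_err": seq}

# Constructed snapshots (not captured from a real NIC): interval 3 shows a burst of
# remote access errors, the signature of repeated attempts to reach memory that was
# never registered for the requester; interval 4 shows receive-buffer exhaustion.
SAMPLE_SNAPSHOTS = [snap(0, 0, 0, 0), snap(1, 0, 3, 2), snap(2, 0, 5, 2),
                    snap(480, 0, 7, 3), snap(481, 0, 900, 3)]

if __name__ == "__main__":
    for i, name, delta in detect_anomalies(SAMPLE_SNAPSHOTS):
        print(f"interval {i}: {name} grew by {delta}")
```

In a live deployment `read_hw_counters` would replace the constructed snapshots, sampled once per interval from the gateway host rather than from inside the monitored instance.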
Keywords/Search Tags: RDMA, Virtualization, Security gateway, DoS Attack, Hardware counter