Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Data Parallelism in SELinux Using a Multicore Processor Bodhisatta Barman Roy National University of Singapore, Singapore Arun Kalyanasundaram,

Published byMorgan Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "Exploiting Data Parallelism in SELinux Using a Multicore Processor Bodhisatta Barman Roy National University of Singapore, Singapore Arun Kalyanasundaram,"— Presentation transcript:

1 Exploiting Data Parallelism in SELinux Using a Multicore Processor Bodhisatta Barman Roy National University of Singapore, Singapore Arun Kalyanasundaram, Shrisha Rao International Institute of Information Technology Bangalore, India Computer Society of India, CSI 2012, Kolkata, India

2 Motivation One of the major drawbacks of Security:

3 Motivation One of the major drawbacks of Security: – Reduction in Efficiency

4 Motivation Similarly, performance overhead due to Security features in software is considerable.

5 Motivation Similarly, performance overhead due to Security features in software is considerable. However, with the proliferation of multicore processors, we can introduce parallelism in software security validations.

6 Goal Our aim is to optimize and evaluate the performance of SELinux (Security Enhanced Linux) on a multicore processor.

7 Goal Our aim is to optimize and evaluate the performance of SELinux (Security Enhanced Linux) on a multicore processor. – SELinux is a Linux operating system feature that provides fine grain access control over system resources.

8 Goal Our aim is to optimize and evaluate the performance of SELinux (Security Enhanced Linux) on a multicore processor. – SELinux is a Linux operating system feature that provides fine grain access control over system resources. – We propose several techniques to introduce parallelism in the SELinux architecture.

9 Goal Our aim is to optimize and evaluate the performance of SELinux (Security Enhanced Linux) on a multicore processor. – SELinux is a Linux operating system feature that provides fine grain access control over system resources. – We propose several techniques to introduce parallelism in the SELinux architecture. – We evaluate our approach using a Cell Broadband Engine (CBE) multicore processor.

10 Background - SELinux SELinux implements the Mandatory Access Control (MAC) security paradigm. MAC operates on a set of rules to constrain a ‘process’ from performing an operation on a resource (e.g. file). Each process/resource is assigned a label called security context, which eases the task of writing security policy rules.

11 Background – SELinux Architecture Subject: Process xyz Policy database Security Server: Makes Decision Allowed ? LSM Hooks Policy Enforcement AVC Object: File: xyz.txt Linux DAC Deny No Access: Read Yes SELinux MAC Access Vector Cache Security Context

12 Identifying SELinux Performance Bottlenecks The decision to allow or deny an operation is a two step process, – Validation of the security contexts (SC) of the source (Process) and target (resource). – Determining the presence of a security policy rule corresponding to the requested operation. We found the validation step to be a major cause for performance overhead.

13 Hardware Setup - CBE The CBE is a master-slave based multicore processor consisting of one Power Processing Element (PPE) and eight Synergistic Processing Elements (SPE). Execution on SPE is initiated by PPE and data is transferred using DMA controllers. We used a Sony Play Station 3 console powered by a CBE processor, with Yellow Dog Linux 6.1 installed.

14 Our Approach We implement a parallel search using SIMD programming paradigm in the validation of security contexts (SC).

15 Our Approach We implement a parallel search using SIMD programming paradigm in the validation of security contexts (SC). Since the SC has three components, the validation requires traversing 3 linked list data structures.

16 Our Approach We implement a parallel search using SIMD programming paradigm in the validation of security contexts (SC). Since the SC has three components, the validation requires traversing 3 linked list data structures. We use either 3 SPEs (3U) or 6 SPEs (6U) to perform the search with one or two SPEs per component respectively.

17 Our Approach We implement a parallel search using SIMD programming paradigm in the validation of security contexts (SC). Since the SC has three components, the validation requires traversing 3 linked list data structures. We use either 3 SPEs (3U) or 6 SPEs (6U) to perform the search with one or two SPEs per component respectively. We also evaluate a busy wait strategy on the SPE, where the SPE is not freed between node lookups.

18 Our Approach – Different Number of SPEs

19 SPE Busy Wait Loading Strategy Keep the SPE waiting till the data for next node in the linked list is available.

20 SPE Busy Wait Loading Strategy Keep the SPE waiting till the data for next node in the linked list is available. Pros – Improves performance by eliminating load time.

21 SPE Busy Wait Loading Strategy Keep the SPE waiting till the data for next node in the linked list is available. Pros – Improves performance by eliminating load time. Cons – Other processes which require the SPE may be blocked. – Requires continuous polling on main memory which impede data access operations.

22 Optimizing DMA Transfers for Matching Strings DMA double buffering for null terminated Strings.

23 Performance Measurement Evaluation based on two configurable parameters,

24 Performance Measurement Evaluation based on two configurable parameters, – Number of rules in security policy. This determines the number of valid security contexts We evaluate with policies contining 0 – 4000 rules.

25 Performance Measurement Evaluation based on two configurable parameters, – Number of rules in security policy. This determines the number of valid security contexts We evaluate with policies contining 0 – 4000 rules. – Size of Access Vector Cache (AVC). Helps accurately measure overhead due to decision making logic in the Security server. Two different AVC size – 512 entries (Optimal) and 1 entry (Minimal).

26 Results : Single Core PPE Performance The increase in running time is about 64%, 112% between 2500 - 4000 rules with optimal and minimal AVC respectively. Establishes the fact that security context validations are computationally intensive.

27 Results : Comparing Different Techniques Counter-intuitive results showing multicore performance lower than single core with Optimal AVC size. However, with Minimal AVC size and busy wait strategy, there is an efficiency gain of up to 43%.

28 Conclusion The gain in efficiency of optimizing security validations depend on the architecture of the software and the hardware platform. However, software applications designed for a uniprocessor system cannot be easily optimized for parallel computing. The problem is especially prominent in securityrelated applications, since the priority is robustness rather than efficiency.

29 Future Work One extension of our work is to apply the proposed techniques to other security features / applications like TOMOYO Linux, SMACK5, and compare their performances. Evaluating our approach on different multicore architectures like GPGPUs, could give greater insights into its effectiveness. Analyze the proposed techniques in distributed platforms like Beowulf clusters and grid networks.

30 Questions?

Download ppt "Exploiting Data Parallelism in SELinux Using a Multicore Processor Bodhisatta Barman Roy National University of Singapore, Singapore Arun Kalyanasundaram,"

Similar presentations

PARMON A Comprehensive Cluster Monitoring System PARMON Team Centre for Development of Advanced Computing, Bangalore, India Contact: Rajkumar Buyya

PARMON A Comprehensive Cluster Monitoring System PARMON Team Centre for Development of Advanced Computing, Bangalore, India Contact: Rajkumar Buyya
Systems and Technology Group © 2006 IBM Corporation Cell Programming Tutorial - JHD24 May 2006 Cell Programming Tutorial Jeff Derby, Senior Technical Staff.

Systems and Technology Group © 2006 IBM Corporation Cell Programming Tutorial - JHD24 May 2006 Cell Programming Tutorial Jeff Derby, Senior Technical Staff.
JENNIS SHRESTHA CSC 345 April 22, 2014. Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.

JENNIS SHRESTHA CSC 345 April 22, Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.
An OpenCL Framework for Heterogeneous Multicores with Local Memory PACT 2010 Jaejin Lee, Jungwon Kim, Sangmin Seo, Seungkyun Kim, Jungho Park, Honggyu.

An OpenCL Framework for Heterogeneous Multicores with Local Memory PACT 2010 Jaejin Lee, Jungwon Kim, Sangmin Seo, Seungkyun Kim, Jungho Park, Honggyu.
Instructor Notes We describe motivation for talking about underlying device architecture because device architecture is often avoided in conventional.

Instructor Notes We describe motivation for talking about underlying device architecture because device architecture is often avoided in conventional.
Scalable Multi-Cache Simulation Using GPUs Michael Moeng Sangyeun Cho Rami Melhem University of Pittsburgh.

Scalable Multi-Cache Simulation Using GPUs Michael Moeng Sangyeun Cho Rami Melhem University of Pittsburgh.
SLA-Oriented Resource Provisioning for Cloud Computing

SLA-Oriented Resource Provisioning for Cloud Computing
Parallelizing GIS applications for IBM Cell Broadband engine and x86 Multicore platforms Bharghava R, Jyothish Soman, K S Rajan International.

Parallelizing GIS applications for IBM Cell Broadband engine and x86 Multicore platforms Bharghava R, Jyothish Soman, K S Rajan International.
Ido Tov & Matan Raveh Parallel Processing (361-1-3621) January 2014 Electrical and Computer Engineering DPT. Ben-Gurion University.

Ido Tov & Matan Raveh Parallel Processing ( ) January 2014 Electrical and Computer Engineering DPT. Ben-Gurion University.
Study of Hurricane and Tornado Operating Systems By Shubhanan Bakre.

Study of Hurricane and Tornado Operating Systems By Shubhanan Bakre.
Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.

Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.
Praveen Yedlapalli Emre Kultursay Mahmut Kandemir The Pennsylvania State University.

Praveen Yedlapalli Emre Kultursay Mahmut Kandemir The Pennsylvania State University.
Distributed Processing, Client/Server, and Clusters

Distributed Processing, Client/Server, and Clusters
Chapter 16 Client/Server Computing Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 16 Client/Server Computing Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.

Using Cell Processors for Intrusion Detection through Regular Expression Matching with Speculation Author: C˘at˘alin Radu, C˘at˘alin Leordeanu, Valentin.
User Level Interprocess Communication for Shared Memory Multiprocessor by Bershad, B.N. Anderson, A.E., Lazowska, E.D., and Levy, H.M.

User Level Interprocess Communication for Shared Memory Multiprocessor by Bershad, B.N. Anderson, A.E., Lazowska, E.D., and Levy, H.M.
Figure 1.1 Interaction between applications and the operating system.

Figure 1.1 Interaction between applications and the operating system.
Synergistic Processing In Cell’s Multicore Architecture Michael Gschwind, et al. Presented by: Jia Zou CS258 3/5/08.

Synergistic Processing In Cell’s Multicore Architecture Michael Gschwind, et al. Presented by: Jia Zou CS258 3/5/08.
1 I/O Management in Representative Operating Systems.

1 I/O Management in Representative Operating Systems.
CS 7810 Lecture 24 The Cell Processor H. Peter Hofstee Proceedings of HPCA-11 February 2005.

CS 7810 Lecture 24 The Cell Processor H. Peter Hofstee Proceedings of HPCA-11 February 2005.

Similar presentations

Ads by Google