How SmartNIC cards change the concept of server security in particular and the cloud in general
In an era when cyber threats lurk around every corner, with increasing attacks on data centers, security is evaluated for each machine that stores user data. However, the presence of malware in the operating system blocks most software protection tools. In addition, various antivirus and real-time protection programs consume computing resources of the processor and memory that should be allocated to users.
We already talked about SmartNIC concept and network card Mellanox BlueField, which has an array of ARM processor cores and an integrated network controller Mellanox ConnectX-5, which solves the problem of protecting data centers through its own network flow processing. SmartNIC works in an environment that is isolated from potential malware. Since security software runs on the arm processor of the network card, all server computing resources remain available to users and applications. Using an isolated environment, SmartNIC can safely access app data for introspection, preventing data tampering by malware, and working unnoticed by apps without leaving a trace.
There are several methods For obtaining data for analyzing malware activity.
Antivirus software works with files that are at rest, also called data-at-rest. The disk can be analyzed by an antivirus software scanner running on the same or another machine that is not compromised. For external analysis and when the disk is not encrypted, you can build a file system tree and scan the disk for known signatures. For example, by scanning the disk for a file, the file can be restored to calculate its hash value. In turn, various Internet resources can provide information if a given file is malicious, given its hash value. However, if the malware is not stored on the hard drive, it may not have any trace in the file system, and thus the antivirus scanner method will not be able to detect the compromised system.
Network Intrusion Detection system:
Most attacks leave some trace on the network. Consider the scenario of stealing secrets from a host machine and sending them to a remote attacker. Detecting such events will allow you to find out which IP could have carried out the attack, and what its purpose is. Today, most IDS and IPS solutions monitor the network to detect malicious activity. Network data can be collected locally on the same machine or remotely (for example, using a SmartNIC or switch).
Runtime Data provides the best visibility in the system, and there are two approaches for getting it: Intrusive and non-Intrusive for the operating system. An Intrusive option refers to privileged software that connects to events and triggers via functions in the operating system. For example, the file/socket open / close event will cause the collection of timestamps and data that is being opened / closed. Another example is creating a new process. Triggers for branching and executing a new process are used by the software to detect malicious actions (for example, this can help answer the question, is the new process malware? Is the running process expected to fork the new process?).
Ideally, we want to be able to collect data that reflects the state of the system and activity that comes from three main sources: disk, network, and memory.
Most detection methods use a network or disk approach. unfortunately, this is not enough to solve the problems of modern malware. For example, some malicious programs can attack the system without leaving a trace on the disk, thus hiding their presence and activity from detection methods based on scanning media. Malicious programs that use the network to work cannot completely hide. However, while network traffic may include several compromising features, in many cases the traffic volumes are too large, the packets are random and complex, so to understand the behavior of malware and understand network traffic, you need to take a closer look at the runtime environment.
Data built from a raw memory dump provides an abstraction for studying and detecting an attack. If an attack were to occur-whether by injecting code, manipulating process memory, branching a new process, opening a new network connection to a remote attacker-all this would manifest as a change in physical memory. The stronger the impact, the more artifacts will remain in the memory.
Out-of-band malware detection
To detect and analyze malware, the external device receives data that is completely transparent and invisible to any other applications. The hardware approach to data acquisition is considered the most reliable detection method, due to the fact that in most cases, using the PCIe Protocol, peripherals have direct access to memory (DMA) and can read/write from/to it without any side effects for any software running on the host computer. The PCI Express card can read from memory and write to memory at a speed of 8 GB / s (Gen3) or 16 GB / s per lane.
The node's physical memory is divided into several areas that are displayed at boot time and include system RAM, I / o space, and ROM. For the most part, the data and areas of the malicious attack are located in the system RAM, where the operating system kernel lives. To collect data, the hardware device performs a memory read transaction to get physical pages of the RAM area.The following image shows the Ubuntu Linux 16.04 memory card
The Transaction passes from the network card of the PCIe add-in via the PCIe bus to the memory controller, which in turn provides access to physical memory. All this happens without the use of software, and unlike soft-based solutions, this approach does not interfere with the software on the computer under study. In terms of speed, hardware approaches are superior to their software counterparts. For example, reading 64 GB of RAM from an antivirus program may take several minutes, and when using a separate card, a PCIe add-on card running on the PCI Express Gen4 bus, it may take about 2 seconds.
SmartNIC for malware detection
Using the volatility memory forensics framework used by developers of anti-malware tools, it was possible to analyze host memory by downloading its segments and analyzing them already on the computing cores of the "Mellanox Bluefield" Smart network card and in its local memory. It is important to note that this method usually works with memory files that can reach 64 GB and 128 GB. Using a memory dump image, the framework extracts information such as a list of processes, network connections, and loaded kernel modules that help experts identify a trace of malware, as well as understand its behavior.
Attacks are becoming more stealthy and complex, while the capabilities of modern intrusion detection and prevention methods are lagging far behind. Hardware data collection is considered the most reliable, and allows you to save machine resources by distributing the load on smart network cards such as Mellanox BlueField. This approach makes it easier not only to protect against intrusions, but also to investigate incidents.