Recent malicious attacks to many research/commercial servers have made protection and security essential requirements in all computer systems. There are two types of possible attacks: software and physical attacks. Software attacks exploit software vulnerabilities of the operating system (OS) and server applications such as web and database services. Physical attacks capture or modify data from the system memory or system bus through external devices physically attached to the system. To mitigate the physical attacks, memory encryption and authentication have been widely investigated for uniprocessor systems. However, the uniprocessor security models are not sufficient to design secure multiprocessor/cluster systems due to the absence of efficient cache-to-cache/node-to-node communication protection. Hence, we explore various security issues possible in multiprocessor/cluster systems and propose mechanisms for architectural support to enhance security.

Security Enhanced Shared Memory Multiprocessor Systems Protection and security are becoming essential requirements in commercial servers. We present a fast and efficient method for providing secure memory and cache-to-cache communications in shared memory multiprocessor systems that are becoming enormously popular in designing servers for various applications. Since our scheme is independent of underlying interconnects and cache coherence protocols, we refer to it as Interconnects-Independent Security Enhanced Shared Memory Multiprocessor Systems (I2SEMS). The main challenge in designing I2SEMS is how to precompute keystreams in a timely manner, which is critical to minimize performance overhead. We achieve this goal by adopting a single system-wide Global Counter Controller (GCC) and three additional components for each processor: a keystream queue, a keystream cache, and a keystream pool. Simulation results show that the overall performance slowdown is 4% on average and the keystream hit rate is as high as 78%. The stable keystream hit rate shows that I2SEMS works well with both memory-read and memory-write dominant applications. Therefore, we expect I2SEMS to enhance security of shared memory multiprocessor systems with marginal performance overhead.

Security Model	I2SEMS Prediction Correctness

Security Framework for InfiniBand Architecture The InfiniBand Architecture (IBA) is a promising communication standard for building clusters and system area networks. However, the IBA specification has left out security aspects, resulting in potential security vulnerabilities, which could be exploited with moderate effort. In this research, we provide a comprehensive security framework for IBA by first looking into these vulnerabilities from three classical security aspects (confidentiality, authentication, and availability. Then, we investigate the following security issues. First, as groundwork for secure services in IBA, we present partition-level and queue-pair-level key management schemes, both of which can be easily integrated into IBA. Second, for confidentiality and authentication, we present a method to incorporate a scalable encryption and authentication algorithm into IBA, with little performance overhead. Third, for better availability, we propose a stateful ingress filtering mechanism to block denial-of-service (DoS) attacks. Finally, to further improve the availability, we provide a scalable packet marking method tracing back DoS attacks. Simulation results of an IBA network show that the security performance overhead due to encryption/authentication on network latency ranges from 0.7 percent to 12.4 percent. As a pioneering work in architectural support for secure cluster systems, the security frame for IBA is expected to be used as a guideline to develop general secure cluster systems.

Partition-Level Key Management Scheme	Network Delay for Stateful Ingress Filtering

• "I2SEMS: Interconnects-Independent Security Enhanced Shared Memory Multiprocessor Systems," M. Lee, M. Ahn, and E.J. Kim, in the Proceedings of the 16th International Conference on Parallel Architectures and Compilation Techniques (PACT), Brasov, Romania, 2007.

• "A Comprehensive Framework for Enhancing Security in InfiniBand Architecture," M. Lee, and E.J. Kim, IEEE Transactions on Parallel and Distributed Systems (TPDS) Vol. 18, No. 10, pp. 1393-1406, Oct. 2007.

• "An Overview on Security Issues in Cluster Interconnects," M. Lee, E.J. Kim, K. H. Yum and M. Yousif, In the Proceedings of the Cluster-Sec 2006 Workshop (Cluster-Sec, CCGrid Workshops) 2006, Singapore, 2006.

• "Security Enhancement in InfiniBand Architecture," M. Lee, E.J. Kim, and M. Yousif, in the Proceedings of the 19th IEEE International Parallel & Distributed Processing Symposium (IPDPS), Denver, 2005.

• "Instant Attack Stopper in InfiniBand Architecture," M. Lee, E.J. Kim, K. H. Yum and M. Yousif, in the Proceedings of the Cluster-Sec 2005 Workshop (Cluster-Sec, CCGrid Workshops) 2005, Cardiff, UK, 2005.

• "A Source Identification Scheme against DDoS Attacks in Cluster Interconnects," M. Lee, E.J. Kim, and C. W. Lee, in International Workshop on Network Design and Architecture (IWNDA) in conjunction with ICPP 2004, pp.354-362.