Leveraging Software-Defined Networking and Virtualization for a One-to-One Client-Server Model

Taylor, Curtis R

30 April 2014

Modern computer networks allow server resources to be shared. While this multiplexing is the unsung hero of scalability and performance, the fact that clients are sharing resources and each client’s network traffic is transmitted in a larger pool of the total network traffic, poses distinct challenges for security. By adopting multiplexing so broadly, the networking and systems communities have implicitly favored performance over security. When servers multiplexing clients are compromised, the attack is able to spread by exploiting unsuspecting clients sharing the resource. Drive-by-downloads are an example of an attack where a Web server is compromised and begins distributing malware to connecting clients. As a result of using today’s many-to-one client-server network model, current approaches are inadequate at protecting the network and its resources. We propose a redesign of the modern network infrastructure. Our approach involves moving from the current many-to-one client-server model to a one-to-one client-server model. In redesigning the network, we provide a means of better accountability for traffic between clients and servers. With accountability, we enable the ability to quickly determine which client is responsible for an attack. This allows us to quickly repair the affected entities. To accomplish this accountability, we separate each client’s communication into separate flows. A flow is identified by various network features, such as IP addresses and ports. Further, instead of allowing multiple clients to be multiplexed at the same server, we use a technique that allows each client to communicate with a server that is logically separate from all other clients. Accordingly, a server compromise only effects a single client. We create a one-to-one client-server model using virtualization techniques and OpenFlow, a software-defined network (SDN) protocol. We complete our model in three phases. In the first, we deploy a physical SDN using physical machines and a commodity network switch that supports OpenFlow to gain an initial understanding of SDNs. The next phase involves implementation of Choreographer, a DNS access control mechanism, in a virtualized SDN environment for better scalability over our physical configuration. Finally, we leverage Choreographer to dynamically instantiate a server for each client and create network flows that allow a client to reach the requested server.

one-to-one client-server model

virtualization

security

software-defined networks

networking

A cooperative and incentive-based proxy-and-client caching system for on-demand media streaming.

January 2005

Ip Tak Shun. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2005. / Includes bibliographical references (leaves 95-101). / Abstracts in English and Chinese. / Abstract --- p.i / Acknowledgement --- p.iv / Chapter 1 --- Introduction --- p.1 / Chapter 1.1 --- Background --- p.1 / Chapter 1.1.1 --- Media Streaming --- p.1 / Chapter 1.1.2 --- Incentive Mechanism --- p.2 / Chapter 1.2 --- Cooperative and Incentive-based Proxy-and-Client Caching --- p.4 / Chapter 1.2.1 --- Cooperative Proxy-and-Client Caching --- p.4 / Chapter 1.2.2 --- Revenue-Rewarding Mechanism --- p.5 / Chapter 1.3 --- Thesis Contribution --- p.6 / Chapter 1.4 --- Thesis Organization --- p.7 / Chapter 2 --- Related Work --- p.9 / Chapter 2.1 --- Media Streaming --- p.9 / Chapter 2.2 --- Incentive Mechanism --- p.11 / Chapter 2.3 --- Resource Pricing --- p.14 / Chapter 3 --- Cooperative Proxy-and-Client Caching --- p.16 / Chapter 3.1 --- Overview of the COPACC System --- p.16 / Chapter 3.2 --- Optimal Cache Allocation (CAP) --- p.21 / Chapter 3.2.1 --- Single Proxy with Client Caching --- p.21 / Chapter 3.2.2 --- Multiple Proxies with Client Caching --- p.24 / Chapter 3.2.3 --- Cost Function with Suffix Multicast --- p.26 / Chapter 3.3 --- Cooperative Proxy-Client Caching Protocol --- p.28 / Chapter 3.3.1 --- Cache Allocation and Organization --- p.29 / Chapter 3.3.2 --- Cache Lookup and Retrieval --- p.30 / Chapter 3.3.3 --- Client Access and Integrity Verification --- p.30 / Chapter 3.4 --- Performance Evaluation --- p.33 / Chapter 3.4.1 --- Effectiveness of Cooperative Proxy and Client Caching --- p.34 / Chapter 3.4.2 --- Robustness --- p.37 / Chapter 3.4.3 --- Scalability and Control Overhead --- p.38 / Chapter 3.4.4 --- Sensitivity to Network Topologies --- p.40 / Chapter 4 --- Revenue-Rewarding Mechanism --- p.43 / Chapter 4.1 --- System Model --- p.44 / Chapter 4.1.1 --- System Overview --- p.44 / Chapter 4.1.2 --- System Formulation --- p.47 / Chapter 4.2 --- Resource Allocation Game --- p.50 / Chapter 4.2.1 --- Non-Cooperative Game --- p.50 / Chapter 4.2.2 --- Profit Maximizing Game --- p.52 / Chapter 4.2.3 --- Utility Maximizing Game --- p.61 / Chapter 4.3 --- Performance Evaluation --- p.74 / Chapter 4.3.1 --- Convergence --- p.76 / Chapter 4.3.2 --- Participation Incentive --- p.77 / Chapter 4.3.3 --- Cost effectiveness --- p.85 / Chapter 5 --- Conclusion --- p.87 / Chapter A --- NP-Hardness of the CAP problem --- p.90 / Chapter B --- Optimality of the Greedy Algorithm --- p.92 / Bibliography --- p.95

Cache memory

Client/server computing

A research in SQL injection.

January 2005

Leung Siu Kuen. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2005. / Includes bibliographical references (leaves 67-68). / Abstracts in English and Chinese. / Abstract --- p.i / Acknowledgement --- p.iii / Chapter 1 --- Introduction --- p.1 / Chapter 1.1 --- Motivation --- p.1 / Chapter 1.1.1 --- A Story --- p.1 / Chapter 1.2 --- Overview --- p.2 / Chapter 1.2.1 --- Introduction of SQL Injection --- p.4 / Chapter 1.3 --- The importance of SQL Injection --- p.6 / Chapter 1.4 --- Thesis organization --- p.8 / Chapter 2 --- Background --- p.10 / Chapter 2.1 --- Flow of web applications using DBMS --- p.10 / Chapter 2.2 --- Structure of DBMS --- p.12 / Chapter 2.2.1 --- Tables --- p.12 / Chapter 2.2.2 --- Columns --- p.12 / Chapter 2.2.3 --- Rows --- p.12 / Chapter 2.3 --- SQL Syntax --- p.13 / Chapter 2.3.1 --- SELECT --- p.13 / Chapter 2.3.2 --- AND/OR --- p.14 / Chapter 2.3.3 --- INSERT --- p.15 / Chapter 2.3.4 --- UPDATE --- p.16 / Chapter 2.3.5 --- DELETE --- p.17 / Chapter 2.3.6 --- UNION --- p.18 / Chapter 3 --- Details of SQL Injection --- p.20 / Chapter 3.1 --- Basic SELECT Injection --- p.20 / Chapter 3.2 --- Advanced SELECT Injection --- p.23 / Chapter 3.2.1 --- Single Line Comment (--) --- p.23 / Chapter 3.2.2 --- Guessing the number of columns in a table --- p.23 / Chapter 3.2.3 --- Guessing the column name of a table (Easy one) --- p.26 / Chapter 3.2.4 --- Guessing the column name of a table (Difficult one) . --- p.27 / Chapter 3.3 --- UPDATE Injection --- p.29 / Chapter 3.4 --- Other Attacks --- p.30 / Chapter 4 --- Current Defenses --- p.32 / Chapter 4.1 --- Causes of SQL Injection attacks --- p.32 / Chapter 4.2 --- Defense Methods --- p.33 / Chapter 4.2.1 --- Defensive Programming --- p.34 / Chapter 4.2.2 --- hiding the error messages --- p.35 / Chapter 4.2.3 --- Filtering out the dangerous characters --- p.35 / Chapter 4.2.4 --- Using pre-complied SQL statements --- p.36 / Chapter 4.2.5 --- Checking for tautologies in SQL statements --- p.37 / Chapter 4.2.6 --- Instruction set randomization --- p.38 / Chapter 4.2.7 --- Building the query model --- p.40 / Chapter 5 --- Proposed Solution --- p.43 / Chapter 5.1 --- Introduction --- p.43 / Chapter 5.2 --- Natures of SQL Injection --- p.43 / Chapter 5.3 --- Our proposed system --- p.44 / Chapter 5.3.1 --- Features of the system --- p.44 / Chapter 5.3.2 --- Stage 1 - Checking with current signatures --- p.45 / Chapter 5.3.3 --- Stage 2 - SQL Server Query --- p.45 / Chapter 5.3.4 --- Stage 3 - Error Triggering --- p.46 / Chapter 5.3.5 --- Stage 4 - Alarm --- p.50 / Chapter 5.3.6 --- Stage 5 - Learning --- p.50 / Chapter 5.4 --- Examples --- p.51 / Chapter 5.4.1 --- Defensing BASIC SELECT Injection --- p.52 / Chapter 5.4.2 --- Defensing Advanced SELECT Injection --- p.52 / Chapter 5.4.3 --- Defensing UPDATE Injection --- p.57 / Chapter 5.5 --- Comparison --- p.59 / Chapter 6 --- Conclusion --- p.62 / Chapter A --- Commonly used table and column names --- p.64 / Chapter A.1 --- Commonly used table names for system management --- p.64 / Chapter A.2 --- Commonly used column names for password storage --- p.65 / Chapter A.3 --- Commonly used column names for username storage --- p.66 / Bibliography --- p.67

Computer security

SQL (Computer program language)

Application software--Security measures

Supporting multiple output devices on an ad-hoc basis in visualisation

Zha, Xi

January 2010

In recent years, new visualisation techniques and devices, such as remote visualisation and stereoscopic displays, have been developed to help researchers. In a remote visualisation environment the user may want to see visualisation on a different device, such as a PDA or stereo device, and in different circumstances. Each device needs to be configured correctly, otherwise it may lead to an incorrect rendering of the output. For end users, however, it can be difficult to configure each device without a knowledge of the device property and rendering. Therefore, in a multiple user and multiple display environment, to obtain the correct display for each device can be a challenge. In this project, the focus on investigating a solution that can support end users to use different display devices easily. The proposed solution is to develop an application that can support the ad-hoc use of any display device without the system being preconfigured in advance. Thus, end users can obtain the correct visualisation output without any complex rendering configuration. We develop a client-server based approach to this problem. The client application can detect the properties of a device and the server application can use these properties to configure the rendering software to generate the correct image for subsequent display on the device. The approach has been evaluated through many tests and the results show that using the application is a useful in helping end users use different display devices in visualisation.

visualisation

multiple display devices

client-server based application

MCapture; An Application Suite for Streaming Audio over Networks

Claesén, Daniel

January 2005

<p>The purpose of this thesis is to develop software to stream input and output audio from a large number of computers in a network to one specific computer in the same network. This computer will save the audio to disk. The audio that is to be saved will consist mostly of spoken communication. The saved audio is to be used in a framework for modeling and visualization.</p><p>There are three major problems involved in designing a software to fill this purpose: recording both input and output audio at the same time, efficiently receiving multiple audio-streams at once and designing an interface where finding and organizing the computers to record audio from is easy.</p><p>The software developed to solve these problems consists of two parts; a server and a client. The server captures the input (microphone) and output (speaker) audio from a computer. To capture the output and input audio simultaneously an external application named Virtual Audio Cable (VAC) is used. The client connects to multiple servers and receives the captured audio. Each one of the client’s server-connections is handled by its own thread. To make it easy to find available servers an Automatic Server Discovery System has been developed. To simplify the organization of the servers they are displayed in a tree-view specifically designed for this purpose.</p>

Audio streaming

audio capture

client/server architecture

programming

software development.

Computer science

Datalogi

Client-Server-Backup fuer dezentrale Filesysteme auf Basis von rse

Naumann, Torsten

11 October 1996

Ziel der Arbeit war es, eine Client-Server-basierte Loesung zu entwickeln, welche eine Backupfunktionalitaet in einer heterogenen Workstationumgebung mit dezentralen Filesystemen bereitstellt. Das System sollte mit Hilfe einer Scriptsprache implemetiert werden, um die Systemunabhaengigkeit der Komponenten zu gewaehrleisten. Zu diesem Zwecke wurde als Grundlage das ¨Remote Scripting Environment¨, welches Gegenstand der Diplomarbeit von Andre Glaesz am Lehrstuhl Betriebssysteme war, gewaehlt.

denzentrales Filesystem

Remote Scripting Environmet

rse

Backup

Client-Server

ddc:004

Ablaufszenarien fuer Client-Server Anwendungen mit CORBA 2.0

Falk, Edelmann

12 November 1997

Die Common Object Request Broker Architecture (CORBA) der Object Management Group (OMG) bietet die Chance, nicht nur eine Plattform fuer neue verteilte Anwendungen zu sein, sondern erlaubt es auch, bestehende Anwendungen und Altsoftware hersteller- und systemuebergreifend zu integrieren. Diese Eigenschaft hebt CORBA von anderen Programmierplattformen ab und gibt CORBA das Potential, eine aussichtsreiche Basis fuer kuenftige Anwendungssysteme zu sein. Das Ziel dieser Studienarbeit besteht darin, die Umsetzbarkeit verschiedener Interaktionsarten in CORBA zu untersuchen und an Beispielen praktisch auszuprobieren. Moegliche Ablaufformen aus der Literatur, aus den Systemen DCE und MPI und anhand eigener Ueberlegungen werden im ersten Teil dieser Arbeit systematisch zusammengefasst. Danach folgt eine ausfuerliche Behandlung der Architektur von CORBA und der hier moeglichen Ablaufformen und Interaktionsszenarien. Abschliessend werden acht verschiedene Versionen eines einfachen verteilten Woerterbuches vorgestellt, um einige der in CORBA realisierten Konzepte am praktischen Beispiel zu verdeutlichen. Als CORBA-Plattform stand Orbix-MT 2.0.1 (multi-threaded) der Firma IONA Technologies Ltd. unter Solaris 2.x zur Verfuegung.

CORBA

OMA

DCE

MPI

verteilte Systeme

parallele Systeme

Client-Server-Anwendungen

Ablaufformen

Interaktionsszenarien

ddc:004

Fileserving für die TU Chemnitz

Müller, Thomas

15 April 1998

Vortrag zur Inbetriebnahme des File- und Archivserversystems im Universitätsrechenzentrum der TU Chemnitz. Ausgehend von der Entwicklung der Filesystem-Kapazitäten wird das Betriebskonzept der neu beschafften Technik vorgestellt. Dieses Konzept basiert auf Migrationsverfahren, die in den Filesystem-Implementationen MR-AFS und SAM-FS enthalten sind.

Fileserving

Fileserver

Archivserver

ddc:004

AFS <Test>

Client-server-Konzept

Migration <Informatik>

Nachrichtenklassifikation als Komponente in WEBIS

Krellner, Björn

29 September 2006

In der Diplomarbeit wird die Weiterentwicklung eines Prototyps zur Nachrichtenklassifikation sowie die Integration in das bestehende Web-orientierte Informationssystem (WEBIS) beschrieben. Mit der entstandenen Software vorgenommene Klassifikationen werden vorgestellt und mit bisherigen Erkenntnissen verglichen.

Client/Server-Prinzip

Trend Mining

WEBIS

ddc:000

Informationssystem

Klassifikator <Informatik>

Text Mining

Distributed Occlusion Culling for Realtime Visualization

Domaratius, Uwe

14 March 2007

This thesis describes the development of a distributed occlusion culling solution for complex generic scenes. Moving these calculations onto a second computer should decrease the load on the actual rendering system and therefore allow higher framerates. This work includes an introduction to parallel rendering systems and discussion of suitable culling algorithms. Based on these parts, a client-server system for occlusion culling is developed. The test results of a prototypical implementation form the last part of this thesis.

ddc:004

Client-Server-Konzept

Culling <Computergraphik>

Histogramm

Parallelverarbeitung

Sichtbarkeitsverfahren