Feeling Insecure about your DNS server? Try SourceT from Secure64
Threats such as UDP floods (UDP being the sessionless User Datagram Protocol), in which an attacker sends a large volume of datagrams to random ports so that the target exhausts itself receiving them and answering with ICMP port-unreachable messages, have joined TCP SYN floods, in which a sender opens far more connections than it ever completes so that the server's table of half-open connections fills up and legitimate clients are turned away, as among the most serious concerns for today's mission-critical DNS servers. Neither attack is a break-in; both are denial of service, and a DNS server is exposed to them simply by listening on a public port.
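As an added example (not Secure64's code and not from the original article), the following Python script runs the two detections a practitioner would want for the attacks just described over a constructed packet log: a UDP flood sprayed across random ports, recognised by a high per-source rate spread over many destination ports, and a SYN flood, recognised by a high SYN rate with almost no completed handshakes. The one-line-per-packet log format, the addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed packet log for the example (not a real capture).

    One record per packet inside a one-second window:
        "<seconds> <proto> <src> <dst>:<dport> <tcpflags>"
    """
    lines = []
    # Twenty ordinary resolver clients, five queries each, all to port 53.
    for i in range(20):
        for j in range(5):
            lines.append(f"{(i * 5 + j) / 100:.2f} udp 192.0.2.{i + 1} 198.51.100.5:53 -")
    # One legitimate TCP client: SYN, then the ACK that completes the handshake.
    lines.append("0.30 tcp 192.0.2.50 198.51.100.5:53 S")
    lines.append("0.31 tcp 192.0.2.50 198.51.100.5:53 A")
    # UDP flood: 300 datagrams from one source sprayed across random-looking ports.
    for i in range(300):
        lines.append(f"{i / 300:.3f} udp 203.0.113.7 198.51.100.5:{1024 + (i * 37) % 60000} -")
    # SYN flood: 200 SYNs from one source that are never followed by an ACK.
    for i in range(200):
        lines.append(f"{i / 200:.3f} tcp 203.0.113.9 198.51.100.5:53 S")
    return "\n".join(lines)


def parse(log_text):
    """Turn the log into (t, proto, src, dst_host, dst_port, flags) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, proto, src, dst, flags = line.split()
        host, port = dst.rsplit(":", 1)
        records.append((float(t), proto, src, host, int(port), flags))
    return records


def detect_udp_floods(records, window=1.0, min_pps=100, min_ports=50):
    """Sources whose UDP rate is high AND whose traffic is spread over many ports.

    Normal DNS clients hit port 53 only; a random-port spray at high rate is the
    UDP flood pattern. Thresholds are illustrative and must be tuned per link.
    """
    count = defaultdict(int)
    ports = defaultdict(set)
    for _, proto, src, _, port, _ in records:
        if proto == "udp":
            count[src] += 1
            ports[src].add(port)
    return sorted(src for src in count
                  if count[src] / window >= min_pps and len(ports[src]) >= min_ports)


def detect_syn_floods(records, window=1.0, min_syn_pps=100, max_completion=0.1):
    """Sources that send many SYNs but almost never complete the handshake.

    Completion is approximated by a bare ACK from the same source after its SYN;
    a production detector would track the server's SYN-ACK as well.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _, proto, src, _, _, flags in records:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    return sorted(src for src in syns
                  if syns[src] / window >= min_syn_pps
                  and acks[src] / syns[src] <= max_completion)


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("UDP flood sources:", detect_udp_floods(recs))
    print("SYN flood sources:", detect_syn_floods(recs))
```

The two detectors deliberately key on different signals: the port spread separates a random-port flood from a busy but legitimate resolver that only ever talks to port 53, and the completion ratio separates a SYN flood from a client that simply opens many real connections. Both are per-source heuristics; a spoofed-source flood defeats the per-source grouping and needs aggregate rate limits instead.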
There is no perfect solution for protecting systems from such external assaults; however, the SourceT micro operating system from Secure64 comes very close. Secure64, an Itanium Solutions Alliance member and software company, combines a novel software architecture of its own with the Itanium® processor's unique security features.
How does it work? At the system level, Secure64 starts with a fully authenticated boot process, so that the software that launches when a system is brought up is exactly what is expected: cryptographic checks built into the SourceT micro OS verify that the system software has not been altered before it is allowed to run, so a modified image is refused rather than booted.
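An added illustration of what an authenticated boot has to do, written for this page and not Secure64's implementation: a hash-chained boot in Python, in which each stage launches the next only if the next image hashes to the digest the current stage vouches for, with the very first digest assumed to sit in immutable storage. The image contents and the `|next=` marker are constructed for the example; a production design would verify a signature with a public key held in ROM so that images can be updated without reflashing the root.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


# Constructed convention for this model: an image ends with the hex digest of its successor.
NEXT_MARKER = b"|next="


def build_images():
    """Constructed three-stage image set: loader -> kernel -> DNS application.

    Each image except the last ends with the digest of the image it will launch,
    so every expectation but the first is carried inside an already-verified image.
    """
    app = b"SOURCET_DNS_APP v1 <constructed bytes>"
    kernel = b"SOURCET_MICROKERNEL <constructed bytes>" + NEXT_MARKER + sha256(app).hex().encode()
    loader = b"SOURCET_LOADER <constructed bytes>" + NEXT_MARKER + sha256(kernel).hex().encode()
    return [loader, kernel, app]


def root_of_trust_digest(images):
    """Digest of the first stage; assumed to be burned into immutable storage
    (ROM or fuses) where no software running on the box can change it."""
    return sha256(images[0])


def expected_next(image):
    """Digest this image vouches for its successor, or None if it launches nothing."""
    idx = image.rfind(NEXT_MARKER)
    if idx < 0:
        return None
    return bytes.fromhex(image[idx + len(NEXT_MARKER):].decode())


def authenticated_boot(images, root_digest):
    """Launch stages in order, each only after it hashes to the digest vouched for
    by the previous stage (the root digest for stage 0).

    Returns (launched_stage_indices, first_failed_index_or_None). On a mismatch
    the boot halts: later stages are never measured, let alone launched.
    """
    expected = root_digest
    launched = []
    for i, image in enumerate(images):
        if expected is None or sha256(image) != expected:
            return launched, i
        launched.append(i)
        expected = expected_next(image)
    return launched, None


if __name__ == "__main__":
    images = build_images()
    root = root_of_trust_digest(images)
    print("clean boot:", authenticated_boot(images, root))
    tampered = list(images)
    tampered[1] = tampered[1].replace(b"MICROKERNEL", b"MICROTROJAN")
    print("tampered kernel:", authenticated_boot(tampered, root))
```

The property worth noticing is that a change to any stage is caught by the stage before it, and nothing after the failed stage ever runs; the weakness of a pure hash chain is that every legitimate update to the first stage requires changing the immutable root, which is why real systems anchor the chain in a signature-verification key instead of a digest.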
Next, unlike many systems where there is a tremendous amount of code operating at the highest levels of “privilege” (which control everything from I/O drivers to memory addressability), Secure64 keeps this code base very small — less than 10,000 lines of code. Keeping the code base small makes it both easier to protect and harder to attack.
Secure64 also pays careful attention to how the calls that change system or hardware state are authenticated: cryptographic keys are checked at several points in the system, so that an unauthorized party cannot issue such calls or otherwise gain entry.
The system is designed to rule out "code injection" by outside intruders through a "secured runtime environment" that isolates memory from unauthorized code: executable images can be neither read nor written by code that is not entitled to do so, so an attacker cannot modify an existing image or plant a new one.
And finally, there are tight controls on how system administrators are authenticated.
In building such a system, Secure64 leverages not only the speed of the Itanium processor, which matters when "overhead" functions such as security checks must run on every access, but also several security features unique to the Itanium processor. Bill Worley, Secure64's CTO, described the most important of these in the Spring 2007 Itanium Solutions Podcast interview, highlighting the following areas:
- A "Protection Key" — On the Itanium processor each page translation carries a key (a 24-bit value) in addition to its access rights, and the processor holds a small set of protection key registers that privileged code loads for whatever compartment is currently running; each register names one key and can separately disable read, write or execute for the pages that carry it. On every memory reference the hardware compares the page's key with those registers: a match with the operation allowed lets the access through, no match raises a key-miss fault, and a match whose disable bit is set raises a key-permission fault. Because the check is done in hardware on every reference and the registers can be changed only by privileged code, the OS can carve memory into many mutually isolated compartments without touching the page tables, a degree of compartmentalization that page-table permissions alone do not provide.
- Page access rights that combine a privilege level with a wide range of read/write/execute combinations (read-only, read-execute, execute-only and so on), so that data pages need never be executable and code pages never writable. Together with the keys, this gives fine control over which code is allowed to reach, and call into, which parts of the system.
- The Register Stack Engine (the interview calls it the "Register Save Engine"), which spills stacked registers and the saved return state of each call frame to a separate backing store rather than onto the ordinary data stack. A buffer overflow in a stack-allocated array therefore does not land on a saved return address the way it does on conventional architectures, which makes classic stack-smashing control-flow hijacks far harder, though not impossible.
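To make the protection-key and access-rights mechanics concrete, and to show how they back up the isolation of executable images described earlier, here is an added Python model written for this page; it is not SourceT code and not a cycle-accurate rendering of the Itanium instruction set. Each mapped page carries access rights, a least-privileged level and a key; a running compartment holds its privilege level and a set of protection key registers; the page size, key values, virtual addresses and fault names are assumptions for the model (the names approximate the hardware's key-miss and key-permission faults).

```python
from dataclasses import dataclass, field

PAGE = 0x4000   # 16 KiB pages; an assumption for this model


@dataclass(frozen=True)
class Page:
    key: int       # protection key carried in the page's translation (24 bits on Itanium)
    pl: int        # least-privileged level allowed to use the page (0 = most privileged)
    rights: str    # subset of "rwx" granted by the page's access-rights field


@dataclass(frozen=True)
class PKR:
    """One protection key register: a key plus per-operation disable bits."""
    key: int
    rd: bool = False   # read-disable
    wr: bool = False   # write-disable
    xd: bool = False   # execute-disable


@dataclass
class Context:
    """What the OS loads for one compartment: its privilege level and its PKRs."""
    cpl: int
    pkrs: dict = field(default_factory=dict)   # key -> PKR


class MemoryModel:
    def __init__(self):
        self.pages = {}

    def map(self, va, page):
        self.pages[va // PAGE] = page

    def access(self, ctx, va, op):
        """Check one reference (op is 'r', 'w' or 'x'); returns 'ok' or the fault taken.

        Order of checks in the model: translation present, page access rights
        (privilege level plus rwx), then the page's key against the loaded PKRs.
        """
        page = self.pages.get(va // PAGE)
        if page is None:
            return "page_not_present"
        if ctx.cpl > page.pl:
            return "privilege_fault"
        if op not in page.rights:
            return "access_rights_fault"
        pkr = ctx.pkrs.get(page.key)
        if pkr is None:
            return "key_miss_fault"            # no PKR matches: another compartment's memory
        if (op == "r" and pkr.rd) or (op == "w" and pkr.wr) or (op == "x" and pkr.xd):
            return "key_permission_fault"      # key matches but this operation is disabled
        return "ok"


APP_CODE, APP_DATA, OTHER_DATA, KERNEL_DATA = 0x10000, 0x20000, 0x30000, 0x40000


def build_layout():
    """Constructed layout: a DNS app compartment, a second service, kernel data."""
    mem = MemoryModel()
    mem.map(APP_CODE, Page(key=0x101, pl=3, rights="rx"))     # executable image: never writable
    mem.map(APP_DATA, Page(key=0x102, pl=3, rights="rw"))     # data: never executable
    mem.map(OTHER_DATA, Page(key=0x103, pl=3, rights="rw"))   # another compartment's data
    mem.map(KERNEL_DATA, Page(key=0x001, pl=0, rights="rw"))  # privileged code only
    # The app compartment is given its two keys, with execute disabled on data
    # and write disabled on code as a second line of defence behind the page rights.
    app = Context(cpl=3, pkrs={0x101: PKR(0x101, wr=True), 0x102: PKR(0x102, xd=True)})
    return mem, app


def demo():
    mem, app = build_layout()
    # A context that holds the data key but with writes disabled through the PKR.
    readonly = Context(cpl=3, pkrs={0x102: PKR(0x102, wr=True)})
    return {
        "run own code": mem.access(app, APP_CODE, "x"),
        "read own data": mem.access(app, APP_DATA, "r"),
        "overwrite own code": mem.access(app, APP_CODE, "w"),
        "execute injected data": mem.access(app, APP_DATA, "x"),
        "read other compartment": mem.access(app, OTHER_DATA, "r"),
        "read kernel data": mem.access(app, KERNEL_DATA, "r"),
        "write with wr-disabled key": mem.access(readonly, APP_DATA, "w"),
    }


if __name__ == "__main__":
    for what, result in demo().items():
        print(f"{what:28s} -> {result}")
```

The two layers do different jobs. Page rights enforce that code is never writable and data never executable, which is what stops injected bytes from ever running; the keys enforce that a compartment cannot even read a neighbour's pages that share the same privilege level and the same page-table rights, which is the isolation page tables alone cannot express without a separate address space per compartment.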
How does the SourceT solution perform in practice? In a test conducted by Secure64, a DNS application running on the SourceT OS answered 102,000 queries per second with no attack traffic present, a strong result in itself. When the same system was subjected to a 200,000 packet-per-second reflected UDP flood, it still answered 96,000 queries per second, about 6% below the unloaded rate; under a 40,000 packet-per-second TCP SYN flood it answered 95,000 queries per second, about 7% below. The test was vendor-run and the query mix, hardware and measurement method are not given here, so the figures are indicative rather than a benchmark.
It’s a great example of how the unique architecture of Itanium processors — in the hands of Secure64’s innovative software architects — can enable technology breakthroughs not even imagined in the past.