SafeCard: A Gigabit IPS on the Network Card
- ISSN: 03029743
- DOI: 10.1007/11856214_16
Abstract
Current intrusion detection systems have a narrow scope. They target flow aggregates, reconstructed TCP streams, individual packets or application-level data fields, but no existing solution is capable of handling all of the above. Moreover, most systems that perform payload inspection on entire TCP streams are unable to handle gigabit link rates. We argue that network-based intrusion detection systems should consider all levels of abstraction in communication (packets, streams, layer-7 data units, and aggregates) if they are to handle gigabit link rates in the face of complex application-level attacks such as those that use evasion techniques or polymorphism. For this purpose, we developed a framework for network-based intrusion prevention at the network edge that is able to cope with all levels of abstraction and can be easily extended with new techniques. We validate our approach by making available a practical system, SafeCard, capable of reconstructing and scanning TCP streams at gigabit rates while preventing polymorphic buffer-overflow attacks, using (up to) layer-7 checks. Such performance makes it applicable in-line as an intrusion prevention system. SafeCard merges multiple solutions, some new and some known. We made specific contributions in the implementation of deep-packet inspection at high speeds and in detecting and filtering polymorphic buffer overflows. © Springer-Verlag Berlin Heidelberg 2006.
Willem de Bruijn†, Asia Slowinska†, Kees van Reeuwijk†, Tomas Hruby†,
Li Xu∗, and Herbert Bos†
†Vrije Universiteit Amsterdam
∗Universiteit van Amsterdam
1 Introduction
Network intruders are increasingly capable of circumventing traditional Intrusion Detection Systems (IDS). Evasion and insertion techniques blind the IDS by spoofing the datastream, while polymorphism cloaks malicious code to slip past the filter engine [1,2]. Besides hiding the attack, however, attackers employ another weapon to thwart network defence systems: raw speed [3]. Less sophisticated attacks travelling over Gigabit links may be as difficult to stop as more complex attacks spreading more slowly. This leads to an interesting dilemma. On the one hand, systems that handle evasion and polymorphism are either too slow for in-line deployment (and are often host-based) or not sufficiently accurate (e.g. [4]). On the other hand, fast in-line solutions are not able to detect and stop sophisticated attacks (e.g., [5]). Our goal is to build a network card that can be deployed in the datastream as an Intrusion Prevention System (IPS) at the edge of the network and that handles many forms of attack at Gigabit rates.
protect against attacks from inside an organisation, and are less able to analyse in detail complete TCP streams at link rate and to exploit knowledge about specific configurations of end-hosts. Host-based solutions are problematic also, because they depend on correct configuration of users' PCs, which has proved elusive in the past.
As a result, we prefer network administrators to have full control and security measures to be physically removed from users. A network device (such as a switch, or a router) close to the users' machines is the sweet spot for positioning the IPS system. The firewall could even reside in the network card of an end-host [7]. However, physically removing safety measures from the user's machine has the advantage that they cannot be tampered with, which from a security viewpoint may be preferred by administrators.
Unlike much existing work on distributed firewalls, the focus of our work is on enforcing security policies on all levels of the protocol stack, rather than specification of policies, distribution of rules, etc., for which we intend to build on existing solutions like [6]. SafeCard provides a single IPS solution that considers many levels of abstraction in communication: packets, streams, higher-level protocol units, and aggregates (e.g., flow statistics). We selected state-of-the-art methods for the most challenging abstractions (streams and application data units) and demonstrate for the first time the feasibility of a full IPS on a network card containing advanced detection methods for all levels of abstraction in digital communication. To support in-depth analysis in higher-level protocol layers and still achieve performance at Gigabit rates, we target specialised hardware as might be found in common router line cards. In particular, we aim for a truly low-level implementation on network processors. For the same reason as in [7] we evaluated the system on a slightly outdated processor to make it price competitive¹.
Besides combining many levels of abstraction in our IPS, we also make contributions to individual components. In particular, we developed a high-performance pattern matching language, Ruler, that offers functionality similar to that of Snort but is amenable to implementation on low-level hardware. In addition, we developed a protocol-specific detector, Prospector. Finally, we developed fast, zero-copy TCP reassembly that proves crucial for performance.
We offer a full network IPS implemented as a pipeline on a single network card. Each stage in the pipeline drops traffic that it perceives as malicious. Thus, the compound system works as a sieve, applying orthogonal detection vectors to maximise detection rate. In stage 1, we filter packets based on header fields (e.g., protocol, ports). Stage 2 is responsible for reconstructing and sanitising TCP streams. In stage 3, we match the streams against Snort-like patterns using Ruler. Unmatched traffic is inspected further in stage 4 by Prospector, an innovative protocol-specific detection method capable of stopping polymorphic buffer overflow attacks. This method is superior to pattern-matching for the detection of exploits in known protocols. Against other types of malicious traffic,
¹ In terms of manufacturing costs, not necessarily in current retail prices.
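To make the four-stage sieve concrete, the following is a small Python model of it, added here for illustration; it is not code from the SafeCard paper or its network-processor implementation. Each stage drops what it recognises and hands the remainder on, so a later stage only ever sees traffic that earlier stages kept. The header policy in stage 1, the first-received-bytes-win overlap rule in stage 2, the two signatures in stage 3 and the per-field length limits in stage 4 are all assumptions made for the example; in particular, stage 4 is a stand-in for a protocol-specific check in the spirit of Prospector, not the paper's algorithm. The sample flows are constructed.

```python
"""Constructed model of a four-stage IPS sieve (illustration, not SafeCard code)."""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Segment:
    proto: str       # transport protocol, e.g. "tcp"
    dport: int       # destination port
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


# Stage 1: header filter. Assumed policy: only TCP to port 80 goes to the
# deeper stages; everything else is dropped at the cheapest stage.
INSPECTED = {("tcp", 80)}


def stage1_header_filter(seg: Segment) -> bool:
    return (seg.proto, seg.dport) in INSPECTED


# Stage 2: TCP reassembly and sanitising. Segments are placed by sequence
# number; where segments overlap, the bytes received first win (an assumed
# policy, chosen to mirror the protected host so the IPS and the end host
# cannot be made to see different streams). Only the contiguous prefix is
# returned; bytes after a hole are not yet part of the stream.
def stage2_reassemble(segments: list[Segment]) -> bytes:
    stream: dict[int, int] = {}                  # byte offset -> byte value
    for seg in segments:                         # arrival order
        for i, b in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, b)    # keep the first-seen byte
    if not stream:
        return b""
    out = bytearray()
    for off in range(min(stream), max(stream) + 1):
        if off not in stream:
            break                                # hole: stop at the contiguous prefix
        out.append(stream[off])
    return bytes(out)


# Stage 3: Snort-like patterns over the reconstructed stream (stand-in for
# Ruler). The two signatures below are constructed examples, not real rules.
SIGNATURES = [
    ("traversal", re.compile(rb"\.\./\.\./")),
    ("shell-marker", re.compile(rb"/bin/sh")),
]


def stage3_pattern_match(stream: bytes) -> str | None:
    for name, pat in SIGNATURES:
        if pat.search(stream):
            return name
    return None


# Stage 4: protocol-specific check (stand-in for Prospector, not its
# algorithm). The stream is parsed as HTTP and each header value is compared
# with an assumed per-field limit. A value longer than the buffer that will
# receive it is flagged whatever bytes it carries, which is what makes this
# check indifferent to polymorphic encodings of the payload.
MAX_FIELD_LEN = {b"host": 255, b"user-agent": 512}   # constructed limits
DEFAULT_MAX = 1024


def stage4_protocol_check(stream: bytes) -> str | None:
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith((b"GET ", b"POST ")):
        return "malformed-request-line"
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return "malformed-header"
        field = name.strip().lower()
        if len(value.strip()) > MAX_FIELD_LEN.get(field, DEFAULT_MAX):
            return f"oversized-field:{field.decode('ascii', 'replace')}"
    return None


def inspect_flow(segments: list[Segment]) -> tuple[str, str]:
    """Run one flow through the sieve; returns (stage, verdict)."""
    kept = [s for s in segments if stage1_header_filter(s)]
    if not kept:
        return ("stage1", "drop:header-policy")
    stream = stage2_reassemble(kept)
    if (hit := stage3_pattern_match(stream)):
        return ("stage3", f"drop:{hit}")
    if (hit := stage4_protocol_check(stream)):
        return ("stage4", f"drop:{hit}")
    return ("pass", "forward")


# Constructed sample flows.
BENIGN = [Segment("tcp", 80, 16, b"Host: example.test\r\n\r\n"),   # arrives first
          Segment("tcp", 80, 0, b"GET / HTTP/1.1\r\n")]              # arrives second
SPLIT_TRAVERSAL = [Segment("tcp", 80, 0, b"GET /.."),                # pattern split
                   Segment("tcp", 80, 7, b"/../x HTTP/1.1\r\n\r\n")]  # across segments
FILLER = bytes((i * 37 + 11) % 256 for i in range(300))             # arbitrary bytes
OVERFLOW = [Segment("tcp", 80, 0, b"GET / HTTP/1.1\r\nHost: " + FILLER + b"\r\n\r\n")]
DNS = [Segment("udp", 53, 0, b"\x00\x01")]

if __name__ == "__main__":
    for name, flow in [("benign", BENIGN), ("split", SPLIT_TRAVERSAL),
                       ("overflow", OVERFLOW), ("dns", DNS)]:
        print(name, inspect_flow(flow))
```

Two of the constructed flows show why the stages are ordered as they are: the `../../` pattern is split across two segments, so no per-packet matcher would see it and only the reassembled stream of stage 2 gives stage 3 something to match; and the oversized `Host` value carries no signature at all, so it passes stage 3 and is caught only by the length rule of stage 4, which does not care what the bytes are.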