Compilers: principles, techniques, and tools
Compilers: principles, techniques, and tools
The packer filter: an efficient mechanism for user-level network code
SOSP '87 Proceedings of the eleventh ACM Symposium on Operating systems principles
An efficient method of computing static single assignment form
POPL '89 Proceedings of the 16th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Journal of the ACM (JACM)
Constant propagation with conditional branches
ACM Transactions on Programming Languages and Systems (TOPLAS)
The X-Kernel: An Architecture for Implementing Network Protocols
IEEE Transactions on Software Engineering
Avoiding unconditional jumps by code replication
PLDI '92 Proceedings of the ACM SIGPLAN 1992 conference on Programming language design and implementation
Safe kernel extensions without run-time checking
OSDI '96 Proceedings of the second USENIX symposium on Operating systems design and implementation
DPF: fast, flexible message demultiplexing using dynamic code generation
Conference proceedings on Applications, technologies, architectures, and protocols for computer communications
Improving performance by branch reordering
PLDI '98 Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation
High-speed policy-based packet forwarding using efficient multi-dimensional range matching
Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
A Fast and Usually Linear Algorithm for Global Flow Analysis
Journal of the ACM (JACM)
Coalescing Conditional Branches into Efficient Indirect Jumps
SAS '97 Proceedings of the 4th International Symposium on Static Analysis
Register allocation & spilling via graph coloring
SIGPLAN '82 Proceedings of the 1982 SIGPLAN symposium on Compiler construction
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Characterizing processor architectures for programmable network interfaces
Proceedings of the 14th international conference on Supercomputing
Packet types: abstract specification of network protocol messages
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
mmdump: a tool for monitoring internet multimedia traffic
ACM SIGCOMM Computer Communication Review
Programming language optimizations for modular router configurations
Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
A protocol-adaptive monitoring tree for efficient design of traffic monitoring probes
Computer Networks: The International Journal of Computer and Telecommunications Networking
Efficient manipulation of binary data using pattern matching
Journal of Functional Programming
Sampling time-dependent parameters in high-speed network monitoring
Proceedings of the ACM international workshop on Performance monitoring, measurement, and evaluation of heterogeneous wireless and wired networks
Flexible network monitoring with FLAME
Computer Networks: The International Journal of Computer and Telecommunications Networking - Active networks
Computer Networks: The International Journal of Computer and Telecommunications Networking
Ourmon and network monitoring performance
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Protecting Grid Data Transfer Services with Active Network Interfaces
GRID '05 Proceedings of the 6th IEEE/ACM International Workshop on Grid Computing
High-Speed Dynamic Packet Filtering
Journal of Network and Systems Management
Running a Java VM inside an operating system kernel
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Swift: a fast dynamic packet filter
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Fast Packet Classification Using Condition Factorization
ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Implementing Fast Packet Filters by Software Pipelining on x86 Processors
APPT '09 Proceedings of the 8th International Symposium on Advanced Parallel Processing Technologies
GPU packet classification using OpenCL: a consideration of viable classification methods
Proceedings of the 2009 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists
A formal logic approach to firewall packet filtering analysis and generation
Artificial Intelligence Review
Linear-tree rule structure for firewall optimization
CIIT '07 The Sixth IASTED International Conference on Communications, Internet, and Information Technology
Enabling high-speed and extensible real-time communications monitoring
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
SideCar: building programmable datacenter networks without programmable switches
Hotnets-IX Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks
Parallel packet classification using GPU co-processors
SAICSIT '10 Proceedings of the 2010 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists
SPAF: stateless FSA-based packet filters
IEEE/ACM Transactions on Networking (TON)
Modeling Filtering Predicates Composition with Finite State Automata
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
Design and implementation of a fast dynamic packet filter
IEEE/ACM Transactions on Networking (TON)
Trusted multiplexing of cryptographic protocols
FAST'09 Proceedings of the 6th international conference on Formal Aspects in Security and Trust
FPL-3: towards language support for distributed packet processing
NETWORKING'05 Proceedings of the 4th IFIP-TC6 international conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communication Systems
CaptureFoundry: a GPU accelerated packet capture analysis tool
Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference
Software pipelining for packet filters
HPCC'07 Proceedings of the Third international conference on High Performance Computing and Communications
Towards a GPU accelerated virtual machine for massively parallel packet classification and filtering
Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference
Combinators for impure yet hygienic code generation
Proceedings of the ACM SIGPLAN 2014 Workshop on Partial Evaluation and Program Manipulation
| Hi-index | 0.00 |
A packet filter is a programmable selection criterion for classifying or selecting packets from a packet stream in a generic, reusable fashion. Previous work on packet filters falls roughly into two categories, namely those efforts that investigate flexible and extensible filter abstractions but sacrifice performance, and those that focus on low-level, optimized filtering representations but sacrifice flexibility. Applications like network monitoring and intrusion detection, however, require both high-level expressiveness and raw performance. In this paper, we propose a fully general packet filter framework that affords both a high degree of flexibility and good performance. In our framework, a packet filter is expressed in a high-level language that is compiled into a highly efficient native implementation. The optimization phase of the compiler uses a flowgraph set relation called edge dominators and the novel application of an optimization technique that we call "redundant predicate elimination," in which we interleave partial redundancy elimination, predicate assertion propagation, and flowgraph edge elimination to carry out the filter predicate optimization. Our resulting packet-filtering framework, which we call BPF+, derives from the BSD packet filter (BPF), and includes a filter program translator, a byte code optimizer, a byte code safety verifier to allow code to migrate across protection boundaries, and a just-in-time assembler to convert byte codes to efficient native code. Despite the high degree of flexibility afforded by our generalized framework, our performance measurements show that our system achieves performance comparable to state-of-the-art packet filter architectures and better than hand-coded filters written in C.