KR101109874B1 - Multi-processing system for high efficient unified thread management device and method thereof - Google Patents

Abstract

Disclosed are a multiple processing system and method for high performance UTM equipment. The multi-processing system includes two or more cores in charge of arithmetic processing in a central processing unit, and processes a plurality of operations on packets introduced by a network driver according to a predetermined procedure through the cores. The cores are divided according to their functions to process corresponding tasks through each core.

Unified Thread Management (UTM), Symmetric Multi Processing (SMP), Core, Multicore Processor

Description

MULTI-PROCESSING SYSTEM FOR HIGH EFFICIENT UNIFIED THREAD MANAGEMENT DEVICE AND METHOD THEREOF

Embodiments of the present invention provide a software structure for guaranteeing the performance of the equipment against the continuous change of threat in the unified thread management (UTM) equipment that responds to multiple security functions as a single device in preparation for the threat caused by the Internet connection A multiple processing system and method thereof for UTM equipment.

Recently, the computational processing speed of the CPU has sharply increased, and the storage capacity of the memory has increased exponentially, which greatly improves the performance of the computer. However, unlike memory performance improvement, the processing speed of the central processing unit is difficult to increase linearly.

Recently, two or more CPUs can be connected to one computer, or two or more cores in one CPU, without depending on the processing speed of one CPU. A Symmetric Multi Processing (SMP) system with embedded architecture was used.

On the other hand, the hacking on the Internet is becoming more and more diversified and complex, and the existing single function security equipment is connected in series to prevent threats, which increases management costs and security problems. Therefore, UTM (Unified Thread Management) that supports multiple security functions (firewall, intrusion prevention system (IPS), virtual private network (VPN), Anti-Virus, Anti-Spam, Anti-DDoS, etc.) as a single device Requires equipment. However, due to the variety of threats, heterogeneity, and continuous changes, hardware accelerators cannot be applied, must be handled by software, and software processing inevitably has performance limitations.

With the advent of multicore processors with multiple cores in the central processing unit, SMP system performance continues to improve, enabling high-performance UTM products based on SMP systems. In SMP systems, however, kernel-based software suffers from a structural problem called synchronization, and as the number of cores increases, the severity of the problem increases and performance decreases due to resource acquisition overhead.

1 illustrates an example of a conventional UTM software architecture in an SMP system and illustrates an example of a quad core two-way SMP system.

Referring to FIG. 1, each core core # 0 to core # 7 processes a packet introduced by the network driver 110 according to a predetermined procedure. In each security module, for example, the session table 130 of the firewall module 120, the DPI table 150 for deep packet inspection of the IPS module 140, and the security of the VPN module 160. The SA table 170 for processing is set as a global variable, and since such a global variable accesses several processors, a synchronization problem occurs.

In other words, the global variable being updated is only allowed to one processor and the other processor waits in the "busy-wait" state.

Number of processors 2 ^ n n / 2 ^ n (success rate) 2 4 0.5 4 16 0.25 6 64 0.09375 8 256 0.03125

As Table 1 shows, if there are n processors competing for resource acquisition, it succeeds when there is one request processor. In other cases, two, three,… In case of n, all fail.

This is a typical SMP operating system synchronization method, which is effective when the number of processors is relatively small (less than 4 processors) or as the number of processors increases, the resource acquisition failure rate increases exponentially, resulting in a significant drop in the overall system performance. .

One embodiment of the present invention provides a multi-processing system and method for a UTM software architecture that can effectively respond to the diversity, heterogeneity, and continuous change of threats caused by Internet connectivity.

One embodiment of the present invention provides a multiple processing system and method having a hybrid model software structure that mitigates the synchronization problem in the SMP system to improve the performance of the UTM equipment.

A multi-processing system according to an embodiment of the present invention includes two or more cores in charge of arithmetic processing in a central processing unit, and determines a plurality of operations on packets introduced by a network driver through the cores. Process according to the procedure, the core is divided by function of the task to process the task through each core.

In the multi-processing method according to an embodiment of the present invention, in the multi-processing method of a multi-processing system including two or more cores in charge of arithmetic processing in a central processing unit, a plurality of operations on packets introduced by a network driver are performed. And processing according to a predetermined procedure through the cores, wherein the cores are classified according to the function of the job and a queue is added between the divided cores. The processing of the plurality of jobs includes: The task is processed through the core, but the work result processed through the previous core is stored in the queue added between the cores, and then the work of the next procedure is processed according to the stored work result through the core.

In an embodiment of the present invention, the plurality of operations are operations for security processing, such as a firewall module, an intrusion prevention system (IPS) module, a virtual private network (VPN) module, an anti-virus (Anti-Virus) module, This may mean an operation for security processing corresponding to two or more modules among an anti-spam module and an anti-DDoS module.

In an embodiment of the present invention, the plurality of operations are implemented to be processed in the kernel layer so that the lock scheme for the kernel is fine-grained lock in coarse-grained lock. Is implemented in a way.

According to an embodiment of the present invention, the UTM software structure that divides cores by function of the security module can effectively prepare for the diversity, heterogeneity, and continuous change of threats caused by the Internet connection, thereby improving UTM performance.

According to one embodiment of the present invention, by reducing the number of cores competing for resource acquisition to alleviate the synchronization problem in the SMP system can implement a high-performance UTM equipment to secure the UTM market.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the present invention is not limited or limited by the embodiments. Like reference numerals in the drawings denote like elements.

The multi-processing system of the UTM device according to an embodiment of the present invention provides a software structure in which cores are divided according to functions of various security modules. The multiple processing method according to an embodiment of the present invention may be executed by a multiple processing system having a software structure in which cores are divided according to functions.

2 is a diagram for describing a configuration of a multiple processing system.

Referring to FIG. 2, a computer system may use a method of connecting two or more CPUs 201 to one system. This multiple processing system includes two or more central processing units 201, a memory 203 accessible from the central processing unit 201, and an I / O (input / output) device 205 shared by the central processing unit 201. And a bridge 207 connecting the central processing unit 201 and the memory 203 and the I / O device 205.

In the multiple processing system of the above-described configuration, two or more central processing units 201 are controlled by one operating system and perform symmetrical assignments.

Basically, processor performance gains can be achieved by increasing the dynamic clock speed, but as the clock speed increases, the power consumption of the system becomes an issue. Thus, lowering the operating voltage in a manner that increases the directivity of the processor improves processor performance.

3 is a diagram for describing a configuration of a multicore-based multiprocessing system.

Referring to FIG. 3, a computer system may use a method of using a central processing unit 301 including two or more cores 310 that perform arithmetic processing in a central processing unit. Multicore is the same as the multiprocessing system in that two or more cores 310 are contained within a single CPU 301.

Similarly, the multiple processing system of the above-described configuration symmetrically assigns two or more cores 310 in the central processing unit 301 by one operating system and assigned by the operating system.

Computer systems require an operating system to effectively operate internal resources such as memory, I / O devices, and processors. As shown in Figs. 2 and 3, since the multiple processing systems share memory, an operating system, that is, a kernel, may also be executed simultaneously by multiple processors. Kernel-based software in multiprocessing systems introduces synchronization problems and requires a kernel that can reduce synchronization overhead and improve system performance in proportion to the number of processors.

Multicore is a core that contains many cores in a single central processing unit. It is structurally identical to a multiprocessing system, and from a kernel perspective, the number of processors in a multiprocessing system is the same.

In a multiprocessing system, two central processing units (the first and second central processing units) share a single operating system's kernel so that the first central processing unit is the same as the main kernel variables used within the kernel. When accessing critical parts of the system, use a lock to prevent the second central processor from accessing the critical parts (more than one core in a single CPU) The same is true for built-in software). The operation may be delayed because the second central processing unit must wait until the first central processing unit completes the operation in order to access the important portion. Therefore, the coarse prevention mechanism for the kernel can be used to more effectively use the system in a multiple processing system using two or more central processing units or a single central processing unit with two or more cores. Design in fine-grained lock mode.

As the Internet is connected to computer systems, the role of security is becoming more diversified, including access control, service security, and prevention of illegal hacking from the outside. As Internet-based services are advanced, they need software platforms that support them, and these softwares are so complex that they have potential vulnerabilities, which raises the need for various security. In other words, there is a need for UTM equipment that integrates defense and prevention of multiple threats in application-specific security modules such as firewalls, IPS, and VPNs.

When equipment lacks security features, specialized hardware accelerators are used to solve the problem (for example, hardware-based encryption / decryption accelerators for cryptographic operations). Hazardous traffic is complex, diverse, and persistent. Because of this change, hardware accelerators cannot be applied. Therefore, security functions must be handled in software, and implementation methods can be divided into two types (user area implementation and kernel area implementation).

FIG. 4 is a diagram illustrating a user region implementation method, and FIG. 5 is a diagram illustrating a kernel region implementation method.

Referring to FIG. 4, a method of implementing a UTM security function in a user area is a method used in an initial proxy-based firewall as a method of creating each security function of a UTM device in an application area 401. The user area implementation method is easy to develop and debug, but it is difficult to expect high performance due to the overhead of copying all packets received through the network driver from the kernel to the application area 401.

Referring to FIG. 5, a method of implementing UTM security in a kernel area is a method of implementing each security module (for example, a firewall, an IPS, etc.) 501 in a kernel layer, and does not require a packet copy for each memory. Suitable for equipment

As described above, when a kernel-based security module is designed in a multiprocessing system, synchronization problems occur.

Synchronization includes all global variables that are accessed by each security module as targets, so the protection against the kernel should be designed from a coarse-grained to a fine-grained one. In particular, as the number of cores in a single CPU increases in a multiple processing system, the frequency of collisions between cores according to resource acquisition increases as the square of the number of cores.

Accordingly, a multiple processing system according to an embodiment of the present invention proposes a UTM software structure that can alleviate synchronization problems.

6 illustrates a UTM software structure in a multiple processing system according to an embodiment of the present invention. One embodiment of the present invention proposes a hybrid model for high performance UTM equipment by mitigating synchronization problems in a multiple processing system.

Referring to FIG. 6, a multiple processing system according to an embodiment of the present invention may include a security module (firewall, IPS module, VPN module, Anti-Virus, Anti-Spam, Anti-DDoS, etc.) 630 operated in a computer system. It provides a software structure that divides the core 610 by function of the. The divided core 610 processes the packets flowing into the computer system according to a predetermined procedure.

The core 610 further configures a queue 650 between the cores because the security functions are divided according to the security module 630. One producer and one consumer can be implemented as a lock-less queue, so that the cost of acquiring resources due to the addition of the queue 650 can be ignored.

Queue 650 takes the form of a list in a data structure that is easy to store and manage one or more pieces of data. Since one end of the list of queues can only be enqueued and the other end can only be dequeue, the first inserted data is extracted first. Thus, it is suitable to use queue 650 in transferring job results processed sequentially between cores 610.

According to the above software structure, the multi-processing system of the present invention processes the received packet by the network driver according to a predetermined procedure and then processes the corresponding task through a core (previous core) assigned to the task of the first procedure. The result of the operation is transferred to the queue 650. Subsequently, the task of the next procedure is processed according to the task result stored in the queue 650 through the core (hereinafter, the core) assigned to the task of the next procedure.

That is, the core 610 is divided according to the function of the job, so that the result of the job processed through the previous core is recorded in the queue 650 by using the queue 650. Then, the job of the next procedure is sequentially executed through the core. Can be processed.

FIG. 7 relates to a UTM software structure in a multi-processing system according to an embodiment of the present invention, and illustrates an example of a software structure of a quad core two-way SMP system.

Referring to FIG. 7, a group (# 0 to # 3) of the cores 701 is allocated to the firewall module 720 among the security modules in the computer system, and the IPS module 740, the VPN module 760, and the QoS module 780 are allocated. ) And other groups # 4 to # 7 of the core 701. Each core 701 according to the above software structure processes the packet introduced by the network driver 710 according to a predetermined procedure. As can be seen in FIG. 7, one embodiment of the present invention can reduce the difficulty of resource acquisition by reducing the number of cores 701 competing for resource acquisition through the UTM software structure in which the core 701 is divided by function. have. In one example, the firewall module 720 has eight cores competing in the existing software architecture (see FIG. 1) in obtaining the session table 730, while four cores in the software architecture according to one embodiment of the invention. As it competes only, the resource acquisition success rate is 8 times higher from 3% to 25%.

8 is a diagram for describing a process of using an interrupt in executing a firewall module in a multiple processing system according to an embodiment of the present invention.

In general, an interrupt means informing the central processing unit to solve the problem when an unexpected problem occurs in the computer system. When an interrupt occurs, the central processing unit stops the work it was processing and processes the work corresponding to the interrupt first. Basically, it is used to solve a problem in the system, but it is also widely used as a method for transmitting a message to the central processing unit.

Referring to FIG. 8, in one embodiment of the present invention, a network interface card (NIC) interrupt or a timer interrupt is used.

In response to the NIC interrupt, the firewall module receives the packet from the network driver (S801). If the received packet is an IP packet, the firewall module determines whether the corresponding packet is a packet registered in the session table (S802 to S803). In this case, whether the received packet is an IP packet may be determined by calculating a hash value from 5-tuple information (protocol, Src IP, Src Port, Dest IP, Dest Port). Since the hash value is used as an index value of the session table, it is also possible to determine whether or not the session table is registered for the received packet when the hash value is used.

If the received packet is a new packet that is not registered in the session table, a check is made to determine if the packet is allowed in the policy. If the packet is allowed in the policy, a session is created. (S804 to S806). On the other hand, if the received packet is a packet registered in the session table, the security information (NAT, content filtering, log processing) registered in the session table is applied to the packet and then the session information is updated (session re-registration, usage update). (S807 ~ S808). Subsequently, it is determined whether the packet to which the security function of the session table is applied is a termination packet, and if it is a termination packet, the security step of the IPS module is performed, and if it is not a termination packet, the session for the corresponding packet is deleted (S809 to S810).

In addition, when the timer interrupt occurs, the firewall module operates the session timer and deletes the session after generating a session timeout (S811 ~ S812, S810).

That is, the session table of the firewall module is a dynamic data structure, thereby creating a session (S806). In the process of updating the session information (S808) and deleting the session (S810), it should be protected by a synchronization operation such as a spinlock.

One embodiment of the present invention provides a UTM software structure that divides cores by functions of security modules, which can effectively prepare for the continuous change of threats caused by Internet connection, and alleviate synchronization problems in multiple processing systems.

Embodiments of the present invention include computer readable media including program instructions for performing various computer implemented operations. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. The media may be program instructions that are specially designed and constructed for the present invention or may be available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks, such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

As described above, the present invention has been described by specific embodiments such as specific components and the like. For those skilled in the art to which the present invention pertains, various modifications and variations are possible.

Therefore, the spirit of the present invention should not be limited to the described embodiments, and all of the equivalents or equivalents of the claims as well as the claims to be described later will belong to the scope of the present invention. .

1 illustrates an example of a conventional UTM software architecture in an SMP system and illustrates an example of a quad core two-way SMP system.

2 is a diagram for describing a configuration of a multiple processing system.

3 is a diagram for describing a configuration of a multicore-based multiprocessing system.

4 is a diagram for describing a method of implementing a UTM security function in a user area.

5 is a diagram for describing a method of implementing a UTM security function in a kernel region.

6 illustrates a UTM software structure in a multiple processing system according to an embodiment of the present invention.

FIG. 7 relates to a UTM software structure in a multi-processing system according to an embodiment of the present invention, and illustrates an example of a software structure of a quad core two-way SMP system.

8 is a diagram for describing a process of using an interrupt in executing a firewall module in a multi-processing system according to an embodiment of the present invention.

<Explanation of symbols for the main parts of the drawings>

610: core

630: security module

650: queue

Claims (12)

At least two cores in the central processing unit responsible for the processing, Process a plurality of tasks for the packet introduced by the network driver in accordance with a predetermined procedure through the core, the core is divided by function of the task to process the corresponding task through each core, The plurality of jobs, A multi-processing system implemented to be processed at the kernel layer such that the lock scheme for the kernel is implemented in a fine-grained lock scheme from a coarse-grained lock. The method of claim 1, The operation is, Multiprocessing system, which is a task for secure processing. The method of claim 1, The operation is, Firewall module, intrusion prevention system (IPS) module, virtual private network (VPN) module, anti-virus module, anti-spam module, anti-DDoS (anti-DDoS) A multiprocessing system, a task for secure processing of two or more modules of a module. The method of claim 1, The central processing unit, Adding a queue to store work results processed through previous cores between the separated cores. delete delete In the multiple processing method of a multiple processing system including two or more cores in the central processing unit for processing, Processing a plurality of operations on packets introduced by a network driver according to a predetermined procedure through the core, The core is divided by the function of the job and the queue is added between the divided cores, Processing the plurality of jobs, Processing the corresponding job through each of the divided cores, storing the job result processed through the previous core in a queue added between the cores, and then processing the job in the following procedure according to the stored job result through the subsequent cores, The plurality of jobs, A processing method implemented at the kernel layer such that the protection against the kernel is implemented from coarse-grained to fine grained. The method of claim 7, wherein The operation is, A multiprocessing method, which is a task for secure processing. The method of claim 7, wherein The operation is, Firewall module, intrusion prevention system (IPS) module, virtual private network (VPN) module, anti-virus module, anti-spam module, anti-DDoS (anti-DDoS) A multiprocessing method, which is an operation for security processing corresponding to two or more modules of a module. delete delete A computer-readable recording medium having recorded thereon a program for performing the method of any one of claims 7 to 9.

Images