2005 Articles
The Case for Crypto Protocol Awareness Inside the OS Kernel
Separation of control and data plane is a principle increasingly used to improve the performance of network protocols and applications, such as the Web. Use of security mechanisms, such as the SSL/TLS protocol, can negate these performance gains, since such mechanisms need to be located on the data path. We argue that the same principle of separation can be applied to security mechanisms, by removing the web server from the secure data path. We present a minimal operating system extension that can improve the performance of web servers using SSL/TLS by up to 27%. Our intuition is that protocol framing and cryptographic transforms can be applied to incoming and outgoing data frames by the operating system under a policy specified by the web server. In this way, we can reduce the number of system calls and context switches to a small constant number, and the amount of data copying that involves the web server by 100%. We describe our prototype implementation for the OpenBSD operating system and quantify its performance implications.
Files
- comparch-flowos.pdf application/x-pdf 61.6 KB
Also Published In
- Title: Computer Architecture News
- DOI: https://doi.org/10.1145/1055626.1055635
More About This Work
- Academic Units: Computer Science
- Published Here: July 10, 2012