WSIM: A Software Platform To Simulate All-Optical Security Operations

This document describes a software platform called WSIM that simulates an all-optical security system. WSIM allows researchers to model and test security operations performed using optical components at network speeds. The document outlines the challenges of implementing security functions in the optical domain due to limitations of optical memory. It then provides an overview of WSIM, describing its graphical interface for configuring simulated optical processing boxes and creating processing chains to model application scenarios.

Uploaded by

antoniscsd
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
43 views

WSIM: A Software Platform To Simulate All-Optical Security Operations

This document describes a software platform called WSIM that simulates an all-optical security system. WSIM allows researchers to model and test security operations performed using optical components at network speeds. The document outlines the challenges of implementing security functions in the optical domain due to limitations of optical memory. It then provides an overview of WSIM, describing its graphical interface for configuring simulated optical processing boxes and creating processing chains to model application scenarios.

Uploaded by

antoniscsd
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

WSIM: A software platform to simulate all-optical security operations

Antonis Krithinakis∗, Lubomir Stroetmann∗†, Elias Athanasopoulos∗, Georgios Kopidakis∗, and Evangelos P. Markatos∗
∗ Institute of Computer Science, FORTH, Greece
Email: {krithin, lubomir, elathan, kopidaki, markatos}@ics.forth.gr
† University of Aachen, Germany

Abstract—Network throughput rates increase every day in contrast to electronic chip processing speed and electronic I/O. Today’s firewalls operate by using traditional electronic circuits just like any common PC. However, performing these operations in a fast fiber optics network on the scale of 40Gbps is impossible. In this paper, we propose a novel system that is currently being researched and tries to perform the security operations of a firewall using optical components. We describe the basic limitations of the optical domain that make this project difficult to implement. We outline the basic software platform called WSIM which is a simulator that offers theoretical support of the project’s feasibility. The marriage of an all-optical firewall with the traditional digital systems’ architecture can offer significant benefits to the network from both a security and a performance perspective.

I. INTRODUCTION

This novel system is called WISDOM[6] (Wirespeed Security Domains using Optical Monitoring) and is designed to develop optical processing modules which will be placed at the front end of a node firewall to provide high-speed information filtering purely inside the optical domain. These photonic firewalls will operate using novel algorithms and protocols, to extract and process security information at wire speed.

The main challenge of this project is to demonstrate that it is possible to bridge the gap between the very fast (at least 40 Gbps) optical data transmission and the much slower electronic data security checks by pushing critical security functions all the way down to the optical domain.

The paper is structured in the following order. We present the background in Section II. In Section III we present in detail a software modelling platform, its architecture and some application scenarios that can be modelled. We discuss the software API, which we refer to as SAPI (Security Application Programming Interface), which is the mini operating system for the initial hardware prototype. SAPI is described in Section V. Finally we conclude in Section VI.

II. BACKGROUND

In this section we discuss the challenges which appear in the optical domain and present information needed as a background to understand the algorithm used by the simulator platform.

A. Optical Algorithms

Operations such as pattern-matching are considered fundamental for security-oriented applications like firewalls and Intrusion Detection Systems. Thus, it is vital for the community to investigate new ways of performing these tasks for high speed links like the ones provided by optical systems.

The simulator software is made to simulate an all-optical pattern recognition system. The components of this system are able to detect and indicate the position of a specified pattern of bits in a high-speed optical data signal. The target pattern only needs to be generated at a much lower speed, readily achievable with standard electronics. This pattern matching component is what we call a pattern matching box.

Every box in the system runs the pattern matching algorithm, whose complexity is proportional to the length of the pattern. The algorithm is implemented using optical components only; we are not going to discuss it in this paper, but it is explained in detail in [10].

B. Optical Limitations

One of the fundamental constraints of the optical domain is the absence of state[8]. This is due to the
fact that building a memory storage device in the optical domain is not as trivial as it is in the electronic domain. More precisely, the only notion of memory in the optical domain is to use serial, time-of-flight storage which delays the light pulses inside a loop for a relatively short period of time.

Optical memory capacity is thus severely limited compared to electronic memory, with integrated optical devices being able to store a few hundreds of bits of information (albeit at extremely high data rates). The difficulty in having a flexible storage medium in the optical domain results in a system that almost completely lacks the notion of state.

Almost all systems and algorithms developed in the electronic domain rely to a great extent on having a controllable state. Therefore, developing security algorithms in the optical domain requires a new method of thinking and learning time in order to understand how these algorithms can be implemented.

The lack of memory in the optical domain also results in very limited flexibility in the configuration of a device and the dynamic re-adjustment of its setup. Since there is no memory - in the sense of the term used in the electronic domain - to hold a system’s state, it is hard to modify a system’s behavior by altering its properties at run-time. As far as the implementation of a security device in the optical domain is concerned, the limited configurability reduces the flexibility in implementing even trivial features, enabled by default in all similar devices of the electronic domain, such as adding, deleting or modifying the rule-set of the device.

Aside from the lack of memory in the optical domain, it is also quite difficult to perform logic operations, which again is trivial in the electronic domain. The WISDOM hardware architecture uses Semiconductor Optical Amplifiers (SOAs)[9] in order to implement simple operations like AND, XOR and other gates expressing Boolean logic.

However, they are not as functional as digital gates, and they can be used only in certain combinations. Using SOAs we have managed to implement the pattern-matching algorithm we described in Section II-A.

III. SOFTWARE MODELING

In this section we present the software platform we have developed for modelling the optical firewall. It is a custom framework developed specifically for the needs of our architecture. It runs on any PC equipped with a network interface and a Microsoft Windows operating system. The framework does not aim to model the optical core of the system; there are several options currently on the market for simulating optical devices[7]. Instead, our initial goal was to produce a software environment that illustrates the operation of our architecture as a whole system.

By using the framework, we are able to reproduce application scenarios in a controlled software environment. We can estimate time costs and verify the pattern matching optical algorithm.

This section is organized as follows: First, we present the framework’s features through a quick guide using limited screen shots of the software environment, due to space constraints. We proceed to explain the system architecture and then depict some possible usage configurations and application scenarios.

A. Overview

One of our first major concerns during the development of the framework was that it had to target a mixed scientific audience and not just computer scientists. This is, mainly, because our collaborative project is composed of physicists, optical engineers, electrical engineers and computer scientists. Thus, we took the decision to develop a graphical and user friendly application for the Microsoft Windows operating system. The framework can be used by anyone without requiring deep technical knowledge of computer software.

With the assistance of the graphical environment the user is able to construct instances of all-optical pattern matching boxes. We will further refer to such an instance as a filter or rule.

Each filter is configured using a dialog box. First you give the box a unique name. Then you select the target properties (protocol and service) that the box will search for (e.g. ICMP[4], TCP[5], UDP[2], PORT number of the required service) and then the source of the packets. In the beginning, the only source available is the trace file captured from the network, but after the creation of each new box you can additionally select as source the matched or unmatched packets of any of the other boxes, thus creating processing chains. Optionally, you can put an extra time delay for a box. In addition, if you choose the PORT target you will be asked to select between source port and destination port and put in the port number as shown in Figure 1.

After a new box has been set up, an iconic representation of an all-optical pattern matching box is displayed on the program’s workspace. The user may construct an unlimited number of filters in this fashion. However, the actual system’s capacity is limited. The real optical
Fig. 1. Search for a specific port number

firewall is expected to be able to serve simultaneously only a few filters.

Upon having set the preferred filters, the framework can inject traffic into the simulated system. This can be achieved either by passively capturing the traffic experienced by the host which runs the framework, or by processing already captured traces. Each filter, depicted in the user’s desktop as an optical firewall instance, updates its statistics in real-time. Statistics include packets captured, packets which matched the filter and packets that did not.

In addition, a global tick counter accounts for the cost of the whole session in terms of spent processing time. We define a tick as the amount of time spent for processing one bit of information in the optical domain. For every tick, each pattern matching box performs the pattern matching algorithm on one bit of the data. From an algorithmic view we can imagine this operation as an iteration by the main processing loop of the system where each box operates separately from the others in a pseudo-parallel way.

However, the tick described above corresponds to real time, which in the optical domain is on the scale of tens of picoseconds. For example, if we operate in 40Gbps then the one bit time is 1/(40 × 10^9) s = 25 picoseconds. This correlation of the one bit operation and the physical time is a configurable feature of our application so the user can change the virtual network throughput.

IV. SYSTEM ARCHITECTURE

The Simulator process has two threads. The first one is the graphical interface of the application and the second one is the main processing unit that consists of the sniffer and the pattern matching box component.

Fig. 2. WSIM Architecture

After the user configuration is made and the simulation is started, the Sniffer thread is created. The Sniffer is initialized with a trace file from the user. Then the file is processed and internal structures that represent the packet header are created. Each packet from the trace is processed and translated to a sequence of bits representing its header. At present, the system architecture deals with the IP protocol[3] for the packets’ network layer and the TCP[5] and UDP[2] protocols for the packets’ transport layer. Packets in the trace file using other protocols are excluded.

When all internal structures have been created the global timer described above begins and starts counting the time spent on all operations until there are no unprocessed packets remaining in the stack.

Each packet is processed using the complete optical algorithm for pattern matching and not using simple equality relations of computer programming.

Every box keeps basic information like its name, the target and several counters that build the state of the box, and three lists. The first list contains the source of the packets to capture. The other two lists contain the IDs of boxes whose source list has to be refreshed with the packet being currently processed after the box has finished with it. There is one list for matched packets and one list for unmatched packets for every pattern matching box.

After a box has captured a packet and finished processing it and there is a match, then the packet feeds the source list of the boxes that the matched list refers to. The same happens with packets that do not match the target. The source of the boxes can be fed with packets from a trace depending on the user’s configuration.

If the box is still in operation and its source list is fed with a new packet, the packet gets dropped. The source list must be empty when the pattern matching box operates on a packet, otherwise we have a packet drop. If a box has finished with a packet and its source list is empty, the box will be in an idle state until its source list is refreshed.

The simulation ends when all packets from the trace have been processed through all the pattern matching boxes. Then the user can examine the log files generated, which contain all the information on the packets of the trace including timestamps. We depict the system’s architecture in Figure 2.

A. Application Scenarios

We use a small trace containing 131 packets for the examples. The scenarios represent an optical firewall that

drops all incoming ICMP packets before they manage to reach any router operating in the digital domain. After that we need to separate the traffic and search for specific source or destination ports that may correspond to well-known attacks.

1) First Scenario: We are going to set up 3 pattern matching boxes. The first one is called icmpBox and searches for ICMP protocol packets. The source of the packets is the trace file.

Secondly, we want to filter out the unmatched packets produced from the first box and keep only the TCP protocol. So the second box is called tcpBox and the source of the packets is the icmpBox unmatched field. All matched packets from the tcpBox will go through the last pattern matching box that is called port 25Box and is searching for destination port 25.

Then we start the simulation and see the results in Figure 3 and Table I below.

Fig. 3. First scenario interface layout

Our trace contains 131 packets, but as we can see from the table of results in Table I below, the first box has dropped 17 packets because of time issues and has captured 112 packets, a total of 129. That means that 2 packets are not of IP protocol and were not captured by the filter. 26 packets matched the icmpBox target and got dropped because we assumed that the optical firewall drops all incoming ICMP packets.

The rest of the packets went through the second rule without any dropping and then the matched packets of this rule through the last pattern matching box, which dropped 11 packets. That can be easily explained because the first 2 rules need the same time to complete processing a packet according to the complexity of the pattern matching algorithm. This is because the target of the first two rules is 8-bit long (protocol field in the packet’s IP header) and the target of the third rule is 16-bit (destination port field in the packet’s transport layer header), so the algorithm in the third box needs twice the time to complete processing each packet.

Box         | Target  | Packet Source       | Packets Dropped
icmpBox     | ”ICMP”  | ”Trace”             | 17
tcpBox      | ”TCP”   | ”icmpBox unmatched” | 0
port 25Box  | ”PORT”  | ”tcpBox matched”    | 11

Box         | Packets Captured | Packets Matched | Packets Unmatched
icmpBox     | 112              | 26              | 86
tcpBox      | 86               | 48              | 38
port 25Box  | 37               | 3               | 34

Network throughput: 40 Gbits per second
Bit Operations: 716,809
Time (picoseconds): 17,920,225

TABLE I: First scenario results operating in 40Gbps

Now we are going to simulate the same scenario but change the network throughput to 80Gbps so that each bit operation lasts 12.5 picoseconds. The number of dropped packets increases and the time for completing the total operation is approximately 25% of the initial one. Results are shown in Table II.

Box         | Target  | Packet Source       | Packets Dropped
icmpBox     | ”ICMP”  | ”Trace”             | 22
tcpBox      | ”TCP”   | ”icmpBox unmatched” | 0
port 25Box  | ”PORT”  | ”tcpBox matched”    | 14

Box         | Packets Captured | Packets Matched | Packets Unmatched
icmpBox     | 107              | 21              | 86
tcpBox      | 86               | 48              | 38
port 25Box  | 34               | 3               | 31

Network throughput: 80 Gbits per second
Bit Operations: 358,405
Time (picoseconds): 4,480,062.5

TABLE II: First scenario results operating in 80Gbps

2) Second scenario: Now we are going to set up 5 pattern matching boxes. The network throughput is set to 40Gbps. The first pattern matching box is called tcpBox and searches for TCP protocol packets. The second one is called udpBox and searches for UDP protocol packets. The source of the packets of both boxes is the trace.
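The tick-level semantics of Sections III and IV (one bit of the target compared per tick, a packet delivered to a busy box is dropped, matched and unmatched outputs feeding the source lists of downstream boxes, and elapsed time equal to ticks multiplied by the one-bit time) are easy to misread from the prose alone, so the following Python model reproduces them on the first-scenario chain (icmpBox, tcpBox fed from icmpBox unmatched, port 25Box fed from tcpBox matched). It is an added example and not WSIM’s code; the simplified header layout, the six-packet trace and its arrival ticks are constructed, and the box, packet and function names are my own.

```python
"""Tick-level model of chained all-optical pattern matching boxes.

Added example, not WSIM's own code. Each box compares one bit of its target
per tick, so a box with an L-bit target holds a packet for L ticks; a packet
delivered to a box that is still busy is dropped; every box forwards the
packets it finishes to the boxes that consume its "matched" or "unmatched"
output. Header layout and trace are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, simplified header layout (bit offsets inside the header).
PROTO_OFF, SRC_PORT_OFF, DST_PORT_OFF = 0, 8, 24
ICMP, TCP, UDP = 1, 6, 17          # IANA protocol numbers


def header_bits(proto: int, sport: int, dport: int) -> str:
    """Serialise a constructed header into the bit string a box scans."""
    return f"{proto:08b}{sport:016b}{dport:016b}"


def bit_time_ps(gbps: float) -> float:
    """One-bit time in picoseconds: 1/(gbps*10^9) s, i.e. 25 ps at 40 Gbps."""
    return 1000.0 / gbps


@dataclass
class Packet:
    pid: int
    bits: str
    arrival: int        # tick at which the packet leaves the trace


@dataclass
class Box:
    name: str
    target: str         # bit pattern the box searches for
    offset: int         # where that field starts in the header
    source: str         # "trace", "<box>.matched" or "<box>.unmatched"
    captured: int = 0
    matched: int = 0
    unmatched: int = 0
    dropped: int = 0
    current: Optional[Packet] = None
    ticks_left: int = 0

    def feed(self, pkt: Packet) -> None:
        """Source list holds one packet and must be empty while the box works."""
        if self.current is not None:
            self.dropped += 1          # box still busy: packet is lost
            return
        self.captured += 1
        self.current = pkt
        self.ticks_left = len(self.target)   # one bit compared per tick

    def step(self) -> Optional[Tuple[bool, Packet]]:
        """Advance one tick; return (hit, packet) when the box finishes."""
        if self.current is None:
            return None
        self.ticks_left -= 1
        if self.ticks_left > 0:
            return None
        pkt, self.current = self.current, None
        hit = pkt.bits[self.offset:self.offset + len(self.target)] == self.target
        if hit:
            self.matched += 1
        else:
            self.unmatched += 1
        return hit, pkt


def simulate(boxes: List[Box], trace: List[Packet], gbps: float) -> Dict[str, object]:
    """Global tick loop: runs until the trace is empty and every box is idle."""
    consumers: Dict[str, List[Box]] = {}
    for b in boxes:
        consumers.setdefault(b.source, []).append(b)
    pending = sorted(trace, key=lambda p: p.arrival)
    tick = 0
    while pending or any(b.current is not None for b in boxes):
        # Phase 1: every busy box compares one more bit (pseudo-parallel).
        finished = []
        for b in boxes:
            result = b.step()
            if result is not None:
                finished.append((b, result))
        # Phase 2: deliver this tick's trace packets, then forward completions.
        while pending and pending[0].arrival <= tick:
            pkt = pending.pop(0)
            for b in consumers.get("trace", []):
                b.feed(pkt)
        for b, (hit, pkt) in finished:
            key = f"{b.name}.{'matched' if hit else 'unmatched'}"
            for nxt in consumers.get(key, []):
                nxt.feed(pkt)
        tick += 1
    return {"ticks": tick, "time_ps": tick * bit_time_ps(gbps),
            "stats": {b.name: (b.captured, b.matched, b.unmatched, b.dropped)
                      for b in boxes}}


def first_scenario(gbps: float = 40.0) -> Dict[str, object]:
    """icmpBox -> tcpBox (icmpBox unmatched) -> port25Box (tcpBox matched)."""
    boxes = [Box("icmpBox", f"{ICMP:08b}", PROTO_OFF, "trace"),
             Box("tcpBox", f"{TCP:08b}", PROTO_OFF, "icmpBox.unmatched"),
             Box("port25Box", f"{25:016b}", DST_PORT_OFF, "tcpBox.matched")]
    # Constructed six-packet trace: (proto, sport, dport, arrival tick).
    spec = [(ICMP, 0, 0, 0), (TCP, 40000, 25, 8), (TCP, 40001, 25, 16),
            (TCP, 40002, 80, 24), (UDP, 5353, 53, 32), (TCP, 40003, 25, 48)]
    trace = [Packet(i + 1, header_bits(p, s, d), t) for i, (p, s, d, t) in enumerate(spec)]
    return simulate(boxes, trace, gbps)


if __name__ == "__main__":
    res = first_scenario(40.0)
    for name, (c, m, u, d) in res["stats"].items():
        print(f"{name:<10} captured={c} matched={m} unmatched={u} dropped={d}")
    print(f"ticks={res['ticks']} time={res['time_ps']:.1f} ps at 40 Gbps")
```

With packets arriving 8 ticks apart, the two 8-bit protocol boxes keep up but the 16-bit port box is still busy when the next TCP packet reaches it, so the only drop happens in port25Box; this is the same effect the paper uses to explain the 11 drops of the third rule in Table I. Changing `gbps` only rescales the reported time here (81 ticks are 2025 ps at 40 Gbps and 1012.5 ps at 80 Gbps), because the constructed arrivals are given in ticks rather than in physical time.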

Box         | Target  | Packet Source     | Packets Dropped
tcpBox      | ”TCP”   | ”Trace”           | 17
udpBox      | ”UDP”   | ”Trace”           | 17
port 25Box  | ”PORT”  | ”tcpBox matched”  | 11
port 80Box  | ”PORT”  | ”tcpBox matched”  | 11
port 53Box  | ”PORT”  | ”udpBox matched”  | 0

Box         | Packets Captured | Packets Matched | Packets Unmatched
tcpBox      | 112              | 48              | 64
udpBox      | 112              | 38              | 74
port 25Box  | 37               | 3               | 34
port 80Box  | 37               | 12              | 25
port 53Box  | 38               | 19              | 19

Network throughput: 40 Gbits per second
Bit Operations: 717,001
Time (picoseconds): 17,925,025

TABLE III: Second scenario results operating in 40Gbps

All matched packets from the tcpBox will go through the next two pattern matching boxes that are called port 25Box and port 80Box and are searching for destination port 25 (default for mail processing) and destination port 80 (default for HTTP traffic) respectively. Then all matched packets from the udpBox will go through the last pattern matching box which is called port 53Box and is searching for destination port 53.

Then we start the simulation and see the results in Figure 4 and Table III above.

Fig. 4. Second scenario interface layout

V. SOFTWARE API

The SAPI (Security Application Programming Interface) is the mini operating system of the WISDOM firewall and will be used together with the first WISDOM hardware prototype developed by our project partners. It creates an interface between the low-level hardware controls and the user by providing an easy to use API for creating new sets of filter rules. The SAPI uses an object-oriented design and provides several classes: SAPI Init, SAPI Filter and its three subclasses SAPI IPv4 Filter, SAPI TCP Filter and SAPI UDP Filter. For a simplified UML diagram of the SAPI, see Figure 5.

SAPI Init is used to initialize the hardware and performs various low-level tasks such as turning on heater and peltier controls on the circuit board and resetting any previously set filter rule. SAPI Filter provides a structure for a general packet filter. The WISDOM hardware only deals with simple bit patterns on which it performs its
bit-by-bit optical pattern matching. In order to create a
filter rule for the firewall, one can use SAPI Filter which
then translates a human-readable rule to a bit pattern to
be passed on to the hardware. Additionally, one can use
the more specific SAPI IPv4 Filter, SAPI TCP Filter or
SAPI UDP Filter which are aware of the packet header
structure of their respective protocol types in order to
create more specific filter rules.
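The translation this section describes, from a human-readable rule such as a destination port or a protocol name to a bit pattern at a known header offset, is shown below in Python. This is an added example written in the spirit of the SAPI and not the SAPI’s code: the class names (IPv4Filter, TCPFilter, UDPFilter), the HardwareStandIn that records what apply() hands over, and the convenience functions are mine, and the offsets assume a 20-byte IPv4 header without options directly followed by the transport header. A constructed packet builder lets the example check that each pattern matches the packets it should and no others.

```python
"""Human-readable firewall rules turned into bit patterns for a bit-by-bit matcher.

Added example in the spirit of the SAPI of Section V; not the SAPI's code.
Names are the example's own; the hardware is a stand-in that only records
the patterns it is given. Offsets assume a 20-byte IPv4 header (no options)
directly followed by the transport header.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Union

IANA_PROTOCOL = {"ICMP": 0x01, "TCP": 0x06, "UDP": 0x11}   # IANA protocol numbers

# Bit offsets counted from the first bit of the IPv4 header.
IPV4_PROTOCOL_OFF = 9 * 8      # protocol field is byte 9 of the IPv4 header
TRANSPORT_OFF = 20 * 8         # assumption: no IP options
SRC_PORT_OFF = TRANSPORT_OFF   # TCP and UDP headers both begin: src port, dst port
DST_PORT_OFF = TRANSPORT_OFF + 16


@dataclass(frozen=True)
class BitPattern:
    offset: int     # first header bit the hardware compares
    bits: str       # target bits, one comparison per tick


class HardwareStandIn:
    """Stand-in for the device: it only remembers the rules it was handed."""
    def __init__(self) -> None:
        self.rules: List[BitPattern] = []

    def load(self, pattern: BitPattern) -> None:
        self.rules.append(pattern)


class Filter:
    """General packet filter: a raw bit pattern at a given offset."""
    def __init__(self, offset: int, bits: str) -> None:
        if not bits or set(bits) - {"0", "1"}:
            raise ValueError("pattern must be a non-empty string of 0/1")
        self.pattern = BitPattern(offset, bits)

    def apply(self, hw: HardwareStandIn) -> BitPattern:
        """Convert the rule and send it to the (stand-in) hardware."""
        hw.load(self.pattern)
        return self.pattern


class IPv4Filter(Filter):
    """Knows the protocol numbers and where the protocol field lives."""
    def __init__(self, protocol: str) -> None:
        super().__init__(IPV4_PROTOCOL_OFF, f"{IANA_PROTOCOL[protocol.upper()]:08b}")


class _PortFilter(Filter):
    def __init__(self, destination_port: Union[int, str, None] = None,
                 source_port: Union[int, str, None] = None) -> None:
        if (destination_port is None) == (source_port is None):
            raise ValueError("give exactly one of destination_port or source_port")
        port = int(destination_port if destination_port is not None else source_port)
        if not 0 <= port <= 0xFFFF:
            raise ValueError("port out of range")
        off = DST_PORT_OFF if destination_port is not None else SRC_PORT_OFF
        super().__init__(off, f"{port:016b}")


class TCPFilter(_PortFilter):
    """Port rule for TCP; a port pattern alone does not check the protocol,
    so chain it behind a TCP protocol rule as the Section IV scenarios do."""


class UDPFilter(_PortFilter):
    """Port rule for UDP; the port fields sit at the same offsets as in TCP."""


# Predefined "wizard" rules, in the spirit of the SAPI's convenience functions.
def mail_filter() -> TCPFilter:
    return TCPFilter(destination_port=25)


def icmp_filter() -> IPv4Filter:
    return IPv4Filter(protocol="ICMP")


def dns_filter() -> UDPFilter:
    return UDPFilter(destination_port=53)


def pattern_matches(pattern: BitPattern, raw: bytes) -> bool:
    """The bit-by-bit comparison a box performs against a raw packet."""
    bits = "".join(f"{byte:08b}" for byte in raw)
    end = pattern.offset + len(pattern.bits)
    return len(bits) >= end and bits[pattern.offset:end] == pattern.bits


def constructed_packet(protocol: int, dst_port: int) -> bytes:
    """Constructed IPv4 header (no options) plus the first four transport bytes."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, protocol, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ipv4 + struct.pack("!HH", 40000, dst_port)   # src port, dst port


if __name__ == "__main__":
    hw = HardwareStandIn()
    for rule in (icmp_filter(), mail_filter(), dns_filter()):
        p = rule.apply(hw)
        print(f"offset {p.offset:>3}  bits {p.bits}")
    print("ICMP rule on ICMP packet:", pattern_matches(hw.rules[0], constructed_packet(1, 0)))
    print("mail rule on TCP/25     :", pattern_matches(hw.rules[1], constructed_packet(6, 25)))
```

The ICMP rule becomes an 8-bit pattern at bit 72 and the mail rule a 16-bit pattern at bit 176, which is also why a port rule costs twice the ticks of a protocol rule in the simulator. Because the hardware matches a single pattern, a port rule by itself would also fire on a UDP datagram carrying the same destination port; the scenarios in Section IV avoid that by feeding the port box only from the matched output of a protocol box.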
For example, in order to create a rule that will filter out
any outgoing e-mail traffic, one creates a new instance of
SAPI TCP Filter with destination_port="25".
(Port 25 is the one used by the SMTP protocol used to send email). Another very common firewall rule example would be to create an ICMP filter. ICMP is very often abused and by blocking ICMP ping packets one can also hide the status of internal hosts from the outside. To do this using the SAPI, you create a SAPI IPv4 Filter object with protocol="ICMP". The SAPI knows that ICMP has the protocol number 0x01[1] and knows the offset of the ”protocol” field inside an IP packet[3]. It uses this knowledge to create an appropriate binary pattern that it can pass down to the hardware. Once an object with the desired filter rule has been created, all you have to do is call its apply() function and the filter rule is converted and sent to the hardware.

Furthermore, the SAPI provides a set of predefined functions for easily creating some of the most commonly used filter rules. Those include the aforementioned Mail filter and ICMP filter and also feature a HTTP web traffic filter, FTP filter, IRC filter, DNS filter, Microsoft File & Printer Sharing filter, a generic TCP filter to be used to pre-filter TCP traffic and two IP address filters for filtering by source or destination IP address, respectively. Not only do these functions simplify the filter creation process, they also act as ”wizards” for normal users so that they do not need to know which ports are used by Microsoft’s File & Printer Sharing services or what makes up an ICMP packet.

The SAPI will eventually be accompanied by a GUI interface which is currently being developed. It will allow filter rule creation at the click of a button, offer the possibility to change the order of the set of rules before it’s written to the consecutive set of hardware devices and will make configuring and using the WISDOM firewall possible even for regular users not versed in the field of network administration.

Fig. 5. Simplified UML diagram of the SAPI architecture

VI. CONCLUSION

Currently, important security operations such as pattern matching for filtering packets are difficult to perform in network links experiencing throughput greater than 40 Gbps.

In this paper we have presented a novel idea which suggests the creation of a system architecture that deals with security operations in the optical domain. We have also presented the mini operating system of the firewall and the software platform which can be used to build and model scenarios in a controlled environment. A user-friendly simulator of the optical firewall’s operation, which uses actual network traffic traces, is useful for security algorithm design purposes as well. It is expected that it will also provide a hardware validation tool later in the project.

The bad news is that, as we have described, the development of such a system has to deal with a lot of optical limitations and thus is a very challenging project. The good news is that every day clever ideas come along and solve fundamental problems. In addition, the current simulation platform results make us very hopeful. WISDOM is the beginning of all later optical based hardware, which can perform sophisticated all-optical processing for security purposes.

VII. ACKNOWLEDGEMENTS

We would like to thank the anonymous reviewers for their valuable feedback. Antonis Krithinakis, Elias Athanasopoulos, Georgios Kopidakis and Evangelos P. Markatos are also with the University of Crete. Lubomir Stroetmann assisted in this work while interning with FORTH. This work is funded by the FP6 EU project WISDOM. Elias Athanasopoulos is also funded by the Microsoft Research PhD Scholarship project, provided by Microsoft Research Cambridge.
REFERENCES

[1] IANA assigned internet protocol numbers. http://www.iana.org/assignments/protocol-numbers/.
[2] RFC768 - User Datagram Protocol. http://www.faqs.org/rfcs/rfc768.html.
[3] RFC791 - Internet Protocol. http://www.faqs.org/rfcs/rfc791.html.
[4] RFC792 - Internet Control Message Protocol. http://www.faqs.org/rfcs/rfc792.html.
[5] RFC793 - Transmission Control Protocol. http://www.faqs.org/rfcs/rfc793.html.
[6] The WISDOM Project. http://www.ist-wisdom.org.
[7] VPIphotonics. http://www.vpiphotonics.com/.
[8] C. C. Carroll. R68-40 sequential machines and automata theory. IEEE Trans. Comput., 17(9):922–923, 1968.
[9] D. Cotter et al. Non-linear optics for high-speed digital information processing. In Science 286, pages 1433–1636, 1999.
[10] R. P. Webb et al. 42Gbit/s all-optical pattern recognition system. In Proceedings of Optical Fibre Communications (OFC), 2008.
