Packet Filtering Circuits for Smart Phones

Tomoaki SATO
C&C Systems Center, Hirosaki University
Hirosaki 036-8561 Japan

Phichet MOUNGNOUL
Faculty of Engineering, King Mongkut's Institute of Technology Ladkrabang
Bangkok 10520 Thailand

and

Masa-aki FUKASE
Graduate School of Science and Technology, Hirosaki University
Hirosaki 036-8561 Japan

ABSTRACT

Security measures for smart phones are important. Anti-virus software for smart phones can be used, but the process consumes CPU resources. Their CPUs are low-performance CPUs for embedded systems, and those operations consume battery power. In this paper, the authors propose packet filtering circuits for smart phones. The packet filtering circuits are a firewall. Using the firewall is a means to protect smart phones from computer viruses and unauthorized access. In addition, they are used to control the power consumption and to reduce the number of detecting units for unauthorized access. The feature of the circuits is that they achieve those functions without reconstructing circuits. The operations of the circuits are verified by gate-level simulations.

Keywords: Packet Filtering, Firewall, Mobile Devices, Smart phones, Network Security

1. INTRODUCTION

The number of smart phone users is increasing rapidly. Smart phones use iOS or Android OS, which are based on UNIX. They enable sending and receiving large files and accessing web pages that were created for viewing on a PC. Additionally, users input personal information such as telephone numbers and the contents of mail into them. This means that security countermeasures are more important for smart phone users than for PC users.

In the case of Android phones, computer viruses have already appeared. We must take preventive measures against them. Anti-virus software for Android phones can be used, but the process consumes CPU resources. Their CPUs are low-performance CPUs for embedded systems, and those operations consume battery power. Therefore, the detection capability of anti-virus software for Android phones is not sufficient. A firewall is used to protect computer operations from computer viruses and unauthorized access. In general, a host-based firewall is implemented in software. The processing of the host-based firewall consumes CPU power, so using it in smart phones is not appropriate.

On the other hand, the Reconfigurable Firewall Unit has been developed. Its feature is that the processing does not need the CPU. It was implemented as logic on an FPGA (Field-Programmable Gate Array), and its operations are very efficient. However, the circuits for firewall processing must be provided for each application of network computing, which means an infinite number of combinations.

In this paper, the authors propose a packet filtering algorithm that can be used sustainably without having to rewrite the circuit information. The circuits for packet
filtering algorithm can be achieved with a custom design LSI. In general, FPGA circuits consume more power than the circuits of a custom design LSI, and the operations of a custom design LSI are faster than those of an FPGA.

This paper is organized as follows. Section 2 presents the outlines of the firewall and packet filtering circuits. Then, Section 3 describes the development of the filtering circuit. In Section 4, the conclusions are made.

2. FIREWALL AND PACKET FILTERING CIRCUITS

A. Firewall Circuits

Firewall circuits are logic-based firewalls constructed with reconfigurable circuits. The example that uses reconfigurable circuits is . The outline of them is shown in Figure 1. The controlled ports are those used for mobile computing, and they are the minimum needed. Table I lists the controlled ports. Because the firewall unit is developed on an FPGA, changing the ports is very easy.

TABLE I
CONTROLLED PORTS

Function    Port
POP3        110    0000000001101110
HTTPS       443    0000000110111011

[Figure 1. Firewall for H-HIPS. Packets to the Internet / LAN: destination port number checking (53 (DNS), 80 (WWW), ...). Packets from the Internet / LAN: source port number checking (53 (DNS), 80 (WWW), ...).]

Figure 2 shows the circuits synthesized for the Altera Cyclone EP1C20F400C7, which is an FPGA. The maximum delay time of the circuits is 17.9 ns. The circuits can operate at 50 MHz by conventional operations. The minimum delay time is 12.3 ns. They can operate at 100 MHz by wave-pipelined operations. The gate-level simulations confirm wave-pipelined operations.

[Figure 2. Firewall Unit. (Network of LUTs.)]

The weak points of firewall circuits are as follows.
- When the firewall composition is changed, it is necessary to synthesize the circuits again.
- The circuits need an FPGA. Therefore, they cannot be used in a custom-designed LSI.

B. Filtering Circuits

To improve on the weak points of firewall circuits, filtering circuits are proposed. The processing procedure of the packet filtering algorithm is shown in Figure 3 and is as follows.
- When the smart phone has made a communication request to a server computer, the source port number of the TCP header of the packet is stored.
- The time of the packet is recorded.
- When the smart phone receives a packet, the destination port number of the packet is stored.
- The source port number is matched against the destination port number.

If the source port number and the destination port number match, the packet to the smart phone is judged to be normal communication. Any packet other than a normal packet is discarded. In addition, when a certain period of time has elapsed from the recorded time, some packets are discarded.

[Figure 3. Packet Filtering Algorithm. Flowchart: START; store the source port number from the client and start the timer; compare the time of the timer with the set time, and on Yes delete the source port number; store the destination port number of a packet from a server; compare the destination port number with the white lists (Yes: normal packet); compare the destination port number with the source port number (Yes: normal packet, No: protect); END.]

[Figure 4. H-HIPS with Packet Filtering Unit. Blocks: PHY, MAC, LUT-based Packet Filtering Unit, Bus, Shift Registers, LUT for Intrusion Prevention, IPS Processor, MIPS CPU core, Clock Control.]

On the other hand, the authors have developed H-HIPS (Hardware- and Host-based Intrusion Prevention System). H-HIPS is shown in Figure 4. The target of the system
is smart phones and mobile PCs. It has been implemented on an FPGA, and its detection units have been achieved by reconfigurable logic circuits. The system needs a firewall function. The firewall function is indispensable not only as a firewall but also for the reduction of power consumption and detection units. The packet filtering circuits on the FPGA can be applied to H-HIPS for these reasons.

3. DEVELOPMENT AND VERIFICATIONS OF CIRCUITS

To verify the packet filtering algorithm, the authors implemented it on an FPGA. The FPGA is an Altera Cyclone. The hardware structure is shown in Figure 1.

The circuits of the packet filtering algorithm are simulated by gate-level simulations. The simulations are shown in Figure 6. As a result, operation at 100 MHz is confirmed. We chose the FPGA because it makes it easy to verify the actual behavior. The circuits do not use any function peculiar to an FPGA.

[Figure 5. The Hardware Structure of Packet Filtering Unit. (a) Packet Filtering Unit. (b) Packet Filtering Circuits. Signals and blocks: CLK, RESET, D CLK, div CLK, S in, D in, S PN (16 bits), D PN (16 bits), PortNum&Time Unit, LPN (16 bits), LPT (8 bits), Comparing Unit, status (2 bits), judge, Data, Control.]

[Figure 6. Simulation Results. Signals: Time, Source Port, Destination Port, Judgment. Cases shown: non-corresponded, corresponded with a white list, corresponded, time over (set time). Status codes: 00: Initial, 01: Normal, 10: Time over, 11: Protect.]

4. CONCLUDING REMARKS

In this paper, the authors proposed a packet filtering algorithm for smart phones. Then, the algorithm was implemented on an FPGA, and its operations were confirmed by gate-level simulations. According to the results, 100 MHz operation was shown. Future work includes an evaluation by measurement on the FPGA and a verification at the packet level.

ACKNOWLEDGMENT

This work has been supported in part by Grant-in-Aid for Young Scientists (B) (23700068) from Japan Society for the Promotion of Science (JSPS), Japan.

REFERENCES

Tomoaki Sato, Phichet Moungnoul, and Masa-aki Fukase, "Delay Time Analysis of Reconfigurable Firewall Unit," Proc. of the 4th International Multi-Conference on Engineering and Technological Innovation, Vol. II, pp. 109-114, 2011.

Tomoaki Sato, Syuya Imaruoka, and Masa-aki Fukase, "Reconfigurable Firewall Unit by Wave-Pipelined Operations," Proc. of ISPACS 2008, pp. 449-452, 2009.

Tomoaki Sato, Kei Ito, Keisuke Saito, Phichet Moungnoul, and Masa-aki Fukase, "Development of a shift register for Firewall Circuits by Wave-Pipelined Operations," Proc. of 2010 International Workshop c-1-4, 2010.

David V. Schuehler and John W. Lockwood, "TCP Splitter: A TCP/IP Flow Monitor in Reconfigurable Hardware," IEEE Micro, Vol. 23, No. 1, pp. 54-59, 2003.

L. Cotton, "Maximum rate pipelining systems," Procs. AFIPS Spring Joint Computer Conference, pp. 581-586, 1969.

F. Klass and M. J. Flynn, "Comparative Studies of Pipelined Circuits," Stanford University Technical Report, No. CSL-TR-93-579, July 1993.

W. P. Burleson, M. Ciesielski, F. Klass, and W. Liu, "Wave-Pipelining: A Tutorial and Research Survey," IEEE Trans. on Very Large Scale Integration (VLSI) Systems, Vol. 6, No. 3, pp. 464-474, Sept. 1998.

Tomoaki Sato, Syuya Imaruoka, and Masa-aki Fukase, "Hardware-Based IPS for Embedded Systems," Proc. of WMSCI 2009, Vol. III, pp. 74-79, 2009.

Keisuke Saito, Shuya Imaruoka, Tomoaki Sato, and Masa-aki Fukase, "Evaluation of Packet Filtering Unit," Proc. of FIT 2009, Vol. 8, No. 4, pp. 129-130, 2009.
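
The packet filtering algorithm of Section 2.B (Figure 3), with the 2-bit status codes listed with Figure 6, can be followed in a small behavioural model. This is an added example, not the authors' circuit or code: the single stored port, the tick-based 8-bit timer, the treatment of a late reply as "Time over", the set time of 5 ticks and the white-list port 68 are assumptions, and the trace is constructed.

```python
from enum import IntEnum

class Status(IntEnum):          # 2-bit status codes listed with Figure 6
    INITIAL = 0b00
    NORMAL = 0b01               # packet passed
    TIME_OVER = 0b10            # reply came after the set time: discarded
    PROTECT = 0b11              # no matching request: discarded

class PacketFilterModel:
    """Assumed single-entry model: one stored port (LPN) and one timer (LPT)."""
    def __init__(self, set_time, white_list=()):
        if not 0 < set_time <= 0xFF:      # assumption: 8-bit timer
            raise ValueError("set_time must be 1..255 ticks")
        self.set_time = set_time
        self.white_list = frozenset(white_list)
        self.lpn = None                   # source port of the last request
        self.lpt = 0                      # ticks since that port was stored
        self.status = Status.INITIAL

    def outbound(self, src_port):         # phone sends a request
        self.lpn, self.lpt = src_port, 0  # store the port, restart the timer

    def tick(self, n=1):                  # advance the timer, saturating
        self.lpt = min(self.lpt + n, self.set_time)

    def inbound(self, dst_port):          # judge a received packet
        expired = self.lpn is not None and self.lpt >= self.set_time
        matched = dst_port == self.lpn
        if expired:
            self.lpn = None               # delete the stored source port
        if dst_port in self.white_list:
            self.status = Status.NORMAL
        elif matched:
            self.status = Status.TIME_OVER if expired else Status.NORMAL
        else:
            self.status = Status.PROTECT
        return self.status

def run_trace(events, set_time=5, white_list=(68,)):
    """Replay ("out"|"tick"|"in", value) events; return the verdict per "in"."""
    f = PacketFilterModel(set_time, white_list)
    ops = {"out": f.outbound, "tick": f.tick, "in": f.inbound}
    results = [(kind, ops[kind](value)) for kind, value in events]
    return [r.name for kind, r in results if kind == "in"]

# Constructed trace: a request from port 49152, three packets, then late replies.
TRACE = [("out", 49152), ("in", 49152), ("in", 4444), ("in", 68),
         ("tick", 5), ("in", 49152), ("in", 49152)]
```

The model judges on the port number alone, as the algorithm in Section 2.B does; it keeps no remote address or connection state.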