Aludel: transparent crypto-offloading for enhanced legacy application security

Abstract

This dissertation explores the essential role of Transport Layer Security (TLS) in securing web applications. Our focus is on exploring the potential of kernel TLS (kTLS) offloading to alleviate resource usage, including CPU time, power consumption, and communication speed. Our main objective is to assess the viability of kTLS offloading, both in software and hardware configurations, to enhance resource efficiency in securing web applications. A variety of offloading strategies are analyzed, such as software-based kTLS implementation that brings cryptographic tasks closer to the Kernel and cutting-edge hardware-accelerated modes such as TOE (TCP Offload Engine) and coprocessor configurations, where we used the Chelsio T6 SmartNIC. We highlight the immense potential of kTLS and network adapters in reshaping performance and efficiency dynamics for some network environments, considering each approach's benefits and potential drawbacks. One challenge identified is the complexity of implementing kTLS in the current context. The discussion digs into the implications of this challenge and its potential impact on the broader adoption of kTLS in real-world applications. To address the difficulty of implementing kTLS and to ease legacy applications in taking advantage of the benefits of hardware offloading, the dissertation introduces Aludel. This solution provides a mechanism for legacy applications to seamlessly support kTLS, even without such support, giving interesting results on resource usage.