Loading [MathJax]/jax/output/SVG/jax.js
  • 中国精品科技期刊
  • CCF推荐A类中文期刊
  • 计算领域高质量科技期刊T1类
高级检索

域名系统递归解析服务安全技术综述:风险、防护和测量

李沁心, 武文浩, 王兆华, 李振宇

李沁心, 武文浩, 王兆华, 李振宇. 域名系统递归解析服务安全技术综述:风险、防护和测量[J]. 计算机研究与发展. DOI: 10.7544/issn1000-1239.202440158
引用本文: 李沁心, 武文浩, 王兆华, 李振宇. 域名系统递归解析服务安全技术综述:风险、防护和测量[J]. 计算机研究与发展. DOI: 10.7544/issn1000-1239.202440158
Li Qinxin, Wu Wenhao, Wang Zhaohua, Li Zhenyu. DNS Recursive Resolution Service Security: Threats, Defenses, and Measurements[J]. Journal of Computer Research and Development. DOI: 10.7544/issn1000-1239.202440158
Citation: Li Qinxin, Wu Wenhao, Wang Zhaohua, Li Zhenyu. DNS Recursive Resolution Service Security: Threats, Defenses, and Measurements[J]. Journal of Computer Research and Development. DOI: 10.7544/issn1000-1239.202440158
李沁心, 武文浩, 王兆华, 李振宇. 域名系统递归解析服务安全技术综述:风险、防护和测量[J]. 计算机研究与发展. CSTR: 32373.14.issn1000-1239.202440158
引用本文: 李沁心, 武文浩, 王兆华, 李振宇. 域名系统递归解析服务安全技术综述:风险、防护和测量[J]. 计算机研究与发展. CSTR: 32373.14.issn1000-1239.202440158
Li Qinxin, Wu Wenhao, Wang Zhaohua, Li Zhenyu. DNS Recursive Resolution Service Security: Threats, Defenses, and Measurements[J]. Journal of Computer Research and Development. CSTR: 32373.14.issn1000-1239.202440158
Citation: Li Qinxin, Wu Wenhao, Wang Zhaohua, Li Zhenyu. DNS Recursive Resolution Service Security: Threats, Defenses, and Measurements[J]. Journal of Computer Research and Development. CSTR: 32373.14.issn1000-1239.202440158

域名系统递归解析服务安全技术综述:风险、防护和测量

基金项目: 国家重点研发计划项目(2022YFB3103000).
详细信息
    作者简介:

    李沁心: 2000年生. 硕士研究生. 主要研究方向为网络测量和网络空间安全

    武文浩: 2000年生. 硕士研究生. 主要研究方向为网络测量和网络安全

    王兆华: 1994年生. 博士,博士后. 主要研究方向为网络测量和数据中心网络

    李振宇: 1980年生. 博士,研究员,博士生导师. 主要研究方向为网络传输、网络测量和网络人工智能

    通讯作者:

    王兆华(wangzh@cnic.cn

  • 中图分类号: TP311

DNS Recursive Resolution Service Security: Threats, Defenses, and Measurements

Funds: This work was supported by the National Key Research and Development Program of China (2022YFB3103000).
More Information
    Author Bio:

    Li Qinxin: born in 2000. Master candidate. Her main research interests include network measurement and cyberspace security

    Wu Wenhao: born in 2000. Master candidate. His main research interests include network measurement and network security

    Wang Zhaohua: born in 1994. PhD, Postdoctoral Fellow. Her main research interests include Internet measurement and data center networks

    Li Zhenyu: born in 1980. PhD, professor, PhD supervisor. His main research interests include network transmission, network measurement and artificial intelligence in network

  • 摘要:

    在域名系统(domain name system, DNS)中,DNS递归解析服务消除了用户与根域名服务器等上游DNS服务器之间的复杂交互,使得互联网用户可以方便地通过本地DNS服务器完成全球范围的域名解析. 作为直接与用户通信的第一门户,DNS递归解析服务过程已成为互联网基础设施攻击的一个重要目标. 由于DNS递归解析服务规模庞大且部署方式繁多,现有的DNS安全拓展机制在DNS递归解析服务器中存在部署复杂、兼容性差等问题,但是目前还缺少对安全防护机制的部署测量方法的研究与总结工作,缺乏针对DNS递归解析服务安全风险的系统全面的评估工作. 针对上述现状,将DNS递归解析服务存在的安全风险分为5大类,对DNS递归解析服务安全威胁,DNS安全拓展机制和DNS递归解析服务安全风险评估与测量等方面的现状与最新研究成果进行了归纳与总结,并对DNS递归解析服务安全监测与治理的潜在研究方向进行了展望.

    Abstract:

    The Domain Name System (DNS) recursive resolving service acts as a bridge between users and upstream DNS authoritative servers to enable users conveniently resolving domain names through local DNS servers. However, as the first gateway for communication with users, DNS recursive resolving services have become a significant target for attacks on Internet infrastructure. Given the vast scale and variety of DNS recursive service deployments, current DNS security enhancements struggle with implementation complexity and compatibility issues. Despite its importance, there is a noticeable lack of research focused on the deployment of security protection mechanisms for DNS recursive services, as well as the comprehensive assessment of the associated security threats. To bridge this gap, we categorize the security risks associated with DNS recursive services into five main types: cache poisoning, DNS hijacking, direct attacks on recursive servers, leveraging recursive servers to target other servers, and exploiting software vulnerabilities. Additionally, we provide a summary of the latest research on DNS recursive service security threats and DNS security enhancement mechanisms. Our review also summarizes measurement methods for assessing the security risks. Finally, we analyze the current state of DNS recursive service security and offer insights into future research directions for improving the security monitoring and governance of DNS recursive services.

  • 存储模块与计算模块相分离的冯·诺伊曼体系结构存在“存储墙”问题[1],严重制约了处理器的性能提升,并伴随着较大的能量消耗. 为彻底突破该“瓶颈”,需要在体系结构层次上进行突破,研究新型存内计算架构[2-4]. 忆阻状态逻辑为存内计算提供了电路基础. 通过融合布尔逻辑和非易失性存储的功能,忆阻状态逻辑可以消除计算过程中的数据移动(消除访存延时和能耗),实现存储与计算的细粒度融合. 目前,通过理论推导(仿真)和实测实验已经有诸如IMP,FALSE,NOR等多个忆阻状态逻辑门得到验证,功能覆盖布尔逻辑完备集,为实现复杂逻辑计算提供了可行基础. 然而,从复杂计算功能到忆阻存储阵列内状态逻辑门级联序列转换的自动化设计研究仍处于萌芽阶段,一些挑战亟待解决.

    一是“门单元类型单一”. 目前大多数针对复杂计算功能状态逻辑实现的研究都集中在使用功能完备的单个状态逻辑门级联,如IMP,NOR,NAND等,缺少对多个兼容状态逻辑门的使用,极大地限制了复杂状态逻辑计算过程的优化空间. 在综合策略中加入多种状态逻辑门,能够为复杂逻辑功能的实现提供更多的基本功能选择,有效减少最终的映射规模、操作数量以及执行延迟. 因此,有必要探索面向存内计算的多状态逻辑门综合映射方法.

    二是“综合映射目标单一”. 当前大多数面向复杂计算功能的状态逻辑实现的研究皆以计算延时为优化目标,鲜有针对其他设计目标的探讨. 忆阻状态逻辑门实际是在外加电压控制下的“条件写”过程,根据相应的输入数据,门的成功执行必然伴随一次擦写过程(状态翻转). 在当前的工艺成熟度下,实际忆阻器产品的可擦写次数相较于传统的动态随机存取存储器(DRAM)和静态随机存取存储器(SRAM)仍有不足. 在状态逻辑计算过程中,多次擦写可能导致器件磨损而失效,在设备维修维护不便的边缘计算场景下值得重点关注. 因此,有必要研究减少状态逻辑计算过程中器件磨损的方法来提高边缘计算设备的使用寿命,从而降低维护和更换成本.

    针对以上2个问题,本文研究面向低磨损存内计算的多状态逻辑门综合,探索采用多种状态逻辑门的综合映射过程来降低复杂存内状态逻辑计算过程的翻转率.

    沿用CMOS逻辑中门的定义,状态逻辑门是用来表示基于忆阻器电路和相应的逻辑功能的概念[5]. 状态逻辑门操作过程中信息的载体为忆阻器的电阻状态,逻辑操作的过程即为各个忆阻器在电压激励下的条件转变过程. 这种由电阻代表逻辑信息,通过电阻变化过程来映射逻辑函数的逻辑实现体系被称为状态逻辑[6].

    通常,用于构建状态逻辑门的忆阻器具有2个稳定的电阻状态,分别为高电阻状态(HRS,通常定义为逻辑0)和低电阻状态(LRS,通常定义为逻辑1). 对于双极型忆阻器,高电阻状态和低电阻状态之间的转换是由极性相反的外部工作电压触发的,它们被称为SET和RESET电压[7]. 当让高电阻状态和低电阻状态分别表示数字信号0和1时,对忆阻器构成的电路施加一组特定的电压信号序列,忆阻器的状态信息会相应地发生改变,这样就可以在忆阻器初始状态和最终状态之间映射一个逻辑函数. 状态逻辑门通过外围电路施加的控制电压信号触发“条件写”过程,在操作后的输出器件与输入器件之间映射逻辑关系,完成布尔逻辑功能.

    目前的研究工作已经通过改变电路结构或者针对同种电路结构来改变控制电压信号大小的方法实现了多种不同状态逻辑门,其逻辑功能覆盖IMP,NOR,NAND,NOT等完备集合. 本文沿用Xu等人[5]使用的状态逻辑门命名规则,使用符号“结构-N-n功能”表示一种状态逻辑门. 其中“结构”表示电路连接的类型,“N”表示逻辑输入的数量,“n”表示所包含的忆阻器件的数量,“功能”表示实现的逻辑功能. 图1中给出了2种典型的实现NOR功能的状态逻辑门结构,分别为“PMR-two-3NOR”和“PMASM-two-3NOR”.

    图  1  状态逻辑门电路结构图及其真值表
    Figure  1.  Circuit structure diagram of the stateful logic gates and their truth tables

    为方便描述,本文使用简单门(simple gate)和复合门(composite gate)来指代状态逻辑门[8]. 其中,简单门是指逻辑输入和输出映射到不同忆阻器件的逻辑门,如图1中的“PMR-two-3NOR”和“PMASM-two-3NOR”. 在这类逻辑门中,逻辑输出器件的初始状态一般设置为常数0或者1,状态逻辑门的执行过程就是对输出器件的“条件写”过程,逻辑操作完成后,将产生逻辑输出并保存在逻辑输出器件中. 复合门是指逻辑输出与其中一个逻辑输入共用同一个器件的状态逻辑门,其可由简单门扩展而来. 若将简单门的输出器件的初始值不设为常数0或1,而是作为第3个逻辑输入,那么简单门的逻辑功能将会扩展为由原始简单门功能与第3个逻辑输入的“或”(原始简单门基于输出器件的“条件置位”构建)或者“与”(原始简单门基于输出器件的“条件复位”构建). 例如,对于图1(a)中的“PMR-two-3NOR”门,若将其输出器件的初始值作为第3个逻辑输入,那么其实现的逻辑功能为ONOR(¯P+Q+Y),我们将此复合门命名为“PMR-three-3ONOR”;类似地,对于图1(b)中的“PMASM-two-3NOR”门,其实现的复合门为“PMASM-three-3ANOR”(¯P+QY). 由此,我们看到,每种简单状态逻辑门都对应一个由其扩展而来的复合门. 复合门的功能为对应的简单门的功能与“或逻辑”或者“与逻辑”的级联. 因此,复合门的功能可以拆分成“简单门的功能 + 或逻辑(与逻辑)”;反过来,“简单门的功能 + 或逻辑(与逻辑)”可以构成复合门的功能. 简单门和复合门的相互转化为本文后续逻辑网表后处理的理论基础.

    仅仅采用状态逻辑门完成单步逻辑无法满足实现复杂计算,复杂计算过程的执行需要对状态逻辑门进行灵活级联,即将前一级状态逻辑门的输出连接到下一级状态逻辑门的输入. 与CMOS逻辑门的级联不同,状态逻辑门中的逻辑信息由电阻状态表示,逻辑信息不能通过物理金属线进行传输. 然而,归功于忆阻交叉阵列的灵活性,忆阻状态逻辑门可以通过在忆阻交叉阵列中对器件的交叠使用来实现门的级联.

    依托忆阻交叉阵列完成状态逻辑门级联的前提条件是状态逻辑门要能在忆阻交叉阵列中灵活配置. 通过前期调研发现,可级联状态逻辑门主要为3种电路结构:PMR[9],PMASM[10],APMR[11]. 其中,前2种电路结构适合在2维忆阻交叉阵列中配置,如图2所示. 第3种电路结构适合在3维忆阻交叉阵列的层间器件之间配置.

    图  2  状态逻辑门在2维忆阻交叉阵列中的配置
    Figure  2.  Configuration of stateful logic gates in a 2D memristor-based crossbar array

    对于可在忆阻阵列中灵活配置的状态逻辑门,可以通过时空级联的方式实现复杂的逻辑计算[12]. 图3展示了在2维忆阻交叉阵列中级联2个“PMR-two-3NOR”状态逻辑门的步骤. 可以看到,状态逻辑门的级联不仅需要协调忆阻阵列中的忆阻器单元(空间维度),还需要按顺序触发这些门(时间维度). 因此,依托忆阻交叉阵列完成复杂状态逻辑计算的过程就是通过施加操作电压序列将一个个状态逻辑门配置到忆阻交叉阵列中完成逻辑门功能的级联过程.

    图  3  2维忆阻交叉阵列中2个“PMR-two-3NOR”状态逻辑门的级联
    Figure  3.  Cascade of two “PMR-two-3NOR” stateful logic gates in a 2D memristor-based crossbar array

    尽管存内状态逻辑计算系统消除了数据加载和存储的过程,但其时空级联特性使得状态逻辑在计算过程本身上难以超越CMOS组合逻辑电路[5,11]. 然而,根据研究表明,在忆阻交叉阵列中通过并行执行多个计算实例可以弥补这一弱点[13-15]. 但是,在较少步骤内实现复杂计算功能的状态逻辑操作仍然值得深入研究,因为它直接关系到存内状态逻辑计算系统的效率. 而针对复杂计算过程,如何准确找到最优状态逻辑门级联序列就是状态逻辑综合映射问题.

    在状态逻辑研究的早期阶段,大多研究工作都是通过手动设计状态逻辑门的级联序列来实现复杂计算实例. 例如,Talati等人[10]使用“PMASM-two-3NOR”逻辑门,通过12步级联实现了1位全加器操作;Adam等人[16]使用“PMR-two-2IMP”“APMR-two-2IMP”逻辑门级联实现了3维忆阻阵列中的1位全加器,其中由于涉及许多读取和写入操作,级联需要35个步骤;Huang等人[9]使用“PMR-two-3NAND”状态逻辑门,通过10步级联实现了1位全加法器;Xu等人[11]级联6个APMR状态逻辑门,通过14步级联完成1位全加器的操作;Sun等人[17]采用多输入复合状态逻辑门将1位全加器的实现步数减小为2步. 这种手动设计的策略能够应用于小规模电路功能的固定设计,但对于复杂的大规模电路功能,手动设计是耗时并且容易出错的. 因此,需要研发自动化的逻辑综合工具,以实现复杂计算.

    目前,研究者们已经开发了多种状态逻辑综合工具,能够在忆阻交叉阵列中以较少的时间成本(或其他目标)找到实现复杂逻辑功能的状态逻辑门执行序列[8,15,18-26]. 对状态逻辑自动化综合工具的研究主要分为2个阶段:

    第1个阶段考虑复杂计算功能到状态逻辑门功能的分解,并未过多地考虑阵列映射的约束[27-30]. 如Chakraborti等人[27]提出了一种采用忆阻器有效实现2-1多路复用器的方法,并提出了一种综合方法,该方法将给定的布尔逻辑表示为简化有序二进制决策图(ROBDD);Chattopadhyay等人[28]对传统的综合算法进行了扩展,提出了新的启发式算法. 此外,Bürger等人[18]提出了一种使用面向CMOS的综合工具(如ABC工具)将复杂逻辑功能分解为状态逻辑门的基本功能的方法.

    第2个阶段是利用CMOS综合工具自动化地完成逻辑综合,然后考虑阵列约束,完成状态逻辑门到阵列的位置映射. 该阶段的研究大体又可以分为2类:一类是面向全阵列范围映射的状态逻辑综合映射工作,此类工作主要以状态逻辑门数最少和最大限度门级并行为综合映射的优化目标,少数工作探讨了面积(器件个数)的约束. 例如,Hur等人[19]提出了一种通用的综合映射流程(SIMPLE MAGIC),该流程使用了“PMASM-two-3NOR”“PMASM-one-2NOT”逻辑门,面向全阵列范围优化状态逻辑门的执行,并考虑所涉及的阵列约束.Bhattacharjee等人[21]提出的综合映射流程(CONTRA)使用基于查找表(LUT)的输入函数映射到忆阻交叉阵列上,最大限度地实现并行操作,并使用一种新的搜索技术在忆阻交叉阵列内以最佳方式移动数据. 然而,面向全阵列范围的综合映射方法多数需要依赖求解器遍历求解空间,是一个耗时的过程,从降低求解时间的角度考虑,出现了另一类面向单行/列映射的综合映射方法. 这类方法的代表性工作为Hur等人[15]提出的改进的自动综合和映射方法,称为SIMPLER MAGIC.该综合映射流程的优化目标是从以前的最小延迟(操作步骤数)转换为最小面积(使用的器件数量),在需要时重用单元以节省面积[5].

    可以看到,当前的多数状态逻辑综合映射工作的研究皆以计算延时为优化目标,少数工作针对阵列面积(器件数目)的约束进行了讨论,鲜有针对其他目标,特别是器件磨损的研究和探讨. 因此,本文以降低状态逻辑计算过程的器件磨损为目标,探索新的状态逻辑综合映射方法,提高边缘计算设备的使用寿命,从而降低维护和更换成本.

    如1.2节所述,复杂状态逻辑计算过程的自动化设计实现需要2个方面的内容:一是有功能完备且可在同一忆阻交叉阵列中配置的状态逻辑门;二是有自动化综合映射方法的支持. 因此,在进行状态逻辑综合映射研究之前,首先需要对综合映射中所要使用的多种状态逻辑门进行功能和兼容性验证,保证逻辑功能的正确性和阵列可配置性. 本文使用SPICE电路仿真工具对6种PMR结构的状态逻辑门进行功能验证,包括COPY,NOT,NOR,OR共4种简单门和IMP,ONOR共2种复合门. 验证过程中使用Stanford大学的开源ReRAM器件模型(metal oxide resistive random access memory Verilog-A models, Version 1.0.0)[31],仿真使用的器件参数如表1所示.

    表  1  器件参数
    Table  1.  Device Parameters
    参数 解释 默认值
    T_ini /K 温度 298
    F_min /(V/m) 促进隧穿间隙形成的最小场强 1.4E9
    Tox /nm 氧化层厚度 12
    gap_ini /nm 初始隧穿间隙 1.8
    gap_min /nm 最小隧穿间隙 0.2
    gap_max /nm 最大隧穿间隙 1.8
    下载: 导出CSV 
    | 显示表格

    在所采用的忆阻器模型中,离子和空穴迁移的复杂过程被简化为1维导电细丝的生长/溶解,并保留了基本的转变物理特性. 隧穿间隙(gap distance)的大小,即导电细丝尖端与顶部电极之间的距离,是决定器件电阻的主要变量[31]. 因此,在实际功能验证过程中,通过设置间隙距离将器件的初始状态设置为高阻态(HRS)或低阻态(LRS),选择1.7 nm的间隙距离所对应的电阻状态作为HRS,0.3 nm的间隙距离所对应的电阻状态作为LRS.通过尝试,我们取置位电压为 1.4 V,复位电压为 −1.0 V,作为状态逻辑门操作条件的求解参数.

    根据1.1节所使用的状态逻辑门命名规则,本文所使用的6个状态逻辑门可分为4类:第1类是“PMR-one-2x”,包括“PMR-one-2NOT”“PMR-one-2COPY”;第2类是“PMR-two-2x”,包括“PMR-two-2IMP”;第3类是“PMR-two-3x”,包括“PMR-two-3NOR”“PMR-two-3OR”;第4类是“PMR-three-3x”,包括“PMR-three-3ONOR”. 在上述分类中,第1,2类状态逻辑门的电路结构相同,如图4(a)所示. 其中,“PMR-two-2IMP”是由“PMR-one-2NOT”扩展而来的复合门;第3,4类状态逻辑门的电路结构相同,如图4(b)所示,且“PMR-three-3ONOR”是由“PMR-two-3NOR”扩展而来的复合门. 以下分2个小节对上述4类状态逻辑门的仿真验证进行阐述.

    图  4  状态逻辑门电路结构图
    Figure  4.  The circuit structure diagram of the stateful logic gates

    “PMR-one-2NOT”“PMR-one-2COPY”“PMR-two-2IMP”的电路结构由2个并联的忆阻器M1M2和1个串联的电阻RS(50 Ω)构成. 在仿真验证时,根据逻辑门的状态转换,通过在VinVout端口施加特定的操作电压,使忆阻器获得相应分压,由此实现不同的逻辑功能. 仿真结果如图5所示,对于每一个分图,最上方第1幅图展示了施加的电压激励,其他的图展示了各种逻辑状态变化情况下间隙距离的变化曲线.

    图  5  COPY,NOT,IMP门的仿真验证结果
    Figure  5.  Simulation verification results of COPY, NOT, and IMP gates

    “PMR-two-3NOR”“PMR-two-3OR”“PMR-three-3ONOR”的电路结构由3个并联的忆阻器M1M2M3和1个串联的电阻RS(50 Ω)构成,仿真结果如图6所示.

    图  6  OR,NOR,ONOR门的仿真验证结果
    Figure  6.  Simulation verification results of OR, NOR, and ONOR gates

    由于所有状态逻辑门的仿真皆基于相同参数的忆阻器模型,且它们的结构皆为兼容于忆阻交叉阵列的电路结构. 因此,可以认为这6种状态逻辑门可在由该参数忆阻器构成的交叉阵列中成功执行. 接下来,将介绍采用这6种状态逻辑门,依托忆阻交叉阵列完成复杂状态逻辑计算的低磨损综合映射方法.

    本节介绍面向低磨损存内计算的多状态逻辑门综合映射方法. 该方法采用包含多种状态逻辑门的综合映射过程来降低复杂存内状态逻辑计算过程的翻转率(toggle rate),综合映射流程如图7所示.

    图  7  低磨损状态逻辑综合与映射流程
    Figure  7.  Stateful logic synthesis and mapping flow for low wear

    首先,我们使用商用逻辑综合工具将复杂逻辑功能综合为由“PMR-one-2NOT”“PMR-two-3NOR”“PMR-two-3OR”逻辑功能构成的网表,在此过程中以门的总翻转率最小为优化目标. 然后,对该网表进行后处理,按照合并规则将可合并的简单门功能合并为复合门功能,从而进一步引入“PMR-two-2IMP”“PMR-three-3ONOR”“PMR-one-2COPY”(解决循环依赖[8])功能,合并过程同样以降低翻转率为判断条件. 最后,将经过后处理的网表功能与对应的状态逻辑门一一映射并将状态逻辑门按执行顺序配置到单行忆阻交叉阵列上,得到相应的状态逻辑门级联顺序和位置,并计算得到其翻转率.

    状态逻辑门的翻转率是其逻辑状态转变的平均概率. 以“PMR-two-3NOR”为例,输出忆阻器M3的初始状态为逻辑0(HRS),在经过逻辑操作后,4种情况中仅有1种情况的状态会发生改变,如图1中真值表所示. 因此,“PMR-two-3NOR”在进行逻辑操作时状态发生转变的平均概率为0.25.同理,“PMR-three-3ONOR”的翻转率为0.125. 表2列出了各个状态逻辑门的翻转率,该翻转率可以衡量门的磨损程度.

    表  2  本文使用到的6种状态逻辑门的翻转率
    Table  2.  Toggle Rates of the Six Stateful Logic Gates Used in This Paper
    状态逻辑门翻转率
    COPY0.5
    NOT0.5
    NOR0.25
    OR0.25
    IMP0.25
    ONOR0.125
    下载: 导出CSV 
    | 显示表格

    复杂逻辑综合过程使用商用CMOS逻辑电路的综合工具完成复杂逻辑功能到状态逻辑门功能的分解. 具体综合过程如下:

    首先,根据所使用的状态逻辑门功能定义单元库,即.lib文件. 从标准单元库中定义NOT,NOR,OR门作为一个新的自定义单元库. 然后,修改所定义门的面积(area)参数为对应状态逻辑门的翻转率. 最后,设置面积最小为综合目标,完成综合过程,得到由3种简单门功能构成的低翻转率的网表.

    上一步得到的简单门功能网表中,可能存在{NOT,OR},{NOR,OR},{NOT,NOR},{NOR,NOR},{NOT,NOT}这些功能团组. 根据1.1节中描述的简单门和复合门对应关系以及逻辑等价性变换关系,可对网表进行后处理变换.

    值得注意的是,为避免输入覆盖造成错误,在对简单门进行合并时,要遵循2个规则[8]

    1) 若合并后的复合门覆盖的输入同时也是其他状态逻辑门的输入时,则2个简单门不能合并;

    2) 若第2个简单门的输入是其他复合门的被覆盖输入,则2个简单门不能合并.

    在满足上述规则的情况下,可以进行的合并如表3所示.

    表  3  状态逻辑门的合并
    Table  3.  Merges of Stateful Logic Gates
    情况 功能团组 合并后
    1 {NOR,OR} ONOR
    2 {NOT,OR} IMP
    3 {NOT,NOR} IMP,NOT
    4 {NOR,NOR} ONOR,NOT
    5 {NOT,NOT} NOT
    下载: 导出CSV 
    | 显示表格

    由合并前后的翻转率计算可知,进行情况3合并后翻转率保持不变(0.5+0.25 = 0.25 + 0.5),进行情况4合并后翻转率会上升(0.25+0.25 < 0.125 + 0.5). 在以低磨损为目标的综合映射方法中,还需分别对情况3和情况4进行处理.

    为使得翻转率进一步降低,应取消情况3的合并,保留下来的NOR门和NOT门可以进行其他使得翻转率降低的合并.

    对于情况4的处理,单纯地像情况3那样取消合并,并不能得到预期的优化效果. 这是由于情况4中第2个NOR分解为OR和NOT门后,会出现2个NOT门相连的情况,满足情况5. 可以同时考虑情况4和情况5合并使得翻转率进一步降低,新的合并过程为:

    NOR+ NOR+ NOT=>

    NOR+ OR+ NOT+ NOT=>

    ONOR+ NOT.

    综上所述,后处理阶段状态逻辑门的合并规则为:

    1) NOR(0.25)+ OR(0.25)=> ONOR(0.125);

    2) NOT(0.5)+ OR(0.25)=> IMP(0.25);

    3) NOR(0.25)+ NOR(0.25)+ NOT(0.5)=>

    NOR(0.25)+ OR(0.25)+ NOT(0.5)+ NOT(0.5)=>

    ONOR(0.125)+ NOT(0.5);

    4) NOT(0.5)+ NOT(0.5)=> NOT(0.5).

    其中,前3种变换,式子左右逻辑功能等价,前一个简单门的输入可直接指向复合门. 而第4种变换,前一个NOT门的输入即为正确的输出,直接连向其他状态逻辑门即可.

    完成后处理过程后,得到新的包含复合门功能的网表,进一步需要基于该网表的级联关系,完成状态逻辑门到忆阻交叉阵列的映射. 本文遵循LOSSS中的映射方法[8],以单指令多数据(single instruction multiple data,SIMD)计算场景为背景,采用了面向行/列的映射模式,允许同时执行复杂逻辑的多个实例,每个实例都压缩到交叉阵列的一行中. 通过修改现有的SIMPLER MAGIC映射工具[15],以满足对多状态逻辑门映射的需求.

    首先,读入经过后处理的网表文件,识别所使用的逻辑功能并根据逻辑功能匹配到相应的状态逻辑门,提取相应逻辑结构以及节点信息.

    其次,确定状态逻辑门的执行顺序. 状态逻辑门的执行顺序与该门所代表的节点的单元使用值(cell usage,CU)有关. 在SIMPLER MAIGC的算法中,该值为执行一个门所需要的内存单元(作为输入的节点)的估计值[15]. 单元使用值较大的门应该先执行,由此作为该门的输入节点所占用的忆阻器单元可以尽早地被释放,重新分配新的节点. 此外,为保证逻辑功能的正确性,复合门所代表的节点应在其所有兄弟节点中最后被映射和执行.

    最后,根据设定的阵列宽度(row size)为每个节点分配内存单元,得到整个逻辑执行的延迟和重用单元数. 其中,每一个节点包含3个状态:1)可使用(available)状态;2)已使用(used)状态;3)尚未初始化(uninitialized)状态. 处于状态3)的节点经过初始化转变为状态1);处于状态1)的节点可以被分配使用,并转为状态2);当处于状态2)的节点不再参与后续执行时,可以释放并重用该节点. 此外,在对映射后结果统计时,重用单元的平均翻转率记为0.5,需要计入总翻转率.

    为评价优化的效果,我们采用提出的低磨损综合映射方法对EPFL[32],LGSynth91[33]基准电路测试集进行实验测试.LGSynth91是一个在集成电路(IC)设计和测试领域广泛使用的基准电路集合,包含了多种用于评估和设计优化算法的标准电路. 相较于LGSynth91,EPFL测试集的电路规模更大,对逻辑优化工具提出了更高的要求. 本文分别选取EPFL,LGSynth91中的10个测试电路,经过综合映射后,统计最终状态逻辑门映射序列的延迟和翻转率,并与采用当前2种典型的状态逻辑综合映射工具SIMPLER MAGIC[15],LOSSS[8]得到的结果进行对比.

    为了公平比较,3个综合映射流程的CMOS逻辑综合阶段均使用相同的商用CMOS逻辑电路综合工具. 本文的方法和LOSSS的自定义单元库中包含OR,NOR,NOT门,而SIMPLER MAGIC中仅包含NOR,NOT门. 本文所提出的低磨损综合映射方法的自定义单元库中各个门的面积参数设置为其对应的翻转率,而LOSSS,SIMPLER MAGIC的自定义单元库中各个门的面积参数设置为相同的值. 除自定义单元库不同之外,综合环境、综合约束等均与原流程保持一致.

    在进行3种综合映射方法的比较时,每个测试样例映射的阵列宽度设置为3个综合映射流程能够进行综合映射的最小宽度的最大值. 表4中罗列了3个综合映射流程下各个测试集的最小阵列宽度,再对每个测试集取阵列宽度的最大值,即为最终的阵列宽度.

    表  4  阵列宽度选取
    Table  4.  Selection of Row Size
    EPFL
    测试电路 本文 LOSSS SIMPLER MAGIC 阵列宽度选取
    adder 510 463 390 510
    arbiter 2189 2147 1719 2189
    bar 636 636 399 636
    cavlc 168 169 124 169
    ctrl 54 56 45 56
    dec 371 371 267 371
    int2float 50 59 41 59
    max 870 854 783 870
    priority 250 191 194 250
    voter 1235 1110 1354 1354
    LGSynth91
    测试电路 本文 LOSSS SIMPLER MAGIC 阵列宽度选取
    alu2 74 80 78 80
    cm138a 30 30 17 30
    cm42a 22 25 16 25
    cmb 38 36 27 38
    cht 92 94 88 94
    term1 88 70 70 88
    f51m 37 42 32 42
    mux 31 31 31 31
    ttt2 64 67 57 67
    z4ml 18 16 20 20
    下载: 导出CSV 
    | 显示表格

    针对3种综合映射流程,分别得到各个测试样例的执行延迟和翻转率. 为进行更为直观的比较,选取SIMPLER MAGIC综合映射流程所得的结果为基准值,分别计算本文和LOSSS相较于SIMPLER MAGIC在执行延迟和翻转率2个指标上优化的比例(即数值下降的百分比),如图8~11所示.

    图  8  在执行延迟上相对于SIMPLER MAGIC减少的百分比(EPFL)
    Figure  8.  Percentage of reduced execution latency compared with SIMPLER MAGIC(EPFL)
    图  9  在翻转率上相对于SIMPLER MAGIC减少的百分比(EPFL)
    Figure  9.  Percentage of reduced toggle rate compared with SIMPLER MAGIC(EPFL)
    图  10  在执行延迟上相对于SIMPLER MAGIC减少的百分比(LGSynth91)
    Figure  10.  Percentage of reduced execution latency compared with SIMPLER MAGIC(LGSynth91)

    图8~11中数据可知:在执行延迟指标上,与SIMPLER MAGIC相比,本文所述综合映射流程在EPFL测试集上有最高45.35%和最低15.94%的降低,整体上平均有24.18%的降低;在LGSynth91测试集上有最高51.35%和最低21.74%的降低,整体上平均有34.67%的降低. 本文与LOSSS所得结果相差不大,在2个测试集下平均仅有不到1.20%的差距. 可以看到,虽然本文报道的综合映射方法是基于降低整个计算过程器件的总翻转率进行优化的,但是在计算延迟上相较于先前报道的LOSSS工具亦有改善. 这可能是由于目前所采用的商用CMOS综合映射工具基于启发式算法来进行优化,基于CMOS关键路径的延时优化是工具默认的优先级最高的综合优化属性. 而本文在基于CMOS的综合流程中,将门的面积设置为状态逻辑门翻转率的方法,或许产生了更好的起始网表,故而使得后处理和映射之后的状态逻辑门序列的总延时也有所降低.

    图  11  在翻转率上相对于SIMPLER MAGIC减少的百分比(LGSynth91)
    Figure  11.  Percentage of reduced toggle rate compared with SIMPLER MAGIC(LGSynth91)

    在翻转率指标上,与SIMPLER MAGIC相比,本文所述综合映射流程在EPFL测试集上有最高61.82%和最低21.94%的降低,整体上平均有35.55%的降低;在LGSynth91测试集上有最高65.52%和最低30.88%的降低,整体上平均有47.26%的降低. 同时,本文在2个测试集上相较于LOSSS综合映射流程平均分别有8.48%和6.72%的降低,与本文低磨损工具研发的初衷一致. 特别地,本文所述综合映射流程在mux测试电路上的总翻转率高于LOSSS.这是由于总翻转率的计算包含了单元重用部分,若仅考虑后处理结束后的结果,本文所述综合映射流程下的翻转率仍然低于LOSSS.

    综上所述,本文提出的综合流程与SIMPLER MAGIC 和 LOSSS相比,在翻转率和执行延迟上均得到了一定优化.

    在本文工作中,首先验证了多种状态逻辑门对同一忆阻存储阵列的兼容性. 然后以翻转率最优为约束,研究面向忆阻存储阵列内低磨损计算的状态逻辑综合映射方法,建立了包含多种状态逻辑门的复杂逻辑计算综合映射流程,可以针对任意给定计算功能,给出低磨损的状态逻辑门级联序列和位置,具有重要的理论意义. 后续的工作中可以考虑加入更多的状态逻辑门或是选择更优的状态逻辑门组合. 同时,可以综合考虑多个优化目标,在阵列规模、处理时效以及器件寿命上,取得更优的折中.

    作者贡献声明:赵安宁与许诺为共同第一作者,许诺提出了论文的总体框架和算法思路,赵安宁完善了想法和算法细节并完成了实验和结果分析;许诺和赵安宁撰写论文的主体部分;刘康和罗莉参与了想法和方案讨论;所有作者都参与了论文讨论和修改.

  • 图  1   DNS递归解析服务流程

    Figure  1.   DNS recursive resolution service process

    图  2   历史DNS安全扩展机制

    Figure  2.   Historical DNS security extension mechanism

    图  3   DNS递归解析服务系统安全漏洞与攻击类型

    Figure  3.   DNS recursive resolution service system security vulnerabilities and attack types

    图  4   DNS劫持与缓存污染攻击

    Figure  4.   DNS hijacking and cache poisoning attacks

    图  5   直接破坏递归解析服务器与利用递归解析服务器攻击其他服务器

    Figure  5.   Directly destroying a recursive resolution server and using a recursive resolution server to attack other servers

    图  6   DNS安全扩展机制

    Figure  6.   DNS security extension mechanisms

    图  7   DNSCrypt和DNSCurve

    Figure  7.   DNSCrypt and DNSCurve

    图  8   DNS cookie通信

    Figure  8.   DNS cookie communication

    图  9   QNAME最小化原理

    Figure  9.   QNAME minimization principle

    图  10   DNSSEC信任链

    Figure  10.   DNSSEC chain of trust

    图  11   安全扩展机制测量方法

    Figure  11.   Security extension mechanisms measurement methodology

    表  1   缓存污染攻击类型

    Table  1   Types of Cache Poisoning Attacks

    实现方法伪造字段代表性攻击
    TXID与源端口号去随机化ANSWER字段侧信道攻击
    伪造权威区和附加区的信息NS记录Kaminsky攻击
    MaginotLine攻击
    递归解析服务器中实现分片嫁接ANSWER字段分片重组攻击
    BGP前缀劫持ANSWER字段BGP劫持攻击
    下载: 导出CSV

    表  2   DNS软件漏洞类型

    Table  2   Types of DNS Software Vulnerabilities

    漏洞类型危害威胁
    任意代码执行攻击者能够在目标主机或目标进程中执行任意命令或代码
    访问控制绕过攻击者绕过身份验证,获得访问权限
    攻击提权获取系统或应用的额外权限
    信息泄露用户或系统敏感数据泄露
    程序崩溃扰乱服务器功能,致使其不能正常为用户提供服务
    下载: 导出CSV

    表  3   DNS软件漏洞详细信息

    Table  3   Details of DNS Software Vulnerabilities

    软件名称 漏洞总数
    (141个)
    漏洞攻击类型
    任意代码执行 访问控制绕过 攻击提权 信息泄露 程序崩溃
    最新版本 平均水平/% 最新版本 平均水平/% 最新版本 平均水平/% 最新版本 平均水平/% 最新版本 平均水平/%
    ISC BIND36-5.60-2.80-5.60-2.801, 7.583.20
    Unbound7--------2, 7.5100
    DNSmasq17-17.60-----5.90-76.50
    Knot DNS5--------1, 7.5100
    PowerDNS28---3.60-3.60-3.601, 7.589.20
    Mikrotik48-14.60---2.10---83.30
    软件名称漏洞分数
    高危漏洞占比/%中危漏洞占比/%低危漏洞占比/%
    ISC BIND45.2048.406.40
    Unbound70.0030.00-
    DNSmasq66.6033.40-
    Knot DNS78.6021.40-
    PowerDNS50.0048.501.50
    Mikrotik4357-
    注:漏洞攻击类型中,平均水平一栏中所示数字为该漏洞类型在所有漏洞类型中的分布比例. 最新版本一栏中所示数字为最新版本中该类型漏洞数量及平均漏洞分数(漏洞数量,平均漏洞分数);表格中标明“-”处代表软件在当前版本情况下不存在该类漏洞.
    下载: 导出CSV

    表  4   DNSCurve防御原理与相关攻击

    Table  4   DNSCurve Defense Principles and Related Attacks

    使用方法针对攻击
    加密DNS请求与响应DNS伪造、DNS信息窥探收集
    加密身份验证DNS记录伪造
    过滤攻击者伪造的恶意DNS数据包DNS拒绝服务攻击
    使用96位随机数、密文传输重放攻击
    下载: 导出CSV

    表  5   DNSSEC记录类型与密钥类型

    Table  5   DNSSEC Record Types and Key Types

    类型 标记 意义
    记录类型 DNSKEY 记录保存ZSK,KSK的公钥
    DS record 由父域ZSK私钥签名,用以保护子域
    KSK公钥完整性
    RRSIG KSK私钥对ZSK公钥的签名,
    保护ZSK公钥完整性
    密钥类型 ZSK 区域签署密钥,于对域内各类型数据进行签名
    KSK 密钥签署密钥,于对ZSK公钥签名
    下载: 导出CSV

    表  6   安全机制与DNS递归解析服务安全攻击的关系

    Table  6   The Relationship Between the Security Mechanism and the Security Attack of the DNS Recursive Resolution Service

    DNS安全扩展机制 攻击类型
    缓存污染 DNS劫持 直接破坏DNS
    递归解析服务器
    利用DNS递归解析服务器
    攻击其他服务器
    软件漏洞利用
    机密性DoT
    DoH
    DoQ
    DNSCurve
    DNSCrypt
    QNAME最小化
    完整性DNS cookie
    DNSSEC
    源地址认证
    DNS-0x20 encoding
    TXID与源端口随机化
    可用性DNS响应速率限制
    DNS递归解析服务池
    规则匹配
    版本隐藏
    软件维护与升级
    注:利用漏洞:①缺乏身份认证机制/完整性保护;②数据明文传输;③软件系统存在安全漏洞;④缺乏流量访问控制;⑤ 对异常流量缺乏鉴别能力;⑥具有被利用为放大器的潜力.符号:○几乎不具备防御能力;●可以作为主要的防御缓解措施;●存在一定的辅助性缓解作用.
    下载: 导出CSV

    表  7   3类常见攻击的防御手段

    Table  7   Defenses Against Three Common Types of Attacks

    DNS安全扩展机制NXDOMAIN攻击幻域攻击泛洪攻击
    DNSSEC cache-validation×
    nxdomain cut×
    源地址认证
    递归解析服务器池××
    注:“√”表示DNS安全扩展机制可以缓解该攻击;“×”表示DNS安全扩展机制不能缓解该攻击.
    下载: 导出CSV

    表  8   不同信道下攻击的防御手段比较

    Table  8   Comparison of Defenses Against Attacks in Different Channels

    攻击信道不同部署位置下存在
    区别的防御机制
    通用防御
    机制
    客户端与递归
    解析服务器端
    DNSCrypt源地址认证
    DNS cookie
    递归解析服务器端与
    权威服务器端
    DNSSEC cache-validation
    响应速率限制
    下载: 导出CSV
  • [1]

    Mockapetris P V. RFC1034 Domain Names-Concepts and Facilities[S]. Fremont, CA: IETF Community, 1987

    [2]

    Mockapetris P V. RFC1035 Domain Names-Implementation and Specification[S]. Fremont, CA: IETF Community, 1987

    [3]

    Callejo P, Cuevas R, Vallina-Rodriguez N, et al. Measuring the global recursive DNS infrastructure: A view from the edge[J]. IEEE Access, 2019, 7: 168020−168028 doi: 10.1109/ACCESS.2019.2950325

    [4]

    Khormali A, Park J, Alasmary H, et al. Domain name system security and privacy: A contemporary survey[J]. Computer Networks, 2021, 185: 107699 doi: 10.1016/j.comnet.2020.107699

    [5]

    Van Der Toorn O, Müller M, Dickinson S, et al. Addressing the challenges of modern DNS a comprehensive tutorial[J]. Computer Science Review, 2022, 45(1): 100−469

    [6]

    Grothoff C, Wachs M, Ermert M, et al. Toward secure name resolution on the internet[J]. Computers & Security, 2018, 77: 694−708

    [7]

    Zou Futai, Zhang Siyu, Pei Bei, et al. Survey on domain name system security C]//Proc of the 1st IEEE Int Conf on Data Science in Cyberspace (DSC). Piscataway, NJ: IEEE, 2016: 602−607

    [8]

    Kim T H, Reeves D. A survey of domain name system vulnerabilities and attacks[J]. Journal of Surveillance, Security and Safety, 2020, 1(1): 34−60

    [9]

    Schmid G. Thirty years of DNS insecurity: Current issues and perspectives[J]. IEEE Communications Surveys & Tutorials, 2021, 23(4): 2429−2459

    [10] 王文通,胡宁,刘波,等. DNS 安全防护技术研究综述[J]. 软件学报,2020,31(7):2205−2220

    Wang Wentong, Hu Ning, Liu Bo. Survey on technology of security enhancement for DNS[J]. Journal of Software, 2020, 31(7): 2205−2220(in Chinese)

    [11] 张曼,姚健康,李洪涛,等. DNS 信道传输加密技术:现状,趋势和挑战[J]. 软件学报,2024,35(1):309−332

    Zhang Man, Yao Jiankang, Li Hongtao. Encryption technologies for DNS channel transmission: Status, trends and challenges[J]. Journal of Software, 2024, 35(1): 309−332(in Chinese)

    [12] 张宾,张宇,张伟哲. 递归侧 DNS 安全研究与分析[J/OL]. 软件学报[2024-03-05]. https://jos.org.cn/jos/article/abstract/6987

    Zhang Bing, Zhang Yu, Zhang Weizhe. Study and analysis of recursive side DNS security [J/OL]. Journal of Software[2024-03-05]. https://jos.org.cn/jos/article/abstract/6987(in Chinese)

    [13]

    Moura G C M, Castro S, Hardaker W, et al. Clouding up the internet: How centralized is dns traffic becoming?[C]//Proc of the 20th ACM Internet Measurement Conf. New York: ACM, 2020: 42−49

    [14]

    Li Xiang, Lu Chaoyi, Liu Baojun, et al. The maginot line: Attacking the boundary of DNS caching protection [C]//Proc of the 32nd USENIX Security Symp. Berkeley, CA: USENIX Association, 2023: 3153−3170

    [15]

    Schomp K, Callahan T, Rabinovich M, et al. On measuring the client-side DNS infrastructure[C]//Proc of the 13th Conf on Int measurement Conf. New York: ACM, 2013: 77−90

    [16]

    Romain Fouchereau. Securing anywhere networking[EB/OL]. [2024−03-05]. https://efficientip.com/wp-content/uploads/2022/10/IDC-EUR149048522-EfficientIP-infobrief_FINAL.pdf

    [17] (本刊综合. 2014年中国网络安全大事记 [J/OL]. 保密工作,2015[2024-

    Journal Synthesis. China's cybersecurity events in 2014 [J/OL]. Secrecy, 2015[2024-01-01]. http: //sdghasgdas (in Chinese) 01-01]. http://sdghasgdas

    [18]

    Ameet Naik. Anatomy of a BGP hijack on Amazon's route 53 DNS service [EB/OL]. (2018-04-25)[2024-03-05]. https://www.thousandeyes.com/blog/amazon-route-53-dns-and-bgp-hijack

    [19]

    Operation Team. October 6th: DNS security incident statement & guide [EB/OL]. [2023-10-06]. https://help.galxe.com/en/articles/8452958-october-6th-dns-security-incident-statement-guide

    [20]

    Alharbi F, Chang Jie, Zhou Yuchen, et al. Collaborative client-side DNS cache poisoning attack [C]//Proc of the IEEE Conf on Computer Communications(INFOCOM 2019). Piscataway, NJ: IEEE, 2019: 1153−1161

    [21]

    Wikipedia Contributors. Dan Kaminsky[EB/OL]. [2024-03-05]. https:// en.wikipedia.org/wiki/Dan Kaminsky

    [22]

    Sun Hungmin, Chang Wenhsuan, Chang Shihying, et al. DepenDNS: Dependable mechanism against DNS cache poisoning [C]//Proc of the 8th Int Conf on Cryptology and Network Security (CANS 2009). Berlin: Springer, 2009: 174−188

    [23]

    Man Keyu, Qian Zhiyun, Wang Zhongjie, et al. Dns cache poisoning attack reloaded: Revolutions with side channels [C]//Proc of the 2020 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2020: 1337−1350

    [24]

    Zheng Xiaofeng, Lu Chaoyi, Peng Jian, et al. Poison over troubled forwarders: A cache poisoning attack targeting DNS forwarding devices [C]// Proc of the 29th USENIX Security Symp (USENIX Security 20). Berkeley, CA: USENIX Association, 2020: 577−593

    [25]

    Brandt M, Dai Tianxiang, Klein A, et al. Domain validation++ for mitm- resilient pki[C]//Proc of the Conf on Computer and Communications Security (ACM SIGSAC 2018). New York: ACM, 2018: 2060−2076

    [26]

    Cho S, Fontugne R, Cho K, et al. BGP hijacking classification [C]//Proc of the 2019 Network Traffic Measurement and Analysis Conf (TMA 2019). Piscataway, NJ: IEEE, 2019: 25−32

    [27]

    Wikipedia Contributors. DNS hijacking[EB/OL]. [2024-03-05]. https://en. wikipedia.org/wiki/DNS_hijacking

    [28]

    Braun B. Investigating dns hijacking through high frequency measurements[D]. San Diego: UC San Diego, 2016

    [29]

    Weaver N, Kreibich C, Paxson V. Redirecting DNS for ads and profit [C/OL]//Proc of the USENIX Workshop on Free and Open Communications on the Internet (FOCI 11). Berkeley, CA: USENIX Association, 2011[2024−03−05]. https://www.usenix.org/legacy/events/foci11/tech/final_files/ Weaver.pdf

    [30]

    Tsai E, Kumar D, Raman R S, et al. CERTainty: Detecting DNS manipulation at scale using TLS certificates[J]. arXiv preprint, arXiv: 2305.08189, 2023

    [31]

    Pearce P, Jones B, Li F, et al. Global measurement of DNS manipulation [C]//Proc of the 26th USENIX Security Symp (USENIX Security 17). Berkeley, CA: USENIX Association, 2017: 307−323

    [32]

    Fejrskov M, Pedersen J M, Vasilomanolakis E. Detecting DNS hijacking by using NetFlow data [C]//Proc of the 2022 IEEE Conf on Communications and Network Security (CNS). Piscataway, NJ: IEEE, 2022: 273−280

    [33]

    Liu Baojun, Lu Chaoyi, Duan Haixin, et al. Who is answering my queries: Understanding and characterizing interception of the DNS resolution path [C]// Proc of the 27th USENIX Security Symp (USENIX Security 18). Berkeley, CA: USENIX Association, 2018: 1113−1128

    [34]

    Randall A, Liu Enze, Padmanabhan R, et al. Home is where the hijacking is: Understanding DNS interception by residential routers [C]//Proc of the 21st ACM Internet Measurement Conf. New York: ACM, 2021: 390−397

    [35]

    Radware. What is DNS flood attack (DNS flooding)[EB/OL]. [2024−03-05]. https://www.radware.com/security/DDOS-knowledge-center/DDOSpedia/dns-flood/

    [36]

    Bortzmeyer S, Huque S. RFC8020: NXDOMAIN: There Really is Nothing Underneath[S]. Fremont, CA: IETF Community, 2016

    [37]

    whatsmydns. net. NXDOMAIN attacks[EB/OL]. [2024-03-05]. https://www.whatsmydns.net/dns-security/dns-attacks/nxdomain-attacks

    [38]

    Li Weimin, Chen Luying, Lei Zhenming. Alleviating the impact of DNS DDOS attacks [C]//Proc of the 2nd Int Conf on Networks Security, Wireless Communications and Trusted Computing. Piscataway, NJ: IEEE, 2010: 240−243

    [39]

    Alieyan K, Kadhum M M, Anbar M, et al. An overview of DDOS attacks based on DNS [C]//Proc of the 2016 Int Conf on Information and Communication Technology Convergence (ICTC). Piscataway, NJ: IEEE, 2016: 276−280

    [40]

    Yazdani R, van Rijswijk-Deij R, Jonker M, et al. A matter of degree: Characterizing the amplification power of open DNS resolvers [C]//Proc of the 23rd Int Conf on Passive and Active Network Measurement(PAM 2022). Berlin: Springer, 2022: 293−318

    [41]

    Duan Huaiyi, Bearzi M, Vieli J, et al. CAMP: Compositional amplification attacks against DNS [C]//Proc of the 33rd USENIX Security Symp (USENIX Security 24). Berkeley, CA: USENIX Association, 2024: 5769−5786

    [42]

    Anagnostopoulos M, Kambourakis G, Gritzalis S, et al. Never say never: Authoritative TLD nameserver-powered DNS amplification[C/OL]//Proc of the 2018 IEEE/IFIP Network Operations and Management Symp. Piscataway, NJ: IEEE, 2018[2024-03-05]. https://ieeexplore.ieee.org/stamp/stamp.jsp? arnumber=8406224&casa_token=i0ocXejqPzYAAAAA:7FixmD7NWvuKbHLvZrqk7tIisTx0whU-ZayJOiGDI5ZxdwehPvop1x1S9QOqMRZ8wb2WdtYrVFo

    [43]

    Nawrocki M, Jonker M, Schmidt T C, et al. The far side of DNS amplification: Tracing the DDoS attack ecosystem from the internet core[C]// Proc of the 21st ACM Internet Measurement Conf. New York: 2021: 419−434

    [44]

    Nosyk Y, Korczyński M, Duda A. Routing loops as mega amplifiers for dns-based ddos attacks[C]//Proc of the 23rd Int Conf on Passive and Active Network Measurement. Berlin: Springer, 2022: 629−644

    [45]

    Wikipedia Contributors. DNS flood[EB/OL]. [2024-03-05]. https://en.wikipedia.org/wiki/DNS_Flood

    [46]

    rsd attack. cyberattack[EB/OL]. [2024-03-05]. https://cybatk.com/2017 /03/25/rsd-attack/

    [47]

    Afek Y, Bremler-Barr A, Shafir L. NXNSAttack: Recursive DNS inefficiencies and vulnerabilities [C]//Proc of the 29th USENIX Security Symp (USENIX Security 20). Berkeley, CA: USENIX Association, 2020: 631−648

    [48]

    Sommese R, Claffy K C, van Rijswijk-Deij R, et al. Investigating the impact of DDOS attacks on DNS infrastructure [C]//Proc of the 22nd ACM Internet Measurement Conf. New York: ACM, 2022: 51−64

    [49]

    Allor P, Armstrong K, Beardsley T, et al. CVE[EB/OL]. [2024-03-05]. https://cve.mitre.org/

    [50]

    somebody. DNSpooq series vulnerability analysis and reproof[EB/OL]. [ 2024-03-05]. https://www.venustech.com.cn/new_type/aqldfx/20210201/22352.html

    [51]

    somebody. Vulnerability details : CVE−2020−8616[EB/OL]. [ 2024-03-05]. https://www.cvedetails.com/cve/CVE-2020-8616/?q=CVE-2020-8616

    [52]

    somebody. Nginx DNS resolver vulnerability (CVE−2021−23017) problem fix[EB/OL]. [2024-03-05]. https://blog.csdn.net/qq_42534026/article/details/117354728

    [53]

    somebody. Vulnerability details : CVE−2022−0635[EB/OL]. [ 2024-03-05]. https://www.cvedetails.com/cve/CVE-2022-0635/?q=CVE-2022-0635

    [54]

    Zhu Liang, Hu Zi, Heidemann J, et al. Connection-oriented DNS to improve privacy and security [C]//Proc of the 2015 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 2015: 171−186

    [55]

    Hu Zi, Zhu Liang, Heidemann J, et al. RFC7858: Specification for DNS over transport layer security (TLS)[S]. Fremont, CA: IETF Community, 2016

    [56]

    Reddy T, Wing D, Patil P. RFC8094 DNS over Datagram Tansport Layer Security (DTLS)[S]. Fremont, CA: IETF Community, 2017

    [57]

    Houser R, Li Zhou, Cotton C, et al. An investigation on information leakage of DNS over TLS [C]//Proc of the 15th Int Conf on Emerging Networking Experiments And Technologies. New York: ACM, 2019: 123−137

    [58]

    Hoffman P, McManus P. RFC8484 DNS Queries over HTTPS (DOH)[S]. Fremont, CA: IETF Community, 2018

    [59]

    Hounsel A, Borgolte K, Schmitt P, et al. Comparing the effects of DNS, DoT, and DoH on web performance [C]//Proc of the Web Conf 2020. New York: ACM, 2020: 562−572

    [60]

    Huitema C, Dickinson S, Mankin A. RFC9250 DNS over Dedicated QUIC connections[S]. Fremont, CA: IETF Community, 2022

    [61]

    Batenburg B. Performance of DNS over QUIC[D]. Enschede: University of Twente, 2022

    [62]

    Lyu M, Gharakheili H H, Sivaraman V. A survey on DNS encryption: Current development, malware misuse, and inference techniques[J/OL]. ACM Computing Surveys, 2022, 55(8)[2024-03-05]. https://dl.acm.org/doi/pdf/10.1145/3547331?casa_token=lSpIfqwii5cAAAAA:b9JvXsifAG6JD0bwupjGOEE2GuWpXrCY14LLrRf5tZ34d7rOYG2NJx1CNQjyw1EDqF97QhnznCDC2A

    [63]

    Badhwar R. Domain name system (DNS) security [M]//The CISO’s Next Frontier: AI, Post-Quantum Cryptography and Advanced Security Paradigms. Berlin: Springer, 2021: 207−212

    [64]

    Hu Guannan, Fukuda K. An analysis of privacy leakage in DoQ traffic [C]//Proc of the CoNEXT Student Workshop. New York: ACM, 2021: 7−8

    [65]

    hvt. DNSCrypt[EB/OL]. [2024-03-05]. https://github.com/DNSCrypt/ dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt

    [66]

    Andrews M. RFC7873 Domain Name System (DNS) Cookies[S]. Fremont, CA: IETF Community, 2016

    [67]

    Sury O, Toorop W, Eastlake 3rd D, et al. RFC9018 Interoperable Domain Name System (DNS) Server Cookies[S]. Fremont, CA: IETF Community, 2021

    [68]

    Dickson B. Authenticated DNS over TLS to authoritative servers[EB/OL]. [2024-03-05]. https://www.ietf.org/archive/id/draft-dickson-dprive-aDoTauth-06.html

    [69]

    Bernstein D. Curve25519: High-speed elliptic-curve cryptography[EB/OL]. [2024-03-05]. https://cr.yp.to/ecdh.html

    [70]

    Wikipedia Contributors. DNSCurve[EB/OL]. [2024-03-05]. https://en.wikipedia.org/wiki/DNSCurve

    [71]

    DNSCurve. org. Introduction to DNSCurve[EB/OL]. [2024-03-05]. https:// dnscurve.org/

    [72]

    Cooper A, Tschofenig H, Aboba B, et al. RFC6973 Privacy Considerations for Internet Protocols[S]. Fremont, CA: IETF Community, 2013

    [73]

    Bortzmeyer S, Dolmans R, Hoffman P. RFC9156 DNS Query Name Minimisation to Improve Privacy[S]. Fremont, CA: IETF Community, 2021

    [74]

    Bortzmeyer S. RFC7816: DNS Query Name Minimisation to Improve Privacy[S]. Fremont, CA: IETF Community, 2016

    [75]

    Verisign Labs. Query name minimization and authoritative DNS server behavior[EB/OL]. [2024-03-05]. https://indico.dns-oarc.net/event/21/ contributions/298/attachments/267/487/qname-min.pdf

    [76]

    Arends R, Austein R, Larson M, et al. RFC4033 DNS Security Introduction and Requirements[S]. Fremont, CA: IETF Community, 2005

    [77]

    Laurie B, Sisson G, Arends R, et al. RFC5155 DNS Security (DNSSEC) Hashed Authenticated Denial of Existence[S]. Fremont, CA: IETF Community, 2008

    [78]

    van Adrichem N L M, Blenn N, Lúa A R, et al. A measurement study of DNSSEC misconfigurations[J/OL]. Security Informatics, 2015, 4(1)[2024-03-05]. https://link.springer.com/content/pdf/10.1186/s13388-015-0023-y.pdf

    [79]

    Herzberg A, Shulman H. DNSSEC: Security and availability challenges [C]//Proc of the 2013 IEEE Conf on Communications and Network Security (CNS). Piscataway, NJ: IEEE, 2013: 365−366

    [80]

    Dagon D, Antonakakis M, Day K, et al. Recursive DNS Architectures and Vulnerability Implications [C/OL]//Proc of the NDSS. Reston, VA, USA: The Internet Society, 2009[2024-03-05]. https://coeus-center.com/articles/ recursive_dns_architectures.pdf

    [81]

    Hubert A, van Mook R. RFC 5452 Measures for Making DNS More Resilient Against Forged Answers[S]. Fremont, CA: IETF Community, 2009

    [82]

    Chandramouli R, Rose S. Secure domain name system (DNS) deployment guide[J/OL]. NIST Special Publication, 2006, 800[2024-03-05]. https://nvlpubs. nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf

    [83]

    Senie D. RFC2827 Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing[S]. Fremont, CA: IETF Community, 2000

    [84]

    Baker F, Savola P. RFC3704 Ingress Filtering for Multihomed Networks [S]. Fremont, CA: IETF Community, 2004

    [85]

    Vixie P, Schryver V. Dns response rate limiting (dns rrl)[EB/OL]. [2024-03-05]. http://ss.vix.su/~ vixie/isc-tn-2012-1.txt

    [86]

    Rossow C. Amplification hell: Revisiting network protocols for DDOS abuse [C/OL]//Proc of the NDSS. Reston, VA, USA: The Internet Society, 2014[2024-03-05]. https://dud.inf.tu-dresden.de/~strufe/rn_lit/ rossow14amplification.pdf

    [87]

    BlueKrypt. Cryptographic key length recommendation[EB/OL]. [2024-03-05]. https://www.keylength.com/en/4/

    [88]

    BlueKrypt. Cryptographic key length recommendation[EB/OL]. [2024-03-05]. https://www.keylength.com/en/3/

    [89]

    Perdisci R, Antonakakis M, Luo Xiapu, et al. WSEC DNS: Protecting recursive DNS resolvers from poisoning attacks [C]//Proc of the 2009 IEEE/IFIP Int Conf on Dependable Systems & Networks. Piscataway, NJ: IEEE, 2009: 3−12

    [90]

    Nosyk Y, Lone Q, Zhauniarovich Y, et al. Intercept and inject: DNS response manipulation in the wild [C]//Proc of the 24th Int Conf on Passive and Active Network Measurement. Berlin: Springer, 2023: 461−478

    [91]

    Hardaker W. Analyzing and mitigating privacy with the DNS root service [C/OL]//Proc of the NDSS: DNS Privacy Workshop. Reston, VA, USA: The Internet Society, 2018[2024-03-05]. https://ant.isi.edu/~hardaker/papers/ 2018-02-ndss-analyzing-root-privacy.pdf

    [92]

    Dai Tianxiang, Jeitner P, Shulman H, et al. From IP to transport and beyond: Cross-layer attacks against applications [C]//Proc of the 2021 ACM SIGCOMM. New York: ACM, 2021: 836−849

    [93]

    Kaminsky D. Black ops 2008: It’s the end of the cache as we know it[EB/OL]. [2024-03-05]. https://www.blackhat.com/presentations/bh-jp-08/ bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf

    [94]

    Trostle J, Van Besien B, Pujari A. Protecting against DNS cache poisoning attacks [C]//Proc of the 6th IEEE Workshop on Secure Network Protocols. Piscataway, NJ: IEEE, 2010: 25−30

    [95]

    Luo Jing. The latest DGA malicious domain name detection method in 2021 (with Python code)[EB/OL]. [2024-03-05]. https://bbs.huaweicloud.com/ blogs/detail/264516

    [96]

    Turner A, Athapathu R, Kharbanda C. Evaluating QUIC for privacy improvements over its predecessors[EB/OL]. [2024-03-05]. https://allison- turner.github.io

    [97]

    Hoang N P, Polychronakis M, Gill P. Measuring the accessibility of domain name encryption and its impact on internet filtering [C]//Proc of the 23rd Int Conf on Passive and Active Network Measurement. Berlin: Springer, 2022: 518−536

    [98]

    Alowaisheq E, Tang Siyuan, Wang Zhihao, et al. Zombie awakening: Stealthy hijacking of active domains through DNS hosting referral [C]//Proc of the 2020 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2020: 1307−1322

    [99]

    Akiwate G, Sommese R, Jonker M, et al. Retroactive identification of targeted DNS infrastructure hijacking [C]//Proc of the 22nd ACM Internet Measurement Conf. New York: ACM, 2022: 14−32

    [100]

    Fujiwara K, Kato A, Kumari W. RFC8198 Aggressive Use of DNSSEC-Validated Cache[S]. Fremont, CA: IETF Community, 2017

    [101]

    Damas J, Neves F. RFC5358 Preventing Use of Recursive Nameservers in Reflector Attacks[S]. Fremont, CA: IETF Community, 2008

    [102]

    Wikipedia Contributors. DNSCrypt[EB/OL]. [2024-03-05]. https://en. wikipedia.org/wiki/DNSCrypt

    [103]

    Davis J. The DNS bake sale: Advertising DNS cookie support for DDOS protection[D]. Provo: Brigham Young University, 2021

    [104]

    Rajendran B. DNS amplification & DNS tunneling attacks simulation, detection and mitigation approaches [C]//Proc of the 2020 Int Conf on Inventive Computation Technologies (ICICT). Piscataway, NJ: IEEE, 2020: 230−236

    [105]

    Lu Keyu, Li Zhengmin, Zhang Zhaoxin, et al. DNS recursive server health evaluation model [C/OL]//Proc of the 18th Asia-Pacific Network Operations and Management Symp (APNOMS). Piscataway, NJ: IEEE, 2016[2024-03-05]. https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7737281&casa_token=wnW5NSnV4hUAAAAA:xF6Bq9m9tzUywItG08EBiTdzZKpKRNbD6zPlXxR-10vbnKUUdX476jQBkeAfb2aPExMIRIbMeFc

    [106]

    Goldlust S, Almond C. How do I restrict only remote users from looking up the server version?[EB/OL]. [2024-03-05]. https://kb.isc.org/docs/aa-00308

    [107]

    Davis J, Deccio C. A peek into the DNS cookie jar: An analysis of DNS cookie use [C]//Proc of the 22nd Int Conf on Passive and Active Network Measurement. Berlin: Springer, 2021: 302−316

    [108]

    Lu Chaoyi, Liu Baojun, Li Zhou, et al. An end-to-end, large-scale measurement of dns-over-encryption: How far have we come? [C]//Proc of the 19th Internet Measurement Conf. New York: ACM, 2019: 22−35

    [109]

    Chhabra R, Murley P, Kumar D, et al. Measuring DNS-over-HTTPS performance around the world [C]//Proc of the 21st ACM Internet Measurement Conf. New York: ACM, 2021: 351−365

    [110]

    Kosek M, Doan T V, Granderath M, et al. One to rule them all? A first look at dns over quic [C]//Proc of the 22nd Int Conf on Passive and Active Network Measurement. Berlin: Springer, 2022: 537−551

    [111]

    Koshy A M, Yellur G, Kammachi H J, et al. An insight into encrypted DNS protocol: DNS over TLS [C]//Proc of the 4th Int Conf on Recent Developments in Control, Automation & Power Engineering (RDCAPE). Piscataway, NJ: IEEE, 2021: 379−383

    [112]

    Vekshin D, Hynek K, Cejka T. DoH insight: Detecting dns over https by machine learning [C]//Proc of the 15th Int Conf on Availability, Reliability and Security. New York: ACM, 2020[2024-03-05]. https://dl.acm.org/doi/pdf/10.1145/3407023.3409192?casa_token=5zTRxSHZ40YAAAAA:o9HHbXL9KKClSwL07f_UkFrmCKXK7Ev-8bJ4B-Td3TukMOvhkPTCqOf6HzIMUZ72yQ5xHdFN0-AWMQ

    [113]

    Takano Y, Ando R, Takahashi T, et al. A measurement study of open resolvers and DNS server version [C/OL]//Proc of the Internet Conf IEICE. Piscataway, NJ: IEEE, 2013[2024-03-05]. https://www.internetconference.org /ic2013/PDF/ic2013-paper01.pdf

    [114] 陆柯羽. DNS递归解析服务器推荐系统设计与实现 [D]. 哈尔滨:哈尔滨工业大学,2015

    Lu Keyu. Design and implementation of a DNS recursive server recommendation system [D]. Harbin: Harbin Institute of Technology, 2015 (in Chinese)

    [115]

    MacFarland D C, Shue C A, Kalafut A J. Characterizing optimal DNS amplification attacks and effective mitigation [C]//Proc of the 16th Int Conf on Passive and Active Measurement. Berlin: Springer, 2015: 15−27

    [116]

    Deccio C, Argueta D, Demke J. A quantitative study of the deployment of DNS rate limiting [C]//Proc of the 2019 Int Conf on Computing, Networking and Communications (ICNC). Piscataway, NJ: IEEE, 2019: 442−447

    [117] 陈怡丹 李馥娟. 数字证书安全性研究[J]. 信息安全研究,2021,7(9):836-843

    Chen Yidan, Li Fujuan. Research on security of digital certificate[J]. Journal of information research, 2021, 7(9): 836-843)(in Chinese)

    [118]

    Wander M. Measurement survey of server-side DNSSEC adoption [C/OL]//Proc of the 2017 Network Traffic Measurement and Analysis Conf. Piscataway, NJ: IEEE, 2017[2024-03-05]. https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8002913&casa_token=LgIpHGNSwPgAAAAA:2YFrNJv2Bp8T5n0J6PiN214AbOask5jtPpFzWTZHzirxSko7NN2FZP6iZvM9TFj9EIkEo3jZwRw

    [119]

    de Vries W B, Scheitle Q, Müller M, et al. A first look at QNAME minimization in the domain name system [C]//Proc of the 20th Int Conf on Passive and Active Measurement. Berlin: Springer, 2019: 147−160

    [120]

    Hilton A, Deccio C, Davis J. Fourteen years in the life: A root server’s perspective on DNS resolver security [C]//Proc of the 32nd USENIX Security Symp. Berkeley, CA: USENIX Association, 2023[2024-03-05]. https://www.usenix.org/system/files/usenixsecurity23-hilton.pdf

    [121]

    Dagon D, Antonakakis M, Vixie P, et al. Increased DNS forgery resistance through 0x20-bit encoding: Security via leet queries [C]//Proc of the 15th ACM Conf on Computer and Communications Security. New York: ACM, 2008: 211−222

    [122]

    Vyshnevskyi I. DNS and the bit 0x20[EB/OL]. [2024-03-05]. https:// hypothetical.me/short/dns-0x20/

    [123]

    Vyshnevskyi I. DNS resolver advanced options[EB/OL]. [2024-03-05]. https://hypothetical.me/short/dns-0x20/

    [124]

    CZ. NIC. Knot resolver 1.1. 0 release, August 2016[EB/OL]. [2024-03-05]. https://knotresolver.readthedocs.io/en/stable/NEWS.html#knotresolver-1-1-0-2016-08-12

    [125]

    Rukhin A, Soto J, Nechvatal J, et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications[M]. Gaithersburg: US Department of Commerce, Technology Administration, National Institute of Standards and Technology, 2001

    [126]

    Wang Yongge, Nicol T. Statistical properties of pseudo random sequences and experiments with PHP and Debian OpenSSL [C]//Proc of the 19th Computer European Symp on Research in Computer Security. Berlin: Springer, 2014: 454−471

    [127]

    Wikipedia Contributors. Wald–Wolfowitz runs test[EB/OL]. [2024-03-05]. https://en.wikipedia.org/wiki/Wald-Wolfowitz_runs_test

    [128]

    Wikipedia Contributors. Spectral test[EB/OL]. [2024-03-05]. https://en. wikipedia.org/wiki/Spectral_test

    [129]

    Wikipedia Contributors. Pearson's chi-squared test[EB/OL]. [2024-03-05]. https://en.wikipedia.org/wiki/Pearson%27s_chi-squared_test

    [130]

    Korczy´nski M, Nosyk Y, Lone Q, et al. Inferring the deployment of inbound source address validation using DNS resolvers [C]//Proc of the Applied Networking Research Workshop. New York: ACM, 2020: 9–11

    [131]

    MANRS. Mutually agreed norms for routing security[EB/OL]. [2024−03 −05]. https://www.manrs.org/

    [132]

    Lone Q, Luckie M, Korczyński M, et al. Using loops observed in traceroute to infer the ability to spoof [C]//Proc of the 18th Int Conf on Passive and Active Measurement. Berlin: Springer, 2017: 229−241

    [133]

    Korczyński M, Nosyk Y, Lone Q, et al. Don’t forget to lock the front door! inferring the deployment of source address validation of inbound traffic [C]//Proc of the 21st Int Conf on Passive and Active Measurement(PAM 2020). Berlin: Springer, 2020: 107−121

    [134]

    Spoofer Project. The spoofer project[EB/OL]. [2024-03-05]. https://www. caida.org/projects/spoofer/

图(11)  /  表(8)
计量
  • 文章访问数:  45
  • HTML全文浏览量:  17
  • PDF下载量:  19
  • 被引次数: 0
出版历程
  • 收稿日期:  2024-03-11
  • 修回日期:  2024-08-06
  • 录用日期:  2025-01-08
  • 网络出版日期:  2025-01-08

目录

/

返回文章
返回