High assurance segregated gateway interconnecting different domains

US 10,609,029 B2
Filed: 09/01/2016
Issued: 03/31/2020
Est. Priority Date: 09/04/2015
Status: Active Grant

First Claim

Patent Images

1. A gateway adapted to interconnect a first domain to a second domain, comprising:

memory,first and second protocol adapter code hosted respectively within the first and second domains and configured to make a conversion between an application data formatted according to an applicative protocol relative to said first and second domains and a gateway data formatted according to a gateway internal protocol, anda hosting platform that is a virtualization platform, the hosting platform being physically segregated from said first domain and connected to said first domain by a first data link and physically segregated from said second domain and connected to said second domain by a second data link, said hosting platform comprising;

a first network interface coupled to the first domain for communicating with the first data link;

a second network interface coupled to the second domain for communicating with the second data link;

a first set of one or more partitions hosted on the virtualization platform comprising a first set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the first data link along a first secure unidirectional path;

a second set of one or more partitions hosted on the virtualization platform comprising a second set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the first set of one or more partitions along the first secure unidirectional path, and to analyze the received gateway data according to a series of security rules at the gateway internal protocol level;

a third set of one or more partitions hosted on the virtualization platform comprising a third set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the second set of one or more partitions along the first secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the second data link along the first secure unidirectional path;

a fourth set of one or more partitions hosted on the virtualization platform comprising a fourth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the second data link along a second secure unidirectional path;

a fifth set of one or more partitions hosted on the virtualization platform comprising a fifth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fourth set of one or more partitions along the second secure unidirectional path, and to filter the received gateway data according to a series of application-level security rules;

a sixth set of one or more partitions hosted on the virtualization platform comprising a sixth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fifth set of one or more partitions along the second secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the first data link along the second secure unidirectional path;

wherein said second set of one or more partitions further causes the virtualization platform to gather information on gateway data flowing along said first unidirectional path;

wherein said fifth set of one or more partitions causes the virtualization platform to implement a first series of application-level security rules before allowing or disallowing the flow of gateway data from the second protocol adapter towards the first protocol adapter along the second unidirectional path, said first series of application-level security rules comprising first consulting rules intended to consult the information gathered by said second set of one or more partitions; and

wherein first and second protocol adapters hosted respectively within the first and second domains and configured to make a conversion between an application data formatted according to an applicative protocol relative to said first and second domains and a gateway data formatted according to a gateway internal protocol,wherein said first and second protocol adapter code comprise seventh and eighth sets of one or more components of code decomposed into a plurality of subsets of elementary components of code and being executable by the first and second domains, respectively.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway having an architecture authorizing bidirectional communication between applications located in different domains and presenting a high assurance level of protection. The gateway interconnects a first and second domain. The gateway comprises an internal protocol, first and second protocol adapters hosted within the first and second domains and configured to make a conversion between application data formatted according to an applicative protocol relative to the two domains and gateway data formatted according to the gateway internal protocol, and a security module hosted on a separate platform to communicate with the first and second protocol adapters via first and second data links according to the gateway internal protocol. The first and second protocol adapters and security module are each physically segregated and the security module comprises functional blocs configured to authorize secure bidirectional flow of gateway data along two different and separate unidirectional paths between the two protocol adapters.

32 Citations

View as Search Results

9 Claims

1. A gateway adapted to interconnect a first domain to a second domain, comprising:
- memory,first and second protocol adapter code hosted respectively within the first and second domains and configured to make a conversion between an application data formatted according to an applicative protocol relative to said first and second domains and a gateway data formatted according to a gateway internal protocol, anda hosting platform that is a virtualization platform, the hosting platform being physically segregated from said first domain and connected to said first domain by a first data link and physically segregated from said second domain and connected to said second domain by a second data link, said hosting platform comprising;
  
  a first network interface coupled to the first domain for communicating with the first data link;
  
  a second network interface coupled to the second domain for communicating with the second data link;
  
  a first set of one or more partitions hosted on the virtualization platform comprising a first set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the first data link along a first secure unidirectional path;
  
  a second set of one or more partitions hosted on the virtualization platform comprising a second set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the first set of one or more partitions along the first secure unidirectional path, and to analyze the received gateway data according to a series of security rules at the gateway internal protocol level;
  
  a third set of one or more partitions hosted on the virtualization platform comprising a third set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the second set of one or more partitions along the first secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the second data link along the first secure unidirectional path;
  
  a fourth set of one or more partitions hosted on the virtualization platform comprising a fourth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the second data link along a second secure unidirectional path;
  
  a fifth set of one or more partitions hosted on the virtualization platform comprising a fifth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fourth set of one or more partitions along the second secure unidirectional path, and to filter the received gateway data according to a series of application-level security rules;
  
  a sixth set of one or more partitions hosted on the virtualization platform comprising a sixth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fifth set of one or more partitions along the second secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the first data link along the second secure unidirectional path;
  
  wherein said second set of one or more partitions further causes the virtualization platform to gather information on gateway data flowing along said first unidirectional path;
  
  wherein said fifth set of one or more partitions causes the virtualization platform to implement a first series of application-level security rules before allowing or disallowing the flow of gateway data from the second protocol adapter towards the first protocol adapter along the second unidirectional path, said first series of application-level security rules comprising first consulting rules intended to consult the information gathered by said second set of one or more partitions; and
  
  wherein first and second protocol adapters hosted respectively within the first and second domains and configured to make a conversion between an application data formatted according to an applicative protocol relative to said first and second domains and a gateway data formatted according to a gateway internal protocol,wherein said first and second protocol adapter code comprise seventh and eighth sets of one or more components of code decomposed into a plurality of subsets of elementary components of code and being executable by the first and second domains, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The gateway according to claim 1, wherein each of the first, second, third, fourth, fifth, and sixth sets of one or more partitions are decomposed into a plurality of subsets of predefined elementary components of code, each comprising a plurality of lines of code having a code complexity sufficiently small as to be analyzable at a desired level of assurance, wherein each elementary component has a specified function and is adapted to communicate with other predefined elementary components.
  - 3. The gateway according to claim 1, wherein said gateway internal protocol is configured to have a minimum communication protocol based on a query and a response exchange mechanism and wherein each frame of an exchanged gateway data is decomposed into predefined fields of a fixed length.
  - 4. The gateway according to claim 3 wherein the gateway internal protocol is of the type RPC (Remote Procedure Call).
  - 5. The gateway according to claim 1, wherein said seventh and eighth sets of one or more components of code are executable by the first and second domains, respectively, to cause the first and second domains, respectively, to:
    - manage authorized applicative protocols relative to applications belonging to the first and second domains, respectively,construct a gateway data out of a corresponding application data by adapting the application data from an applicative protocol format into said gateway internal protocol format before sending said gateway data to the first and second data links, respectively, andreconstruct an application data according to the applicative protocol format out of a corresponding gateway data formatted according to the internal gateway protocol.
  - 6. The gateway according to claim 1, wherein said fifth set of one more partitions causes the virtualization platform to implement the series of security rules at the gateway internal protocol level on the gateway data flowing along the second unidirectional path to ensure that no malicious or unauthorized gateway data is flowing along the second unidirectional path.
  - 7. The gateway according to claim 1, wherein said fifth set of one or more partitions further causes the virtualization platform to gather information on gateway data flowing along said first unidirectional path and to transmit it to the fifth set of one or more partitions, and in that said second set of one or more partition further causes the virtualization platform to implement a second series of application-level security rules comprising second consulting rules intended to consult the information stored in said associated set of stateful context components.

8. An embedded infrastructure comprising a gateway adapted to interconnect a first domain to a second domain, the gateway comprising:
- memory,first and second protocol adapter code hosted respectively within the first and second domains and configured to make a conversion between an application data formatted according to an applicative protocol relative to said first and second domains and a gateway data formatted according to said gateway internal protocol, anda hosting platform that is a virtualization platform, the hosting platform being physically segregated from said first domain and connected to said first domain by a first data link physically segregated from said second domain and connected to said second domain by a second data link, said hosting platform comprising;
  
  a first network interface coupled to the first domain for communicating with the first data link;
  
  a second network interface coupled to the second domain for communicating with the second data link;
  
  a first set of one or more partitions hosted on the virtualization platform comprising a first set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the first data link along a first secure unidirectional path;
  
  a second set of one or more partitions hosted on the virtualization platform comprising a second set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the first set of one or more partitions along the first secure unidirectional path, and to analyze the received gateway data according to a series of security rules at the gateway internal protocol level;
  
  a third set of one or more partitions hosted on the virtualization platform comprising a third set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the second set of one or more partitions along the first secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the second data link along the first secure unidirectional path;
  
  a fourth set of one or more partitions hosted on the virtualization platform comprising a fourth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the second data link along a second secure unidirectional path;
  
  a fifth set of one or more partitions hosted on the virtualization platform comprising a fifth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fourth set of one or more partitions along the second secure unidirectional path, and to filter the received gateway data according to a series of application-level security rules;
  
  a sixth set of one or more partitions hosted on the virtualization platform comprising a sixth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fifth set of one or more partitions along the second secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the first data link along the second secure unidirectional path;
  
  wherein said second set of one or more partitions further causes the virtualization platform to gather information on gateway data flowing along said first unidirectional path;
  
  wherein said fifth set of one or more partitions causes the virtualization platform to implement a first series of application-level security rules before allowing or disallowing the flow of gateway data from the second protocol adapter towards the first protocol adapter along the second unidirectional path, said first series of application-level security rules comprising first consulting rules intended to consult the information gathered by said second set of one or more partitions; and
  
  wherein said first and second protocol adapter code comprise computing modules respectively including seventh and eighth sets of one or more components of code decomposed into a plurality of subsets of elementary components of code and being executable by the first and second domains, respectively.

9. An aircraft communication system comprising a gateway adapted to interconnect a first domain to a second domain, the gateway comprising:
- memory,first and second protocol adapter code hosted respectively within the first and second domains and configured to make a conversion between an application data formatted according to an applicative protocol relative to said first and second domains and a gateway data formatted according to said gateway internal protocol, anda hosting platform that is a virtualization platform, the hosting platform being physically segregated from said first domain and connected to said first domain by a first data link and physically segregated from said second domain and connected to said second domain by a second data link, said hosting platform comprising;
  
  a first network interface coupled to the first domain for communicating with the first data link;
  
  a second network interface coupled to the second domain for communicating with the second data link;
  
  a first set of one or more partitions hosted on the virtualization platform comprising a first set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the first data link along a first secure unidirectional path;
  
  a second set of one or more partitions hosted on the virtualization platform comprising a second set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the first set of one or more partitions along the first secure unidirectional path, and to analyze the received gateway data according to a series of security rules at the gateway internal protocol level;
  
  a third set of one or more partitions hosted on the virtualization platform comprising a third set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the second set of one or more partitions along the first secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the second data link along the first secure unidirectional path;
  
  a fourth set of one or more partitions hosted on the virtualization platform comprising a fourth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive gateway data from, but not send the gateway data to, the second data link along a second secure unidirectional path;
  
  a fifth set of one or more partitions hosted on the virtualization platform comprising a fifth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fourth set of one or more partitions along the second secure unidirectional path, and to filter the received gateway data according to a series of application-level security rules;
  
  a sixth set of one or more partitions hosted on the virtualization platform comprising a sixth set of one or more components of code being executable by the virtualization platform to cause the virtualization platform to receive the gateway data from, but not send the gateway data to, the fifth set of one or more partitions along the second secure unidirectional path and to forward the gateway data to, but not receive the gateway data from, the first data link along the second secure unidirectional path;
  
  wherein said second set of one or more partitions further causes the virtualization platform to gather information on gateway data flowing along said first unidirectional path;
  
  wherein said fifth set of one or more partitions causes the virtualization platform to implement a first series of application-level security rules before allowing or disallowing the flow of gateway data from the second protocol adapter towards the first protocol adapter along the second unidirectional path, said first series of application-level security rules comprising first consulting rules intended to consult the information gathered by said second set of one or more partitions; and
  
  wherein said first and second protocol adapter code comprise computing modules respectively including seventh and eighth sets of one or more components of code decomposed into a plurality of subsets of elementary components of code and being executable by the first and second domains, respectively.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Airbus Operations SAS (Airbus SE)
Original Assignee
Airbus Operations SAS (Airbus SE)
Inventors
Leconte, Bertrand, Triquet, Benoit, Simache, Cristina
Primary Examiner(s)
Poltorak, Piotr

Application Number

US15/254,279
Publication Number

US 20170070507A1
Time in Patent Office

1,307 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2221/2101   Auditing as a secondary aspect

H04L 12/40032   Details regarding a bus int...

H04L 12/4625   Single bridge functionality...

H04L 12/66   Arrangements for connecting...

H04L 2012/40267   Bus for use in transportati...

H04L 47/196   Integration of transport la...

H04L 63/02   for separating internal fro...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/1408   by monitoring network traff...

H04L 67/02   based on web technology, e....

H04L 67/133   Protocols for remote proced...

H04L 69/08   Protocols for interworking;...

High assurance segregated gateway interconnecting different domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

High assurance segregated gateway interconnecting different domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links