Embedded guard-sanitizer

US 9,773,130 B2
Filed: 05/12/2010
Issued: 09/26/2017
Est. Priority Date: 05/12/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus configured to be embedded in a bus between networks or data buses, wherein at least two of the networks or data buses operate at different security levels, the apparatus comprising:

a single dedicated processor;

a volatile, high-to-low working memory partition connected to the single dedicated processor;

a volatile, low-to-high working memory partition connected to the processor;

the high-to-low and low-to-high working memory partitions configured by the processor to limit the range of memory in which the processor is working until a specific operation is executed to reset to another partition;

a high-side, input/output section providing an interface to a high-side network or data bus, and configured to send messages to the high-to-low working memory partition, and to receive messages from the low-to-high working memory partition;

a low-side, input/output section providing an interface to a low-side network or data bus, and configured to send messages to the low-to-high working memory partition, and to receive messages from the high-to-low working memory partition;

a first non-volatile memory for storing a binary rule set image, whereby the processor controls the transfer of messages between the high-side input/output section and the low-side input/output section in accordance with the rule set; and

a second non-volatile, memory for storing firmware for controlling executive functions of the apparatus;

wherein messages received from the high-side network or data bus are inspected using the rule set and based on that inspection, the apparatus passes the message to the low side network or data bus unmodified, redacts or substitutes the message prior to passing the message to the low side network or data bus, or blocks the message; and

wherein messages received from the low-side network or data bus are inspected using the rule set and based on that inspection, the apparatus passes the message to the high side network or data bus unmodified, redacts or substitutes the message prior to passing the message to the high side network or data bus, or blocks the message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embedded guard-sanitizer apparatus is disclosed including a processor, a volatile, high-to-low working memory partition connected to the processor, and a volatile, low-to-high working memory partition connected to the processor. The embedded guard-sanitizer further includes a high-side, input/output section providing an interface to a high-side network or data bus, and configured to send messages to the high-to-low working memory, and to receive messages from the low-to-high working memory, and a low-side, input/output section providing an interface to a low-side network or data bus, and configured to send messages to the low-to-high working memory, and to receive messages from the high-to-low working memory. The embedded guard-sanitizer also includes a first non-volatile memory for storing a rule set binary image, whereby the processor controls the transfer of messages between the high-side input/output section and the low-side input/output section in accordance with the rule set, and a second non-volatile, memory for storing firmware for controlling executive functions of the apparatus.

Citations

20 Claims

1. An apparatus configured to be embedded in a bus between networks or data buses, wherein at least two of the networks or data buses operate at different security levels, the apparatus comprising:
- a single dedicated processor;
  
  a volatile, high-to-low working memory partition connected to the single dedicated processor;
  
  a volatile, low-to-high working memory partition connected to the processor;
  
  the high-to-low and low-to-high working memory partitions configured by the processor to limit the range of memory in which the processor is working until a specific operation is executed to reset to another partition;
  
  a high-side, input/output section providing an interface to a high-side network or data bus, and configured to send messages to the high-to-low working memory partition, and to receive messages from the low-to-high working memory partition;
  
  a low-side, input/output section providing an interface to a low-side network or data bus, and configured to send messages to the low-to-high working memory partition, and to receive messages from the high-to-low working memory partition;
  
  a first non-volatile memory for storing a binary rule set image, whereby the processor controls the transfer of messages between the high-side input/output section and the low-side input/output section in accordance with the rule set; and
  
  a second non-volatile, memory for storing firmware for controlling executive functions of the apparatus;
  
  wherein messages received from the high-side network or data bus are inspected using the rule set and based on that inspection, the apparatus passes the message to the low side network or data bus unmodified, redacts or substitutes the message prior to passing the message to the low side network or data bus, or blocks the message; and
  
  wherein messages received from the low-side network or data bus are inspected using the rule set and based on that inspection, the apparatus passes the message to the high side network or data bus unmodified, redacts or substitutes the message prior to passing the message to the high side network or data bus, or blocks the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The apparatus of claim 1, wherein:
    - the high-side, input/output section includes a volatile high-side memory input message buffer, a volatile high-side memory output message buffer and a high-side interface configured to send messages to the high-to-low working memory, and to receive messages from the low-to-high working memory; and
      
      the low-side, input/output section includes a volatile low-side memory input message buffer, a volatile low-side memory output message buffer and a low-side interface to the microprocessor and its working memory configured to send messages to the low-to-high working memory, and to receive messages from the high-to-low working memory.
  - 3. The apparatus of claim 1, wherein:
    - the firmware provides executive services, input/output services, startup diagnostics, operational diagnostics, and a run-time environment for the rule-set image.
  - 4. The apparatus of claim 1, further comprising:
    - an alphanumeric status display unit to show the operational status of the apparatus.
  - 5. The apparatus of claim 1, further comprising:
    - a load port to input the rule set image from an external, non-volatile memory device.
  - 6. The apparatus of claim 1, further comprising:
    - permanent markings indicating “
      
      high side” and
      
      “
      
      low side”
      
      connections for the networks or data buses to prevent inadvertent misconnection.
  - 7. The apparatus of claim 1, wherein the single processor and firmware block message transfers between high-side and low-side networks of data buses by default.
  - 8. The apparatus of claim 1, wherein the firmware provides an executive program not writable or modifiable by the single processor except by use of a special, protected load port.
  - 9. The apparatus of claim 1, wherein the single processor performs a hardware and firmware diagnostic test after start-up.
  - 10. The apparatus of claim 1, wherein the single processor performs periodic hardware and firmware diagnostic tests during normal operations.
  - 11. The apparatus of claim 1, wherein the processor periodically checks the validity of the rule set image.
  - 12. The apparatus of claim 1, wherein the firmware writes status messages to an alphanumeric display and optionally sends a status message on the high-side network in support of built-in test capability of a system in which the apparatus is embedded.
  - 13. The apparatus of claim 1, wherein the rule set image produced on a separate, general purpose computer by a rule set image generator software application and compiled into the form of a binary executable image to be executed by the single processor.
  - 14. The apparatus of claim 1, wherein the apparatus uses the single processor'"'"'s hardware memory partitioning capability to maintain separate high-to-low and low-to-high working memory partitions.
  - 15. The apparatus of claim 1, wherein the single processor is configured to perform a hardware validation, and then perform multiple overwrite operations on the non-volatile memories and overwrite all the volatile memory areas in response to a sanitize command.

16. An apparatus configured to be embedded in a bus between networks or data buses, wherein at least two of the networks or data buses operate at different security levels, the apparatus comprising:
- a single dedicated processor;
  
  a volatile, high-to-low working memory partition connected to a single dedicated processor;
  
  a volatile, low-to-high working memory partition connected to the processor;
  
  the high-to-low and low-to-high working memory partitions configured by the processor to limit the range of memory in which the processor is working until a specific operation is executed to reset to another partition;
  
  a high-side, input/output section providing an interface to a high-side network or data bus, and configured to send messages to the high-to-low working memory partition, and to receive messages from the low-to-high working memory partition;
  
  a low-side, input/output section providing an interface to a low-side network or data bus, and configured to send messages to the low-to-high working memory partition, and to receive messages from the high-to-low working memory partition;
  
  a first non-volatile memory for storing a binary rule set image, whereby the processor controls the transfer of messages between the high-side input/output section and the low-side input/output section in accordance with the rule set; and
  
  a second non-volatile, memory for storing firmware for controlling executive functions of the apparatus;
  
  wherein messages received from the high-side network or data bus are inspected using the rule set and based on that inspection, the apparatus redacts or substitutes the message prior to passing the message to the low side network or data bus; and
  
  wherein messages received from the low-side network or data bus are inspected using the rule set and based on that inspection, the apparatus redacts or substitutes the message prior to passing the message to the high side network or data bus.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein:
    - the high-side, input/output section includes a volatile high-side memory input message buffer, a volatile high-side memory output message buffer and a high-side interface configured to send messages to the high-to-low working memory, and to receive messages from the low-to-high working memory; and
      
      the low-side, input/output section includes a volatile low-side memory input message buffer, a volatile low-side memory output message buffer and a low-side interface to the microprocessor and its working memory configured to send messages to the low-to-high working memory, and to receive messages from the high-to-low working memory.
  - 18. The apparatus of claim 16, wherein the firmware writes status messages to an alphanumeric display and optionally sends a status message on the high-side network in support of built-in test capability of a system in which the apparatus is embedded.
  - 19. The apparatus of claim 16, wherein the apparatus uses the single processor'"'"'s hardware memory partitioning capability to maintain separate high-to-low and low-to-high working memory partitions.
  - 20. The apparatus of claim 16, wherein the single processor is configured to perform a hardware validation, and then perform multiple overwrite operations on the non-volatile memories and overwrite all the volatile memory areas in response to a sanitize command.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Original Assignee
Northrop Grumman Systems Corporation (Northrop Grumman Corporation)
Inventors
Collins, James G.
Primary Examiner(s)
Potratz, Daniel

Application Number

US12/778,247
Publication Number

US 20110283143A1
Time in Patent Office

2,694 Days
Field of Search

726 17
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/62   Protecting access to data v...

G06F 21/71   to assure secure computing ...

G06F 21/85   interconnection devices, e....

Embedded guard-sanitizer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Embedded guard-sanitizer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links