It is normal practice to check that data is fit for purpose before it is passed between computer systems, particularly if one of the computer systems handles sensitive information. Data entering a receiving system may be checked to ensure that it is not associated with an attack against that system and its software applications; data leaving a computer system may be checked to ensure it is not being disseminated inappropriately (“leaked”), e.g. contrary to commercial-in-confidence restrictions.
Software products are commercially available for checking that data is not infected with a virus or carrying other kinds of malware such as key loggers: such products include those of Symantec, Sophos and Macaffe. Other products, e.g. those of Clearswift and Purifile, check that data leaving a computer system is not sensitive data being disseminated inappropriately.
A typical prior art arrangement involves a sensitive computer system receiving data after checking that the data is safe and is not part of an attack. Data output from the sensitive system is checked to ensure that it is not being leaked.
However, software products (content checkers) which carry out data checking are themselves potential targets for an attack, particularly if they are running on computer systems handling sensitive material, such as financial transactions. If an attacker makes an attack which succeeds in taking control of a content checker running on a sensitive computer system, the attacker can then disable checks implemented by the checker and thereby allow data to pass inappropriately or use the checker as a platform for launching a further attack against the system.
Software engineering techniques are known which are intended to make content checkers robust against attack, but unfortunately they are not foolproof. Prior art content checkers are therefore associated with potential for failure, which may not be acceptable in critical situations.
It is known to reduce the potential for failure in a computer system by providing for failure restricted to a single component being unable to cause overall system failure: here “system failure” means data passing from one computer system to another without being appropriately checked.
In one prior art arrangement, a sensitive computer system sends data to and receives data from an external computer system via an input/output sub-system linked to a content checker; data passed by the content checker is forwarded to the recipient system. A single failure of either the input/output sub-system or the content checker could lead to overall system failure. If the checker fails to identify inappropriate data and instead wrongly reports it fit to pass, then that data will be passed on and cause damage to a recipient system. Alternatively, the input/output sub-system may fail by passing on data which has not been checked.
A known technique for guarding against failure of a check is to implement the check twice independently, it being unlikely that two independent checks will fail simultaneously: a prior art example of this is two anti-virus products being combined to provide a defence against viruses. If two content checkers are used, both must clear data before it is allowed to pass: even this safeguard may be defeated by failure of an input/output sub-system.
A potential single point of failure represented by an input/output sub-system may be eliminated by dividing it into separate input and output sub-systems with content checking means arranged between them. These sub-systems cease to be single points of failure because the input sub-system can only pass data for content checking, and the output sub-system only receives data which content checking indicates is fit to pass. A single content checker can be a point of failure, but this can be avoided by using two centrally located content checkers arranged in parallel to perform checks simultaneously. An output sub-system receives results from both content checkers and compares them: if both indicate the data passes the checks, the data is passed on. This is an example of the prior art technique of modular redundancy with voting on the outputs. Its disadvantage is that it is necessary to be sure that the two content checkers fail independently, which is difficult to ascertain if the checkers are complex and must handle many different data formats. As more formats need to be handled, the possible dependencies grows so it is difficult to scale up the task of assessing independence.
Voting is usually applied to streams of data that should be identical. For example, an encryption device can be made robust by implementing the encryption twice in parallel and then comparing the outputs, passing encrypted data on only if the two streams are identical. In the case of content checking however, the voting component is more complicated as it must implement a go/no-go decision based on the varied results received from the checkers rather than just compare identical data streams. This complexity makes it difficult to construct the voting component without it becoming a single point of failure.