Computer applications often malfunction in damaging ways when they handle data containing unusual or malformed constructs. For example, many old versions of applications that handle JPEG images would erroneously execute some of the image file's data as code if a comment block in the JPEG image had an invalid length. Consequently, the applications were vulnerable to attack by someone who placed damaging code in such a malformed file.
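The JPEG comment-length problem above is a length field that the application trusted without checking. As an added illustration (not code from the page or from any product it describes), the following strict segment walker rejects a file as soon as a segment length is smaller than the two bytes of the length field itself or runs past the end of the data, which is the check a content checker would apply before an image is allowed to reach a rendering application. The sample files are constructed inline.

```python
import struct

# JPEG marker codes (second byte after the 0xFF prefix)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field at all
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


class MalformedJpeg(ValueError):
    """Raised for any construct the walker is not prepared to accept."""


def walk_segments(data: bytes):
    """Yield (marker, payload) for every segment up to SOS, validating each length field."""
    if data[:2] != b"\xff\xd8":
        raise MalformedJpeg("missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise MalformedJpeg(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may repeat
            pos += 1
        if pos >= len(data):
            raise MalformedJpeg("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise MalformedJpeg("truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The length counts its own two bytes, so anything below 2 is invalid;
        # a naive 'length - 2' on such a value is how the comment-block bug arose.
        if length < 2:
            raise MalformedJpeg(f"segment 0x{marker:02X}: length {length} < 2")
        end = pos + length
        if end > len(data):
            raise MalformedJpeg(f"segment 0x{marker:02X}: length {length} runs past end of data")
        yield marker, data[pos + 2:end]
        pos = end
        if marker == SOS:
            return   # entropy-coded image data follows; it is not segment-structured
    raise MalformedJpeg("no EOI or SOS found")


def check_jpeg(data: bytes):
    """Return [(marker, payload_length), ...] for a well-formed file, else raise MalformedJpeg."""
    return [(marker, len(payload)) for marker, payload in walk_segments(data)]


def is_acceptable(data: bytes) -> bool:
    """Policy decision a content checker would make: pass only what the strict walker accepts."""
    try:
        check_jpeg(data)
        return True
    except MalformedJpeg:
        return False


# Constructed sample files (not real images): SOI, one comment segment, EOI
GOOD = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"      # length 7 = 2 + len("hello")
BAD_SHORT_LENGTH = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"  # length 1 < 2
BAD_OVERRUN = b"\xff\xd8" + b"\xff\xfe\xff\xffhello" + b"\xff\xd9"  # claims 65535 bytes

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("BAD_SHORT_LENGTH", BAD_SHORT_LENGTH), ("BAD_OVERRUN", BAD_OVERRUN)]:
        print(name, "accepted" if is_acceptable(blob) else "discarded")
```

The walker stops at SOS deliberately: validating the entropy-coded stream is a different job, and a checker should reject what it does not understand rather than guess.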
Computer applications often include more information in the data files they construct than is apparent to the user of the application. For example, Microsoft Word 97 has a feature whereby it may retain deleted text in a file to avoid the delay that would occur if the file were re-written to exclude deletions. Consequently, documents created by such applications may contain sensitive data that should not be disclosed and yet can be recovered by examining the data file using a different application, leading to leaks of sensitive information.
As a result of the risks of damage caused by data files received by a sensitive system and the risks of leaks caused by data files released from a sensitive system, it is normal practice to apply checks to data entering and leaving a sensitive system. These content checks examine the data for constructs that might cause damage or may leak information, blocking the data from passing if it has such undesirable content. Examples of this practice can be found in the many Anti-Virus and Data Leakage Protection products on the market, such as those from Sophos and Symantec.
In particularly sensitive systems, a secondary risk becomes important: a failure of some system component may cause data to enter or leave the system without being inspected by the content checkers. As a result, the sensitive system may be damaged by data that causes applications to malfunction or sensitive information may leak out.
Patent application WO 2007/031744 A1 “Communication System Firewall” discloses a method for delivering data to and from a software content checker, which is hosted on a dedicated computer, that mitigates this risk.
The data is carried in a format chosen to be invalid with respect to any other software or peripheral firmware which might receive it in error, but nevertheless interpretable by the content checker. If some failure were to cause the data to be delivered to software or firmware other than the content checker, it would arrive in an invalid format and hence be discarded. This avoids the possibility of such a failure leading to data being passed through the system without being checked.
This enforces the constraint that only data in the selected format enters or leaves the system. Data not in the correct format is discarded and so cannot cause any damage.
This gives good assurance that an attacker is unable to send carefully crafted data to the content checker host computer in order to cause it to malfunction, resulting in unchecked data being passed. It also assures that a component failure in the content checker host computer will not cause data containing sensitive information to be released without the content checkers having the opportunity to block the leak.
Referring to FIG. 1, the computer hardware connects to its peripherals, including the BreakWall Network Interface Card (NIC), via a peripheral bus (e.g. a PCI bus). This is controlled by the bus controller logic, which arbitrates between the different peripherals that contend for the services provided by the bus. The computer's processor connects to the peripheral bus, allowing the computer to communicate with the peripherals, and the computer's memory is also connected to allow peripherals to transfer data at high speed by direct memory access.
The BreakWall Network Interface Card (NIC) connects the network link (e.g. an Ethernet fibre) to the checker computer's peripheral bus. The NIC contains three logic sub-systems: the network logic drives the network link, receiving frames of data from it and passing frames of data to it; the bus logic drives the peripheral bus, exchanging data with the device driver directly under processor command, or indirectly through the computer's main memory by the use of direct memory access (DMA); and the frame checker logic ensures that only data framed in the expected way is allowed to pass between the network link and the computer.
The frame format that such systems allow to pass is selected carefully so that, should the bus controller logic or other peripherals malfunction and cause the data to be delivered to any component other than the content checker, the data is not intelligible to them and is discarded.
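The principle stated in the paragraphs on the invalid-by-design format and again in the description of the frame checker logic can be made concrete with a small model. The framing below is constructed for this example and is not the BreakWall format, which the page does not disclose; the code is an added illustration, not the patent's or any product's own. The checker sits between the network logic and the bus logic: a frame passes only if its magic value, declared length and CRC all match, and everything else is counted and dropped. An ordinary Ethernet-style frame, a tampered frame and a truncated frame are constructed inline to show each discard path.

```python
import struct
import zlib

# Constructed, hypothetical framing (assumption: not the real BreakWall format).
# The magic is chosen so the first bytes cannot be mistaken for a sensible
# Ethernet destination address by other firmware that receives the frame in error.
MAGIC = b"BWF\x01"
HEADER = struct.Struct(">4sH")   # magic, payload length (big-endian)
CRC_LEN = 4
MAX_PAYLOAD = 1500


class FrameChecker:
    """Models the frame checker logic between the network logic and the bus logic."""

    def __init__(self):
        self.passed = 0
        self.dropped = {}

    def _drop(self, reason):
        self.dropped[reason] = self.dropped.get(reason, 0) + 1
        return None

    def check(self, frame: bytes):
        """Return the payload if the frame is in the expected format, otherwise None (discarded)."""
        if len(frame) < HEADER.size + CRC_LEN:
            return self._drop("short")
        magic, length = HEADER.unpack_from(frame)
        if magic != MAGIC:
            return self._drop("bad-magic")
        if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + CRC_LEN:
            return self._drop("bad-length")
        body, crc = frame[:-CRC_LEN], frame[-CRC_LEN:]
        if zlib.crc32(body) != struct.unpack(">I", crc)[0]:
            return self._drop("bad-crc")
        self.passed += 1
        return frame[HEADER.size:HEADER.size + length]


def encode(payload: bytes) -> bytes:
    """Sender side: wrap a payload in the expected framing before it goes onto the link."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    body = HEADER.pack(MAGIC, len(payload)) + payload
    return body + struct.pack(">I", zlib.crc32(body))


# Constructed sample frames
GOOD = encode(b"checked document bytes")
# Looks like a broadcast Ethernet frame carrying IPv4: 6+6 byte MACs, EtherType 0x0800, IP header start
ETHERNET_LIKE = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"\x45\x00" + b"\x00" * 44
TAMPERED = GOOD[:-5] + bytes([GOOD[-5] ^ 0x01]) + GOOD[-4:]   # one payload bit flipped, CRC untouched
TRUNCATED = GOOD[:-1]                                          # last CRC byte lost


def demo():
    """Run the four frames through one checker; return (passed, dropped-by-reason)."""
    fc = FrameChecker()
    for frame in (GOOD, ETHERNET_LIKE, TAMPERED, TRUNCATED):
        fc.check(frame)
    return fc.passed, fc.dropped


if __name__ == "__main__":
    passed, dropped = demo()
    print("passed:", passed)
    print("dropped:", dropped)
```

The checker never tries to repair or partially accept a frame: any mismatch is a discard, which is what makes the "delivered in error means delivered in an invalid format" argument hold for the wrong recipient, and the drop counters give an operator a way to see that something upstream is misbehaving.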