I have a piece of software which processes purely numerical data and gives some response.

To make it safe, I put it behind two data diodes: one for incoming data, and one for the outgoing response. The data diodes are implemented as customer-specific hardware.

Important point: the data diodes are 4-bit wide and thus allow only 4-bit words. The data is purely numerical and encoded like this in binary form:

0000 = '0'
0001 = '1'
0010 = '2'
0011 = '3'
0100 = '4'
0101 = '5'
0110 = '6'
0111 = '7'
1000 = '8'
1001 = '9'
1010 = '.'
1011 = ';' (separator)

Is my software behind the data diodes still safe from hacker attacks?

I believe yes, because the 4-bit data words do not allow a hacker to send any malicious commands. If they were 8 bits wide, then all ASCII characters would come through and the software would be vulnerable.

Server behind two data diodes

  • 2
    I suggest that you change your terminology. You do not have a "server" that processes data and responds. You have a "*service*" (software) that processes data and responds. That service runs on a server. Your *server* is still vulnerable to attacks (hardware, OS, networking infrastructure). – schroeder Jan 18 '18 at 10:28
  • Does the data diode completely block off access to the service and retransmits traffic sent from the outer network? – schroeder Jan 18 '18 at 10:30
  • Changed from "server" to "software". – Pekka Sivonen Jan 19 '18 at 08:39
  • Yes, the data diodes are real hardware and completely re-transmit all traffic as 4-bit data. – Pekka Sivonen Jan 19 '18 at 08:41

2 Answers

6

There are several use cases for data diodes and it is unclear what your use case exactly is and if data diodes are the solution for your unknown problem. But my guess is that data diodes are not what you actually need and that your current idea of how to use data diodes does not provide the security you envision:

  • One use case of data diodes is to make sure that data can only leave a system but never enter a system. This is for example used to get logging data out of industry systems but stop any data flow into the industry systems so that they cannot be attacked.
  • The other use case is to make sure that data can only enter a system but never leave it. This is for example used to feed data collected by a lower security environment into a system which contains very sensitive data and guarantee that no sensitive data can ever leak into the lower security environment, even in case of bugs or vulnerabilities.

Your use case is none of these. Instead it looks like you want to feed some data from outside into some service and get a response back, but still protect the service from being hacked from the outside. This bidirectional communication is not the use case for the unidirectional data diode. And by simply combining two data diodes you essentially allow (mostly unrestricted) bidirectional communication and thus do not protect the service.

What you probably would need instead is an application protocol level gateway, i.e. a system which allows restricted bidirectional communication. If it properly enforces the syntax and the semantics of the communication protocol, such a gateway can make sure that the service gets only data which it can handle in a safe way and that only data leaves the service which adheres to the defined syntax and semantics of the protocol - which severely limits both how the attacker could compromise the service and how he could make use of a successful compromise.

Steffen Ullrich
  • I agree, and I believe that the usage of 4-bit words is such restricted bidirectional protocol. – Pekka Sivonen Jan 19 '18 at 08:47
  • 1
    @PekkaSivonen: *"I believe that the usage of 4-bit words is such restricted bidirectional protocol."* - it depends. If the protocol spoken by the service allows as input any combination of 4-bit words and outputs similar data then there is probably no additional restriction you can do at the protocol level. If instead the diode simply transforms 8 bit data to 2x4 bit for transport and then transforms it back at the other side so that the service gets 8 bit data then you don't have any protocol level restriction at all from the perspective of the service. – Steffen Ullrich Jan 19 '18 at 09:24
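The protocol level gateway described in this answer, worked through for the exact 4-bit alphabet given in the question, as an added example that is not part of the original answer or of any product: a validator that accepts a stream of 4-bit symbols only if it matches a grammar of decimal numbers (digits, at most one dot, separated by `;`), rejects the four undefined codes 1100..1111, and bounds the number of digits per field and the number of fields. The grammar, the limits (`GW_MAX_DIGITS`, `GW_MAX_FIELDS`) and all function names are assumptions for this example; the service behind the gateway would only ever see fields that passed `gw_validate`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Symbol codes from the question's 4-bit table: 0x0..0x9 are the digits. */
#define SYM_DOT 0xA            /* 1010 = '.' */
#define SYM_SEP 0xB            /* 1011 = ';' */
/* Limits chosen for this example (assumptions, not from the question). */
#define GW_MAX_DIGITS 12
#define GW_FIELD_BUF (GW_MAX_DIGITS + 2)   /* digits + one dot + NUL */
#define GW_MAX_FIELDS 8

enum gw_status {
    GW_BAD_SYMBOL = -1,   /* code 1100..1111, undefined in the table */
    GW_BAD_SYNTAX = -2,   /* empty field, misplaced or repeated dot */
    GW_TOO_LONG   = -3,   /* more than GW_MAX_DIGITS digits in a field */
    GW_TOO_MANY   = -4    /* more than max_fields fields */
};

/* Validate a stream of 4-bit symbols against the grammar
 *   number := digit+ ( '.' digit+ )?      stream := number ( ';' number )*
 * Accepted fields are copied as NUL-terminated text into out[].
 * Returns the number of fields, or a negative enum gw_status. */
int gw_validate(const unsigned char *syms, size_t n,
                char out[][GW_FIELD_BUF], size_t max_fields)
{
    size_t field = 0, len = 0;
    int digits = 0, seen_dot = 0, digits_after_dot = 0;

    if (n == 0 || max_fields == 0)
        return GW_BAD_SYNTAX;

    for (size_t i = 0; i <= n; i++) {
        /* End of stream acts as an implicit separator closing the last field,
         * so an explicit trailing ';' leaves an empty field and is rejected. */
        unsigned char s = (i < n) ? syms[i] : SYM_SEP;

        if (s > SYM_SEP)
            return GW_BAD_SYMBOL;

        if (s == SYM_SEP) {
            if (digits == 0 || (seen_dot && digits_after_dot == 0))
                return GW_BAD_SYNTAX;               /* "" or "12." */
            out[field][len] = '\0';
            field++;
            len = 0; digits = 0; seen_dot = 0; digits_after_dot = 0;
            continue;
        }
        if (field >= max_fields)
            return GW_TOO_MANY;
        if (s == SYM_DOT) {
            if (seen_dot || digits == 0)
                return GW_BAD_SYNTAX;               /* "1.2.3" or ".5" */
            seen_dot = 1;
            out[field][len++] = '.';
        } else {
            if (digits >= GW_MAX_DIGITS)
                return GW_TOO_LONG;
            digits++;
            if (seen_dot) digits_after_dot++;
            out[field][len++] = (char)('0' + s);
        }
    }
    return (int)field;
}

/* Encode ASCII text into the 4-bit symbols of the question's table;
 * returns the symbol count, or -1 for a character the table cannot express. */
int gw_encode(const char *text, unsigned char *syms, size_t cap)
{
    size_t n = strlen(text);
    if (n > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = text[i];
        if (c >= '0' && c <= '9') syms[i] = (unsigned char)(c - '0');
        else if (c == '.') syms[i] = SYM_DOT;
        else if (c == ';') syms[i] = SYM_SEP;
        else return -1;
    }
    return (int)n;
}

/* Validate a raw symbol stream with the example's default limits. */
int gw_check_bytes(const unsigned char *syms, size_t n)
{
    char out[GW_MAX_FIELDS][GW_FIELD_BUF];
    return gw_validate(syms, n, out, GW_MAX_FIELDS);
}

/* Encode text, then validate it: the path a well-formed request takes. */
int gw_check(const char *text)
{
    unsigned char syms[128];
    int n = gw_encode(text, syms, sizeof syms);
    if (n < 0) return GW_BAD_SYMBOL;
    return gw_check_bytes(syms, (size_t)n);
}

int main(void)
{
    /* Constructed sample requests: one valid, the rest each violate one rule. */
    const char *samples[] = { "12.5;3", "1.2.3", "7;;1", ".5", "42;", "1234567890123" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], gw_check(samples[i]));
    return 0;
}
```

The point of the check is the one made in the comment above: the 4-bit transport alone restricts nothing if every combination of symbols is passed on, so the restriction has to be stated as a grammar and enforced before the service sees the data. Bounding digits per field also keeps a later numeric parse from overflowing.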
2

It is still at risk. You seem to misunderstand how an attack works.

For example, say you had the following -

int arr[4];
int idx = ReadNumberFromInput();
int val = ReadNumberFromInput();
arr[idx] = val;

There was no check on idx to make sure it is between 0 and 3. You are overwriting an arbitrary piece of memory with val. It is possible that idx is crafted to point to instructions which can later be invoked by the user.

Hector
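The hardened counterpart of the snippet in this answer, written against the question's own alphabet, as an added example that is not part of the original answer: a request like `4;1` contains nothing but digits and a separator, yet it parses to an index past the end of `int arr[4]`, so the 4-bit encoding does not prevent the out-of-bounds write; a bounds check on `idx` does. The parser also rejects a field that does not fit the integer type, since an unbounded digit string is another input the alphabet permits. Table size follows the answer; the status codes and function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 4           /* same size as int arr[4] in the answer */

enum req_status {
    REQ_OK           =  0,
    REQ_BAD_FORMAT   = -1,   /* not exactly "digits;digits" */
    REQ_OVERFLOW     = -2,   /* a field does not fit in uint32_t */
    REQ_OUT_OF_RANGE = -3    /* idx >= TABLE_SIZE */
};

static int g_table[TABLE_SIZE];

/* Strict parse of one decimal field: digits only, no sign, no dot, no overflow.
 * The overflow test is v*10 + d <= UINT32_MAX, rearranged to avoid wrapping. */
static int parse_u32_field(const char *s, size_t len, uint32_t *out)
{
    uint32_t v = 0;
    if (len == 0) return REQ_BAD_FORMAT;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9') return REQ_BAD_FORMAT;
        uint32_t d = (uint32_t)(s[i] - '0');
        if (v > (UINT32_MAX - d) / 10) return REQ_OVERFLOW;
        v = v * 10 + d;
    }
    *out = v;
    return REQ_OK;
}

/* The store with the bounds check that arr[idx] = val lacks. */
static int store_checked(uint32_t idx, uint32_t val)
{
    if (idx >= TABLE_SIZE) return REQ_OUT_OF_RANGE;
    g_table[idx] = (int)val;
    return REQ_OK;
}

/* Handle one request "idx;val" exactly as the service would receive it
 * after the diodes: only digits and the ';' separator can ever appear. */
int request_into_table(const char *req)
{
    const char *sep = strchr(req, ';');
    uint32_t idx, val;
    int rc;

    if (sep == NULL || strchr(sep + 1, ';') != NULL)
        return REQ_BAD_FORMAT;                       /* need exactly two fields */
    rc = parse_u32_field(req, (size_t)(sep - req), &idx);
    if (rc != REQ_OK) return rc;
    rc = parse_u32_field(sep + 1, strlen(sep + 1), &val);
    if (rc != REQ_OK) return rc;
    return store_checked(idx, val);
}

/* Read back a table slot; -1 for an index outside the table. */
int table_get(size_t i) { return (i < TABLE_SIZE) ? g_table[i] : -1; }

int main(void)
{
    /* Constructed requests: in range, out of range, oversized, malformed. */
    const char *reqs[] = { "2;5", "4;1", "4294967296;1", "1.5;1" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-14s -> %d\n", reqs[i], request_into_table(reqs[i]));
    return 0;
}
```

Because the alphabet has no sign symbol, a negative index cannot be expressed here, but the upper bound is still entirely under the sender's control, which is the whole of the answer's point.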