Safe and secure data transmission thanks to protocol break
Computer security attacks come in many forms; a common method of attack is to get a computer to behave in a way not considered by the designers and seek to take advantage of that. Modifying protocols, for example, to send information that is non-compliant to the protocol is one way of inducing errors in a poorly designed system, is such a method. This can be prevented by protocol break.
In general, data that crosses a network can be divided into payload data and traffic control data. The payload data contains the data that the sender wants to send to the downstream network. For example, this may be a file, an email or a print job. This payload data is essentially static: the message that is sent should remain the same as the message that is delivered.
To deliver the payload, a protocol is used. A protocol is a set of communication agreements, which ensure that if both sides of a communication channel adhere to it, the payload gets delivered correctly. To achieve its design objectives, a protocol introduces extra data into the data flow to coordinate these protocol specific goals: traffic control data. A protocol takes care of many things that a normal computer user is never aware of: that the payload gets routed in the right direction; that it is chopped into parts where needed and reassembled again where possible. Protocols can do very complicated things like compression, tunneling, load balancing, authentication, caching, spooling, all kinds of things to make the communication go smoothly. Examples include FTP, SMTP and HTTP.
All this complexity which goes into these protocols makes the system work, but only under the condition that both sides are cooperative. An attacker may take the approach not to be cooperative, and send malformed traffic control data. This can cause a buffer overflow or other fault in the receiving system, and with it launch a successful disruptive attack.
In a “protecting secrets” scenario it can generally be assumed that the attacker has access to the upstream network. From the upstream network, the attacker could attack the downstream network by abusing a design flaw in one of the systems on the downstream network. A unidirectional network connection based on a datadiode prevents such an attack from leading to data leakage. The attack may still cause harm in terms of integrity and availability on the downstream network. A protocol break effectively cuts out attack vectors which live in the traffic control data, as will be discussed next.
The attacks that can be caused by one of the parties not adhering to a protocol can only be prevented by making sure that in the environment where attacks are not acceptable, both parties in the protocol are trusted. For unidirectional communication scenarios, that means that the side sending the payload (upstream) should be trustworthy, at least from the perspective of the receiver (downstream). The only way to ensure this is by the application of a protocol break.
A protocol break consists of two components that sit between the sender and the receiver of a message. The first one is a “catcher”, which, while adhering to the protocol, strips all traffic control data from the data it receives, and keeps only the payload data. The second component is a “thrower”. The thrower does the opposite: it takes bare payload data, and sends the payload to another system by means of some chosen protocol. In order to do this successfully, the thrower does all the complicated things that are necessary to adhere to the protocol specifications.
Blog author: Tim van Pelt