CDDC: One Secure Screen for Classified, Secret and Public Networks
Australian Researchers Crack Thorny Network Segmentation Usability Problem
The public internet is a dangerous place. The risks are plenty: emails with malicious links, malware-ridden websites and innumerable hardware and software components in between that could be compromised.
Militaries have long realized that the best way to protect information is to build separate, air-gapped networks with no links to the public internet. Network segmentation is a model that is increasingly recommended for companies and critical infrastructure providers.
But viewing and working with information from separate networks - crucial for productivity in some industries - poses either usability or security problems.
KVM (keyboard, video and mouse) switches let users switch between the different networks on one screen, but it's not workflow friendly. You may not be able to, for example, view classified information right alongside other unclassified information.
Virtualization is another solution. But it relies on software known as hypervisors to funnel data from various virtual machines to one screen. Hypervisors are problematic: A software vulnerability could compromise the networks it touches.
But researchers in Australia have found a way to make segregated networks seamlessly accessible through a single screen without the security risks. They've created a device, called the Cross Domain Desktop Compositor, which prevents data from leaking from one network to another or malware jumping across.
The CDDC is "trying to give you the best of both worlds," says Toby Murray, a senior research scientist with the Trustworthy Systems Team of Australia's national research agency, Data61. He says the CDDC offers the security benefits of hardware-enforced physical isolation of networks and the benefit of having all data on one screen, minus the security worries around virtualization.
The CDDC is the result of collaboration between Data61 and Australia's Defense Science and Technology Group, which is part of the Department of Defense. Leading the project are Murray; Kevin Elphinstone, a principal researcher with Data61; and Mark Beaumont, a researcher with DST.
The CDDC is an external hardware device that only accepts video output from different computers, maintaining a strong isolation between networks.
"It's a bit like an intelligent KVM switch in that you're physically plugging in your different PCs and your keyboard and mouse and display into it," Murray says. "But then it's displaying on screen for you your different content from each of those PCs together."
Software on each PC encodes the position and size of its windows into the video stream it sends out. The CDDC's software then takes the video signals and works out which regions of each screen contain active applications. It effectively cuts out those pixels and renders them onto the user's single screen.
The user, for example, would be able to use a web browser running on the open internet, an email client on a higher-classification network and a Microsoft Word document running on the top-secret machine. The windows are clearly labeled so the user knows exactly which domain they're working in.
The user's actions, through the keyboard and mouse, are forwarded to the right computer. So what if malware infected the unclassified machine? It wouldn't be able to jump to a higher-level network because the machines are physically separated, and the CDDC itself only takes video feeds from the machines.
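The compositing and input-routing idea described above, as an added illustration that is not the CDDC's own code: each PC declares window geometry, the compositor copies only those pixels onto one labeled screen, rejects geometry that runs past the PC's own frame (the kind of lie a compromised PC could tell), and routes input only to the domain owning the pixel under the pointer. Frame sizes, the label layout and all names are assumptions for the example.

```python
from collections import namedtuple

Window = namedtuple("Window", "domain x y w h")   # geometry a PC declares
FRAME_W, FRAME_H = 8, 4   # video frame size each PC delivers (assumed)
LABEL_H = 1               # rows above each window reserved for the domain label

def validate(win):
    """Reject geometry a compromised PC could lie about: a window that
    extends past its own frame, or an empty one."""
    return (0 <= win.x and 0 <= win.y and win.w > 0 and win.h > 0 and
            win.x + win.w <= FRAME_W and win.y + win.h <= FRAME_H)

def composite(frames, windows):
    """frames: domain -> FRAME_H rows of FRAME_W pixels. windows: z-ordered
    list, last on top. Returns the single screen plus an owner map saying,
    for every screen pixel, which domain's video it was cut from."""
    screen = [["."] * FRAME_W for _ in range(FRAME_H + LABEL_H)]
    owner = [[None] * FRAME_W for _ in range(FRAME_H + LABEL_H)]
    for win in windows:
        if not validate(win):
            continue                    # untrusted geometry: window not shown
        label = win.domain[:win.w].ljust(win.w, "-")
        for c in range(win.w):          # label row sits directly above the window
            screen[win.y][win.x + c] = label[c]
            owner[win.y][win.x + c] = win.domain
        for r in range(win.h):          # copy only this window's own pixels
            for c in range(win.w):
                src = frames[win.domain][win.y + r][win.x + c]
                screen[win.y + LABEL_H + r][win.x + c] = src
                owner[win.y + LABEL_H + r][win.x + c] = win.domain
    return screen, owner

def route_input(owner, col, row):
    """Keyboard and mouse events reach only the domain owning the pixel under
    the pointer; a click on empty screen reaches no PC at all."""
    return owner[row][col]

# Constructed sample: two PCs, each frame filled with its domain's initial.
FRAMES = {"UNCLASSIFIED": [["u"] * FRAME_W for _ in range(FRAME_H)],
          "SECRET": [["s"] * FRAME_W for _ in range(FRAME_H)]}
WINDOWS = [Window("UNCLASSIFIED", 0, 0, 5, 2), Window("SECRET", 3, 1, 4, 2),
           Window("SECRET", 6, 0, 5, 3)]   # last one lies: runs past the frame

if __name__ == "__main__":
    scr, own = composite(FRAMES, WINDOWS)
    print("\n".join("".join(row) for row in scr))
    print(route_input(own, 1, 1), route_input(own, 4, 2), route_input(own, 7, 4))
```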
The security of the system is further strengthened by the operating system that runs the CDDC's software. The CDDC uses seL4, a so-called microkernel - a stripped-down version of the core software of a computer, known as a kernel.
In 2009, researchers in Australia mathematically proved that seL4 contained no software vulnerabilities at all, a process known as formal verification. It has been incorporated into a drone, and other applications for seL4 include in-flight computers (see Does This Drone Sport the World's Most Secure Operating System?).
With CDDC, operators can dart between classified networks and the open internet without the risks that one domain will tamper with the other. It's even possible to copy and paste. But Murray says filters can ensure that only ASCII text can be moved from, say, an unclassified machine to a classified one.
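The one-way, ASCII-only clipboard filter mentioned above, as an added example rather than the CDDC's own code: transfers are permitted only from a lower to a higher domain, and anything other than printable 7-bit ASCII plus newline and tab (rich formats, terminal escape sequences, non-ASCII bytes) blocks the whole transfer. The level ordering and function names are assumptions for the example.

```python
# Domain ordering assumed for the example; "TOP SECRET" outranks "SECRET".
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

def filter_clipboard(src_domain, dst_domain, payload):
    """Return the text allowed to cross from src to dst, or None to block.
    Rejecting the whole payload (rather than stripping bad bytes) is a
    deliberate choice: a partially sanitised paste is easy to misread."""
    if LEVELS[dst_domain] <= LEVELS[src_domain]:
        return None                      # never sideways or downward
    try:
        text = payload.decode("ascii")   # any byte >= 0x80 fails here
    except UnicodeDecodeError:
        return None
    # Printable ASCII is 0x20..0x7E; allow newline and tab, refuse all other
    # control characters (ESC-led terminal sequences, NUL, DEL, ...).
    if any(not (32 <= ord(ch) < 127 or ch in "\n\t") for ch in text):
        return None
    return text
```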
The researchers have considered advanced attack scenarios. Malware on an unclassified PC could try to lie about where certain windows appear on screen, which could confuse users. And it's possible that a confused user might start behaving insecurely, Murray says. But it's a very advanced threat.
"It's only once when you've built a device this secure in the first place that you can start to worry about those threats because we've been able to close off the traditional ones," Murray says.
There's also another attack possibility, involving covert channels: the keyboard could be engineered to record keystrokes and then secretly replay them on the unclassified machine.
That scenario would rely on an attacker planting tampered keyboards in the supply chain. It's not an impossible feat, but one that would generally be considered a very advanced attack. As a defense, the CDDC has been designed to power down the keyboard when switching between windows so it can't retain state, Murray says.
"At the end of the day, if you can get someone to install malicious hardware on your network, then you kind of own them already," Murray says.
Data61 is looking toward commercialization opportunities, but the process is still in its early days. Australia's Defense Department has tested the CDDC, and it was positively received, Murray says.
In the next year or so, plans are to cultivate a local supply chain to produce the CDDC. After that, the eye will be on defense markets, such as the U.S., U.K., Canada and New Zealand, part of the so-called "Five Eyes" intelligence collective. Beyond the defense industry, the CDDC could prove useful in industries such as critical infrastructure that need highly secure solutions, Murray says.