Hasso-Plattner-Institut für Softwaresystemtechnik
Dissertation Feng Cheng

Physical Separation Technology and its Lock-Keeper Implementation

The security problems of computer systems and networks are ever-increasing and far from being "under control". More and more defensive mechanisms and strategies have been designed to protect the vast range of information and its communication against illegal intrusions from both outside and inside. These attacks can be roughly categorized as online attacks and offline attacks. As a simple but intuitive security concept, "Physical Separation" has been proposed for several years to meet the needs of high-level security. By realizing the basic principle that "the ultimate method to secure a network is to disconnect it", "Physical Separation" can offer users the highest degree of psychological trust. How to reliably isolate the target system or network from the external world while still efficiently exchanging data across such a physically separated connection has been a major challenge.

This thesis provides a detailed insight into "Physical Separation" technology. Several important and relevant issues, such as its principle, benefits, implementations, performance and applications, are addressed, discussed and systematized. A new concept, "Protocol Isolation", is put forward as an important aspect of formalizing the "Physical Separation" idea. The trade-off between security and usability is identified as the main factor for evaluating "Physical Separation" solutions.

A new "Physical Separation" implementation, named Lock-Keeper, is presented in detail in the thesis. The SingleGate Lock-Keeper system, which consists of three active PC-based components (called INNER, GATE and OUTER) and an autonomous switching Printed Circuit Board (PCB), realizes the "Physical Separation" principle in a simple way and practically demonstrates its benefit of entirely eliminating the possibility of direct online attacks on a protected system or network. As an enhanced version, the DualGate Lock-Keeper system is proposed by adding a second "GATE" unit, which yields not only significantly improved data transfer performance but also many other useful reliability characteristics. Along with this development, the Lock-Keeper Cluster architecture, built by combining two or more independent Lock-Keeper systems, is introduced as well. According to the requirements of "Protocol Isolation", universal Secure Data Exchange (SDE) software is developed, which can be easily deployed on both the SingleGate and the DualGate Lock-Keeper to support reliable data transfer. A preliminary mathematical model illustrating the special data transfer procedure inside the Lock-Keeper is proposed and used, together with practically conducted experiments, to analyze and measure the performance of Lock-Keeper data transfer. A smart, lightweight and extensible security measurement platform is developed to carry out well-known network penetration tests for evaluating the security of the Lock-Keeper. Attack Graphs are used as a metric to explain theoretically the Lock-Keeper's competence in preventing online network attacks.
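The switching discipline just described, as an added Python model that is not the dissertation's code: a GATE unit is connected to at most one of INNER and OUTER at any instant, every period it is fully disconnected before being flipped to the other side, and a second gate started on the opposite side lets one gate pull from OUTER while the other delivers to INNER. The class names, the period model and the per-period capacity are assumptions made for the illustration.

```python
# Added illustration of the Lock-Keeper switching discipline; not the dissertation's
# code. Class names, the period model and the per-period capacity are assumptions.
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

class SeparationViolation(RuntimeError):
    """A gate would be reachable from INNER and OUTER at the same time."""

@dataclass
class Gate:
    name: str
    side: Optional[str] = None               # "OUTER", "INNER" or None (isolated)
    buffer: List[int] = field(default_factory=list)

    def connect(self, side: str) -> None:
        # The PCB must open the current contact before closing the other one.
        if self.side not in (None, side):
            raise SeparationViolation(f"{self.name} is still connected to {self.side}")
        self.side = side

def check_isolation(gates: List[Gate]) -> None:
    """Board invariant: at most one gate per side, so no OUTER->INNER path exists."""
    on_side = Counter(g.side for g in gates if g.side is not None)
    if max(on_side.values(), default=0) > 1:
        raise SeparationViolation("two gates connected to the same side")

def tick(gates: List[Gate], outer_queue: List[int], inner_store: List[int], capacity: int) -> None:
    """One switching period: serve the current side, then flip every gate over."""
    check_isolation(gates)
    for g in gates:
        if g.side == "OUTER":                # pull up to `capacity` files from outside
            g.buffer.extend(outer_queue[:capacity])
            del outer_queue[:capacity]
        elif g.side == "INNER":              # hand over what was pulled last period
            inner_store.extend(g.buffer)
            g.buffer.clear()
    for g in gates:
        other = "INNER" if g.side == "OUTER" else "OUTER"
        g.side = None                        # contact opened: gate fully isolated
        g.connect(other)

def periods_to_transfer(n_gates: int, n_files: int, capacity: int = 1) -> int:
    """Periods until all files reach INNER; gates start on alternating sides."""
    gates = [Gate(f"GATE{i}", "OUTER" if i % 2 == 0 else "INNER") for i in range(n_gates)]
    outer, inner, periods = list(range(n_files)), [], 0
    while len(inner) < n_files:
        tick(gates, outer, inner, capacity)
        periods += 1
    return periods
```

With one gate every file costs a pull period and a deliver period, while two gates started on opposite sides overlap the two, which is the throughput gain the DualGate design is after.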

To enhance the system security of the Lock-Keeper, recent results from virtualization technology, Trusted Computing (TC) technology, and Intrusion Detection System (IDS) technology are applied to the Lock-Keeper solution. The SDE's application modules on INNER/OUTER are moved into respective Virtual Machines (VMs), which achieves both "Application Separation" and "User Separation". The data scanning VM deployed on GATE accomplishes the ideas of "Offline Scanning" and "Offline Maintaining". With the help of TC-based Trusted Platform Modules (TPMs) integrated into each Lock-Keeper component, many traditional cryptographic algorithms and security approaches can be flexibly realized. By deploying IDS sensors on the Lock-Keeper system, attacks on OUTER and INNER from both sides as well as application-layer attacks towards GATE can be recognized and prevented accordingly.

Several Lock-Keeper applications, such as heterogeneous database replication, secure Web Services provision, and strong and federated authentication, are presented and described in detail to explain how the Lock-Keeper can be integrated as a "Physical Separation" based application-layer gateway into complex practical scenarios.