Host-based, network enabled, integrated remote interrogation system
Inventors
Collins, James C • Wall, Chet M • Kaufman, III, Robert J
Assignees
United States Department of the Air Force
Publication Number
US-10104096-B1
Publication Date
2018-10-16
Expiration Date
2035-07-01
Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Abstract
An Enhanced Ethernet Network Interface Card (EENIC) interfaces with a host and a network. The EENIC includes an internal network interface controller (NIC), a field programmable gate array (FPGA) in electrical communication with the internal network interface controller, and a peripheral component interconnect express (PCIe) controller, in independent electrical communication with the field programmable gate array or the internal network interface controller. The FPGA is configured to intercept data from either the host, or from the network, or from a combination thereof. Additionally, the configured interception is undetected by the host, or by the network, or a combination thereof.
Core Innovation
The invention disclosed is an Enhanced Ethernet Network Interface Card (EENIC) designed to interface with a host and a network. The EENIC consists of an internal network interface controller (NIC), a field programmable gate array (FPGA) electrically connected to the NIC, and a peripheral component interconnect express (PCIe) controller independently connected to either the FPGA or the NIC. This FPGA is configured to intercept data from the host, the network, or both, and the interception remains undetectable by the host, network, or both.
The problem addressed by the invention is that conventional host-based defenses run inside the host they protect: sufficiently sophisticated exploit code can alter or disable them and then establish a persistent, unauthorized foothold in the system's hardware or firmware. Existing network security architectures concentrate protection at high points in the hierarchy, such as Points of Presence (PoP), and do not effectively monitor or control security activity in lower-level enclaves. Exploits can therefore persist and propagate within those enclaves while circumventing the upper-level controls. The patent identifies a need for a host-independent security apparatus that operates outside the host's operating system and memory space.
The EENIC can be programmed into several modes: an active in-line mode that mediates all network traffic to and from the host, a PCIe endpoint mode capable of non-cooperative access to host memory, and a powered mode with no host communication at all. A notable feature is an embedded microprocessor on the FPGA running its own operating system, which performs near real-time filtering, blocking, forwarding and malware scanning of data outside the control of the host operating system. A specialized secure network "wormhole" protocol additionally permits remote, encrypted command and control of the EENIC without the host's awareness and without detection on external networks.
Claims Coverage
The patent contains independent claims directed to both a device (the Enhanced Ethernet Network Interface Card) and a method for performing security actions using the EENIC. The main inventive features reflect the device's architecture, configuration, and operational capabilities for undetected data interception and security functions.
Enhanced Ethernet Network Interface Card with FPGA for undetected data interception
The EENIC includes an internal NIC, an FPGA disposed on the EENIC and configured to operate internally to the host, and a PCIe controller independently connected to the FPGA or NIC. The FPGA is configured to intercept data from the host, network, or both, with its interception undetected by the host or network.
Non-cooperative data extraction from host memory
The FPGA is configured to intercept data from the host by non-cooperatively extracting it from the host's memory space, that is, without the participation of the host CPU or host software. Extraction of this kind is bus-master DMA by a PCIe endpoint; note that on a host with an IOMMU enabled, the memory reachable this way is restricted to the ranges the host has mapped for the device.
Security actions performed on intercepted data
The FPGA further performs actions on the intercepted data, including blocking, forwarding, scanning for malware, and near real-time modification of data structures.
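The in-line mode described above (mediating every frame between host and network, and blocking, forwarding or scanning it) can be modelled in software. The following is an illustrative example added to this summary; it is not code from the patent. It assumes standard Ethernet II, IPv4 and TCP/UDP framing, and the blocked-port policy, the signature list and the test frames are constructed for the demonstration.

```python
"""Model of the EENIC's active in-line mode. Every frame passing between the
host and the network is parsed and either forwarded or blocked, with the L4
payload scanned against a signature list. Illustrative code added here, not
from the patent; the policy, signatures and frames below are constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
BLOCKED_PORTS = {23}                     # constructed policy: no telnet in either direction
SIGNATURES = [                           # constructed "malware" byte patterns
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    b"\x90\x90\x90\x90\xcc",
]


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II, IPv4 and TCP/UDP headers; other layers yield defaults."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst, "src_mac": src, "ethertype": ethertype, "payload": b""}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return info
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    info["proto"] = frame[23]
    info["src_ip"] = ".".join(str(b) for b in frame[26:30])
    info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if info["proto"] == 6 and len(frame) >= l4 + 20:        # TCP: honour the data offset
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
        info["payload"] = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    elif info["proto"] == 17 and len(frame) >= l4 + 8:      # UDP: fixed 8-byte header
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
        info["payload"] = frame[l4 + 8:]
    return info


def filter_frame(frame: bytes) -> tuple:
    """Decide what the in-line path does with one frame: ('forward'|'block', reason)."""
    info = parse_frame(frame)
    if {info.get("src_port"), info.get("dst_port")} & BLOCKED_PORTS:
        return ("block", "port policy")
    for sig in SIGNATURES:
        if sig in info["payload"]:                # malware scan of the L4 payload
            return ("block", "signature match")
    return ("forward", "")


def build_frame(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame (checksums left zero) for testing."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = struct.pack("!6s6sH", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01",
                      ETHERTYPE_IPV4)
    return eth + ip + tcp


if __name__ == "__main__":
    for f in (build_frame("10.0.0.5", "198.51.100.10", 40000, 443, b"GET / HTTP/1.1\r\n"),
              build_frame("10.0.0.5", "198.51.100.11", 40001, 23, b""),
              build_frame("198.51.100.12", "10.0.0.5", 80, 40002, b"xx" + SIGNATURES[0])):
        print(filter_frame(f))
```

The decision is made on the parsed headers and payload alone, which is what allows the same logic to run on the card regardless of what the host's operating system believes about its own traffic; a real in-line path would additionally have to handle IP fragmentation and TCP stream reassembly before signature matching is meaningful.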
Replication and sharing of host MAC and protocol addresses
The internal NIC's media access control (MAC) address and protocol-level address are configured to replicate and share the corresponding addresses of the host, so that the card's own traffic is indistinguishable from the host's on the network.
Method for EENIC security actions utilizing FPGA and independent operating system
The method involves providing an EENIC with an FPGA internally within the host, a NIC electrically connected to the FPGA, and a PCIe controller in communication with either. The method includes intercepting data from host or network and performing security actions such as blocking, forwarding, or malware scanning.
Configuration of FPGA as an emulated microprocessor running an independent OS and secure wormhole communications
The FPGA is configured as an emulated microprocessor (a soft core) running an operating system that functions independently of the host. That OS ignores all incoming communications until it receives a specifically crafted activation packet, and only then responds by establishing a cryptographically secured wormhole communication channel for remote command and control.
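The activation-then-wormhole behaviour described here and in the Core Innovation section above (silence until a crafted packet arrives, then an encrypted command-and-control channel) is shown below as an illustrative model added to this summary. It is not the protocol disclosed in the patent, whose packet formats and cryptography are not given on this page; the design is an assumption: a pre-shared key, HMAC-SHA256 activation tags with a monotonic counter against replay, and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC for session traffic. The key, the marker bytes and the messages are constructed for the demonstration.

```python
"""Model of the patent's "wormhole" control channel. The FPGA-side agent drops
every packet, answering nothing, until one with a valid activation token
arrives; it then answers once and both sides derive keys for an authenticated,
encrypted session. Illustrative design added here, not the patent's protocol:
PSK + HMAC-SHA256 tags, a monotonic counter against replay, and an HMAC-based
counter-mode keystream with encrypt-then-MAC. Standard library only."""
import hashlib, hmac, os, struct

PSK = hashlib.sha256(b"constructed demo pre-shared key").digest()   # constructed key
MAGIC = b"WRMH"                                                      # constructed marker


def _tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    blocks = (_tag(key, b"enc", struct.pack("!QI", seq, i)) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """seq(8) || ciphertext || 16-byte MAC over seq and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, seq, len(plaintext))))
    hdr = struct.pack("!Q", seq)
    return hdr + ct + _tag(key, b"mac", hdr, ct)[:16]


def unseal(key: bytes, msg: bytes, last_seq: int):
    """Return (seq, plaintext), or None on truncation, bad MAC or replayed seq."""
    if len(msg) < 24:
        return None
    seq, ct, tag = struct.unpack("!Q", msg[:8])[0], msg[8:-16], msg[-16:]
    if seq <= last_seq or not hmac.compare_digest(tag, _tag(key, b"mac", msg[:8], ct)[:16]):
        return None
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(key, seq, len(ct))))


class DeviceAgent:
    """FPGA-side OS endpoint: silent until activated, then an encrypted session."""
    def __init__(self, psk: bytes):
        self.psk, self.last_counter, self.key_in, self.key_out = psk, 0, None, None
        self.last_seq, self.seq = 0, 0

    def handle(self, pkt: bytes):
        if self.key_in is None:
            return self._activate(pkt)
        r = unseal(self.key_in, pkt, self.last_seq)
        if r is None:
            return None                       # bad MAC or replay: stay silent
        self.last_seq, pt = r
        self.seq += 1
        return seal(self.key_out, self.seq, b"ack:" + pt)

    def _activate(self, pkt: bytes):
        # Activation packet: MAGIC(4) || counter(8) || client nonce(16) || HMAC(32).
        if len(pkt) != 60 or pkt[:4] != MAGIC:
            return None
        counter = struct.unpack("!Q", pkt[4:12])[0]
        if counter <= self.last_counter or not hmac.compare_digest(pkt[28:], _tag(self.psk, pkt[:28])):
            return None                       # wrong key or replayed token: silence
        self.last_counter, nonce_d = counter, os.urandom(16)
        session = _tag(self.psk, b"session", pkt[12:28], nonce_d)
        self.key_in, self.key_out = _tag(session, b"c2d"), _tag(session, b"d2c")
        return nonce_d + _tag(self.psk, b"resp", pkt[12:28], nonce_d)


class Controller:
    """Remote command-and-control side of the wormhole."""
    def __init__(self, psk: bytes, counter: int = 0):
        self.psk, self.counter, self.seq, self.last_seq = psk, counter, 0, 0

    def activation(self) -> bytes:
        self.counter += 1
        self.nonce_c = os.urandom(16)
        body = MAGIC + struct.pack("!Q", self.counter) + self.nonce_c
        return body + _tag(self.psk, body)

    def finish(self, resp: bytes) -> None:
        nonce_d = resp[:16]
        if not hmac.compare_digest(resp[16:], _tag(self.psk, b"resp", self.nonce_c, nonce_d)):
            raise ValueError("device response failed authentication")
        session = _tag(self.psk, b"session", self.nonce_c, nonce_d)
        self.key_out, self.key_in = _tag(session, b"c2d"), _tag(session, b"d2c")

    def send(self, pt: bytes) -> bytes:
        self.seq += 1
        return seal(self.key_out, self.seq, pt)

    def recv(self, msg: bytes) -> bytes:
        r = unseal(self.key_in, msg, self.last_seq)
        if r is None:
            raise ValueError("bad session message")
        self.last_seq, pt = r
        return pt


def run_exchange(psk: bytes = PSK) -> dict:
    """Walk through the whole protocol and report what the device did at each step."""
    dev, ctl = DeviceAgent(psk), Controller(psk)
    out = {"silent": dev.handle(b"GET / HTTP/1.1\r\n\r\n")}     # ordinary traffic: ignored
    out["wrong_key"] = dev.handle(Controller(b"\x00" * 32).activation())
    act = ctl.activation()
    ctl.finish(dev.handle(act))
    out["replay"] = dev.handle(act)                             # replayed token: ignored
    out["reply"] = ctl.recv(dev.handle(ctl.send(b"status")))
    out["tampered"] = dev.handle(b"\x00" * 40)                  # forged session packet: ignored
    return out
```

Two points matter for the "undetectable on external networks" property the patent claims: the agent never replies to anything it cannot authenticate, so a scanner sees nothing that distinguishes it from a host that simply drops the packet, and the activation counter and per-session nonces mean a captured activation packet cannot be replayed to wake the device later. A production design would use a standard AEAD and a proper key-agreement scheme instead of the HMAC constructions used here to keep the example dependency-free.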
The independent claims collectively protect an Enhanced Ethernet Network Interface Card with an FPGA configured for undetected data interception and security operations independent of the host system, as well as methods of operating such a device including establishing secure remote communications and performing various data security actions.
Stated Advantages
Separation and logical isolation of the FPGA from both the host and the external network, improving overall system security.
Ability to perform network data inspection and control outside the control or influence of the host operating system, thus preventing host-resident malware interference.
Multiple configurable modes, including an active host-embedded mode that gives full control over network data to and from the host while remaining transparent to, and undetectable by, the host user.
Provision of a specialized communication protocol enabling a secure, encrypted remote network wormhole connection for command and control without host system intervention or detection.
Real-time or near real-time filtering, blocking, forwarding, scanning for malware, and data modification on network data flows improving host and network security.
Documented Applications
Use as an integrated remote interrogation system (IRIS) embedded within host computer systems for enhanced network security monitoring and control.
Deployment at network enclave levels to provide security monitoring capabilities independent from host operating system vulnerabilities.
Operation in enterprise networks where traditional defense-in-depth architectures fail to monitor lower level enclave host activities effectively.