WO2018058182A1 - A network connectable computing system and a method for processing a plurality of messages - Google Patents


Info

Publication number
WO2018058182A1
Authority
WO
WIPO (PCT)
Prior art keywords
computing system
messages
software
protocol stack
driver
Prior art date
Application number
PCT/AU2017/051054
Other languages
French (fr)
Inventor
Carl Frans Van Schaik
Damon Todd Ward
Daniel Potts
Original Assignee
Cog Systems Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2016903928A external-priority patent/AU2016903928A0/en
Application filed by Cog Systems Pty Ltd filed Critical Cog Systems Pty Ltd
Publication of WO2018058182A1 publication Critical patent/WO2018058182A1/en

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling

Definitions

  • the disclosure herein generally relates to a network connectable computing system and a method for processing a plurality of messages.
  • Computing systems - examples of which include but are not limited to personal computers, laptop computers, smart phones, routers and tablet computers - may be connected to one or more networks, for example a local area network, which may itself be part of an internetwork, for example the internet.
  • FIG. 1 shows a block diagram for a prior art computing system generally indicated by the numeral 1, which may be in the form of, for example, a smart phone running an operating system (examples of which include but are not limited to ANDROID and UBUNTU Phone).
  • the prior art computing system 1 comprises program instructions in the form of a driver 12 for a network interface controller 15 (e.g. network interface card) for interfacing with a network 14, and a communications protocol stack 16.
  • Messages 20 comprising at least one protocol data units, in the form of packets for example, for transmission over the network 14 or internetwork are communicated between the communications protocol stack 16 and the driver 12.
  • the communications protocol stack 16 is generally a software implementation of a computer networking protocol suite on a computing device.
  • the communications protocol stack defines the communication protocols for providing communication services to programs and
  • the communications protocol stack 16 generally, but not necessarily, comprises modules conceptualised as layers in the stack of protocols.
  • the driver 12 is a media-transport layer interface and defines how the transport layer makes use of a medium and network interface controller (e.g. Wi-Fi controller).
  • the computing system's operating system may be commanded to change the communications protocol stack 16 or parameters of the communications protocol stack 16.
  • the security of the computing system 1 when connected to the network 14 may be compromised by malware running on the computing system 1, or by a user, changing the network security settings for the computing system.
  • the computing system 1 may be in communication with a remote local area network over a virtual private network (VPN).
  • the malware may modify the communications protocol stack 16 to by-pass the VPN.
  • Configuration data - for example certificates and credentials - for the VPN may be obtained by the malware and sent to a party that subsequently uses the configuration data to obtain unauthorised access to the remote local area network.
  • the malware may send private and/or sensitive information residing on the computing system or on the remote local area network, or proxy unauthorised access to the remote local area network.
  • the computing system comprises a driver for a network interface for interfacing with a network, a communications protocol stack, and an intercepting layer for intercepting a plurality of messages communicated between the communications protocol stack and the driver.
  • the intercepting layer is configured for redirecting the plurality of messages when so intercepted to another computing system configured for processing the at least some of the plurality of messages.
  • the other computing system may comprise networking software for processing the plurality of messages.
  • the networking software may comprise at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
  • the other computing system may be configured to send the plurality of messages, after processing, to the computing system for processing by the communications protocol stack.
  • the plurality of messages may comprise at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
  • the intercepting layer may be configured for at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
  • the other computing system may be configured to send the plurality of outbound messages to the computing system for transmission to the network by the driver.
  • the other computing system is configured to send those of the plurality of messages so processed to the computing system for processing by the communications protocol stack.
  • the intercepting layer comprises a comparator operable to determine whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
  • the message processing rule may comprise at least one of a redirect message rule, a pass message rule, and a drop message rule.
  • the other computing system comprises a processor core of the computing system.
  • An embodiment comprises a hypervisor hosting at least one of the other computing system and a virtual machine comprising the driver, communications protocol stack and intercepting layer.
  • An embodiment comprises a hypervisor hosting at least one of the other computing system and the computing system.
  • the intercepting layer is not by-passable.
  • the communications protocol stack comprises a Transmission Control Protocol / Internet Protocol (TCP/IP) stack.
  • TCP/IP Transmission Control Protocol / Internet Protocol
  • An embodiment comprises a computing device comprising an outer device housing.
  • a computing system comprising a hypervisor hosting a guest machine and another guest machine, the guest machine comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and an intercepting layer for intercepting a plurality of messages communicated between the communications protocol stack and the driver and redirecting the plurality of messages so intercepted to the other guest machine, wherein the other guest machine comprises a message processor for processing the plurality of messages and sending the plurality of messages so processed to the guest machine for the intercepting layer to receive and forward to one of the communications protocol stack and the driver.
  • the guest machine and the other guest machine each comprise an inter machine communications driver in communication for communication of the plurality of messages between the guest machine and the other guest machine.
  • the other guest machine comprises a communications network stack in intermediate communication with the guest machine's inter machine communications driver and application software.
  • the hypervisor is a bare metal hypervisor.
  • the message processor comprises networking software for processing the plurality of messages.
  • the networking software comprising at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
  • VPN Virtual Private Network
  • the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
  • the intercepting layer is configured for at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
  • the intercepting layer is non-by-passable.
  • the communications protocol stack comprises a TCP/IP stack.
  • the intercepting layer comprises a comparator operable to determine whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
  • the message processing rule comprises at least one of a redirect message rule, a pass message rule, and a drop message rule.
  • a computing system comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and a plurality of intercepting layers, each of the plurality of intercepting layers being for intercepting the plurality of messages communicated between the communications protocol stack and the driver, wherein each of the plurality of intercepting layers forward at least one of the plurality of messages to another computing system for processing.
  • the method comprises an intercepting layer intercepting a plurality of messages which are communicated between a communications protocol stack within a computing system and driver for the computing system's network interface controller.
  • An embodiment comprises redirecting the plurality of messages so intercepted to another computing system for processing of the plurality of messages.
  • the redirected plurality of messages are processed in networking software.
  • the plurality of messages so processed are sent to the computing system.
  • the plurality of messages are redirected to the other computing system.
  • An embodiment comprises a hypervisor hosting at least one of the other computing system and a virtual machine comprising the driver, communications protocol stack and intercepting layer.
  • the other computing system hosts a hypervisor that hosts the computing system.
  • a hypervisor hosts the computing system and the other computing system.
  • the other computing system is non-by-passable.
  • the communications protocol stack comprises a Transmission Control Protocol / Internet Protocol (TCP/IP) stack.
  • TCP/IP Transmission Control Protocol / Internet Protocol
  • An embodiment comprises the step of determining whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
  • the message processing rule may comprise at least one of a redirect message rule, a pass message rule, and a drop message rule.
  • the method comprises the step of starting a hypervisor and hosting a guest machine and another guest machine on the hypervisor.
  • the method comprises the step of redirecting a plurality of messages communicated between a communications protocol stack of the guest machine and a driver of the guest machine for a network interface for interfacing with a network to the other guest machine.
  • the method comprises the step of processing the plurality of messages within the other guest machine and sending the plurality of messages so processed to the guest machine for the intercepting layer to receive and forward to one of the communications protocol stack and the driver.
  • the other guest machine comprises networking software for processing the plurality of messages.
  • the networking software comprises at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
  • VPN Virtual Private Network
  • the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
  • the intercepting layer performs at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
  • the communications protocol stack comprises a TCP/IP stack.
  • An embodiment comprises determining whether a message of the plurality of messages satisfies a rule and if so determined applying a message processing rule to the message of the plurality of messages.
  • Non-transitory processor readable tangible media including program instructions which when executed by a processor causes the processor to perform a method disclosed above.
  • Disclosed herein is a computer program for instructing a processor, which when executed by the processor causes the processor to perform a method disclosed above.
  • Figure 1 shows a block diagram for a prior art computing system.
  • Figure 2 shows an embodiment of a computing system.
  • Figure 3 shows a schematic block diagram of the architecture of the computing system.
  • Figure 4 is a schematic diagram of the computing system of figure 2 showing an example of an intercepting layer of the computing system of figure 2 in use.
  • Figure 5 shows a schematic diagram of the computing system of figure 2 wherein the intercepting layer is configured to redirect messages to a VPN module.
  • Figure 6 shows a schematic diagram of another embodiment of a computing system 80.
  • Figure 7 shows yet another embodiment of a computing system.
  • Figure 8 shows still yet another embodiment of a computing system.
  • Figure 9 shows a block diagram of an embodiment of a network router or gateway comprising an embodiment of a computing system.
  • Figure 10 shows a block diagram of an embodiment of a vehicle comprising an embodiment of a computing system.
  • Figure 11 shows a block diagram of an embodiment of a camera comprising an embodiment of a computing system.
  • Figure 12 shows a block diagram of an embodiment of an automated device comprising an embodiment of a computing system.
  • Figures 13 to 16 show flow diagrams for methods performed by an example of an intercepting layer.
  • FIG. 2 shows an embodiment of a computing system generally indicated by the numeral 10.
  • the computing system comprises a driver 12 in the form of a network interface driver for a network interface 15 for interfacing with a network 14 in the form of a communications network, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages 20 communicated between the communications protocol stack 16 and the driver 12.
  • annexe layer intercepting layer
  • the plurality of messages 20 comprises at least one of a plurality of inbound messages 17 communicated from the driver 12 to the communications protocol stack 16, and a plurality of outbound messages 19 communicated from the communications protocol stack 16 to the driver 12.
  • the intercepting layer 18 is generally, but not necessarily, for at least one of intercepting the plurality of inbound messages 17 communicated from the driver 12 to the communications protocol stack 16, and for intercepting the plurality of outbound messages 19 communicated from the communications protocol stack 16 to the driver 12.
  • Inbound messages 17 are those received via the network 14, and outbound message 19 are those to be sent via the network 14.
  • FIG. 3 shows a schematic block diagram of the architecture of the computing system 10.
  • the computing system 10 comprises a computing device 300 having a processor package 302.
  • the processor package 302 comprises a single die 304 comprising a multi-core processor 306 comprising a plurality of processor cores 308.
  • the processor package 302 comprises a case 310 encapsulating the die 304, which protects the die 304 and has electrical contacts in the form of pads for electrically connecting the package.
  • An alternative processor package has a single microprocessor on the single die.
  • the processor package 302 is in the form of a system-on-a-chip (SoC) or micro-controller.
  • SoC system-on-a-chip
  • the processor package 302 may be mounted on a printed circuit board (PCB) 312, wherein the pads of the processor package 302 are soldered to contacts on the PCB 312.
  • a printed circuit board assembly (PCBA) which comprises the PCB 312, the processor package 302 and optionally other electronics, is mounted in a computing device housing.
  • An alternative embodiment of the computing device 300 comprises a plurality of intercommunicating microprocessor dies in the form of a multi-chip module, for example. Generally, any form of processor package may be used.
  • processor packages 302 which may be within mobile phones and tablet computers, for example, include the QUALCOMM SNAPDRAGON processors (including models 810, 820, and 821), SAMSUNG EXYNOS 8890, x86 processors including the INTEL ATOM processor, single core ARM CORTEX A5, multicore ARM CORTEX-A17, APPLE A9X, and APPLE A10. Generally any suitable processor package may be used.
  • the computing system 10 runs an operating system 314 in the form of an open source operating system, however it may not be an open source operating system in alternative embodiments.
  • the open source operating system is in this embodiment GOOGLE ANDROID. Examples of operating systems that may be used in alternative embodiments include but are not limited to WINDOWS, MAC OS, iOS, BLACKBERRY OS, CHROME OS, UBUNTU,
  • the communications protocol stack 16 and the driver 12 may reside in the kernel 315 of the computing system's operating system 314, which is in this embodiment in the form of a LINUX kernel.
  • the driver 12 and the communications protocol stack 16 have interfaces in the form of application programming interfaces (API) for intercommunication.
  • API application programming interfaces
  • the intercepting layer 18 is implemented by inserting a hook into the kernel 315 ("hooking"), whereby messages passed between the driver 12 and the communication protocol stack 16 are intercepted by the intercepting layer 18.
  • the hook may be inserted into the kernel source code which may then be compiled.
  • the network interface 15 comprises a network interface controller (NIC).
  • the NIC may be in the form of an IEEE 802.3 (“Ethernet”) NIC, a 802.11 (“Wi-Fi") NIC, a Bluetooth or other personal area network (PAN) protocol NIC, a FiberChannel NIC, a Long Term Evolution (LTE) NIC, a NIC for a cellular network, a low power wide area network (LPWAN) protocol NIC, or generally any suitable form of NIC.
  • the NIC may be in the form of a network interface card, or may be integrated with a motherboard, for example.
  • the computing system 10 has a plurality of network interfaces 15, each comprising a network interface controller, for a plurality of networks, and the intercepting layer 18 may be configured for intercepting and/or redirecting messages to and/or from any one of the plurality of network interfaces 15.
  • the driver 12 comprises software stored in processor memory 316 that operates the network interface 15.
  • the driver 12 may communicate with the network interface 15 via a bus or communications subsystem.
  • the computing system 10 comprises network address translation (NAT) software that operates at the network interface 15.
  • the messages 20 may each comprise at least one protocol data unit in the form of, for example, a datagram, a packet, frame, cell, chip, data packet or data segment for transmission over a network 14 or internetwork connecting a plurality of computing systems.
  • the protocol data units generally but not necessarily are in accordance with at least one of the IEEE 802.3 standards ("Ethernet"), IEEE 802.11 standards ("Wi-Fi"), TCP/IP standards (e.g. RFC 1122), or variants thereof, however any suitable protocol data unit types may be used.
  • One embodiment uses Ethernet frames having Ethernet packets as payloads.
  • the protocol data units may generally have a header and a payload, and may comprise a footer, that may comprise a protocol data unit check sequence (e.g. CRC).
  • the header may comprise, for example, at least one of a destination MAC and/or IP address, and source MAC and/or IP address.
  • the network interface controller may comprise a physical interface in the form of, for example, a network media connector in the form of an antenna or network cable connector.
  • the communications protocol stack 16 comprises an internet protocol layer, a transport layer, and may comprise at least some of the link layer.
  • the communications protocol stack 16 is a TCP/IP stack, however any suitable communications protocol stack may be used, for example a protocol stack in accordance with the Open Systems Interconnection (OSI) model.
  • the TCP/IP stack may be configured for at least one of IPv4 and IPv6.
  • the TCP/IP stack includes at least some, and generally but not necessarily all of, Internet Protocol (IP), Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Group Management Protocol (IGMP).
  • IP Internet Protocol
  • ARP Address Resolution Protocol
  • ICMP Internet Control Message Protocol
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • IGMP Internet Group Management Protocol
  • In addition to IP, ICMP, TCP and UDP, implementations configured for IPv6 include Neighbour Discovery Protocol (NDP), ICMPv6, and IGMPv6, and may include an integrated IPSec security layer.
  • NDP Neighbour Discovery Protocol
  • ICMPv6 ICMPv6
  • IGMPv6 Internet Group Management Protocol
  • the communications protocol stack 16 may have routing tables for dynamic routing rules.
  • Program instructions in the form of application software may request communication services from the communications protocol stack 16.
  • an application layer protocol for example HTTP, FTP, SSH, etc.
  • the application software generally instructs a BSD socket interface implemented by the LINUX kernel to open a socket for a network address comprising an internet protocol address.
  • a web browser implementing the HTTP protocol opens a TCP socket, however other applications may generally open any suitable type of socket, including a UNIX socket, and transport layer sockets examples of which include but are not limited to a UDP socket and a DCC socket.
  • the intercepting layer 18 is in this, but not all embodiments, configured to inspect the messages 20 for applying at least one message processing rule to the messages 20.
  • the intercepting layer extracts information from the messages 20 and in a comparator 21 in the form of a computer software module compares the extracted information to a rule value.
  • the extracted information may be a sender address.
  • the rule value may be a predetermined sender or destination network address.
  • the comparator determines if the extracted information matches the rule value in this example, however in another example the comparator may determine if the extracted information does not match the rule value, is less than or greater than the rule value, or generally may use any suitable Boolean logic or other system for comparison.
  • the at least one message processing rule may include, for example, a message filtering rule, a message modification rule, a message routing rule, and generally any suitable rule.
  • the rules may be stateful or stateless.
  • the header and/or payload may be inspected.
  • the intercepting layer 18 may be configured to apply message processing rules to a message when the intercepting layer determines that the message satisfies a message condition.
  • the messages 20 intercepted by the intercepting layer 18 may be routed to at least one message processor 31 in the form of a message processing network module, examples of which include but are not limited to inline firewalls, encryptors, VPN applications, and data redirects.
  • the modules may comprise at least one of a software module and a hardware module.
  • the message processor 31 is in this embodiment external of the computing system 10, however in an otherwise identical embodiment the message processor 31 is internal of the computing system.
  • the intercepting layer 18 may manipulate and/or modify the messages 20 before forwarding them on.
  • the intercepting layer 18 may modify and redirect, pass, or drop messages (i.e. stop a message being transmitted further).
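As an added illustration of the comparator and the pass, redirect and drop rules described above (example code written for this page, not code from the patent or from Cog Systems), the following C program extracts the source and destination IPv4 addresses from an Ethernet frame, compares them to rule values, and returns the message processing rule to apply. The rule structure, the field and comparison names, the choice to redirect frames the comparator cannot parse, and the sample addresses and frames are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message processing rules the page lists: pass, redirect, drop. */
typedef enum { ACT_PASS = 0, ACT_REDIRECT = 1, ACT_DROP = 2 } action_t;

/* Which header field the comparator extracts, and how it compares it to the
 * rule value. Names are hypothetical; the patent only describes the concept. */
typedef enum { FIELD_SRC_IP, FIELD_DST_IP } field_t;
typedef enum { CMP_EQ, CMP_NE } cmp_t;

typedef struct {
    field_t  field;
    cmp_t    cmp;
    uint32_t value;   /* rule value: an IPv4 address, host byte order */
    action_t action;  /* message processing rule applied when satisfied */
} rule_t;

#define ETH_HLEN       14
#define IPV4_MIN_HLEN  20
#define ETHERTYPE_IPV4 0x0800
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Extract source and destination addresses from an Ethernet II / IPv4 frame.
 * Returns 0 on success, -1 if the frame is too short, not IPv4, or has a bad
 * version/IHL, so the caller never reads past the buffer. */
int extract_ipv4(const uint8_t *frame, size_t len, uint32_t *src, uint32_t *dst) {
    if (len < ETH_HLEN + IPV4_MIN_HLEN) return -1;
    if (rd16(frame + 12) != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return -1;
    *src = rd32(ip + 12);
    *dst = rd32(ip + 16);
    return 0;
}

/* The comparator: the first satisfied rule decides. A frame the comparator
 * cannot parse (non-IPv4, truncated) satisfies no rule and falls through to
 * the default, which is to redirect it to the message processor, so nothing
 * bypasses the layer merely by being unusual. */
action_t classify(const rule_t *rules, size_t nrules, const uint8_t *frame, size_t len) {
    uint32_t src, dst;
    if (extract_ipv4(frame, len, &src, &dst) == 0) {
        for (size_t i = 0; i < nrules; i++) {
            uint32_t extracted = (rules[i].field == FIELD_SRC_IP) ? src : dst;
            int satisfied = (rules[i].cmp == CMP_EQ) ? (extracted == rules[i].value)
                                                     : (extracted != rules[i].value);
            if (satisfied) return rules[i].action;
        }
    }
    return ACT_REDIRECT;
}

/* Build a minimal Ethernet + IPv4 frame: constructed test input, not traffic
 * captured from any real system. */
size_t build_frame(uint8_t *buf, uint32_t src, uint32_t dst) {
    memset(buf, 0, ETH_HLEN + IPV4_MIN_HLEN);
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                             /* version 4, IHL 5 */
    ip[3] = IPV4_MIN_HLEN;                    /* total length */
    ip[8] = 64;                               /* TTL */
    ip[9] = 6;                                /* protocol: TCP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return ETH_HLEN + IPV4_MIN_HLEN;
}

/* Example policy (addresses chosen for the example). Drop rules are listed
 * before pass rules because the first match wins; otherwise a message from
 * the blocked host addressed to the gateway would be passed. */
static const rule_t demo_rules[] = {
    { FIELD_SRC_IP, CMP_EQ, IPV4(203, 0, 113, 9), ACT_DROP },   /* blocked host */
    { FIELD_DST_IP, CMP_EQ, IPV4(192, 168, 1, 1), ACT_PASS },   /* local gateway */
};
#define DEMO_NRULES (sizeof demo_rules / sizeof demo_rules[0])

action_t demo_classify(uint32_t src, uint32_t dst) {
    uint8_t frame[ETH_HLEN + IPV4_MIN_HLEN];
    size_t n = build_frame(frame, src, dst);
    return classify(demo_rules, DEMO_NRULES, frame, n);
}

int main(void) {
    static const char *names[] = { "pass", "redirect", "drop" };
    printf("to gateway:   %s\n", names[demo_classify(IPV4(10, 0, 0, 5), IPV4(192, 168, 1, 1))]);
    printf("from blocked: %s\n", names[demo_classify(IPV4(203, 0, 113, 9), IPV4(192, 168, 1, 1))]);
    printf("to internet:  %s\n", names[demo_classify(IPV4(10, 0, 0, 5), IPV4(93, 184, 216, 34))]);
    return 0;
}
```

The example runs in user space; in the embodiment described above the same comparator would sit behind the hook at the driver / protocol stack boundary inside the kernel. Two points the code makes that the prose leaves implicit: rule order matters when the first satisfied rule decides, and frames that fail parsing must still get a definite action rather than being handed through untouched.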
  • the intercepting layer 18 generally may introduce a strong layer of separation between the communications protocol stack 16 and the driver 12.
  • the intercepting layer 18 may be used to implement the addition of non-by-passable network modules, examples of which include but are not limited to a firewall and a VPN client or other network security module in the form of, for example, an application. Because the intercepting layer 18 is embedded in the kernel, the non-by-passable network elements may not be easily - or at all - altered by the communications network stack 16 or upper levels of software, and these may not be accessible by malware or users. This may enhance security.
  • Figure 4 is a schematic diagram showing the computing system 10 with the intercepting layer 18 in use.
  • Path 23 shows the path the messages 20 would take through the computing system and between the driver 12 and the communication protocol stack 16 with the intercepting layer 18 merely forwarding the messages 20 (or absent), in a manner similar to that within the prior art computing system 1.
  • the comparator has determined that a rule to pass the message to the protocol stack 16 has been satisfied.
  • Another message path is Path 25, in which the intercepting layer 18 redirects the received messages 20 to another network node 31 in the form of the message processor via another driver 13 for another network interface.
  • the comparator has determined that a rule to redirect the message to the other network node 31 has been satisfied.
  • the other node 31 is in this embodiment the message processor 31 in the form of another computing system comprising networking software for processing the plurality of messages 20.
  • the networking software may comprise, for example, at least one of Virtual Private Network (VPN) software, firewall software, encryption software, data redirect software, router software, and bridge software.
  • VPN Virtual Private Network
  • the other computing system is configured in this embodiment to send those of the plurality of messages so processed to the computing system 10, where they take path 29 to the communications protocol stack 16. While the other node 19 is of another network 29, it may in another embodiment be of the same network 14.
  • Figure 5 shows a schematic diagram of the computing system 10 wherein the intercepting layer 18 is configured to redirect messages to another computing system 50 which comprises a VPN module 21 in the form of VPN application software.
  • the other computing system 50 is generally a separate execution environment in the form of a physical or virtual machine having its own communications protocol stack 52, inter computing system driver 54 (similar and/or identical to inter computing system driver 22) and intercepting layer 56, and may comprise a protected network stack. All inbound messages for the communications protocol stack 16 may pass through the VPN module 21.
  • the computing system 10 comprises a hypervisor running the other computing system 50 and a virtual machine comprising at least the driver 12, communications protocol stack 16 and intercepting layer 18.
  • the other computing system 50 hosts a hypervisor hosting the computing system 10 as a virtual machine.
  • the intercepting layer 18 is used to add an additional communications protocol stack, without radically changing the system or drivers.
  • the messages may be tagged, for example by adding another header to the protocol data units.
  • the tag may comprise information indicative of at least one of where the packet is from, whether the packet is internal or external, and which network it is intended for.
  • the intercepting layer 18 may tag the messages.
  • the VPN module 21 may generally use any suitable VPN standard, for example Internet Protocol Security (IPSEC), Transport Layer Security (SSL/TLS), Datagram Transport Layer Security (DTLS), Microsoft Point-to-Point Encryption (MPPE), Secure Socket Tunnelling Protocol (SSTP), and Secure Shell (SSH) VPN.
  • IPSEC Internet Protocol Security
  • SSL/TLS Transport Layer Security
  • DTLS Datagram Transport Layer Security
  • MPPE Microsoft Point-to-Point Encryption
  • SSTP Secure Socket Tunnelling Protocol
  • SSH Secure Shell
  • a hypervisor or virtual machine monitor is a piece of computer software, firmware or hardware that creates and runs virtual machines.
  • a computing device on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.
  • the hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems.
  • Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and OS X instances can all run on a single physical x86 machine. This contrasts with operating-system-level virtualization, where all instances (usually called containers) must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel.
  • the hypervisor used is a type 1 hypervisor (a "native" or “bare-metal” hypervisor) in which the processor package is configured to support a type 1 hypervisor, however a type 2 hypervisor (a "hosted" hypervisor) may be used.
  • a type 1 hypervisor may be more secure than a type 2 hypervisor because if one execution environment is compromised, the other isn't.
  • the guest machine may alternatively be a container.
  • the other inter machine communication driver 54 is for receiving the redirected plurality of messages 20.
  • the other driver 54 is generally not visible and/or connected directly to the computing system's communications protocol stack.
  • the other driver 54 is connected to the other computing system's network message processing software (communications network stack 52 or otherwise).
  • the drivers 22,54 use shared memory and software interrupts supported by the hypervisor for communications between the intercepting layers 18,56.
  • the software interrupt is used to alert the computing systems of information put into shared memory. Communication between the intercepting layers 18,56 may be performed using any suitable method.
  • the communications network stack 16 and/or application software 24 running on the computing system 10 is not aware of the VPN connection, and operates as if there is a direct connection to a remote local area network.
  • the intercepting layer 18, in this but not all embodiments, may be configured for non-redirection and/or non-interception of messages satisfying non-redirection / non-interception rules.
  • examples of such rules include time-of-day rules, rules applying when connected to a trusted network, rules for Wi-Fi access point negotiation messages (which are not TCP/IP messages), and messages that the filter criteria allow to by-pass.
  • the intercepting layer may be transparent to user space applications on the host, and most of the kernel (e.g. the IP stack).
  • the intercepting layer may alternatively be at least in part or fully opaque, for example by returning a warning and/or a denied message if a user tried to browse a blacklisted site.
  • the intercepting layer 18 is particularly useful when combined with virtualisation, which allows the implementation of a protected network stack for complex processing of the messages, separate from the computer system's operating system. This could be implemented using two physical machines, or a single physical machine supporting multiple virtual machines using a hypervisor, for example.
  • Figure 6 shows an embodiment of a computing system 80 in the form of a host computing device. Parts having similar and/or identical form to those in other figures are similarly numbered.
  • the host computing device 80 is in the present embodiment in the form of a smart phone, however it may be in the form of a tablet computer or generally any suitable form of computing device.
  • the host computing device 80 comprises a hypervisor 86 in the form of a bare metal hypervisor.
  • the hypervisor is configured to run a plurality of virtual machines 82, 84. Communication between the plurality of virtual machines is via inter machine communication drivers and shared memory, however communication may be by any suitable method.
  • the hypervisor 86 is stored in non-volatile memory in the form of flash memory.
  • the hypervisor is stored in the non-volatile memory.
  • the computing system's boot starts the hypervisor and the plurality of virtual machines 82, 84.
  • the computing system 10, 80 may have multiple layers of VPN encryption. This may be done without extensive re-engineering of the software stack or new hardware.
  • a second VPN client may run in the application layer 24 of the computing system 10, in the communications protocol stack 18 of the computing system 10 or in both. Alternatively, the second VPN client may reside partly or wholly in hardware.
  • the VPN client in the application layer 24 does not need to be aware of the VPN at the communications protocol stack 16.
  • the two VPNs may greatly increase security because they generally require different techniques to be compromised, especially if the VPN protocol used within the communications protocol stack 16 is different from the VPN protocol used within the application layer.
  • the intercepting layer 18 may send an intercepted message of the plurality of messages 20 to the communications protocol stack 16, may send it to the other computing system 50, may block it, or may modify it in accordance with messaging rules.
  • Sensitive network functions are protected by making them invisible to the communications protocol stack 16.
  • the intercepting layer 18 may change the MAC and/or IP address of the messages 20 prior to redirection.
  • the redirected messages are processed at the other node or computing system or virtual machine, and then the processed message is sent to the driver 13 and subsequently received by the communications protocol stack 16.
  • inline network elements may be added to extend a physical and/or virtual network to support multiple other networking components sharing the network independent of the communications protocol stack 16.
  • the other networking components may be hidden from the communications protocol stack 16, and may not be supported by it.
  • the other computing system comprises a core of the multi-core processor.
  • FIG. 7 shows yet another embodiment of a computing system 100.
  • the computing system 100 hosts a plurality of guest machines 102, 104, 106.
  • the computing system 100 has a plurality of intercepting layers 118, 120, 122 for intercepting a plurality of messages communicated between a communications protocol stack 116 thereof and a driver 112 thereof. Parts similar or identical in form and/or function to parts in figures 1 to 5 are similarly numbered and prefixed by "1".
  • the drivers 112 are for a network interface for interfacing with a network. Each guest machine implements different messaging rules.
  • Each of the plurality of intercepting layers 118, 120, 122 sends a plurality of messages to a respective one of the guest machines 102, 104, 106.
  • the plurality of guest machines 102, 104, 106 may each identify and process different types of messages.
  • guest machine 102 may identify and process VPN messages
  • guest machine 104 may identify and process telemetry messages
  • guest machine 106 may identify and process firmware updates.
  • Parts 400, 404 and 408 are intercepting layers.
  • Machine 106 comprises an OTA update software client 402.
  • Machine 104 comprises a logging software module.
  • Machine 102 comprises a VPN software module.
  • FIG. 8 shows still yet another embodiment of a computing system 200.
  • the computing system 200 comprises drivers 212 for a network interface for interfacing with at least one network, a communications protocol stack 216, an intercepting layer 218 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 216 and the driver 212, and inter-machine communication drivers 220, 222.
  • the network access may be, for example, in the form of an application for mobile device management (MDM) or over-the-air (OTA) firmware updates.
  • the MDM or OTA firmware update functionality may reside in the different guest machines 202, 204.
  • the guest machines 202 and 204 comprise intercepting layers 206, 208.
  • Machine 202 comprises a firewall software module 210.
  • Machine 204 comprises OTA firmware updating software module 212.
  • the computer system firmware may require updating, for example with bug fixes or a new feature.
  • the intercepting layer 218 allows a path for traffic between the OTA client on the computing system 200 and an OTA server, for example, without any support from the primary operating system, other than providing the network drivers.
  • the OTA update traffic may be terminated within a communications protocol stack within one of the guest machines 202, 204, or forwarded to another dedicated virtual machine that is configured to manage updates. This may happen independently and transparently to any of the application software running in other guest machines.
  • One or more physical network connections may be shared and serve more than one purpose - secure OTA traffic and normal application network traffic.
  • OTA is an example of one of the typical functions of an MDM. Other MDM functions may include policy management, remote device kill, device tracking, and device auditing.
  • the guest machine may run a network router application.
  • Application 214 receives and sends messages to the stack 216.
  • Figures 13 to 16 show flow diagrams for methods that may be performed by the intercepting layer 18 of the embodiments described herein.
  • the computing system 10 is a computing device in the form of a smart phone 10.
  • the smart phone has a QUALCOMM SNAPDRAGON 821 processor, 4 GB of RAM, 32 GB of FLASH memory, and comprises an ANDROID operating system.
  • the smart phone is a GOOGLE PIXEL, however it may generally be any suitable smart phone, examples of which include a SONY XPERIA and an APPLE IPHONE.
  • the smart phone 10 may have software-isolated VPN software in the form of a VPN client that is independent of the operating system, as shown in figure 5, while the operating system still provides network services to application software. Messages may be non-by-passably routed through the VPN, and then back to intercepting layer 16 for forwarding.
  • the computing system 10 is a computing device in the form of tablet computer.
  • the tablet computer 10 is a GOOGLE PIXEL C with 64 GB of FLASH memory, 3 GB of RAM, an NVIDIA TEGRA X1 chip set including a 1.9 GHz quad-core processor, and comprises Android v6.0.1.
  • the tablet computer may be, for example, an APPLE IPAD.
  • Example 3: Figure 9 shows a block diagram of an embodiment of a network router or gateway 59 in the form of a wireless network router, which comprises an embodiment of a computing system 60, where parts similar or identical in form and/or function to parts in figures 1 to 5 are similarly numbered.
  • the computing system 60 hosts another computer system 62 comprising a protected network stack 64 in communication with a firewall application 66.
  • the computing system 60 comprises drivers 12 for a network interface for interfacing with a network 14, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer”) for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12.
  • intercepting layer 18 is configured to redirect messages to the other computing system 62.
  • At least one application may be run in the guest machine 62.
  • Other applications may be run external to the guest machine 62.
  • the other applications may include, for example, a network router application 66, a web server application 68, and media server 70.
  • one or more of these applications may be run within the guest machine 62 or another virtual machine hosted by the computing system 60.
  • a hacker that compromises one virtual machine may not gain control of another application in another real or virtual machine.
  • a plurality of virtual machines may benefit software development and configuration management.
  • An example of a suitable network router 59 is a LINKSYS WRT1900AC wireless router, which supports LINUX, OPENWRT and OPENVPN.
  • the router has a dual-core Marvell Armada 370/XP CPU with 256 MB of RAM and 128 MB of flash storage. Additional storage may be attached to the WRT1900AC using its USB 3.0 and eSATA ports.
  • a multi-level (for example a 2 level) VPN connection may be established.
  • Example 4: Figure 10 shows a block diagram of an embodiment of a vehicle 72 comprising an embodiment of a computing system 61, where parts similar or identical in form and/or function to parts in figures 1 to 5 are similarly numbered.
  • the computing system 61 is in communication with a network or internetwork (e.g. the Internet) via, for example, a wireless cellular network, a Wi-Fi network, an internet-of-things network, etc. for communication with, for example, cloud services.
  • the vehicle may be a car, truck, boat, airplane, or generally any suitable form of vehicle.
  • the computing system 61 may be in the form of, for example, a navigation system, an entertainment system, a performance telemetry system, a location tracking system, or generally any suitable computing system.
  • the computing system 61 comprises drivers 12 for a network interface for interfacing with a network 14, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12.
  • the intercepting layer 18 is configured to redirect messages to the other computing system 62, which in this but not all embodiments is a guest machine hosted by the computing system 61.
  • the computing system 61 hosts a guest machine 62 comprising a protected network stack 64 in communication with a filtering and/or VPN application 66.
  • FIG 11 shows a block diagram of an embodiment of a camera 74 comprising a computing system 63, where parts similar or identical in form and/or function to parts in figures 1 to 4 are similarly numbered.
  • the computing system 63 is in communication with a network 14 or internetwork (e.g. the Internet) via, for example, a wireless cellular network, a Wi-Fi network, or an internet-of-things network, etc. for communication with, for example, cloud services.
  • This may allow, for example, syncing of photos to cloud storage and network-based location tagging.
  • Such cameras may be vulnerable to attack. Distributed denial of service attacks may use compromised computing systems of network attached cameras.
  • the computing system 63 comprises drivers 12 for a network interface for interfacing with a network, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12.
  • the intercepting layer 18 is configured to redirect messages to the other computing system 62, which in this but not all embodiments is a guest machine hosted by the computing system 63.
  • the computing system 63 hosts a guest machine 62 comprising a protected communications protocol stack 64 in communication with a filtering and/or VPN application 66.
  • FIG 12 shows a block diagram of an embodiment of an automated device 76 for home or industrial use, for example in the form of a thermostat, light, garage door control, swimming pool heater and/or filter, burglar alarm, door lock or generally any suitable device.
  • the automated device 76 comprises a computing system 65, where parts similar or identical in form and/or function to parts in figures 1 to 4 are similarly numbered.
  • the computing system 65 is in communication with a network or internetwork (e.g. the Internet) via, for example, a wireless cellular network, a Wi-Fi network, an internet-of-things network, etc. for communication with, for example, cloud services.
  • Such devices may be vulnerable to attack. Distributed denial of service attacks may use compromised automated devices as slaves.
  • the computing system 65 comprises drivers 12 for a network interface for interfacing with a network 14, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12.
  • the intercepting layer 18 is configured to redirect messages to the other computing system 62, which in this but not all embodiments is a guest machine hosted by the computing system 65.
  • the computing system 65 hosts a communications protocol stack 64 in communication with a filtering and/or VPN application 66.
  • the computing system 10 may take any suitable form, further examples of which include but are not limited to a personal computer, and a laptop computer.

Abstract

Disclosed herein is a computing system (10) comprising a driver (12) for a network interface (15) for interfacing with a network (14), a communications protocol stack (16), and an intercepting layer (18) for intercepting a plurality of messages communicated between the communications protocol stack and the driver.

Description

A NETWORK CONNECTABLE COMPUTING SYSTEM AND A METHOD FOR PROCESSING A PLURALITY OF MESSAGES
Technical field
The disclosure herein generally relates to a network connectable computing system and a method for processing a plurality of messages.
Background
Computing systems - examples of which include but are not limited to personal computers, laptop computers, smart phones, routers and tablet computers - may be connected to one or more networks, for example a local area network, which may itself be part of an internetwork, for example the internet.
Figure 1 shows a block diagram for a prior art computing system generally indicated by the numeral 1, which may be in the form of, for example, a smart phone running an operating system (examples of which include but are not limited to ANDROID and UBUNTU Phone). The prior art computing system 1 comprises program instructions in the form of a driver 12 for a network interface controller 15 (e.g. network interface card) for interfacing with a network 14, and a communications protocol stack 16. Messages 20 comprising at least one protocol data unit, in the form of packets for example, for transmission over the network 14 or internetwork are communicated between the communications protocol stack 16 and the driver 12. The communications protocol stack 16 is generally a software implementation of a computer networking protocol suite on a computing device. The communications protocol stack defines the communication protocols for providing communication services to programs and applications on the computing device. The communications protocol stack 16 generally, but not necessarily, comprises modules conceptualised as layers in the stack of protocols. The driver 12 is a media-transport layer interface and defines how the transport layer makes use of a media and network interface controller (e.g. Wi-Fi controller).
The computing system's operating system may be commanded to change the communications protocol stack 16 or parameters of the communications protocol stack 16. The security of the computing system 1 when connected to the network 14 may be compromised by malware running on the computing system 1, or by a user, changing the network security settings for the computing system. The computing system 1 may be in communication with a remote local area network over a virtual private network (VPN). The malware may modify the communications protocol stack 16 to by-pass the VPN. Configuration data - for example certificates and credentials - for the VPN may be obtained by the malware and sent to a party that subsequently uses the configuration data to obtain unauthorised access to the remote local area network. The malware may send private and/or sensitive information residing on the computing system or on the remote local area network, or proxy unauthorised access to the remote local area network.
Summary
Disclosed herein is a computing system. The computing system comprises a driver for a network interface for interfacing with a network, a communications protocol stack, and an intercepting layer for intercepting a plurality of messages communicated between the communications protocol stack and the driver.
In an embodiment, the intercepting layer is configured for redirecting the plurality of messages when so intercepted to another computing system configured for processing at least some of the plurality of messages. The other computing system may comprise networking software for processing the plurality of messages. The networking software may comprise at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software. The other computing system may be configured to send the plurality of messages, after processing, to the computing system for processing by the communications protocol stack. The plurality of messages may comprise at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver. The intercepting layer may be configured for at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
In an embodiment, the other computing system may be configured to send the plurality of outbound messages to the computing system for transmission to the network by the driver.
In an embodiment, the other computer system is configured to send those of the plurality of messages so processed to the computing system for processing by the communications protocol stack. In an embodiment, the intercepting layer comprises a comparator operable to determine whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages. The message processing rule may comprise at least one of a redirect message rule, a pass message rule, and a drop message rule.
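The comparator and message processing rules described here, together with the tagging of redirected messages and the non-interception rules listed in the definitions above, modelled in Python as an added example (not code from the patent or from Cog Systems): ordered rules decide pass, drop or redirect; redirected frames receive a tag header recording direction, external/internal origin and target network; and frames processed by the other computing system return through the layer to the stack or driver. The tag format, rule contents, the filtering guest's behaviour and all addresses are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network
from typing import Callable

ETH_P_IP, ETH_P_ARP, ETH_HDR_LEN = 0x0800, 0x0806, 14
# Assumed tag header for redirected messages: magic, direction, external flag, network id.
TAG_MAGIC, TAG_FMT = b"ANNX", "!4sBBH"
TAG_LEN = struct.calcsize(TAG_FMT)

class Direction(Enum):
    INBOUND = 0    # driver 12 -> communications protocol stack 16
    OUTBOUND = 1   # communications protocol stack 16 -> driver 12

class Action(Enum):    # the three message processing rules named in the patent
    PASS = "pass"
    DROP = "drop"
    REDIRECT = "redirect"

@dataclass
class Frame:
    direction: Direction
    data: bytes    # raw Ethernet frame as seen between driver and stack

    def ethertype(self) -> int:
        return struct.unpack_from("!H", self.data, 12)[0]

    def ipv4_addrs(self):
        """(src, dst) addresses for an IPv4 frame, None for anything else."""
        if self.ethertype() != ETH_P_IP or len(self.data) < ETH_HDR_LEN + 20:
            return None
        src, dst = struct.unpack_from("!4s4s", self.data, ETH_HDR_LEN + 12)
        return IPv4Address(src), IPv4Address(dst)

@dataclass
class Rule:
    name: str
    matches: Callable[[Frame], bool]
    action: Action

def tag(frame: Frame, network_id: int) -> bytes:
    """Prepend the tag: where the message is from (direction), external or internal, target network."""
    external = 1 if frame.direction is Direction.INBOUND else 0   # from the network vs. host stack
    return struct.pack(TAG_FMT, TAG_MAGIC, frame.direction.value, external, network_id) + frame.data

def untag(tagged: bytes):
    magic, direction, _external, network_id = struct.unpack_from(TAG_FMT, tagged)
    if magic != TAG_MAGIC:
        raise ValueError("message carries no annexe tag")
    return Direction(direction), network_id, tagged[TAG_LEN:]

class InterceptingLayer:
    # Every frame between driver and stack goes through intercept(); nothing else writes
    # to_stack / to_driver, which is what makes the layer non-by-passable in this model.
    def __init__(self, rules, other, network_id=1):
        self.rules, self.other, self.network_id = rules, other, network_id   # other: fn(tagged) -> tagged | None
        self.to_stack, self.to_driver = [], []      # what stack 16 / driver 12 finally receive

    def _forward(self, direction: Direction, data: bytes) -> None:
        (self.to_stack if direction is Direction.INBOUND else self.to_driver).append(data)

    def intercept(self, frame: Frame) -> Action:
        # Comparator: the first rule the frame satisfies decides; unmatched frames are redirected.
        rule = next((r for r in self.rules if r.matches(frame)), None)
        action = rule.action if rule else Action.REDIRECT
        if action is Action.PASS:
            self._forward(frame.direction, frame.data)
        elif action is Action.REDIRECT:
            processed = self.other(tag(frame, self.network_id))
            if processed is not None:      # the other computing system may itself drop it
                direction, _net, data = untag(processed)   # returns through the layer ...
                self._forward(direction, data)            # ... then on to stack or driver
        return action

def filtering_guest(tagged: bytes):
    """Stand-in for the protected stack and filter in the other guest: drops inbound frames
    from a constructed blocked range and hands everything else back unchanged."""
    direction, _net, data = untag(tagged)
    addrs = Frame(direction, data).ipv4_addrs()
    if direction is Direction.INBOUND and addrs and addrs[0] in IPv4Network("203.0.113.0/24"):
        return None
    return tagged

def ipv4_frame(direction: Direction, src: str, dst: str, payload: bytes = b"") -> Frame:
    """Constructed minimal Ethernet/IPv4 frame (IP checksum left zero; sample input only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + payload
    return Frame(direction, b"\x02" * 6 + b"\x02" * 5 + b"\x01" + struct.pack("!H", ETH_P_IP) + ip)

def demo():
    layer = InterceptingLayer(rules=[
        # Non-interception rule: Wi-Fi/ARP negotiation is not TCP/IP, so it by-passes the redirect.
        Rule("non-IP by-pass", lambda f: f.ethertype() != ETH_P_IP, Action.PASS),
        Rule("blacklisted destination",
             lambda f: (f.ipv4_addrs() or (None, None))[1] == IPv4Address("192.0.2.66"), Action.DROP),
    ], other=filtering_guest)
    arp = Frame(Direction.INBOUND, b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28)
    frames = [arp, ipv4_frame(Direction.OUTBOUND, "10.0.0.5", "192.0.2.66"),
              ipv4_frame(Direction.OUTBOUND, "10.0.0.5", "198.51.100.7", b"hello"),
              ipv4_frame(Direction.INBOUND, "203.0.113.9", "10.0.0.5")]
    return layer, [layer.intercept(f) for f in frames]
```

Calling demo() runs the four constructed frames: the ARP frame passes straight to the stack, the blacklisted destination is dropped by the comparator, the remaining outbound frame is redirected, processed and forwarded to the driver, and the inbound frame from the blocked range is redirected and then discarded by the guest.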
In an embodiment, the other computing system comprises a processor core of the computing system.
An embodiment comprises a hypervisor hosting at least one of the other computing system and a virtual machine comprising the driver, communications protocol stack and intercepting layer.
An embodiment comprises a hypervisor hosting at least one of the other computing system and the computing system.
In an embodiment, the intercepting layer is not by-passable.
In an embodiment, the communications protocol stack comprises a Transmission Control Protocol / Internet Protocol (TCP/IP) stack.
An embodiment comprises a computing device comprising an outer device housing.
Disclosed herein is a computing system comprising a hypervisor hosting a guest machine and another guest machine, the guest machine comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and an intercepting layer for intercepting a plurality of messages communicated between the communications protocol stack and the driver and redirecting the plurality of messages so intercepted to the other guest machine, wherein the other guest machine comprises a message processor for processing the plurality of messages and sending the plurality of messages so processed to the guest machine for the intercepting layer to receive and forward to one of the communications protocol stack and the driver.
In an embodiment, the guest machine and the other guest machine each comprise an inter machine communications driver in communication for communication of the plurality of messages between the guest machine and the other guest machine.
In an embodiment, the other guest machine comprises a communications network stack in intermediate communication with the guest machine's inter machine communications driver and application software. In an embodiment, the hypervisor is a bare metal hypervisor.
In an embodiment, the message processor comprises networking software for processing the plurality of messages.
In an embodiment, the networking software comprises at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
In an embodiment, the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
In an embodiment, the intercepting layer is configured for at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
In an embodiment, the intercepting layer is non-by-passable. In an embodiment, the communications protocol stack comprises a TCP/IP stack.
In an embodiment, the intercepting layer comprises a comparator operable to determine whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
In an embodiment, the message processing rule comprises at least one of a redirect message rule, a pass message rule, and a drop message rule.
Disclosed herein is a computing system comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and a plurality of intercepting layers, each of the plurality of intercepting layers being for intercepting the plurality of messages communicated between the communications protocol stack and the driver, wherein each of the plurality of intercepting layers forward at least one of the plurality of messages to another computing system for processing.
Disclosed herein is a method for processing a plurality of messages. The method comprises an intercepting layer intercepting a plurality of messages which are communicated between a communications protocol stack within a computing system and a driver for the computing system's network interface controller.
An embodiment comprises redirecting the plurality of messages so intercepted to another computing system for processing of the plurality of messages. In an embodiment, the redirected plurality of messages are processed in networking software.
In an embodiment, the plurality of messages so processed are sent to the computing system.
In an embodiment, the plurality of messages are redirected to the other computing system.
An embodiment comprises a hypervisor hosting at least one of the other computing system and a virtual machine comprising the driver, communications protocol stack and intercepting layer. In an embodiment, the other computing system hosts a hypervisor that hosts the computing system.
In an embodiment, a hypervisor hosts the computing system and the other computing system.
In an embodiment, the other computing system is non-by-passable.
In an embodiment, the communications protocol stack comprises a Transmission Control Protocol / Internet Protocol (TCP/IP) stack.
An embodiment comprises the step of determining whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
In an embodiment, the message processing rule may comprise at least one of a redirect message rule, a pass message rule, and a drop message rule.
Disclosed herein is a method for processing a plurality of messages. The method comprises the step of starting a hypervisor and hosting a guest machine and another guest machine on the hypervisor. The method comprises the step of redirecting a plurality of messages communicated between a communications protocol stack of the guest machine and a driver of the guest machine for a network interface for interfacing with a network to the other guest machine. The method comprises the step of processing the plurality of messages within the other guest machine and sending the plurality of messages so processed to the guest machine for the intercepting layer to receive and forward to one of the communications protocol stack and the driver. In an embodiment, the other guest machine comprises networking software for processing the plurality of messages.
In an embodiment, the networking software comprises at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
In an embodiment, the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
In an embodiment, the intercepting layer performs at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
In an embodiment, the communications protocol stack comprises a TCP/IP stack.
An embodiment comprises determining whether a message of the plurality of messages satisfies a rule and if so determined applying a message processing rule to the message of the plurality of messages.
Disclosed herein is non-transitory processor readable tangible media including program instructions which when executed by a processor causes the processor to perform a method disclosed above.
Disclosed herein is a computer program for instructing a processor, which when executed by the processor causes the processor to perform a method disclosed above.
Any of the various features of each of the above disclosures, and of the various features of the embodiments described below, can be combined as suitable and desired.
Brief description of the figures
Embodiments will now be described by way of example only with reference to the accompanying figures in which:
Figure 1 shows a block diagram for a prior art computing system.
Figure 2 shows an embodiment of a computing system.
Figure 3 shows a schematic block diagram of the architecture of the computing system.
Figure 4 is a schematic diagram of the computing system of figure 2 showing an example of an intercepting layer of the computing system of figure 2 in use.
Figure 5 shows a schematic diagram of the computing system of figure 2 wherein the intercepting layer is configured to redirect messages to a VPN module.
Figure 6 shows a schematic diagram of another embodiment of a computing system 80.
Figure 7 shows yet another embodiment of a computing system.
Figure 8 shows still yet another embodiment of a computing system.
Figure 9 shows a block diagram of an embodiment of a network router or gateway comprising an embodiment of a computing system.
Figure 10 shows a block diagram of an embodiment of a vehicle comprising an embodiment of a computing system.
Figure 11 shows a block diagram of an embodiment of a camera comprising an embodiment of a computing system.
Figure 12 shows a block diagram of an embodiment of an automated device comprising an embodiment of a computing system.
Figures 13 to 16 show flow diagrams for methods performed by an example of an intercepting layer.
Description of embodiments
Figure 2 shows an embodiment of a computing system generally indicated by the numeral 10. The computing system comprises a driver 12 in the form of a network interface driver for a network interface 15 for interfacing with a network 14 in the form of a communications network, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages 20 communicated between the communications protocol stack 16 and the driver 12.
The plurality of messages 20 comprises at least one of a plurality of inbound messages 17 communicated from the driver 12 to the communications protocol stack 16, and a plurality of outbound messages 19 communicated from the communications protocol stack 16 to the driver 12. The intercepting layer 18 is generally, but not necessarily, for at least one of intercepting the plurality of inbound messages 17 communicated from the driver 12 to the communications protocol stack 16, and for intercepting the plurality of outbound messages 19 communicated from the communications protocol stack 16 to the driver 12. Inbound messages 17 are those received via the network 14, and outbound message 19 are those to be sent via the network 14.
Figure 3 shows a schematic block diagram of the architecture of the computing system 10. The computing system 10 comprises a computing device 300 having a processor package 302. The processor package 302 comprises a single die 304 comprising a multi-core processor 306 comprising a plurality of processor cores 308. The processor package 302 comprises a case 310 encapsulating the die 304, which protects the die 304 and has electrical contacts in the form of pads for electrically connecting the package. An alternative processor package has a single microprocessor on the single die. The processor package 302 is in the form of a system-on-a-chip (SoC) or micro-controller. The processor package 302 may be mounted on a printed circuit board (PCB) 312, wherein the pads of the processor package 302 are soldered to contacts on the PCB 312. A printed circuit board assembly (PCBA), which comprises the PCB 312, the processor package 302 and optionally other electronics, is mounted in a computing device housing. An alternative embodiment of the computing device 300 comprises a plurality of intercommunicating microprocessor dies in the form of a multi-chip module, for example. Generally, any form of processor package may be used.
Examples of suitable processor packages 302, which may be within mobile phones and tablet computers for example, include the QUALCOMM SNAPDRAGON processors (including models 810, 820, and 821), SAMSUNG EXYNOS 8890, x86 processors including the INTEL ATOM processor, single core ARM CORTEX A5, multicore ARM CORTEX-A17, APPLE A9X, and APPLE A10. Generally, any suitable processor package may be used.
The computing system 10 runs an operating system 314 in the form of an open source operating system; however, in alternative embodiments it may not be an open source operating system. The open source operating system is in this embodiment GOOGLE ANDROID. Examples of operating systems that may be used in alternative embodiments include but are not limited to WINDOWS, MAC OS, iOS, BLACKBERRY OS, CHROME OS, UBUNTU, MINT, OPENWRT and BSD. The communications protocol stack 16 and the driver 12 may reside in the kernel 315 of the computing system's operating system 314, which is in this embodiment in the form of a LINUX kernel. The driver 12 and the communications protocol stack 16 have interfaces in the form of application programming interfaces (APIs) for intercommunication. In this but not all embodiments, the intercepting layer 18 is implemented by inserting a hook into the kernel 315 ("hooking"), whereby messages passed between the driver 12 and the communications protocol stack 16 are intercepted by the intercepting layer 18. The hook may be inserted into the kernel source code, which may then be compiled.
The network interface 15 comprises a network interface controller (NIC). The NIC may be in the form of an IEEE 802.3 ("Ethernet") NIC, an IEEE 802.11 ("Wi-Fi") NIC, a Bluetooth or other personal area network (PAN) protocol NIC, a Fibre Channel NIC, a Long Term Evolution (LTE) NIC, a NIC for a cellular network, a low power wide area network (LPWAN) protocol NIC, or generally any suitable form of NIC. The NIC may be in the form of a network interface card, or may be integrated with a motherboard, for example. The computing system 10 has a plurality of network interfaces 15, each comprising a network interface controller, for a plurality of networks, and the intercepting layer 18 may be configured for intercepting and/or redirecting messages to and/or from any one of the plurality of network interfaces 15. The driver 12 comprises software stored in processor memory 316 that operates the network interface 15. The driver 12 may communicate with the network interface 15 via a bus or communications subsystem. The computing system 10 comprises network address translation (NAT) software that operates at the network interface 15. The messages 20 may each comprise at least one protocol data unit in the form of, for example, a datagram, a packet, a frame, a cell, a chip, a data packet or a data segment for transmission over a network 14 or an internetwork connecting a plurality of computing systems. The protocol data units generally, but not necessarily, are in accordance with at least one of the IEEE 802.3 standards ("Ethernet"), the IEEE 802.11 standards ("Wi-Fi"), the TCP/IP standards (e.g. RFC 1122), or variants thereof; however, any suitable protocol data unit types may be used. One embodiment uses Ethernet frames having Ethernet packets as payloads. The protocol data units may generally have a header and a payload, and may comprise a footer, which may comprise a protocol data unit check sequence (e.g. CRC).
The header may comprise, for example, at least one of a destination MAC and/or IP address and a source MAC and/or IP address. The network interface controller may comprise a physical interface in the form of, for example, a network media connector such as an antenna or a network cable connector. In this but not all embodiments, the communications protocol stack 16 comprises an internet protocol layer and a transport layer, and may comprise at least some of the link layer. The communications protocol stack 16 is a TCP/IP stack; however, any suitable communications protocol stack may be used, for example a protocol stack in accordance with the Open Systems Interconnection (OSI) model. The TCP/IP stack may be configured for at least one of IPv4 and IPv6. The TCP/IP stack includes at least some, and generally but not necessarily all, of Internet Protocol (IP), Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Group Management Protocol (IGMP). In addition to IP, ICMP, TCP and UDP, implementations configured for IPv6 include Neighbour Discovery Protocol (NDP), ICMPv6 and IGMPv6, and may include an integrated IPSec security layer. The communications protocol stack 16 may have routing tables for dynamic routing rules.
Program instructions in the form of application software, for example software implementing an application layer protocol such as HTTP, FTP or SSH, may request communication services from the communications protocol stack 16. In embodiments described herein with a LINUX kernel (for example the ANDROID kernel), the application software generally instructs a BSD socket interface implemented by the LINUX kernel to open a socket for a network address comprising an internet protocol address. In one example, a web browser implementing the HTTP protocol opens a TCP socket; however, other applications may generally open any suitable type of socket, including a UNIX socket and transport layer sockets, examples of which include but are not limited to a UDP socket and a DCC socket. The intercepting layer 18 is, in this but not all embodiments, configured to inspect the messages 20 in order to apply at least one message processing rule to the messages 20. The intercepting layer extracts information from the messages 20 and, in a comparator 21 in the form of a computer software module, compares the extracted information to a rule value. For example, the extracted information may be a sender address, and the rule value may be a predetermined sender or destination network address. In this example the comparator determines whether the extracted information matches the rule value; in another example the comparator may determine whether the extracted information does not match the rule value, or is less than or greater than the rule value, or generally may use any suitable Boolean logic or other system for comparison. The at least one message processing rule may include, for example, a message filtering rule, a message modification rule, a message routing rule, and generally any suitable rule. The rules may be stateful or stateless. The header and/or payload may be inspected.
The intercepting layer 18 may be configured to apply message processing rules to a message when the intercepting layer determines that the message satisfies a message condition. The messages 20 intercepted by the intercepting layer 18 may be routed to at least one message processor 31 in the form of a message processing network module, examples of which include but are not limited to inline firewalls, encryptors, VPN applications, data redirects, communications monitoring software, communications logging software, antivirus software, cross domain filtering software, routers, bridges, packet logging, data monitoring, and any other simple and/or complex network primitives. The modules may comprise at least one of a software module and a hardware module. The message processor 31 is in this embodiment external to the computing system 10; however, in an otherwise identical embodiment the message processor 31 is internal to the computing system. Alternatively, the intercepting layer 18 may manipulate and/or modify the messages 20 before forwarding them on.
According to some rules implemented by the comparator and/or configurations, the intercepting layer 18 may modify and redirect, pass, or drop messages (i.e. stop a message being transmitted further).
The intercepting layer 18 generally may introduce a strong layer of separation between the communications protocol stack 16 and the driver 12. The intercepting layer 18 may be used to implement the addition of non-by-passable network modules, examples of which include but are not limited to a firewall and a VPN client or other network security module in the form of, for example, an application. Because the intercepting layer 18 is embedded in the kernel, the non-by-passable network elements may not be easily altered, if at all, by the communications network stack 16 or upper levels of software, and these may not be accessible by malware or users. This may enhance security.
Figure 4 is a schematic diagram showing the computing system 10 with the intercepting layer 18 in use. Path 23 shows the path the messages 20 would take through the computing system and between the driver 12 and the communication protocol stack 16 with the intercepting layer 18 merely forwarding the messages 20 (or absent), in a manner similar to that within the prior art computing system 1. In this case the comparator has determined that a rule to pass the message to the protocol stack 16 has been satisfied. Another message path is Path 25, in which the intercepting layer 18 redirects the received messages 20 to another network node 31 in the form of the message processor via another driver 13 for another network interface. In this case, the comparator has determined that a rule to redirect the message to the other network node 31 has been satisfied. The other node 31 is in this embodiment the message processor 31 in the form of another computing system comprising networking software for processing the plurality of messages 20. The networking software may comprise, for example, at least one of Virtual Private Network (VPN) software, firewall software, encryption software, data redirect software, router software, and bridge software. The other computer system is configured in this embodiment to send those of the plurality of messages so processed to the computing system 10, where they take path 29 to the communications protocol stack 16. While the other node 19 is of another network 29, it may in another embodiment be of the same network 14.
Figure 5 shows a schematic diagram of the computing system 10 wherein the intercepting layer 18 is configured to redirect messages to another computing system 50 which comprises a VPN module 21 in the form of VPN application software. The other computing system 50 is generally a separate execution environment in the form of a physical or virtual machine having its own communications protocol stack 52, inter computing system driver 54 (similar and/or identical to inter computing system driver 22) and intercepting layer 56, and may comprise a protected network stack. All inbound messages for the communications protocol stack 16 may pass through the VPN module 21. In the embodiment of figure 5, the computing system 10 comprises a hypervisor running the other computing system 50 and a virtual machine comprising at least the driver 12, communications protocol stack 16 and intercepting layer 18. In an otherwise identical embodiment, the other computing system 50 hosts a hypervisor hosting the computing system 10 as a virtual machine. The intercepting layer 18 is used to add an additional communications protocol stack, without radically changing the system or drivers. The messages may be tagged, for example by adding another header to the protocol data units. The tag may comprise information indicative of at least one of where the packet is from, whether the packet is internal or external, and which network it is intended for. The intercepting layer 18 may tag the messages.
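The comparator, the pass/redirect/drop rules and the tagging of redirected messages described above can be modelled in user space. The following Python is an added illustration, not code from the patent or from the applicant: an `AnnexeLayer` extracts header fields from each Ethernet frame, consults an ordered rule table, and either passes the frame to the local stack, drops it, or prepends a tag and hands it to an inter-machine driver sink, optionally rewriting the destination MAC first. The frame layouts are standard Ethernet/IPv4; the tag header format, the rule set, the MAC and IP values and the sink callables are all constructed assumptions.

```python
import operator
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    PASS = "pass"          # forward unchanged to the local communications protocol stack
    REDIRECT = "redirect"  # hand to the inter-machine driver for the other computing system
    DROP = "drop"          # stop the message from travelling any further


@dataclass(frozen=True)
class Rule:
    field: str                           # extracted header field the comparator inspects
    op: str                              # "eq", "ne", "lt" or "gt"
    value: object                        # rule value the extracted field is compared against
    action: Action
    new_dst_mac: Optional[bytes] = None  # optional modification applied before redirecting


ETH = struct.Struct("!6s6sH")   # Ethernet header: destination MAC, source MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
TAG = struct.Struct("!BBH")     # assumed tag header: direction, external flag, network id
OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt, "gt": operator.gt}


def extract(frame: bytes) -> dict:
    """Pull the comparable fields out of an Ethernet frame. Non-IPv4 frames (ARP,
    EAPOL, ...) only yield link-layer fields, so rules on IP fields cannot match them."""
    if len(frame) < ETH.size:
        raise ValueError("runt frame")
    dst, src, etype = ETH.unpack_from(frame)
    info = {"dst_mac": dst, "src_mac": src, "ethertype": etype}
    ip = frame[ETH.size:]
    if etype == ETHERTYPE_IPV4 and len(ip) >= 20:
        ihl = (ip[0] & 0x0F) * 4
        info.update(ip_proto=ip[9], src_ip=ip[12:16], dst_ip=ip[16:20])
        if ip[9] in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP ports follow the IP header
            info["src_port"], info["dst_port"] = struct.unpack_from("!HH", ip, ihl)
    return info


def compare(info: dict, rule: Rule) -> bool:
    """The comparator: does the extracted field satisfy the rule value?"""
    return rule.field in info and OPS[rule.op](info[rule.field], rule.value)


class AnnexeLayer:
    """Sits between the NIC driver and the protocol stack. The first matching rule
    decides, otherwise the default applies; the three sinks stand in for real drivers."""
    INBOUND, OUTBOUND = 1, 2

    def __init__(self, rules, to_stack, to_nic, to_other, network_id, default=Action.REDIRECT):
        self.rules, self.network_id, self.default = list(rules), network_id, default
        self.to_stack, self.to_nic, self.to_other = to_stack, to_nic, to_other

    def inbound(self, frame: bytes) -> Action:    # received by the NIC, heading for the stack
        return self._process(frame, self.INBOUND, self.to_stack)

    def outbound(self, frame: bytes) -> Action:   # from the stack, heading for the NIC
        return self._process(frame, self.OUTBOUND, self.to_nic)

    def _process(self, frame: bytes, direction: int, pass_sink) -> Action:
        info = extract(frame)
        rule = next((r for r in self.rules if compare(info, r)), None)
        action = rule.action if rule else self.default
        if action is Action.PASS:
            pass_sink(frame)
        elif action is Action.REDIRECT:
            if rule and rule.new_dst_mac:             # modify the message before redirecting
                frame = rule.new_dst_mac + frame[6:]
            external = 1 if direction == self.INBOUND else 0
            self.to_other(TAG.pack(direction, external, self.network_id) + frame)
        return action                                 # DROP forwards nothing


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, src_port, dst_port) -> bytes:
    """Constructed sample: Ethernet + minimal IPv4 header + ports, no checksum or payload."""
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 24, 0, 0, 64, proto, 0)
    ip += bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
    return ETH.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + struct.pack("!HH", src_port, dst_port)


def demo() -> dict:
    """Constructed scenario: TCP is non-bypassably redirected to a VPN guest (MAC rewritten),
    ARP is allowed straight through to the stack, telnet is dropped, UDP takes the default."""
    stack, nic, other = [], [], []
    local_mac, gw_mac = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\xfe"
    vpn_vm_mac = b"\x02\x00\x00\x00\x00\x50"          # all MACs constructed, locally administered
    rules = [
        Rule("ethertype", "ne", ETHERTYPE_IPV4, Action.PASS),                # non-IP: no redirect
        Rule("dst_port", "eq", 23, Action.DROP),                             # filtering rule
        Rule("ip_proto", "eq", 6, Action.REDIRECT, new_dst_mac=vpn_vm_mac),  # TCP via VPN guest
    ]
    layer = AnnexeLayer(rules, stack.append, nic.append, other.append, network_id=14)
    arp = ETH.pack(b"\xff" * 6, gw_mac, 0x0806) + bytes(28)
    telnet = build_frame(local_mac, gw_mac, "203.0.113.9", "192.0.2.10", 6, 40000, 23)
    https = build_frame(local_mac, gw_mac, "203.0.113.9", "192.0.2.10", 6, 40001, 443)
    dns = build_frame(gw_mac, local_mac, "192.0.2.10", "203.0.113.53", 17, 50000, 53)
    actions = {"arp": layer.inbound(arp), "telnet": layer.inbound(telnet),
               "https": layer.inbound(https), "dns": layer.outbound(dns)}
    return {"actions": actions, "stack": stack, "nic": nic, "other": other}
```

A real deployment would hook the kernel's driver/stack boundary rather than call `inbound()`/`outbound()` directly, and the rule table would be loaded from the guest that the operating system cannot modify.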
The VPN module 21 may generally use any suitable VPN standard, for example Internet Protocol Security (IPSEC), Transport Layer Security (SSL/TLS), Datagram Transport Layer Security (DTLS), Microsoft Point-to-Point Encryption (MPPE), Secure Socket Tunnelling Protocol (SSTP), and Secure Shell (SSH) VPN.
A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines. A computing device on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine. The hypervisor presents the guest operating systems with a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of operating systems may share the virtualized hardware resources: for example, Linux, Windows, and OS X instances can all run on a single physical x86 machine. This contrasts with operating-system-level virtualization, where all instances (usually called containers) must share a single kernel, though the guest operating systems can differ in user space, such as different Linux distributions with the same kernel. In this embodiment, the hypervisor used is a type 1 hypervisor (a "native" or "bare-metal" hypervisor), in which the processor package is configured to support a type 1 hypervisor; however, a type 2 hypervisor (a "hosted" hypervisor) may be used. A type 1 hypervisor may be more secure than a type 2 hypervisor because if one execution environment is compromised, the other isn't. The guest machine may alternatively be a container.
The other inter machine communication driver 54 is for receiving the redirected plurality of messages 20. The other driver 54 is generally not visible to and/or connected directly to the computing system's communications protocol stack. On the other computing system 50, the other driver 54 is connected to the other computing system's network message processing software (the communications network stack 52 or otherwise). The drivers 22, 54 use shared memory and software interrupts supported by the hypervisor for communications between the intercepting layers 18, 56. The software interrupt is used to alert the computing systems to information put into shared memory. Communication between the intercepting layers 18, 56 may be performed using any suitable method. The communications network stack 16 and/or application software 24 running on the computing system 10 is not aware of the VPN connection, and operates as if there were a direct connection to a remote local area network. The intercepting layer 18, in this but not all embodiments, may be configured for non-redirection and/or non-interception of messages satisfying non-redirection and/or non-interception rules (for example, rules based on the time of day, on being connected to a trusted network, on the message being a Wi-Fi access point negotiation message, which is not a TCP/IP message, or on the message being allowed to by-pass by the filter criteria).
The intercepting layer may be transparent to user space applications on the host, and most of the kernel (e.g. the IP stack). The intercepting layer may alternatively be at least in part or fully opaque, for example by returning a warning and/or a denied message if a user tried to browse a blacklisted site.
The intercepting layer 18 is particularly useful when combined with virtualisation, which allows the implementation of a protected network stack for complex processing of the messages, separate from the computer system's operating system. This could be implemented using two physical machines, or a single physical machine supporting multiple virtual machines using a hypervisor, for example.
Figure 6 shows an embodiment of a computing system 80 in the form of a host computing device. Parts having similar and/or identical form to those in other figures are similarly numbered. The host computing device 80 is in the present embodiment in the form of a smart phone; however, it may be in the form of a tablet computer or generally any suitable form of computing device. The host computing device 80 comprises a hypervisor 86 in the form of a bare metal hypervisor. The hypervisor is configured to run a plurality of virtual machines 82, 84. Communication between the plurality of virtual machines is via inter machine communication drivers and shared memory; however, communication may be by any suitable method. The hypervisor 86 is stored in non-volatile memory in the form of flash memory. The computing system's boot starts the hypervisor and the plurality of virtual machines 82, 84. The computing system 10, 80 may have multiple layers of VPN encryption. This may be done without extensive re-engineering of the software stack or new hardware. A second VPN client may run in the application layer 24 of the computing system 10, in the communications protocol stack 18 of the computing system 10, or in both. Alternatively, the second VPN client may reside partly or wholly in hardware. This 2-layer VPN approach provides defence-in-depth. The VPN client in the application layer 24 does not need to be aware of the VPN at the communications protocol stack 16.
The two VPNs may greatly increase security because they generally require different techniques to be compromised, especially if the VPN protocol used within the communications protocol stack 16 is different than the VPN protocol used within the application layer. In the above embodiments, the intercepting layer 18 may send an intercepted message of the plurality of messages 20 to the communications protocol stack 16, may send it to the other computing system 50, may block it, or may modify it in accordance with messaging rules.
Sensitive network functions are protected by making them invisible to the communications protocol stack 16. The intercepting layer 18 may change the MAC and/or IP address of the messages 20 prior to redirection. The redirected messages are processed at the other node or computing system or virtual machine, and then the processed message is sent to the driver 13 and subsequently received by the communications protocol stack 16.
Consequently, inline network elements may be added to extend a physical and/or virtual network to support multiple other networking components sharing the network independent of the communications protocol stack 16. The other networking components may be hidden from the communications protocol stack 16, and may not be supported by it. In an alternative embodiment, the other computing system comprises a core of the multi-core processor.
Figure 7 shows yet another embodiment of a computing system 100. The computing system 100 hosts a plurality of guest machines 102, 104, 106. The computing system 100 has a plurality of intercepting layers 118, 120, 122 for intercepting a plurality of messages communicated between a communications protocol stack 116 thereof and a driver 112 thereof. Parts similar or identical in form and/or function to parts in figures 1 to 5 are similarly numbered and prefixed by "1". The drivers 112 are for a network interface for interfacing with a network. Each guest machine implements different messaging rules.
Each of the plurality of intercepting layers 118, 120, 122 sends a plurality of messages to a respective one of the guest machines 102, 104, 106. The plurality of guest machines 102, 104, 106 may each identify and process different types of messages. For example, guest machine 102 may identify and process VPN messages, guest machine 104 may identify and process telemetry messages, and guest machine 106 may identify and process firmware updates. Parts 400, 404 and 408 are intercepting layers. Machine 106 comprises an OTA update software client 402. Machine 104 comprises a logging software module. Machine 102 comprises a VPN software module.
Figure 8 shows still yet another embodiment of a computing system 200. Network access for a plurality of guest machines 202, 204 is now described with reference to figure 8. The computing system 200 comprises drivers 212 for a network interface for interfacing with at least one network, a communications protocol stack 216, an intercepting layer 218 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 216 and the driver 212, and inter-machine communication drivers 220, 222. The network access may be, for example, in the form of an application for mobile device management (MDM) or over-the-air (OTA) firmware updating, or generally any form of network access. The MDM or OTA firmware update functionality may reside in the different guest machines 202, 204. The guest machines 202 and 204 comprise intercepting layers 206, 208. Machine 202 comprises a firewall software module 210. Machine 204 comprises OTA firmware updating software module 212. The computer system firmware may require updating, for example with bug fixes or a new feature. The intercepting layer 218 allows a path for traffic between the OTA client on the computing system 200 and an OTA server, for example, without any support from the primary operating system other than providing the network drivers. The OTA update traffic may be terminated within a communications protocol stack within one of the guest machines 202, 204, or forwarded to another dedicated virtual machine that is configured to manage updates. This may happen independently of and transparently to any of the application software running in other guest machines. One or more physical network connections may be shared and serve more than one purpose, for example both secure OTA traffic and normal application network traffic. OTA is an example of one of the typical functions of an MDM. Other MDM functions may include policy management, remote device kill, device tracking, and device auditing. The guest machine may run a network router application. Application 214 receives and sends messages to the stack 216.
Figures 13 to 16 show flow diagrams for methods that may be performed by the intercepting layer 18 of the embodiments described herein.
Example 1
In an example, the computing system 10 is a computing device in the form of a smart phone 10. The smart phone has a QUALCOMM SNAPDRAGON 821 processor, 4 GB of RAM, 32 GB of FLASH memory, and comprises an ANDROID operating system. The smart phone is a GOOGLE PIXEL; however, it may generally be any suitable smart phone, examples of which include a SONY XPERIA and an APPLE IPHONE.
The smart phone 10 may have a software-isolated VPN software in the form of a VPN client that is independent of the operating system, as shown in figure 5, while the operating system still provides network services to application software. Messages may be non by-passably routed through the VPN, and then back to intercepting layer 16 for forwarding.
Example 2
In an example, the computing system 10 is a computing device in the form of a tablet computer. The tablet computer 10 is a GOOGLE PIXEL C with 64 GB of FLASH memory, 3 GB of RAM, an NVIDIA TEGRA X1 chip set including a 1.9 GHz quad-core processor, and comprises Android v6.0.1. The tablet computer may alternatively be, for example, an APPLE IPAD.
Example 3
Figure 9 shows a block diagram of an embodiment of a network router or gateway 59 in the form of a wireless network router comprising an embodiment of a computing system 60, where parts similar or identical in form and/or function to parts in figures 1 to 5 are similarly numbered. The computing system 60 hosts another computer system 62 comprising a protected network stack 64 in communication with a firewall application 66. The computing system 60 comprises drivers 12 for a network interface for interfacing with a network 14, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12. The intercepting layer 18 is configured to redirect messages to the other computing system 62.
At least one application, for example a firewall 67, may be run in the guest machine 62. Other applications may be run external to the guest machine 62. The other applications may include, for example, a network router application 66, a web server application 68, and a media server 70. Alternatively, one or more of these applications may be run within the guest machine 62 or another virtual machine hosted by the computing system 60. A hacker that compromises one virtual machine may not gain control of another application in another real or virtual machine. A plurality of virtual machines may benefit software development and configuration management.
An example of a suitable network router 59 is a LINKSYS WRT1900AC wireless router, which supports LINUX, OPENWRT and OPENVPN. The router has a dual-core Marvell Armada 370/XP CPU with 256 MB of RAM and 128 MB of flash storage. Additional storage may be attached to the WRT1900AC using its USB 3.0 and eSATA ports.
A multi-level (for example a 2 level) VPN connection may be established.
Example 4
Figure 10 shows a block diagram of an embodiment of a vehicle 72 comprising an embodiment of a computing system 61, where parts similar or identical in form and/or function to parts in figures 1 to 5 are similarly numbered. The computing system 61 is in communication with a network or internetwork (e.g. the Internet) via, for example, a wireless cellular network, a Wi-Fi network, an internet-of-things network, etc. for communication with, for example, cloud services. The vehicle may be a car, truck, boat, airplane, or generally any suitable form of vehicle. The computing system 61 may be in the form of, for example, a navigation system, an entertainment system, a performance telemetry system, a location tracking system, or generally any suitable computing system. The computing system 61 comprises drivers 12 for a network interface for interfacing with a network 14, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12. The intercepting layer 18 is configured to redirect messages to the other computing system 62, which in this but not all embodiments is a guest machine hosted by the computing system 61. The computing system 61 hosts a guest machine 62 comprising a protected network stack 64 in communication with a filtering and/or VPN application 66.
Example 5
Figure 11 shows a block diagram of an embodiment of a camera 74 comprising a computing system 63, where parts similar or identical in form and/or function to parts in figures 1 to 4 are similarly numbered. The computing system 63 is in communication with a network 14 or internetwork (e.g. the Internet) via, for example, a wireless cellular network, a Wi-Fi network, an internet-of-things network, etc. for communication with, for example, cloud services. This may allow, for example, syncing of photos to cloud storage and network-based location tagging. Such cameras may be vulnerable to attack. Distributed denial of service attacks may use compromised computing systems of network attached cameras. The computing system 63 comprises drivers 12 for a network interface for interfacing with a network, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12. The intercepting layer 18 is configured to redirect messages to the other computing system 62, which in this but not all embodiments is a guest machine hosted by the computing system 63. The computing system 63 hosts a guest machine 62 comprising a protected communications protocol stack 64 in communication with a filtering and/or VPN application 66.
Example 6
Figure 12 shows a block diagram of an embodiment of an automated device 76 for home or industrial use, for example in the form of a thermostat, light, garage door control, swimming pool heater and/or filter, burglar alarm, door lock or generally any suitable device. The automated device 76 comprises a computing system 65, where parts similar or identical in form and/or function to parts in figures 1 to 4 are similarly numbered. The computing system 65 is in communication with a network or internetwork (e.g. the Internet) via, for example, a wireless cellular network, a Wi-Fi network, an internet-of-things network, etc. for communication with, for example, cloud services. Such devices may be vulnerable to attack. Distributed denial of service attacks may use compromised automated devices as slaves. The computing system 65 comprises drivers 12 for a network interface for interfacing with a network 14, a communications protocol stack 16, and an intercepting layer 18 ("annexe layer") for intercepting a plurality of messages communicated between the communications protocol stack 16 and the driver 12. The intercepting layer 18 is configured to redirect messages to the other computing system 62, which in this but not all embodiments is a guest machine hosted by the computing system 65. The computing system 65 hosts a communications protocol stack 64 in communication with a filtering and/or VPN application 66.
Other Examples
The computing system 10 may take any suitable form, further examples of which include but are not limited to a personal computer and a laptop computer.
Variations and/or modifications may be made to the embodiments described without departing from the spirit or ambit of the invention. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive. Reference to a feature disclosed herein does not mean that all embodiments must include the feature.
Prior art, if any, described herein is not to be taken as an admission that the prior art forms part of the common general knowledge in any jurisdiction.
In the claims which follow and in the preceding description of the invention, except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, that is to specify the presence of the stated features but not to preclude the presence or addition of further features in various embodiments of the invention.

Claims
1. A computing system comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and an intercepting layer for intercepting a plurality of messages communicated between the communications protocol stack and the driver.
2. A computing system defined by claim 1 wherein the intercepting layer is configured for redirecting the plurality of messages when so intercepted to another computing system configured for processing the at least some of the plurality of messages.
3. A computing system defined by claim 2 wherein the other computing system comprises networking software for processing the plurality of messages.
4. A computing system defined by claim 3 wherein the networking software comprises at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
5. A computing system defined by any one of the claims 2 to 5 wherein the other computing system is configured to send the plurality of messages, after processing, to the computing system for processing by the communications protocol stack.
6. A computing system defined by any one of the claims 2 to 5 wherein the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
7. A computing system defined by claim 6 wherein the intercepting layer is configured for at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
8. A computing system defined by any one of the claims 6 to 7 wherein the other computing system is configured to send the plurality of outbound messages to the computing system for transmission to the network by the driver.
9. A computing system defined by any one of the claims 2 to 8 wherein the other computer system is configured to send those of the plurality of messages so processed to the computing system for processing by the communications protocol stack.
10. A computing system defined by any one of the claims 1 to 9 wherein the intercepting layer comprises a comparator operable to determine whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
11. A computing system defined by claim 10 wherein the message processing rule comprises at least one of a redirect message rule, a pass message rule, and a drop message rule.
12. A computing system defined by any one of the claims 2 to 11 wherein the other computing system comprises a processor core of the computing system.
13. A computing system defined by any one of the preceding claims comprising a hypervisor hosting at least one of the other computing system and a virtual machine comprising the driver, communications protocol stack and intercepting layer.
14. A computing system defined by any one of the preceding claims comprising a hypervisor hosting at least one of the other computing system and the computing system.
15. A computing system defined by any one of the preceding claims wherein the intercepting layer is not by-passable.
16. A computing system defined by any one of the preceding claims wherein the communications protocol stack comprises a Transmission Control Protocol / Internet Protocol (TCP/IP) stack.
17. A computing system defined by any one of the preceding claims comprising a computing device comprising an outer device housing.
18. A computing system comprising a hypervisor hosting a guest machine and another guest machine, the guest machine comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and an intercepting layer for intercepting a plurality of messages communicated between the communications protocol stack and the driver and redirecting the plurality of messages so intercepted to the other guest machine, wherein the other guest machine comprises a message processor for processing the plurality of messages and sending the plurality of messages so processed to the guest machine for the intercepting layer to receive and forward to one of the communications protocol stack and the driver.
19. A computing system defined by claim 18 wherein the guest machine and the other guest machine each comprise an inter machine communications driver in communication for communication of the plurality of messages between the guest machine and the other guest machine.
20. A computing system defined by claim 19 wherein the other guest machine comprises a communications network stack in intermediate communication with the guest machine's inter machine communications driver and application software.
21. A computing system defined by any one of the claims 18 to 20 wherein the hypervisor is a bare metal hypervisor.
22. A computing system defined by any one of the claims 18 to 21 wherein the message processor comprises networking software for processing the plurality of messages.
23. A computing system defined by claim 22 wherein the networking software comprises at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
24. A computing system defined by any one of the claims 18 to 23 wherein the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
25. A computing system defined by claim 24 wherein the intercepting layer is configured for at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
26. A computing system defined by any one of the claims 18 to 25 wherein the intercepting layer is non-by-passable.
27. A computing system defined by any one of the claims 18 to 26 wherein the communications protocol stack comprises a TCP/IP stack.
28. A computing system defined by any one of the claims 18 to 27 wherein the intercepting layer comprises a comparator operable to determine whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
29. A computing system defined by claim 28 wherein the message processing rule comprises at least one of a redirect message rule, a pass message rule, and a drop message rule.
30. A computing system comprising a driver for a network interface for interfacing with a network, a communications protocol stack, and a plurality of intercepting layers, each of the plurality of intercepting layers being for intercepting the plurality of messages communicated between the communications protocol stack and the driver, wherein each of the plurality of intercepting layers forward at least one of the plurality of messages to another computing system for processing.
31. A method for processing a plurality of messages, the method comprising an intercepting layer intercepting a plurality of messages which are communicated between a communications protocol stack within a computing system and a driver for the computing system's network interface controller.
32. A method defined by claim 31 comprising redirecting the plurality of messages so intercepted to another computing system for processing of the plurality of messages.
33. A method defined by claim 32 wherein the redirected plurality of messages are processed in networking software.
34. A method defined by any one of claim 32 and claim 33 wherein the plurality of messages so processed are sent to the computing system.
35. A method defined by any one of the claims 32 to 34 wherein the plurality of messages are redirected to the other computing system.
36. A method defined by claim 35 comprising a hypervisor hosting at least one of the other computing system and a virtual machine comprising the driver, communications protocol stack and intercepting layer.
37. A method defined by any one of the claims 32 to 36 wherein the other computing system hosts a hypervisor that hosts the computing system.
38. A method defined by any one of the claims 32 to 37 wherein a hypervisor hosts the computing system and the other computing system.
39. A method defined by any one of the claims 32 to 38 wherein the other computing system is non-by-passable.
40. A method defined by any one of the claims 2 to 39 wherein the communications protocol stack comprises a Transmission Control Protocol / Internet Protocol (TCP/IP) stack.
41. A method defined by any one of the claims 31 to 40 comprising the step of determining whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
42. A method defined by claim 41 wherein the message processing rule comprises at least one of a redirect message rule, a pass message rule, and a drop message rule.
43. A method for processing a plurality of messages, the method comprising the steps of:
starting a hypervisor and hosting a guest machine and another guest machine on the hypervisor;
redirecting a plurality of messages communicated between a communications protocol stack of the guest machine and a driver of the guest machine for a network interface for interfacing with a network to the other guest machine;
processing the plurality of messages within the other guest machine and sending the plurality of messages so processed to the guest machine for the intercepting layer to receive and forward to one of the communications protocol stack and the driver.
44. A method defined by claim 43 wherein the other guest machine comprises networking software for processing the plurality of messages.
45. A method defined by claim 44 wherein the networking software comprises at least one of Virtual Private Network (VPN) client software, firewall software, encryption software, data redirect software, router software, communications monitoring software, communications logging software, antivirus software, cross domain filtering software and bridge software.
46. A method defined by any one of the claims 43 to 45 wherein the plurality of messages comprises at least one of a plurality of inbound messages communicated from the driver to the communications protocol stack and a plurality of outbound messages communicated from the communications protocol stack to the driver.
47. A method defined by any one of the claims 43 to 46 comprising the intercepting layer at least one of redirecting the plurality of inbound messages when so intercepted and redirecting the plurality of outbound messages when so intercepted.
48. A method defined by any one of the claims 43 to 47 wherein the communications protocol stack comprises a TCP/IP stack.
49. A method defined by any one of the claims 43 to 48 comprising determining whether a message of the plurality of messages satisfies a rule and if so determined apply a message processing rule to the message of the plurality of messages.
50. A computer program for instructing a processor, which when executed by the processor causes the processor to perform a method defined by any one of the claims 31 to 49.
51. Non-transitory processor readable tangible media including program instructions which when executed by a processor causes the processor to perform a method defined by any one of the claims 31 to 49.
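The message flow of figure 12 and claims 6 to 11, as a constructed Python model added here (not the patent's or Cog Systems' code): the annexe layer's comparator applies pass, drop or redirect rules to inbound and outbound frames, and redirected frames go to a stand-in for the filtering/VPN guest that encapsulates outbound traffic and drops un-tunnelled inbound traffic. The dict message format, the rule set and the VPN_GATEWAY address are assumptions.

```python
"""Model of the intercepting ("annexe") layer placed between a protocol stack
and a NIC driver (figure 12; claims 6 to 11 and 15).

Constructed example, not the patent's or Cog Systems' code: messages are dicts
standing in for frames, and the "other computing system" is a plain function
rather than a guest machine, but the flow is the one the patent describes.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

VPN_GATEWAY = "203.0.113.1"  # constructed placeholder address (TEST-NET-3 range)


@dataclass
class Rule:
    matches: Callable[[dict, str], bool]  # comparator predicate (claim 10)
    action: str  # "pass", "drop" or "redirect" (claim 11)


@dataclass
class AnnexeLayer:
    rules: list
    other_system: Callable[[dict, str], Optional[dict]]
    log: list = field(default_factory=list)

    def intercept(self, msg: dict, direction: str) -> Optional[dict]:
        """Return the message to forward to the stack (inbound) or the driver
        (outbound), or None when it is dropped."""
        # First matching rule wins. With no match the frame is redirected, so
        # the other system sees everything that is not explicitly passed or
        # dropped: the layer cannot be bypassed (claim 15).
        action = next((r.action for r in self.rules if r.matches(msg, direction)),
                      "redirect")
        self.log.append((direction, msg["proto"], action))
        if action == "drop":
            return None
        if action == "pass":
            return msg
        return self.other_system(msg, direction)


def vpn_guest(msg: dict, direction: str) -> Optional[dict]:
    """Stand-in for the filtering/VPN application 66 in the other system."""
    if direction == "outbound":
        # Encapsulate: the original frame becomes the payload of a tunnel packet
        # addressed to the VPN gateway, and goes back to the driver that way.
        return {"proto": "tunnel", "dst": VPN_GATEWAY, "payload": msg}
    if msg["proto"] == "tunnel" and msg.get("src") == VPN_GATEWAY:
        return msg["payload"]  # decapsulate and hand the inner frame to the stack
    return None  # firewall: inbound traffic outside the tunnel is dropped


def build_layer() -> AnnexeLayer:
    """Assumed rule set: DHCP passes untouched (needed before the tunnel is up),
    inbound telnet is dropped, everything else is redirected to the guest."""
    rules = [
        Rule(lambda m, d: m["proto"] == "dhcp", "pass"),
        Rule(lambda m, d: d == "inbound" and m["proto"] == "telnet", "drop"),
    ]
    return AnnexeLayer(rules, vpn_guest)
```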

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2016903928 2016-09-27
AU2016903928A AU2016903928A0 (en) 2016-09-27 A network connectable computing system and a method for processing a plurality of messages

Publications (1)

Publication Number Publication Date
WO2018058182A1 true WO2018058182A1 (en) 2018-04-05

Family

ID=61762366

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2017/051054 WO2018058182A1 (en) 2016-09-27 2017-09-27 A network connectable computing system and a method for processing a plurality of messages

Country Status (1)

Country Link
WO (1) WO2018058182A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6678734B1 (en) * 1999-11-13 2004-01-13 Ssh Communications Security Ltd. Method for intercepting network packets in a computing device
US20060069544A1 (en) * 2004-09-30 2006-03-30 Microsoft Corporation Network emulator architecture
US20090296685A1 (en) * 2008-05-29 2009-12-03 Microsoft Corporation User-Mode Prototypes in Kernel-Mode Protocol Stacks
US20130138944A1 (en) * 2009-04-05 2013-05-30 Moso LEE Methods and systems for modifying disk images to provide network interface card teaming capabilities

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MESSAOUDI, K.: "Network traffic filtering technologies for Windows", 13 September 2016 (2016-09-13), XP055498665, Retrieved from the Internet <URL:https://web.archive.org/web/20160913044913/https://briolidz.wordpress.com/2011/12/20/network-traffic-filtering-technologies-for-windows> [retrieved on 20180119] *

Legal Events

Date Code Title Description
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17854244

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 07/08/2019)

122 Ep: pct application non-entry in european phase

Ref document number: 17854244

Country of ref document: EP

Kind code of ref document: A1