WO2021152740A1 - Network device, computing method and computer readable medium - Google Patents
- Publication number: WO2021152740A1 (application PCT/JP2020/003224)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- packet
- program
- network
- network device
- queue
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
Definitions
- the present disclosure relates to a network device, computing method and computer readable medium.
- trusted computing techniques include secure boot (measuring the integrity of the BIOS, OS and applications using secure hardware such as a Trusted Platform Module) and attestation (verifying whether a program has been compromised).
- various trusted computing systems and methods are being considered, as in Patent Literatures 1 to 6.
- Patent Literature 1 discloses a system, method and computer program product for guaranteeing a data transaction over a network.
- Patent Literature 2 discloses an anti-virus method and apparatus and a firewall device, to solve the problem of low processing performance caused by performing AV detection on a file in a compressed format.
- Patent Literature 3 discloses a method and apparatus for securely and efficiently managing packet buffers between protection domains on an intra-partitioned system using packet queues and triggers.
- Patent Literature 4 discloses a method and system for network access control.
- Patent Literature 5 discloses a method, a computing device and a computer program product for detecting a threat in a communications network.
- Patent Literature 6 discloses a communication apparatus capable of improving resistance to data-plane attacks to enhance network security.
- PTL 1: International Publication No. WO2004/015524
- PTL 2: EP Patent Application Publication No. 2797278
- PTL 3: US Patent Application Publication No. 2008/0244725
- PTL 4: US Patent Application Publication No. 2017/0339172
- PTL 5: US Patent Application Publication No. 2014/0259160
- PTL 6: International Publication No. WO2018/055654
- Time-of-Check Time-of-Use (ToCToU) for outgoing packets: with periodic integrity measurement alone, there is no guarantee that every outgoing packet was sent by trusted (non-tampered) software; packets sent between a tampering event and the next check are sent by tampered software.
- a purpose of the present disclosure is to provide a network device, computing method and computer readable medium capable of protecting network device(s) and keeping it secure during its operation.
- One aspect of a network device is a network device comprising: a monitoring means configured to measure the integrity of at least one program repeatedly; and a packet queue configured to queue at least one packet sent by the program, wherein the monitoring means is configured to send a trigger to the packet queue when the measurement result indicates integrity, and the packet queue is configured to send the queued packet(s) to a network when it receives the trigger.
- One aspect of a computing method according to the present invention is a computing method performed by a network device, comprising: measuring the integrity of at least one program repeatedly; queueing at least one packet sent by the program; sending a trigger to the packet queue when the measurement result indicates integrity; and sending the packet(s) sent by the program to a network when the packet queue receives the trigger.
- One aspect of a computer readable medium is a non-transitory computer readable medium storing a program that causes a computer to execute: a measuring step of measuring the integrity of at least one program repeatedly; a queueing step of queueing at least one packet sent by the program; a step of sending a trigger to the packet queue when the measurement result indicates integrity; and a step of sending the packet(s) sent by the program to a network when the packet queue receives the trigger.
- Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment
- Fig. 2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment
- Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment
- Fig. 4 is a timing chart of a network device according to the second exemplary embodiment
- Fig. 5 is a timing chart of a network device according to the second exemplary embodiment
- Fig. 6 is a flow chart of a network device according to the second exemplary embodiment
- Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment
- Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment
- Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment
- Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment
- Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
- Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment.
- a network device 10 comprises a monitor 11, a packet queue 12 and at least one program 13.
- the monitor 11 measures the integrity of the at least one program 13 repeatedly.
- the monitor 11 sends a trigger to the packet queue 12 when the measurement result indicates integrity.
- the packet queue 12 queues at least one packet sent by the program 13.
- the packet queue 12 sends the queued packet(s) to a network when it receives the trigger.
- the network device holds outgoing packets in the packet queue until the next integrity check and releases them only after the monitor has verified the integrity of the program, and it is thereby possible to protect the network device and keep it secure during operation.
- Fig. 2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment.
- a network device 100 comprises Secure World 101, Normal World 102 and NIC 103.
- the OS operates in the Normal World 102 and cannot read or write the protected storage in the Secure World 101.
- the network device 100 is implemented by a CPU (e.g. an Arm architecture processor with the TrustZone hardware architecture), memory and I/O circuits.
- the Secure World 101 is an environment that cannot be accessed from the Normal World 102.
- the Secure World 101 comprises the Monitor 111 and the packet queues 112-1 to 112-n.
- the Normal World 102 is an environment that can be accessed from the Secure World 101.
- the Normal World 102 comprises programs 121-1 to 121-n, a packet proxy 122, an OS network stack 123 and a NIC driver 124.
- the monitor 111 measures the integrity of at least one of the programs 121-1 to 121-n repeatedly.
- the monitor 111 may perform integrity measurement of each of the programs 121-1 to 121-n separately. For example, the monitor 111 may periodically measure whether each of the programs 121-1 to 121-n has been tampered with, and it sends the result of the integrity measurement to the corresponding packet queue 112-1 to 112-n.
- the monitor 111 sends a trigger to the packet queue when the measurement result indicates integrity.
- the trigger means that the packet queues 112-1 to 112-n start sending their packet(s) to the computer network.
- the monitor 111 sends a report to the packet queue when the measurement result indicates that the program has been tampered with.
- the report means that the program has been tampered with and that the packet(s) sent by the tampered program should be deleted.
- the monitor 111 sends the trigger or the report for the program 121-1 to the packet queue 112-1.
- the monitor 111 sends the trigger or the report for the program 121-2 to the packet queue 112-2.
- the monitor 111 sends the trigger or the report for the program 121-n to the packet queue 112-n.
- the packet queues 112-1 to 112-n are queues each holding at least one packet.
- the packet queues 112-1 to 112-n are prepared one per program 121-1 to 121-n and reside in the Secure World 101.
- the packet queues 112-1 to 112-n receive packets sent from the programs 121-1 to 121-n and queue them.
- the packet queues 112-1 to 112-n send each queued packet to the packet proxy 122 when they receive the trigger.
- in other words, the packet queues 112-1 to 112-n send each queued packet to the packet proxy 122 when they receive a valid result for the corresponding program 121-1 to 121-n.
- the packet queues 112-1 to 112-n delete the packet(s) of a tampered program when they receive the report that the program has been tampered with. In other words, when the result for one of the programs 121-1 to 121-n is invalid, the packet queue deletes the packet(s) of that program. Specifically, it deletes the packet(s) queued between the report of the valid result of the previous measurement and the report of the invalid result of the current measurement.
- the packet queues 112-1 to 112-n may attach a signature to each packet using a pre-shared key before sending the packet(s) to the packet proxy 122.
- the packet-receiving device drops packets without a signature (sent directly by a compromised program, bypassing the queue) and packets with an invalid signature (modified by a compromised program after leaving the queue). This prevents a compromised program from sending packets of its own and from modifying the packet(s) sent by the packet queue.
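The signature scheme of the two items above, as an added example that is not code from the patent: the secure-world queue tags each packet it releases with an HMAC-SHA256 under the pre-shared key, and the receiving device recomputes the tag and drops packets that carry no tag or a tag that does not verify. The wire layout (a 32-byte tag followed by the payload), the key and the packet contents are assumptions made for this example; the patent does not specify the signature algorithm or format.

```python
"""HMAC "signature" attached by the secure-world packet queue and checked by
the receiving device.  Added example; not code from the patent.

Assumed wire layout (not specified by the patent): 32-byte HMAC-SHA256 tag
followed by the packet payload.  Key and packet contents are constructed.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

TAG_LEN = 32  # length of an HMAC-SHA256 tag


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Packet-queue side: prefix the payload with an HMAC under the pre-shared key."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify_packet(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: return the payload if the tag verifies, otherwise None.

    A packet shorter than a tag cannot have been signed by the queue; a
    packet whose tag does not match was either never signed (sent straight
    from the normal world) or altered after the queue released it.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison: do not leak where the tags differ
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_inbound(key: bytes, packets: List[bytes]) -> Tuple[List[bytes], int]:
    """Receiver: keep verified payloads, count everything dropped."""
    accepted: List[bytes] = []
    dropped = 0
    for pkt in packets:
        payload = verify_packet(key, pkt)
        if payload is None:
            dropped += 1
        else:
            accepted.append(payload)
    return accepted, dropped


def demo() -> Tuple[List[bytes], int]:
    """Constructed traffic covering the cases the text describes."""
    key = b"pre-shared-key-for-this-example"          # constructed; secure world and receiver only
    queued = sign_packet(key, b"telemetry: temp=21")   # released by the packet queue
    direct = b"telemetry: temp=99, sent by the compromised program, bypassing the queue"
    altered = queued[:-2] + b"99"                      # signed, then modified in the normal world
    short = b"temp=99"                                 # unsigned and shorter than a tag
    return filter_inbound(key, [queued, direct, altered, short])


if __name__ == "__main__":
    print(demo())  # ([b'telemetry: temp=21'], 3)
```

Two points a practitioner will want to check in a real deployment: the key must be readable only by the secure-world queue and the receiver, because if the normal world can read it a compromised program can sign its own packets and the check is void; and the tag by itself gives no replay protection, so a sequence number or timestamp under the tag is needed where a replayed packet matters.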
- the programs 121-1 to 121-n are programs that run in the Normal World 102.
- the programs 121-1 to 121-n output one or more packets to the packet queues 112-1 to 112-n, respectively.
- the packet proxy 122 forwards the packet(s) from the packet queues 112-1 ⁇ 112-n to the OS network stack 123.
- the packet proxy 122 may cache the packet(s).
- the OS network stack 123 processes the packet(s) according to a predetermined network protocol and sends the processed packet(s) to the NIC driver 124.
- the NIC driver 124 is a device driver that controls the NIC 103.
- the NIC 103 is a network interface card that connects the network device 100 to the computer network.
- the NIC 103 is controlled by the NIC driver 124 in the normal world 102.
- Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment.
- the program 121-1 sends each packet to the packet queue 112-1.
- the packet queue 112-1 receives the packet(s) from the program 121-1 and queues the packet(s).
- the monitor 111 measures whether the program 121-1 has been tampered with or not.
- the monitor 111 sends a signal with the measurement result to the packet queues 112-1.
- the packet queue 112-1 sends the packet(s) to the computer network when the measurement result is valid.
- the packet queue 112-1 deletes the packet(s) instead of sending them to the computer network when the measurement result is invalid.
- Fig. 3 shows an example in which one program sends the packet(s).
- a plurality of programs may send the packet(s).
- in that case each program may be measured, and the packet(s) of each program may be sent or deleted based on that program's measurement result.
- Fig. 4 is a timing chart of a network device according to the second exemplary embodiment. Fig. 4 shows an example when the measurement result is valid.
- the monitor 111 checks the program 121-1 and verifies its integrity (timing t401).
- the program 121-1 sends a packet 421; the packet queue 112-1 queues the packet 421 and holds it until the next check timing t404.
- the program 121-1 sends a packet 431; the packet queue 112-1 queues the packet 431 and holds it until the next check timing t404.
- the monitor 111 checks the program 121-1 and verifies its integrity again. As a result of the check at timing t404, the program's integrity is verified for the interval from timing t401 to timing t404.
- the packet queue 112-1 sends the packets 421 and 431 at timing t404 (or immediately after timing t404).
- the program 121-1 sends a packet 451; the packet queue 112-1 queues the packet 451 and holds it until the next check timing t407.
- the program 121-1 sends a packet 461; the packet queue 112-1 queues the packet 461 and holds it until the next check timing t407.
- the monitor 111 checks the program 121-1 and verifies its integrity again. As a result of the check at timing t407, the program's integrity is verified for the interval from timing t404 to timing t407.
- the packet queue 112-1 sends the packets 451 and 461 at timing t407 (or immediately after timing t407).
- Fig. 5 is a timing chart of a network device according to the second exemplary embodiment.
- Fig. 5 shows an example when the measurement result is invalid after a valid result.
- the monitor 111 checks the program 121-1 and verifies its integrity (timing t501).
- the program 121-1 sends a packet 521; the packet queue 112-1 queues the packet 521 and holds it until the next check timing t504.
- the program 121-1 sends a packet 531; the packet queue 112-1 queues the packet 531 and holds it until the next check timing t504.
- the monitor 111 checks the program 121-1 and verifies its integrity again. As a result of the check at timing t504, the program's integrity is verified for the interval from timing t501 to timing t504.
- the packet queue 112-1 sends the packets 521 and 531 at timing t504 (or immediately after timing t504).
- the program 121-1 is then compromised by an attacker.
- a packet 561 is sent by the compromised program; the packet queue 112-1 queues the packet 561 and holds it until the next check timing t508.
- a packet 571 is sent by the compromised program; the packet queue 112-1 queues the packet 571 and holds it until the next check timing t508.
- the monitor 111 checks the program 121-1 and detects the tampering. As a result of the check at timing t508, the program is found to have been tampered with during the interval from timing t504 to timing t508. According to this result, the packet queue 112-1 deletes the packets 561 and 571 at timing t508 (or immediately after timing t508).
- Fig. 6 is a flow chart of a network device according to the second exemplary embodiment.
- in step S601, the program 121-1 is executed, and the flow moves to step S602.
- in step S602, the program 121-1 sends at least one packet to the packet queue 112-1, and the flow moves to step S603.
- in step S603, the packet queue 112-1 queues the packet(s) sent from the program 121-1, and the flow moves to step S604.
- in step S604, if the measurement timing has come, the flow moves to step S605; if it has not, the flow returns to step S601.
- in step S605, the monitor 111 measures whether the program 121-1 has been tampered with, and the flow moves to step S606.
- in step S606, the monitor 111 sends a signal with the measurement result to the packet queue 112-1.
- the signal is either the trigger to send the packet(s) or the report that the program has been tampered with.
- if the signal is the trigger, the flow moves to step S608.
- if the signal is not the trigger (i.e. it is the report), the flow moves to step S609.
- in step S608, the packet queue 112-1 sends the packet(s) to the computer network, and the flow returns to step S601.
- in step S609, the packet queue 112-1 deletes the packet(s).
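The flow of Fig. 6 together with the timelines of Figs. 4 and 5, as an added simulation that is not code from the patent: the monitor takes a reference measurement of each program image at load time, re-measures on every check, and sends a trigger or a report to that program's queue, which then releases or deletes whatever it has held since the previous check. Modelling a program as the bytes of its image, using a SHA-256 digest of those bytes as the measurement, and the program and packet contents are all assumptions made for this example.

```python
"""Simulation of the monitor / per-program packet-queue scheme (Figs. 4 to 6).
Added example; not code from the patent.

Assumptions made here: a program is modelled by the bytes of its image, the
integrity measurement is a SHA-256 digest of those bytes compared with a
reference taken at load time, and packets are byte strings.  Program images
and packet contents are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def measure(image: bytes) -> str:
    """Integrity measurement of one program image."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class PacketQueue:
    """One queue per program, held in the secure world (packet queue 112-x)."""
    pending: List[bytes] = field(default_factory=list)   # queued since the last check
    sent: List[bytes] = field(default_factory=list)      # released to the network
    deleted: List[bytes] = field(default_factory=list)   # dropped after a failed check

    def enqueue(self, packet: bytes) -> None:
        self.pending.append(packet)

    def on_trigger(self) -> None:
        """Check passed: release everything queued since the previous check."""
        self.sent.extend(self.pending)
        self.pending.clear()

    def on_report(self) -> None:
        """Check failed: delete everything queued since the previous (valid) check."""
        self.deleted.extend(self.pending)
        self.pending.clear()


@dataclass
class Monitor:
    """Monitor 111: reference measurement and queue for each program."""
    reference: Dict[str, str]
    queues: Dict[str, PacketQueue]

    @classmethod
    def load(cls, programs: Dict[str, bytes]) -> "Monitor":
        # Reference values are taken when the programs are loaded; the example
        # assumes that initial state is trusted (e.g. established by secure boot).
        return cls(
            reference={name: measure(img) for name, img in programs.items()},
            queues={name: PacketQueue() for name in programs},
        )

    def check(self, name: str, current_image: bytes) -> bool:
        """Steps S605/S606: measure one program and signal its queue."""
        intact = measure(current_image) == self.reference[name]
        if intact:
            self.queues[name].on_trigger()   # the "trigger"
        else:
            self.queues[name].on_report()    # the "report"
        return intact


def run_scenario() -> Dict[str, List[bytes]]:
    """Replays the timelines of Fig. 4 (valid) and Fig. 5 (valid, then tampered)."""
    image = b"program-121-1 build 1"
    mon = Monitor.load({"121-1": image})
    queue = mon.queues["121-1"]

    # t401..t404: program intact; packets 421 and 431 wait for the check, then go out.
    queue.enqueue(b"pkt-421")
    queue.enqueue(b"pkt-431")
    mon.check("121-1", image)

    # after t504: the attacker patches the program; packets 561 and 571 are
    # queued, but the check at t508 fails, so they are deleted and never sent.
    tampered = image + b"\x90\x90 patched"
    queue.enqueue(b"pkt-561")
    queue.enqueue(b"pkt-571")
    mon.check("121-1", tampered)

    return {"sent": queue.sent, "deleted": queue.deleted, "pending": queue.pending}


if __name__ == "__main__":
    print(run_scenario())
```

Note what the check covers and what it does not: measuring the program bytes catches any modification of the measured region between two checks, which is exactly the ToCToU window the scheme closes for outgoing packets, but an attack that leaves the measured bytes unchanged (for example a control-flow hijack that corrupts only data) is not detected by the measurement alone, and the packets it produces would be released at the next trigger. The choice of what the monitor measures therefore determines what the queue actually protects against.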
- the network device holds outgoing packets in the packet queue until the next integrity check and deletes them from the packet queue once the monitor detects that the program has been tampered with, and it is thereby possible to protect the network device and keep it secure during operation.
- the network device attaches a signature to each packet, and it is thereby possible to prevent a compromised program from sending packets and from modifying the packet(s) sent by the packet queue.
- instead of adding a signature to the packet(s), the monitor can attest the components that handle the packet(s) in the normal world (the packet proxy and the OS network stack) before the packet queue sends the packet(s).
- Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment.
- the Secure World 101 comprises a Monitor 711 and the packet queues 112-1 to 112-n.
- the Monitor 711 performs integrity measurement of a network component that includes the packet proxy 122 and/or the OS network stack 123, and sends the result of the integrity measurement to the packet queues 112-1 to 112-n. The integrity measurement is performed periodically by the monitor 711.
- the packet queues 112-1 to 112-n send each packet to the packet proxy 122 when the result for the network component is valid (integrity confirmed). When the result for the network component is invalid (tampered), the packet queues 112-1 to 112-n delete the packet(s), specifically the packet(s) queued between the report of the valid result of the previous measurement and the report of the invalid result of the current measurement.
- the network device performs integrity measurement of a network component and deletes the packet(s) when the network component is invalid, and it is thereby possible to protect the network device and keep it secure during operation without a signature.
- Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment.
- the Secure World 101 comprises the Monitor 111, the packet queues 112-1 to 112-n, an OS network stack 823 and a NIC driver 824.
- the Normal World 102 comprises the programs 121-1 to 121-n.
- the packet queues 112-1 to 112-n send each packet to the OS network stack 823 when the result for the corresponding program 121-1 to 121-n is valid.
- the packet queues 112-1 to 112-n delete the packet(s) of an invalid program among the programs 121-1 to 121-n.
- the packet queues 112-1 to 112-n delete the packet(s) queued between the report of the valid result of the previous measurement and the report of the invalid result of the current measurement.
- the OS network stack 823 processes the packet(s) according to a predetermined network protocol in the secure world 101 and sends the processed packet(s) to the NIC driver 824.
- the NIC driver 824 is a device driver that controls the NIC 103.
- the NIC driver 824 controls the NIC 103 in the secure world 101.
- the NIC 103 is a network interface card that connects the network device 100 to a computer network.
- the NIC 103 is controlled by the NIC driver 824 in the secure world 101.
- the network device comprises at least one network component in the Secure World.
- the network component(s) include the NIC driver and/or the OS network stack in the Secure World, and it is thereby possible to protect the NIC driver and the OS network stack and keep them secure during operation without a signature.
- the NIC is controlled by the OS in the Secure World.
- adding the signature can be skipped because the Secure World directly controls the NIC, so there is no risk that a compromised program sends or modifies the packet(s).
- the monitor 111 measures the integrity of at least one program 121-1 ⁇ 121-n repeatedly.
- the monitor 111 monitors the presence of at least one packet received from the network.
- the monitor 111 suspends integrity measurement until a packet is received from the network.
- the monitor 111 is configured to transmit a signal to start queuing packet(s), or a signal to stop queuing packet(s), to the packet queues 112-1 to 112-n.
- the packet queues 112-1 to 112-n send the packet(s) sent by the programs 121-1 to 121-n to the network without queuing until a packet is received from the network.
- integrity measurement and packet storing can be skipped from the time of an integrity measurement until the time a packet is received.
- Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment.
- the network device 100 receives the packet(s).
- the monitor 111 checks the program 121-1 and verifies its integrity.
- the monitor 111 does not check the program 121-1 between timing t902 and timing t903, because no packet has been received in that interval.
- the packet queue 112-1 does not queue the packet(s) sent by the program 121-1 between timing t902 and timing t903 and sends them to the network directly.
- the network device 100 receives the packet(s) again.
- the packet queue 112-1 queues the packet(s) sent by the program 121-1.
- the monitor 111 checks the program 121-1 between timing t903 and timing t905, because packet(s) have been received.
- the network device skips integrity measurement and packet storing from the time of an integrity measurement until the time a packet is received, and it is thereby possible to reduce the resources needed for integrity checking.
- the integrity measurement and the packet storing can also be started when data is received through other interfaces, such as a serial port, a USB port, a storage device and/or a keyboard.
- the packet(s) from each process are handled by a dedicated queue, and each queue can be connected to a dedicated slice network.
- Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment.
- the packet(s) from process 1001-1 are handled by the packet queue 121-1.
- the packet queue 121-1 can be connected to a dedicated slice network 1010-1.
- the packet(s) from process 1001-2 are handled by the packet queue 121-2.
- the packet queue 121-2 can be connected to a dedicated slice network 1010-2.
- the packet(s) from process 1001-n are handled by the packet queue 121-n.
- the packet queue 121-n can be connected to a dedicated slice network 1010-n.
- the monitor detects the arrival of packets and can perform measurement of network components such as the packet proxy and the OS network stack, so that the program receives the packet(s) correctly.
- the attestation can be performed before and after the NIC driver and the OS network stack handle a packet.
- Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
- the Monitor 1111 monitors the presence of at least one packet received from the network.
- the Monitor 1111 performs integrity measurement of a network component that includes the OS network stack 123 and/or the NIC driver 124 when it detects the arrival of packets, and sends the result of the integrity measurement to the NIC driver 124.
- the NIC driver 124 passes the received packet(s) to the OS network stack 123 when the result for the network component is valid (integrity confirmed). When the result for the network component is invalid (tampered), the NIC driver 124 deletes the packet(s).
- the network device performs integrity measurement of a network component when the NIC receives packet(s) and deletes the packet(s) when the network component is invalid, and it is thereby possible to protect the network device and keep it secure during operation.
- the checks of the packet(s) may be performed at different timings, or synchronized, for each program.
- Monitor 111 directly measures the program in Normal World 102. Instead, Monitor 111 may measure the program indirectly via an agent deployed in Normal World 102: Monitor 111 measures the agent, and the agent then measures the program.
- the programs may be stored in various types of non-transitory computer readable media and thereby supplied to computers.
- the non-transitory computer readable media includes various types of tangible storage media.
- non-transitory computer readable media examples include a magnetic recording medium (such as a flexible disk, a magnetic tape, and a hard disk drive) and a magneto-optic recording medium (such as a magneto-optic disk).
- examples of the non-transitory computer readable media include CD-ROM (Read Only Memory), CD-R, and CD-R/W. Further, examples of the non-transitory computer readable media include a semiconductor memory.
- the semiconductor memory includes, for example, a mask ROM, a PROM (Programmable ROM), an EPROM (Erasable PROM), a flash ROM, and a RAM (Random Access Memory).
- Transitory computer readable media examples include an electrical signal, an optical signal, and an electromagnetic wave.
- the transitory computer readable media can be used to supply programs to a computer through a wired communication line (e.g., electric wires and optical fibers) or a wireless communication line.
- the first to seventh exemplary embodiments can be combined as desirable by one of ordinary skill in the art.
- the number of combining exemplary embodiments is not limited.
- the present invention is applicable to network devices such as IoT devices, routers and base stations.
Abstract
A network device (10) comprising: a monitoring means (11) configured to measure the integrity of at least one program repeatedly; and a packet queue (12) configured to queue at least one packet sent by the program (13), wherein the monitoring means (11) is configured to send a trigger to the packet queue when the measurement result indicates integrity, and the packet queue (12) is configured to send the queued packet(s) to a network when it receives the trigger.
Description
The present disclosure relates to a network device, computing method and computer readable medium.
Trusted computing techniques include secure boot (measuring the integrity of the BIOS, OS and applications using secure hardware such as a Trusted Platform Module) and attestation (verifying whether a program has been compromised).
Further, as mentioned below in Patent Literatures 1 to 6, various trusted computing systems and methods are being considered.
Patent Literature 1 discloses a system, method and computer program product for guaranteeing a data transaction over a network.
Patent Literature 2 discloses an anti-virus method and apparatus and a firewall device, to solve the problem of low processing performance caused by performing AV detection on a file in a compressed format.
Patent Literature 3 discloses a method and apparatus for securely and efficiently managing packet buffers between protection domains on an intra-partitioned system using packet queues and triggers.
Patent Literature 4 discloses a method and system for network access control.
Patent Literature 5 discloses a method, a computing device and a computer program product for detecting a threat in a communications network.
Patent Literature 6 discloses a communication apparatus capable of improving resistance to data-plane attacks to enhance network security.
PTL 1: International Publication No. WO2004/015524
PTL 2: EP Patent Application Publication No. 2797278
PTL 3: US Patent Application Publication No. 2008/0244725
PTL 4: US Patent Application Publication No. 2017/0339172
PTL 5: US Patent Application Publication No. 2014/0259160
PTL 6: International Publication No. WO2018/055654
However, existing solutions do not provide the following security property.
Time-of-Check Time-of-Use (ToCToU) for outgoing packets: with periodic integrity measurement alone, it is not ensured that all outgoing packets are sent by trusted (non-tampered) software; packets sent after tampering and before the next check are sent by tampered software.
A purpose of the present disclosure is to provide a network device, computing method and computer readable medium capable of protecting network device(s) and keeping it secure during its operation.
It should be noted that the above-described object is merely one of the objects to be attained by the example exemplary embodiments disclosed herein. Other objects or problems and novel features will be made apparent from the following description and the accompanying drawings.
One aspect of a network device according to the present invention is a network device comprising: a monitoring means configured to measure the integrity of at least one program repeatedly; and a packet queue configured to queue at least one packet sent by the program, wherein the monitoring means is configured to send a trigger to the packet queue when the measurement result indicates integrity, and the packet queue is configured to send the queued packet(s) to a network when it receives the trigger.
One aspect of a computing method according to the present invention is a computing method performed by a network device, comprising: measuring the integrity of at least one program repeatedly; queueing at least one packet sent by the program; sending a trigger to the packet queue when the measurement result indicates integrity; and sending the packet(s) sent by the program to a network when the packet queue receives the trigger.
One aspect of a computer readable medium according to the present invention is a non-transitory computer readable medium storing a program that causes a computer to execute: a measuring step of measuring the integrity of at least one program repeatedly; a queueing step of queueing at least one packet sent by the program; a step of sending a trigger to the packet queue when the measurement result indicates integrity; and a step of sending the packet(s) sent by the program to a network when the packet queue receives the trigger.
According to the present disclosure, it is possible to provide a network device, computing method and computer readable medium capable of protecting network device(s) and keeping them secure during operation.
The above and other aspects, advantages and features will be more apparent from the following description of certain exemplary embodiments taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment;
Fig. 2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment;
Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment;
Fig. 4 is a timing chart of a network device according to the second exemplary embodiment;
Fig. 5 is a timing chart of a network device according to the second exemplary embodiment;
Fig. 6 is a flow chart of a network device according to the second exemplary embodiment;
Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment;
Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment;
Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment;
Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment; and
Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
Example exemplary embodiments according to the present disclosure will be described hereinafter with reference to the drawings.
For the clarification of the description, the following description and the drawings may be omitted or simplified as appropriate. Further, each element shown in the drawings as functional blocks that perform various processing can be formed of a CPU (Central Processing Unit), a memory, and other circuits in hardware and may be implemented by programs loaded into the memory in software. Those skilled in the art will therefore understand that these functional blocks may be implemented in various ways by only hardware, only software, or the combination thereof without any limitation. Throughout the drawings, the same components are denoted by the same reference signs and overlapping descriptions will be omitted as appropriate.
First Exemplary embodiment
Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment. A network device 10 comprises a monitor 11, a packet queue 12 and at least one program 13.
The monitor 11 measures the integrity of at least one program 13 repeatedly. The monitor 11 sends a trigger to the packet queue 12 when the measured result is integrity.
The packet queue 12 queues at least one packet sent by the program 13. The packet queue 12 sends the at least one packet sent to a network when the packet queue 12 receives the trigger.
The network device according to the first exemplary embodiment stores outgoing packets in the packet queue until the next check timing and sends them only after the monitor has verified the integrity of the program; it is thereby possible to protect network device(s) and keep them secure during operation.
Second Exemplary embodiment
Fig.2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment.
A network device 100 comprises a Secure World 101, a Normal World 102 and a NIC 103. For example, the OS operates in the Normal World 102 and cannot read or write the protected storage in the Secure World 101. For example, the network device 100 is implemented by a CPU (e.g. a TrustZone(TM) hardware architecture such as an ARM(TM) architecture processor), memory and I/O circuits.
The Secure World 101 is an environment that cannot be accessed from the Normal World 102. The Secure World 101 comprises the Monitor 111 and the packet queues 112-1~112-n.
The Normal World 102 is an environment that can be accessed from the Secure World 101. The Normal World 102 comprises programs 121-1~121-n, a packet proxy 122, an OS network stack 123 and a NIC driver 124.
The monitor 111 measures the integrity of at least one of the programs 121-1~121-n repeatedly. The monitor 111 may measure the integrity of each of the programs 121-1~121-n separately. For example, the monitor 111 may periodically measure whether each of the programs 121-1~121-n has been tampered with. The monitor 111 then sends the result of the integrity measurement to the packet queues 112-1~112-n.
For example, the monitor 111 sends a trigger to the packet queue when the measured result is integrity. The trigger means that the packet queues 112-1~112-n start sending their packets to the computer network. For example, the monitor 111 sends a report to the packet queue when the measured result is that the program is tampered. The report means that the program is tampered and that the packets sent by the tampered program should be deleted. The monitor 111 sends the trigger or the report for the program 121-1 to the packet queue 112-1, the trigger or the report for the program 121-2 to the packet queue 112-2, and the trigger or the report for the program 121-n to the packet queue 112-n.
The packet queues 112-1~112-n are queues of at least one packet. The packet queues 112-1~112-n are prepared per the programs 121-1~121-n in the Secure World 101. The packet queues 112-1~112-n receive packets sent from the programs 121-1~121-n and queue the packet(s).
The packet queues 112-1~112-n send each packet to the packet proxy 122 when the packet queues 112-1~112-n receive the trigger. In other words, the packet queues 112-1~112-n send each packet to the packet proxy 122 when the packet queues 112-1~112-n receive the valid result corresponding to the programs 121-1~121-n.
The packet queues 112-1~112-n delete the packet(s) corresponding to a tampered program among the programs 121-1~121-n when the packet queues 112-1~112-n receive the report that the program is tampered. In other words, when the result corresponding to one of the programs 121-1~121-n is invalid, the packet queues 112-1~112-n delete the packet(s) corresponding to that invalid program. Specifically, the packet queues 112-1~112-n delete the packets queued between the report of the valid result of the previous measurement and the report of the invalid result of the current measurement.
The packet queues 112-1~112-n may embed a signature in each packet using a pre-shared key before sending the packet(s) to the packet proxy 122. Since the packet queues run in the Secure World 101, the pre-shared key never has to be exposed to the Normal World 102, so a compromised program cannot produce a valid signature. The packet receiving device drops packets without a signature (sent directly by the compromised program, bypassing the queue) and packets with an invalid signature (modified by the compromised program after leaving the queue). It is thereby possible to prevent a compromised program from sending packets and from modifying packets sent by the packet queue.
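As an added illustration of the signature step (example code written for this page, not code from the patent), the following Python models both ends: the packet queue in the Secure World appends an HMAC-SHA256 tag computed with the pre-shared key, and the receiving device rejects anything that arrives either without the tag (a packet a compromised program pushed straight into the network stack, bypassing the queue) or with a tag that no longer matches (a packet altered after it left the queue, or forged with a guessed key). The key value, the trailer layout and the tag length are assumptions; the page does not fix a signature algorithm or packet format.

```python
import hashlib
import hmac

# Assumed pre-shared key (constructed for this example). In the design on this page it
# lives with the packet queue in the Secure World, so Normal World code never sees it.
PSK = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")

TRAILER_MAGIC = b"PQ1"   # assumed marker announcing a queue-signed packet
TAG_LEN = 16             # assumed: HMAC-SHA256 truncated to 128 bits


def sign_packet(payload: bytes, key: bytes = PSK) -> bytes:
    """Packet queue side: append MAGIC || HMAC-SHA256(key, payload)[:TAG_LEN]."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + TRAILER_MAGIC + tag


def verify_packet(wire: bytes, key: bytes = PSK):
    """Receiver side: returns (True, payload) or (False, reason).

    Rejects packets carrying no trailer (sent directly by a program that bypassed
    the queue) and packets whose tag does not match (modified after signing, or
    signed with a key other than the pre-shared one)."""
    trailer_len = len(TRAILER_MAGIC) + TAG_LEN
    if len(wire) < trailer_len or wire[-trailer_len:-TAG_LEN] != TRAILER_MAGIC:
        return False, "no signature"
    payload, tag = wire[:-trailer_len], wire[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad signature"
    return True, payload


def receiver_filter(wire_packets):
    """Apply verify_packet to a batch; returns (accepted payloads, drop reasons)."""
    accepted, reasons = [], []
    for wire in wire_packets:
        ok, info = verify_packet(wire)
        (accepted if ok else reasons).append(info)
    return accepted, reasons


def demo():
    # Constructed traffic: one packet released by the queue, one the compromised
    # program sent directly (no trailer), one modified in flight, and one forged
    # by the compromised program with a key it guessed.
    good = sign_packet(b"telemetry: temp=21.5")
    direct = b"telemetry: temp=99.9"
    modified = bytearray(good)
    modified[0] ^= 0x01
    forged = sign_packet(b"telemetry: temp=99.9", key=b"\x00" * 32)
    return receiver_filter([good, direct, bytes(modified), forged])


if __name__ == "__main__":
    print(demo())
```

The tag covers only the bytes the queue saw, so anything the Normal World network stack legitimately adds afterwards (transport headers, for instance) has to stay outside the signed region. A plain MAC also gives no replay protection; if that matters for the deployment, a sequence number inside the signed payload is the usual addition, which this page does not discuss.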
The programs 121-1~121-n are programs executed in the Normal World 102. The programs 121-1~121-n output one or more packets to the packet queues 112-1~112-n, respectively.
The packet proxy 122 forwards the packet(s) from the packet queues 112-1~112-n to the OS network stack 123. The packet proxy 122 may cache the packet(s).
The OS network stack 123 processes the packet(s) according to a predetermined network protocol and sends the processed packet(s) to the NIC driver 124.
The NIC driver 124 is a device driver that controls the NIC 103.
The NIC 103 is a network interface card that connects the network device 100 to the computer network. The NIC 103 is controlled by the NIC driver 124 in the Normal World 102.
As described above, the network device 100 prevents transmission of a packet by a compromised program. The operation of the network device 100 is described below. Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment.
In Fig. 3, at steps S301-1 to S301-m (m is an integer greater than or equal to 1), the program 121-1 sends packets to the packet queue 112-1, which receives and queues them.
At step S302, the monitor 111 measures whether the program 121-1 has been tampered with or not.
At step S303, the monitor 111 sends a signal with the measurement result to the packet queue 112-1.
At step S304, the packet queue 112-1 sends the packet(s) to the computer network when the measurement result is valid. When the measurement result is invalid, at step S304 the packet queue 112-1 instead deletes the packet(s) without sending them to the computer network.
Although Fig.3 shows an example in which one program sends the packet(s), a plurality of programs may send the packet(s), each program may be measured, and the packet(s) of each program may be sent or deleted based on each measurement result.
The above processing of step S301-1 to step S304 may be repeated periodically. Fig. 4 is a timing chart of a network device according to the second exemplary embodiment. Fig. 4 shows an example when the measurement result is valid.
At timing t401, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
At timing t402, the program 121-1 sends a packet 421; the packet queue 112-1 queues the packet 421 and does not send it until the next check timing t404.
At timing t403, the program 121-1 sends a packet 431; the packet queue 112-1 queues the packet 431 and does not send it until the next check timing t404.
At timing t404, the monitor 111 checks the program 121-1 and verifies its integrity again. Since the check at timing t404 passes, the program is taken to have been intact from timing t401 to timing t404. The packet queue 112-1 sends the packets 421 and 431 at timing t404 (or immediately after timing t404).
At timing t405, the program 121-1 sends a packet 451; the packet queue 112-1 queues the packet 451 and does not send it until the next check timing t407.
At timing t406, the program 121-1 sends a packet 461; the packet queue 112-1 queues the packet 461 and does not send it until the next check timing t407.
At timing t407, the monitor 111 checks the program 121-1 and verifies its integrity again. Since the check at timing t407 passes, the program is taken to have been intact from timing t404 to timing t407. The packet queue 112-1 sends the packets 451 and 461 at timing t407 (or immediately after timing t407).
As described above, the packet queue stores outgoing packets until the next check timing, and the packets are sent only after the monitor has verified the integrity of the program.
Fig. 5 is a timing chart of a network device according to the second exemplary embodiment. Fig. 5 shows an example when the measurement result is invalid after a valid result.
At timing t501, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
At timing t502, the program 121-1 sends a packet 521; the packet queue 112-1 queues the packet 521 and does not send it until the next check timing t504.
At timing t503, the program 121-1 sends a packet 531; the packet queue 112-1 queues the packet 531 and does not send it until the next check timing t504.
At timing t504, the monitor 111 checks the program 121-1 and verifies its integrity again. Since the check at timing t504 passes, the program is taken to have been intact from timing t501 to timing t504. The packet queue 112-1 sends the packets 521 and 531 at timing t504 (or immediately after timing t504).
At timing t505, the program 121-1 is compromised by an attacker.
At timing t506, a packet 561 is sent by the compromised program; the packet queue 112-1 queues the packet 561 and does not send it until the next check timing t508.
At timing t507, a packet 571 is sent by the compromised program; the packet queue 112-1 queues the packet 571 and does not send it until the next check timing t508.
At timing t508, the monitor 111 checks the program 121-1 and detects that it has been tampered with. The check at timing t508 only shows that the tampering occurred somewhere between timing t504 and timing t508, so every packet queued in that interval is suspect. According to the result, the packet queue 112-1 deletes the packets 561 and 571 at timing t508 (or immediately after timing t508).
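The following Python reproduces the queue/monitor protocol of Figs. 3 to 5 as an added example (written for this page; it is not code from the patent). Integrity measurement is modelled as a SHA-256 hash of the program image compared against a known-good value, and the program images, packet contents and event timelines are constructed here; the page itself does not fix a measurement method. The same gate applies unchanged if the measured image is that of a network component such as the packet proxy or the OS network stack rather than the program.

```python
import hashlib
from collections import deque

# Constructed program images: the known-good image and the same image after an
# attacker has modified it (t505 in Fig. 5).
GOOD_IMAGE = b"program 121-1: image v1"
TAMPERED_IMAGE = b"program 121-1: image v1 + implant"


def measure(image: bytes) -> str:
    # Integrity measurement modelled as a hash of the program image that is later
    # compared with a known-good value (an assumption; the page does not fix the method).
    return hashlib.sha256(image).hexdigest()


class PacketQueue:
    """Secure World queue for one program: holds outgoing packets until the next check."""

    def __init__(self):
        self.pending = deque()   # queued since the last measurement
        self.sent = []           # released towards the packet proxy / network
        self.dropped = []        # discarded because the program was found tampered

    def enqueue(self, pkt: bytes) -> None:
        self.pending.append(pkt)

    def on_trigger(self) -> None:
        # Result 'integrity': the program measured clean at both ends of the interval,
        # so everything queued inside it is released in order.
        while self.pending:
            self.sent.append(self.pending.popleft())

    def on_report(self) -> None:
        # Result 'tampered': the monitor cannot tell when inside the interval the
        # compromise happened, so every packet queued since the last valid check is deleted.
        self.dropped.extend(self.pending)
        self.pending.clear()


class Monitor:
    """Secure World monitor: measures the program and signals its queue (S302, S303)."""

    def __init__(self, reference_hash: str):
        self.reference_hash = reference_hash

    def check(self, image: bytes, queue: PacketQueue) -> bool:
        ok = measure(image) == self.reference_hash
        if ok:
            queue.on_trigger()   # trigger: start sending
        else:
            queue.on_report()    # report: program tampered, delete queued packets
        return ok


def run_timeline(events):
    """Replay ('send', pkt) / ('tamper', image) / ('check',) events in order.

    Returns (sent, dropped, check_results)."""
    image = GOOD_IMAGE
    monitor = Monitor(measure(GOOD_IMAGE))
    queue = PacketQueue()
    results = []
    for ev in events:
        if ev[0] == "send":
            queue.enqueue(ev[1])             # S301: program -> queue, not yet on the wire
        elif ev[0] == "tamper":
            image = ev[1]                    # attacker modifies the program
        elif ev[0] == "check":
            results.append(monitor.check(image, queue))   # S302..S304
        else:
            raise ValueError(ev)
    return queue.sent, queue.dropped, results


def fig4_timeline():
    """Fig. 4: every check passes, so each batch is released at the next check."""
    return run_timeline([
        ("check",), ("send", b"pkt421"), ("send", b"pkt431"), ("check",),
        ("send", b"pkt451"), ("send", b"pkt461"), ("check",),
    ])


def fig5_timeline():
    """Fig. 5: compromise at t505; packets 561 and 571 are deleted at t508."""
    return run_timeline([
        ("check",), ("send", b"pkt521"), ("send", b"pkt531"), ("check",),
        ("tamper", TAMPERED_IMAGE), ("send", b"pkt561"), ("send", b"pkt571"), ("check",),
    ])


if __name__ == "__main__":
    print(fig4_timeline())
    print(fig5_timeline())
```

Two properties of the scheme are visible in the replay: every outgoing packet is delayed by up to one measurement interval, so the check period is also the latency budget, and the decision at a check is made for the whole interval at once, which is why a single failing measurement discards packets that may have been produced before the compromise.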
Fig. 6 is a flow chart of a network device according to the second exemplary embodiment.
At step S601, the program 121-1 is executed, and the process moves to step S602.
At step S602, the program 121-1 sends at least one packet to the packet queue 112-1, and the process moves to step S603.
At step S603, the packet queue 112-1 queues the at least one packet sent from the program 121-1, and the process moves to step S604.
At step S604, if the measurement timing has come, the process moves to step S605. If the measurement timing has not come, the process returns to step S601.
At step S605, the monitor 111 measures whether the program 121-1 has been tampered with, and the process moves to step S606.
At step S606, the monitor 111 sends a signal with the measurement result to the packet queue 112-1. The signal is either the trigger for sending the packets or the report that the program is tampered.
At step S607, if the signal is the trigger, the process moves to step S608. If the signal is not the trigger (i.e. the signal is the report), the process moves to step S609.
At step S608, the packet queue 112-1 sends the packet(s) to the computer network and the process returns to step S601.
At step S609, the packet queue 112-1 deletes the packet(s).
The network device according to the second exemplary embodiment stores outgoing packets in the packet queue until the next check timing and deletes them when the monitor detects that the program has been tampered with; it is thereby possible to protect network device(s) and keep them secure during operation.
Further, the network device according to the second exemplary embodiment may embed a signature in each packet, which prevents a compromised program from sending packets and from modifying packets sent by the packet queue.
Third Exemplary embodiment
In the third exemplary embodiment, instead of adding a signature to the packet(s), the monitor attests the components that handle the packet(s) in the Normal World (the packet proxy and the OS network stack) before the packet queue sends the packet(s).
Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment. The Secure World 101 comprises a Monitor 711 and the packet queues 112-1~112-n.
The Monitor 711 performs integrity measurement of a network component that includes the packet proxy 122 and/or the OS network stack 123. And the monitor 711 sends a result of the integrity measurement to the packet queues 112-1~112-n. The integrity measurement is performed periodically by the monitor 711.
The packet queues 112-1~112-n send each packet to the packet proxy 122 when the result for the network component is valid (integrity). When the result for the network component is invalid (tampered), the packet queues 112-1~112-n delete the packet(s), specifically the packets queued between the report of the valid result of the previous measurement and the report of the invalid result of the current measurement.
The network device according to the third exemplary embodiment performs integrity measurement of a network component and deletes the packet(s) when the network component is invalid; it is thereby possible to protect network device(s) and keep them secure during operation without a signature.
Fourth Exemplary embodiment
Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment.
The Secure World 101 comprises the Monitor 111, the packet queues 112-1~112-n, an OS network stack 823 and a NIC driver 824.
The Normal World 102 comprises the programs 121-1~121-n.
The packet queues 112-1~112-n send each packet to the OS network stack 823 when the result corresponding to the programs 121-1~121-n is valid. When the result corresponding to the programs 121-1~121-n is invalid, the packet queues 112-1~112-n delete the packet(s) corresponding to invalid program in the programs 121-1~121-n. The packet queues 112-1~112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
The OS network stack 823 processes the packet(s) according to a predetermined network protocol in the secure world 101 and sends the processed packet(s) to the NIC driver 824.
The NIC driver 824 is a device driver that controls the NIC 103. The NIC driver 824 controls the NIC 103 in the secure world 101.
The NIC 103 is a network interface card that connects the network device 100 to a computer network. The NIC 103 is controlled by the NIC driver 824 in the secure world 101.
The network device according to the fourth exemplary embodiment comprises at least one network component in the Secure World. The network component(s) include the NIC driver and/or the OS network stack in the Secure World; it is thereby possible to protect the NIC driver and the OS network stack and keep them secure during operation without a signature.
In other words, the NIC is controlled by the OS in the Secure World. In this case, the addition of the signature can be skipped because the Secure World directly controls the NIC and there is no path by which a compromised program could send or modify packets.
Fifth Exemplary embodiment
In the fifth exemplary embodiment, the monitor 111 measures the integrity of at least one of the programs 121-1~121-n repeatedly, and additionally monitors whether a packet has been received from the network. The monitor 111 suspends integrity measurement until a packet is received from the network. The monitor 111 is configured to transmit either a signal to queue packets or a signal to stop queuing packets to the packet queues 112-1~112-n. Until a packet is received, the packet queues 112-1~112-n send the packets sent by the programs 121-1~121-n to the network without queuing them.
In other words, assuming that tampering of the device is caused by an external attacker, the cause of a compromise is incoming packets. Integrity measurement and packet storing can therefore be skipped from the time of an integrity measurement until the time a packet is received.
Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment. At timing t901, the network device 100 receives the packet(s).
At timing t902, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
At timing t903, the monitor 111 does not check the program 121-1, because no packet has been received between timing t902 and timing t903. Between timing t902 and timing t903 the packet queue 112-1 does not queue the packets sent by the program 121-1 but sends them to the network directly.
At timing t904, the network device 100 receives the packet(s). The packet queue 112-1 queues the packet(s) sent by the program 121-1.
At timing t905, the monitor 111 checks the program 121-1, because packet(s) have been received between timing t903 and timing t905.
The network device according to the fifth exemplary embodiment skips integrity measurement and packet storing from the time of an integrity measurement until the time a packet is received; it is thereby possible to reduce the resources spent on integrity checking. In addition to the above process of the fifth exemplary embodiment, integrity measurement and packet storing can be started when data is received through other interfaces such as a serial port, a USB port, a storage device and/or a keyboard.
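As an added example for the fifth exemplary embodiment (written for this page, not code from the patent), the following Python tracks whether any external input has arrived since the last measurement and uses that to decide, at each scheduled check timing, whether to measure at all and whether the queue must hold the program's packets. The timeline replays Fig. 9; event names, packet contents and the `program_ok` callback standing in for the measurement are constructed. Because the skip is only sound under the page's own assumption that a compromise arrives through external input, a measurement that finds the program tampered keeps the queue in holding mode and re-measures at every timing until a clean result is obtained; that handling of the failure case is part of this example, not specified on the page.

```python
class ArrivalGate:
    """Fifth embodiment state: measure and queue only after external input arrived."""

    def __init__(self):
        # Before any input the program is trusted as booted (no attack path yet).
        self.input_since_check = False
        self.queuing = False

    def on_input(self, source: str) -> None:
        # A packet (or serial/USB/storage/keyboard data) may carry the exploit that
        # tampers with the program, so from now until the next measurement the
        # program's outgoing packets must be held, and the next check must run.
        self.input_since_check = True
        self.queuing = True

    def measurement_due(self) -> bool:
        return self.input_since_check

    def measured_clean(self) -> None:
        # A clean measurement with no new input since: the program cannot have become
        # tampered, so the queue may pass packets straight through until the next input.
        self.input_since_check = False
        self.queuing = False


def run_gated_timeline(events, program_ok=lambda: True):
    """Replay ('recv', src) / ('send', pkt) / ('tick',) events.

    'tick' is a scheduled check timing (t902, t903, t905 in Fig. 9); program_ok()
    stands in for the integrity measurement. Returns (sent, dropped, log)."""
    gate = ArrivalGate()
    held, sent, dropped, log = [], [], [], []
    for ev in events:
        if ev[0] == "recv":
            gate.on_input(ev[1])
            log.append(f"recv({ev[1]}): queuing on")
        elif ev[0] == "send":
            if gate.queuing:
                held.append(ev[1])
                log.append("send: queued")
            else:
                sent.append(ev[1])
                log.append("send: direct")
        elif ev[0] == "tick":
            if not gate.measurement_due():
                log.append("tick: skipped")      # t903: nothing arrived, no check
                continue
            ok = program_ok()
            if ok:
                sent.extend(held)                # trigger: release what was held
                gate.measured_clean()
            else:
                dropped.extend(held)             # report: delete, stay in holding mode
            held.clear()
            log.append("tick: measured " + ("ok" if ok else "tampered"))
        else:
            raise ValueError(ev)
    return sent, dropped, log


FIG9_EVENTS = [
    ("recv", "network"),   # t901
    ("tick",),             # t902: measured
    ("send", b"out-a"),    # between t902 and t903: sent directly
    ("tick",),             # t903: skipped, nothing arrived since t902
    ("send", b"out-b"),    # still direct
    ("recv", "network"),   # t904: queuing resumes
    ("send", b"out-c"),    # held
    ("tick",),             # t905: measured, out-c released
]


def fig9_timeline(program_ok=lambda: True):
    return run_gated_timeline(FIG9_EVENTS, program_ok)


if __name__ == "__main__":
    print(fig9_timeline())
    print(fig9_timeline(lambda: False))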
Sixth Exemplary embodiment
In the case of a multi-process system, packet(s) from each process are handled by its dedicated queue and each queue can be connected with a dedicated slice network.
Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment.
The packets from process 1001-1 are handled by the packet queue 112-1, which can be connected to a dedicated slice network 1010-1. The packets from process 1001-2 are handled by the packet queue 112-2, which can be connected to a dedicated slice network 1010-2. The packets from process 1001-n are handled by the packet queue 112-n, which can be connected to a dedicated slice network 1010-n.
Seventh Exemplary embodiment
For incoming packets, the monitor detects the arrival of packets and can perform measurement of network components such as the packet proxy and the OS network stack, so that the program receives the packet(s) correctly. The attestation can be performed before and after the NIC driver and the OS network stack handle a packet.
Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
The Monitor 1111 monitors whether at least one packet has been received from the network. When the monitor 1111 detects the arrival of packets, it performs integrity measurement of a network component that includes the OS network stack 123 and/or the NIC driver 124, and sends the result of the integrity measurement to the NIC driver 124.
The NIC driver 124 forwards the received packet(s) to the OS network stack 123 when the result for the network component is valid (integrity). When the result for the network component is invalid (tampered), the NIC driver 124 deletes the packet(s). Since the NIC driver 124 is itself among the measured components, the result must reach it before the packet is handed to the OS network stack 123, which is why the attestation is performed before (and after) the NIC driver and the OS network stack handle the packet.
The network device according to the seventh exemplary embodiment performs integrity measurement of a network component when the NIC receives packet(s) and deletes the packet(s) when the network component is invalid; it is thereby possible to protect network device(s) and keep them secure during operation.
While the invention has been described in terms of several exemplary embodiments, those skilled in the art will recognize that the invention can be practiced with various modifications within the spirit and scope of the appended claims and the invention is not limited to the examples described above.
For example, checks of the packet(s) may be performed at different timings or synchronized for each program.
In the above, the Monitor 111 directly measures the program 121. Instead, the Monitor 111 may measure the program indirectly via an agent deployed in the Normal World 102: the Monitor 111 measures the agent in the Normal World 102, and the agent then measures the program 121.
In the above-described exemplary embodiment, the programs may be stored in various types of non-transitory computer readable media and thereby supplied to computers. The non-transitory computer readable media includes various types of tangible storage media.
Examples of the non-transitory computer readable media include a magnetic recording medium (such as a flexible disk, a magnetic tape, and a hard disk drive) and a magneto-optic recording medium (such as a magneto-optic disk).
Further, examples of the non-transitory computer readable media include CD-ROM (Read Only Memory), CD-R, and CD-R/W. Further, examples of the non-transitory computer readable media include a semiconductor memory. The semiconductor memory includes, for example, a mask ROM, a PROM (Programmable ROM), an EPROM (Erasable PROM), a flash ROM, and a RAM (Random Access Memory).
These programs may be supplied to computers by using various types of transitory computer readable media. Examples of the transitory computer readable media include an electrical signal, an optical signal, and an electromagnetic wave.
The transitory computer readable media can be used to supply programs to a computer through a wired communication line (e.g., electric wires and optical fibers) or a wireless communication line.
Note that the present disclosure is not limited to the above-described example exemplary embodiments and can be modified as appropriate without departing from the spirit and scope of the present disclosure. Further, the present disclosure may be implemented by combining these example exemplary embodiments as desired.
Although the present disclosure is explained above with reference to example exemplary embodiments, the present disclosure is not limited to the above-described example exemplary embodiments.
The first to seventh exemplary embodiments can be combined as desirable by one of ordinary skill in the art. The number of combining exemplary embodiments is not limited.
Various modifications that can be understood by those skilled in the art can be made to the configuration and details of the present disclosure within the scope of the invention.
The present invention is applicable to a network device, an IoT device, a router or a base station.
10, 100 NETWORK DEVICE
11 MONITOR
12 PACKET QUEUE
13 PROGRAM
101 SECURE WORLD
102 NORMAL WORLD
103 NIC
111, 711, 1111 MONITOR
112-1~112-n PACKET QUEUE
121-1~121-n PROGRAM
122 PACKET PROXY
123, 823 OS NETWORK STACK
124, 824 NIC DRIVER
1001-1~1001-n PROCESS
1011-1~1011-n SLICE NETWORK
Claims (10)
1. A network device comprising:
   a monitoring means configured to measure the integrity of at least one program repeatedly; and
   a packet queue configured to queue at least one packet sent by the program, wherein
   the monitoring means configured to send a trigger to the packet queue when the measured result is integrity;
   the packet queue configured to send the at least one packet sent to a network when the packet queue receives the trigger.
2. The network device according to claim 1, wherein
   the monitoring means configured to send a report to the packet queue when the measured result is the program is tampered;
   the packet queue configured to delete the packet(s) when the packet queue receives the report.
3. The network device according to claim 1 or 2, wherein
   the monitoring means and the packet queue are executable in a secure world environment;
   the at least one program is executable in a normal world environment.
4. The network device according to claim 3, wherein
   the packet queue configured to embed a signature to the at least one packet and send the at least one packet to the network.
5. The network device according to claim 3 or 4,
   the network device further comprising at least one network component in the normal world environment, wherein
   the monitoring means measures integrity of the network component(s);
   the packet queue configured to send at least one packet sent by the program while the network component(s) is integrity;
   the packet queue configured to delete the packet(s) sent by the program while the network component(s) is tampered.
6. The network device according to claim 3 or 4,
   the network device further comprising at least one network component in the secure world environment.
7. The network device according to claim 3 or 4, wherein
   the monitoring means configured to monitor the presence of at least one received packet;
   the packet queue configured to send the at least one packet sent by the program to the network without queuing until the received packet is received.
8. The network device according to claim 5,
   the network device further comprising a network interface card;
   the at least one network component configured to fetch at least one packet from the network interface card while the network component(s) is integrity.
9. A computing method performed by a network device comprising:
   measuring the integrity of at least one program repeatedly;
   queueing at least one packet sent by the program;
   sending a trigger to the packet queue when the measured result is integrity; and
   sending at least one packet sent by the program to a network when the packet queue receives the trigger.
10. A non-transitory computer readable medium storing a program for causing a computer, the program causing the computer to execute:
   a measuring step for measuring the integrity of at least one program repeatedly;
   a queueing step for queueing at least one packet sent by the program;
   a sending step for sending a trigger to the packet queue when the measured result is integrity; and
   a sending step for sending at least one packet sent by the program to a network when the packet queue receives the trigger.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2022541704A JP7334864B2 (en) | 2020-01-29 | 2020-01-29 | Network device, calculation method and program |
PCT/JP2020/003224 WO2021152740A1 (en) | 2020-01-29 | 2020-01-29 | Network device, computing method and computer readable medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/003224 WO2021152740A1 (en) | 2020-01-29 | 2020-01-29 | Network device, computing method and computer readable medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021152740A1 true WO2021152740A1 (en) | 2021-08-05 |
Family
ID=77078113
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2020/003224 WO2021152740A1 (en) | 2020-01-29 | 2020-01-29 | Network device, computing method and computer readable medium |
Country Status (2)
Country | Link |
---|---|
JP (1) | JP7334864B2 (en) |
WO (1) | WO2021152740A1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005341167A (en) * | 2004-05-26 | 2005-12-08 | Toshiba Corp | Packet filtering apparatus, packet filtering method, and program and recording medium for packet filtering |
JP2013175166A (en) * | 2012-01-12 | 2013-09-05 | Alexeo Corp | Methods and systems for providing network protection by progressive degradation of service |
JP2019066995A (en) * | 2017-09-29 | 2019-04-25 | 株式会社Seltech | System capable of selectively switching between secure mode and non-secure mode |
Family Timeline
- 2020-01-29: JP JP2022541704A (JP7334864B2), status: Active
- 2020-01-29: WO PCT/JP2020/003224 (WO2021152740A1), status: Application Filing
Also Published As
Publication number | Publication date |
---|---|
JP7334864B2 (en) | 2023-08-29 |
JP2023509504A (en) | 2023-03-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11089057B1 (en) | | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US10666686B1 (en) | | Virtualized exploit detection system |
US8966642B2 (en) | | Trust verification of a computing platform using a peripheral device |
EP2774072B1 (en) | | System and method for transitioning to a whitelist mode during a malware attack in a network environment |
EP2645294B1 (en) | | System and method for trusted platform attestation |
US9836611B1 (en) | | Verifying the integrity of a computing platform |
CN111444519B (en) | | Protecting the integrity of log data |
US10944720B2 (en) | | Methods and systems for network security |
KR20060042149A (en) | | Method and system for filtering communications to prevent exploitation of a software vulnerability |
US11972033B2 (en) | | Alert handling |
US11188653B1 (en) | | Verifying the integrity of a computing platform |
CN106663176B (en) | | Detection device and detection method |
US11531769B2 (en) | | Information processing apparatus, information processing method, and computer program product |
WO2021152740A1 (en) | | Network device, computing method and computer readable medium |
US20100023748A1 (en) | | Self checking encryption and decryption based on statistical sampling |
WO2021250740A1 (en) | | Communication device, computing method and computer readable medium |
CN110381016A (en) | | Protection method and device against CC attacks, storage medium, and computer equipment |
US10104104B1 (en) | | Security alerting system with network blockade policy based on alert transmission activity |
KR20140051486A (en) | | Error management system with security function and method of controlling the same |
JP7119537B2 (en) | | Detection system and detection method |
US20130074190A1 (en) | | Apparatus and method for providing security functions in computing system |
CN115904670A (en) | | Task scheduling method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20917232; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2022541704; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20917232; Country of ref document: EP; Kind code of ref document: A1 |