WO2021152740A1 - Network device, computing method and computer readable medium - Google Patents

Network device, computing method and computer readable medium Download PDF

Info

Publication number
WO2021152740A1
WO2021152740A1 PCT/JP2020/003224 JP2020003224W WO2021152740A1 WO 2021152740 A1 WO2021152740 A1 WO 2021152740A1 JP 2020003224 W JP2020003224 W JP 2020003224W WO 2021152740 A1 WO2021152740 A1 WO 2021152740A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
program
network
network device
queue
Prior art date
Application number
PCT/JP2020/003224
Other languages
French (fr)
Inventor
Takayuki Sasaki
Seng Pei LIEW
VAERE Piet DE
Seyedali TABAEIAGHDAEI
Adrian Perrig
Original Assignee
Nec Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nec Corporation filed Critical Nec Corporation
Priority to JP2022541704A priority Critical patent/JP7334864B2/en
Priority to PCT/JP2020/003224 priority patent/WO2021152740A1/en
Publication of WO2021152740A1 publication Critical patent/WO2021152740A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes

Definitions

  • the present disclosure relates to a network device, computing method and computer readable medium.
  • a technique of performing trusted computing has Secure boot (a technique that measures the integrity of BIOS, OS, and application using secure HW (Trusted platform module)) and Attestation (Verifies a program is compromised or not).
  • Patent Literatures 1 to 6 various trusted computing systems and methods are being considered.
  • Patent Literature 1 discloses a system, method and computer program product for guaranteeing a data transaction over a network are disclosed.
  • Patent Literature 2 discloses an anti-virus method and apparatus and a firewall device, to solve the problem of low processing performance caused by performing AV detection on a file of a compressed format in the prior art.
  • Patent Literature 3 discloses the inventive subject matter, there is described herein as a method and apparatus for securely and efficiently managing packet buffers between protection domains on an Intra-partitioned system using packet queues and triggers.
  • Patent Literature 4 discloses method and system for network access control.
  • Patent Literature 5 discloses the invention is to present a method, a computing device and a computer program product for detecting a threat in a communications network.
  • Patent Literature 6 discloses a communication apparatus capable to improve a resistivity to data-plane attack to enhance a network security.
  • PTL 1 International Publication No. WO2004/015524
  • PTL 2 The description of EP Publication of Unexamined Patent Application No. 2797278
  • PTL 3 The description of US Publication of Unexamined Patent Application No. 2008/0244725
  • PTL 4 The description of US Publication of Unexamined Patent Application No. 2017/0339172
  • PTL 5 The description of US Publication of Unexamined Patent Application No. 2014/0259160
  • PTL 6 International Publication No. WO2018/055654
  • Time-of-Check Time-of-Use For outgoing packets; Assuming periodical integrity measurement, it does not ensure that all outgoing packets are sent by trusted (non-tampered) software; and Packets after tampering until the next check are sent by tampered software.
  • a purpose of the present disclosure is to provide a network device, computing method and computer readable medium capable of protecting network device(s) and keeping it secure during its operation.
  • One aspect of a network device is a network device comprising: a monitoring means configured to measure the integrity of at least one program repeatedly; and a packet queue configured to queue at least one packet sent by the program, wherein the monitoring means configured to send a trigger to the packet queue when the measured result is integrity; the packet queue configured to send the at least one packet sent to a network when the packet queue receives the trigger.
  • One aspect of a computing method according to the present invention is a computing method performed by a network device comprising: measuring the integrity of at least one program repeatedly; queueing at least one packet sent by the program; sending a trigger to the packet queue when the measured result is integrity; and sending at least one packet sent by the program to a network when the packet queue receives the trigger.
  • One aspect of a computer readable medium is a non-transitory computer readable medium storing a program for causing a computer, the program causing the computer to execute: a measuring step for measuring the integrity of at least one program repeatedly; a queueing step for queueing at least one packet sent by the program; a sending step for sending a trigger to the packet queue when the measured result is integrity; and a sending step for sending at least one packet sent by the program to a network when the packet queue receives the trigger.
  • Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment
  • Fig. 2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment
  • Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment
  • Fig. 4 is a timing chart of a network device according to the second exemplary embodiment
  • Fig. 5 is a timing chart of a network device according to the second exemplary embodiment
  • Fig. 6 is a flow chart of a network device according to the second exemplary embodiment
  • Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment
  • Fig. 2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment
  • Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment
  • Fig. 4 is a timing chart of a network device according to the second exemplary embodiment
  • FIG. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment
  • Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment
  • Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment
  • Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment
  • Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
  • FIG. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment.
  • a network device 10 comprises a monitor 11, a packet queue 12 and at least one program 13.
  • the monitor 11 measures the integrity of at least one program 13 repeatedly.
  • the monitor 11 sends a trigger to the packet queue 12 when the measured result is integrity.
  • the packet queue 12 queues at least one packet sent by the program 13.
  • the packet queue 12 sends the at least one packet sent to a network when the packet queue 12 receives the trigger.
  • the network device stores outgoing packets until the next time of check of the packet queue and sends the packet(s) by the packet queue after verifying the integrity of the program by the monitor, and it is thereby possible to protect network device(s) and keep it secure during its operation.
  • Second Exemplary embodiment Fig.2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment.
  • a network device 100 comprises Secure World 101, Normal World 102 and NIC 103.
  • the OS operates in Normal World 102 and cannot read or write the protected storage in Secure World 101.
  • the network device 100 is implemented by CPU (e.g. TrustZone TM Hardware Architecture like ARM TM architecture processor), Memory and I/O circuit.
  • the Secure World 101 is the environment not capable to access from the Normal World 102.
  • the Secure World 101 comprises the Monitor 111 and the packet queues 112-1 ⁇ 112-n.
  • the Normal World 102 is the environment capable to access from the Secure World 101.
  • the Normal World 102 comprises programs 121-1 ⁇ 121-n, packet proxy 122, an OS network stack 123 and a NIC driver 124.
  • the monitor 111 measures the integrity of at least one program 121-1 ⁇ 121-n repeatedly.
  • the monitor 111 may perform integrity measurement of the programs 121-1 ⁇ 121-n respectively. For example, the monitor 111 periodically may measure whether each program's 121-1 ⁇ 121-n has been tampered with or not. And the monitor 111 sends a result of the integrity measurement to the packet queues 112-1 ⁇ 112-n.
  • the monitor 111 sends a trigger to the packet queue when the measured result is integrity.
  • the trigger means starting to send the packet from the packet queues 112-1 ⁇ 112-n to a computer network.
  • the monitor 111 sends a report to the packet queue when the measured result is the program is tampered.
  • the report means that the program is tampered and should delete the packet send by the tampered program.
  • the monitor 111 sends the trigger or the report of the program 121-1 to packet queue 112-1.
  • the monitor 111 sends the trigger or the report of the program 121-2 to the packet queue 112-2.
  • the monitor 111 sends the trigger or the report of the program 121-n to the packet queue 112-n.
  • the packet queues 112-1 ⁇ 112-n are queues of at least one packet.
  • the packet queues 112-1 ⁇ 112-n are prepared per the programs 121-1 ⁇ 121-n in the Secure World 101.
  • the packet queues 112-1 ⁇ 112-n receive packets sent from the programs 121-1 ⁇ 121-n and queue the packet(s).
  • the packet queues 112-1 ⁇ 112-n send each packet to the packet proxy 122 when the packet queues 112-1 ⁇ 112-n receive the trigger.
  • the packet queues 112-1 ⁇ 112-n send each packet to the packet proxy 122 when the packet queues 112-1 ⁇ 112-n receive the valid result corresponding to the programs 121-1 ⁇ 121-n.
  • the packet queues 112-1 ⁇ 112-n delete the packet(s) corresponding to tampered program in the programs 121-1 ⁇ 121-n when the packet queues 112-1 ⁇ 112-n receive the report that the program is tampered. In other words, when the result corresponding to the programs 121-1 ⁇ 121-n is invalid, the packet queues 112-1 ⁇ 112-n delete the packet(s) corresponding to invalid program in the programs 121-1 ⁇ 121-n. Specifically, the packet queues 112-1 ⁇ 112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
  • the packet queues 112-1 ⁇ 112-n may embed a signature to each packet using a pre-shared key and may send the packet(s) to the packet proxy 122.
  • the Packet receiving device drops packets without signature (directly sent by the compromised program) and packets with invalid signature (modified by the compromised program). It is thereby possible to avoid packet sending by compromised program and to avoid modification of the packet(s) sent by the packet queue.
  • the programs 121-1 ⁇ 121-n are programs that are processed on the Normal World 102.
  • the programs 121-1 ⁇ 121-n send output one or more packets to the packet queues 112-1 ⁇ 112-n, respectively.
  • the packet proxy 122 forwards the packet(s) from the packet queues 112-1 ⁇ 112-n to the OS network stack 123.
  • the packet proxy 122 may cache the packet(s).
  • the OS network stack 123 processes the packet(s) according to a predetermined network protocol and sends the processed packet(s) to the NIC driver 124.
  • the NIC driver 124 is a device driver that controls the NIC 103.
  • the NIC 103 is a network interface card that connects the network device 100 to the computer network.
  • the NIC 103 is controlled by the NIC driver 124 in the normal world 102.
  • Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment.
  • the program 121-1 sends each packet to the packet queue 112-1.
  • the packet queue 112-1 receives the packet(s) from the program 121-1 and queues the packet(s).
  • the monitor 111 measures whether the program 121-1 has been tampered with or not.
  • the monitor 111 sends a signal with the measurement result to the packet queues 112-1.
  • the packet queue 112-1 sends the packet(s) to the computer network when the measurement result is valid.
  • the packet queue 112-1 deletes the packet(s) to the computer network when the measurement result is invalid.
  • Fig.3 shows an example in which one program sends the packet(s)
  • a plurality of programs may send the packet(s)
  • each program may be measured, and the packet(s) of each program may be sent or deleted based on each measurement result.
  • Fig. 4 is a timing chart of a network device according to the second exemplary embodiment. Fig. 4 shows an example when the measurement result is valid.
  • the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
  • the program 121-1 sends a packet 421, and the packet queue 112-1 queues the packet 421 and has not sent the packet 421 until next check timing t404.
  • the program 121-1 sends a packet 431, and the packet queue 112-1 queues the packet 431 and has not sent the packet 431 until next check timing t404.
  • the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1 again. As a result of check at timing t404, the program has been verified integrity from timing t401 to timing t404.
  • the packet queue 112-1 sends the packet(s) 421 and 431 at timing t404 (or immediately after timing t404).
  • the program 121-1 sends a packet 451, and the packet queue 112-1 queues the packet 451 and has not sent the packet 451 until next check timing t407.
  • the program 121-1 sends a packet 461, and the packet queue 112-1 queues the packet 461 and has not sent the packet 461 until next check timing t407.
  • the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1 again. As a result of check at timing t407, the program has been verified integrity from timing t404 to timing t407.
  • the packet queue 112-1 sends the packet(s) 451 and 461 at timing t407 (or immediately after timing t407).
  • Fig. 5 is a timing chart of a network device according to the second exemplary embodiment.
  • Fig. 5 shows an example when the measurement result is invalid after a valid result.
  • the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
  • the program 121-1 sends a packet 521, and the packet queue 112-1 queues the packet 521 and has not sent the packet 521 until next check timing t504.
  • the program 121-1 sends a packet 531, and the packet queue 112-1 queues the packet 531 and has not sent the packet 531 until next check timing t504.
  • the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1 again. As a result of check at timing t504, the program has been verified integrity from timing t501 to timing t504.
  • the packet queue 112-1 sends the packet(s) 521 and 531 at timing t504 (or immediately after timing t504).
  • the program 121-1 would be compromised by an attacker.
  • a packet 561 would be sent by the compromised program, and the packet queue 112-1 queues the packet 561 and has not sent the packet 561 until next check timing t508.
  • a packet 571 would be sent by the compromised program, and the packet queue 112-1 queues the packet 571 and has not sent the packet 571 until next check timing t508.
  • the monitor 111 checks the program 121-1 and detects tampering of the program 121-1. As a result of check at timing t508, the result is that the program is tampered from timing t504 to timing t508. According to the result, the packet queue 112-1 deletes the packet(s) 561 and 571 at timing t508 (or immediately after timing t508).
  • Fig. 6 is a flow chart of a network device according to the second exemplary embodiment.
  • step S601 the program 121-1 is executed and moves to the next step S602.
  • step S602 the program 121-1 sends the at least one packet to the packet queue 112-1 and moves to the next step S603.
  • the packet queue 112-1 queues the at least one packet sent from the program 121-1 and moves to the next step S604.
  • step S604 if measurement timing has come, moves to the next step S605. If measurement timing has not come, returns to step S601.
  • the monitor 111 measures whether the program 121-1 has been tampered with or not and moves to the next step S606.
  • the monitor 111 sends a signal with the measurement result to the packet queues 112-1.
  • the signal is the trigger of sending the packet or the report that the program is tampered.
  • the signal is the trigger, moves to the next step S608.
  • the signal is not the trigger (i.e. the signal is the report), moves to the next step S609.
  • the packet queue 112-1 sends the packet(s) to the computer network and returns step S601.
  • the packet queue 112-1 deletes the packet(s).
  • the network device stores outgoing packets until the next time of check of the packet queue and deletes the packet(s) by the packet queue after detecting the tampered program by the monitor, and it is thereby possible to protect network device(s) and keep it secure during its operation.
  • the network device embeds a signature to each packet, and it is thereby possible to avoid packet sending by compromised program and to avoid modification of the packet(s) sent by the packet queue.
  • the monitor instead of adding a signature to the packet(s), before the packet queue sends the packet(s), the monitor can attests components (packet proxy and OS network stack) that handle the packet(s) in the normal world.
  • Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment.
  • the Secure World 101 comprises a Monitor 711 and the packet queues 112-1 ⁇ 112-n.
  • the Monitor 711 performs integrity measurement of a network component that includes the packet proxy 122 and/or the OS network stack 123. And the monitor 711 sends a result of the integrity measurement to the packet queues 112-1 ⁇ 112-n. The integrity measurement is performed periodically by the monitor 711.
  • the packet queues 112-1 ⁇ 112-n send each packet to the packet proxy 122 when the results corresponding to the network component is valid (integrity). When the results corresponding to the network component is invalid (is tampered), the packet queues 112-1 ⁇ 112-n delete the packet(s). The packet queues 112-1 ⁇ 112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
  • the network device performs integrity measurement of a network component and delete the packet(s) when the network component is invalid, and it is thereby possible to protect network device(s) and keep it secure during its operation without a signature.
  • FIG. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment.
  • the Secure World 101 comprises the Monitor 111, the packet queues 112-1 ⁇ 112-n, an OS network stack 823 and a NIC driver 824
  • the Normal World 102 comprises programs 121-1 ⁇ 121-n.
  • the packet queues 112-1 ⁇ 112-n send each packet to the OS network stack 823 when the result corresponding to the programs 121-1 ⁇ 121-n is valid.
  • the packet queues 112-1 ⁇ 112-n delete the packet(s) corresponding to invalid program in the programs 121-1 ⁇ 121-n.
  • the packet queues 112-1 ⁇ 112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
  • the OS network stack 823 processes the packet(s) according to a predetermined network protocol in the secure world 101 and sends the processed packet(s) to the NIC driver 824.
  • the NIC driver 824 is a device driver that controls the NIC 103.
  • the NIC driver 824 controls the NIC 103 in the secure world 101.
  • the NIC 103 is a network interface card that connects the network device 100 to a computer network.
  • the NIC 103 is controlled by the NIC driver 824 in the secure world 101.
  • the network device comprises at least one network component in Secure World.
  • the network component(s) includes the NIC driver and/or the OS network stack in Secure World, and it is thereby possible to protect the NIC driver and the OS network stack and keep it secure during its operation without a signature.
  • NIC is controlled by OS in the secure world.
  • the addition of the signature can be skipped because the secure world directly controls NIC and there is no risk that the compromised program sends or modifies the packet.
  • the monitor 111 measures the integrity of at least one program 121-1 ⁇ 121-n repeatedly.
  • the monitor 111 monitors the presence of at least one received packet from the network.
  • the monitor 111 turns off measurement the integrity until the received packet is received from the network.
  • the monitor 111 is configured to transmit signal of queuing packet(s) or signal of stop queuing packet(s) to packet queues 112-1 ⁇ 112-n.
  • the packet queues 112-1 ⁇ 112-n sends the packet(s) sent by the program 121-1 ⁇ 121-n to the network without queuing until the received packet is received.
  • Integrity measurement and packet storing can be skipped from time of integrity measurement to time of receiving a packet.
  • Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment.
  • the network device 100 receives the packet(s).
  • the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
  • the monitor 111 does not check the program 121-1, because no packet has received until timing t902 to timing t903.
  • the packet queue 112-1 does not queue the packet(s) sent by the program 121-1 and send the packet(s) to the network timing t902 to timing t903.
  • the network device 100 receives the packet(s).
  • the packet queue 112-1 queues the packet(s) sent by the program 121-1.
  • the monitor 111 checks the program 121-1, because the packet(s) has received until timing t903 to timing t905.
  • the network device skips integrity measurement and packet storing from time of integrity measurement to time of receiving a packet, and it is thereby possible to reduce resource for checking integrity.
  • the integrity measurement and the packet storing can be started when data is received by other interfaces such as a serial port, a USB port, a storage, and/or a keyboard.
  • packet(s) from each process are handled by its dedicated queue and each queue can be connected with a dedicated slice network.
  • Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment.
  • the packet(s) from process 1001-1 is handled by the packet queue 121-1.
  • the packet queue 121-1 can be connected with a dedicated slice network 1010-1.
  • the packet(s) from process 1010-2 is handled by the packet queue 121-2.
  • the packet queue 121-2 can be connected with a dedicated slice network 1010-2.
  • the packet(s) from process 1001-n is handled by the packet queue 121-n.
  • the packet queue 121-n can be connected with a dedicated slice network 1010-n.
  • the monitor detects arrivals of packets and can perform measurement against network components such as the packet proxy and OS network stack so that the program can correctly receive the packet(s).
  • the attestation can be performed before and after NIC driver and OS network stack handles a packet.
  • Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
  • the Monitor 1111 monitors the presence of at least one received packet from the network.
  • the Monitor 1111 performs integrity measurement of a network component that includes the OS network stack 123 and/or the NIC driver 124 when the monitor 1111 detects arrivals of packets. And the monitor 1111 sends a result of the integrity measurement to the NIC driver 124.
  • the NIC driver 124 sends packet(s) to the OS network stack 123 when the results corresponding to the network component is valid (integrity). When the results corresponding to the network component is invalid (is tampered), the NIC driver 124 deletes the packet(s).
  • the network device performs integrity measurement of a network component when NIC receives the packet(s) and delete the packet(s) when the network component is invalid, and it is thereby possible to protect network device(s) and keep it secure during its operation.
  • checks of the packet(s) may be performed at different timings or synchronized for each program.
  • Monitor 111 directly measures program 102. Instead, Monitor 111 may indirectly measure the program via an agent deployed in Normal World 102. Specifically, Monitor 111 measures the agent in Normal World 102, and then the agent measures program 102.
  • the programs may be stored in various types of non-transitory computer readable media and thereby supplied to computers.
  • the non-transitory computer readable media includes various types of tangible storage media.
  • non-transitory computer readable media examples include a magnetic recording medium (such as a flexible disk, a magnetic tape, and a hard disk drive) and a magneto-optic recording medium (such as a magneto-optic disk).
  • a magnetic recording medium such as a flexible disk, a magnetic tape, and a hard disk drive
  • a magneto-optic recording medium such as a magneto-optic disk
  • examples of the non-transitory computer readable media include CD-ROM (Read Only Memory), CD-R, and CD-R/W. Further, examples of the non-transitory computer readable media include a semiconductor memory.
  • the semiconductor memory includes, for example, a mask ROM, a PROM (Programmable ROM), an EPROM (Erasable PROM), a flash ROM, and a RAM (Random Access Memory).
  • Transitory computer readable media examples include an electrical signal, an optical signal, and an electromagnetic wave.
  • the transitory computer readable media can be used to supply programs to a computer through a wired communication line (e.g., electric wires and optical fibers) or a wireless communication line.
  • the first to seventh exemplary embodiments can be combined as desirable by one of ordinary skill in the art.
  • the number of combining exemplary embodiments is not limited.
  • the present invention is applicable to a network device, IOT device, router, base station.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network device (10) comprising: a monitoring means (11) configured to measure the integrity of at least one program repeatedly; and a packet queue (12) configured to queue at least one packet sent by the program (13), wherein the monitoring means (11) configured to send a trigger to the packet queue when the measured result is integrity; the packet queue (12) configured to send the at least one packet sent to a network when the packet queue (12) receives the trigger.

Description

NETWORK DEVICE, COMPUTING METHOD AND COMPUTER READABLE MEDIUM
  The present disclosure relates to a network device, computing method and computer readable medium.
  A technique of performing trusted computing has Secure boot (a technique that measures the integrity of BIOS, OS, and application using secure HW (Trusted platform module)) and Attestation (Verifies a program is compromised or not).
  Further as mentioned below in Patent Literatures 1 to 6, various trusted computing systems and methods are being considered.
  Patent Literature 1 discloses a system, method and computer program product for guaranteeing a data transaction over a network are disclosed.
  Patent Literature 2 discloses an anti-virus method and apparatus and a firewall device, to solve the problem of low processing performance caused by performing AV detection on a file of a compressed format in the prior art.
  Patent Literature 3 discloses the inventive subject matter, there is described herein as a method and apparatus for securely and efficiently managing packet buffers between protection domains on an Intra-partitioned system using packet queues and triggers.
  Patent Literature 4 discloses method and system for network access control.
  Patent Literature 5 discloses the invention is to present a method, a computing device and a computer program product for detecting a threat in a communications network.
  Patent Literature 6 discloses a communication apparatus capable to improve a resistivity to data-plane attack to enhance a network security.
  PTL 1: International Publication No. WO2004/015524
  PTL 2: The description of EP Publication of Unexamined Patent Application No. 2797278
  PTL 3: The description of US Publication of Unexamined Patent Application No. 2008/0244725
  PTL 4: The description of US Publication of Unexamined Patent Application No. 2017/0339172
  PTL 5: The description of US Publication of Unexamined Patent Application No. 2014/0259160
  PTL 6: International Publication No. WO2018/055654
  However, existing solutions do not meet the following security property.
  Time-of-Check Time-of-Use (ToCToU) for outgoing packets;
  Assuming periodical integrity measurement, it does not ensure that all outgoing packets are sent by trusted (non-tampered) software; and
  Packets after tampering until the next check are sent by tampered software.
  A purpose of the present disclosure is to provide a network device, computing method and computer readable medium capable of protecting network device(s) and keeping it secure during its operation.
  It should be noted that the above-described object is merely one of the objects to be attained by the example exemplary embodiments disclosed herein. Other objects or problems and novel features will be made apparent from the following description and the accompanying drawings.
  One aspect of a network device according to the present invention is a network device comprising: a monitoring means configured to measure the integrity of at least one program repeatedly; and a packet queue configured to queue at least one packet sent by the program, wherein   the monitoring means configured to send a trigger to the packet queue when the measured result is integrity; the packet queue configured to send the at least one packet sent to a network when the packet queue receives the trigger.
  One aspect of a computing method according to the present invention is a computing method performed by a network device comprising: measuring the integrity of at least one program repeatedly; queueing at least one packet sent by the program; sending a trigger to the packet queue when the measured result is integrity; and sending at least one packet sent by the program to a network when the packet queue receives the trigger.
  One aspect of a computer readable medium according to the present invention is a non-transitory computer readable medium storing a program for causing a computer, the program causing the computer to execute: a measuring step for measuring the integrity of at least one program repeatedly; a queueing step for queueing at least one packet sent by the program; a sending step for sending a trigger to the packet queue when the measured result is integrity; and a sending step for sending at least one packet sent by the program to a network when the packet queue receives the trigger.
  According to the present disclosure, it is possible to provide a network device, computing method and computer readable medium capable of protecting network device(s) and keeping it secure during its operation.
  The above and other aspects, advantages and features will be more apparent from the following description of certain exemplary embodiments taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment; Fig. 2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment; Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment; Fig. 4 is a timing chart of a network device according to the second exemplary embodiment; Fig. 5 is a timing chart of a network device according to the second exemplary embodiment; Fig. 6 is a flow chart of a network device according to the second exemplary embodiment; Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment; Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment; Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment; Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment; and Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
Description of Exemplary embodiments
  Example exemplary embodiments according to the present disclosure will be described hereinafter with reference to the drawings.
  For the clarification of the description, the following description and the drawings may be omitted or simplified as appropriate. Further, each element shown in the drawings as functional blocks that perform various processing can be formed of a CPU (Central Processing Unit), a memory, and other circuits in hardware and may be implemented by programs loaded into the memory in software. Those skilled in the art will therefore understand that these functional blocks may be implemented in various ways by only hardware, only software, or the combination thereof without any limitation. Throughout the drawings, the same components are denoted by the same reference signs and overlapping descriptions will be omitted as appropriate.
  First Exemplary embodiment
  Fig. 1 is a block diagram showing a schematic configuration of a network device according to a first exemplary embodiment. A network device 10 comprises a monitor 11, a packet queue 12 and at least one program 13.
  The monitor 11 measures the integrity of at least one program 13 repeatedly. The monitor 11 sends a trigger to the packet queue 12 when the measured result is integrity.
  The packet queue 12 queues at least one packet sent by the program 13. The packet queue 12 sends the at least one packet sent to a network when the packet queue 12 receives the trigger.
  The network device according to the first exemplary embodiment stores outgoing packets until the next time of check of the packet queue and sends the packet(s) by the packet queue after verifying the integrity of the program by the monitor, and it is thereby possible to protect network device(s) and keep it secure during its operation.
  Second Exemplary embodiment
  Fig.2 is a block diagram showing a schematic configuration of a network device according to a second exemplary embodiment.
  A network device 100 comprises Secure World 101, Normal World 102 and NIC 103. For example, the OS operates in Normal World 102 and cannot read or write the protected storage in Secure World 101. For example, the network device 100 is implemented by CPU (e.g. TrustZoneTM Hardware Architecture like ARMTM architecture processor), Memory and I/O circuit.
  The Secure World 101 is the environment not capable to access from the Normal World 102. The Secure World 101 comprises the Monitor 111 and the packet queues 112-1~112-n.
  The Normal World 102 is the environment capable to access from the Secure World 101. The Normal World 102 comprises programs 121-1~121-n, packet proxy 122, an OS network stack 123 and a NIC driver 124.
  The monitor 111 measures the integrity of at least one program 121-1~121-n repeatedly. The monitor 111 may perform integrity measurement of the programs 121-1~121-n respectively. For example, the monitor 111 periodically may measure whether each program's 121-1~121-n has been tampered with or not. And the monitor 111 sends a result of the integrity measurement to the packet queues 112-1~112-n.
  For example, the monitor 111 sends a trigger to the packet queue when the measured result is integrity. The trigger means starting to send the packet from the packet queues 112-1~112-n to a computer network. For example, the monitor 111 sends a report to the packet queue when the measured result is the program is tampered. The report means that the program is tampered and should delete the packet send by the tampered program. The monitor 111 sends the trigger or the report of the program 121-1 to packet queue 112-1. The monitor 111 sends the trigger or the report of the program 121-2 to the packet queue 112-2. The monitor 111 sends the trigger or the report of the program 121-n to the packet queue 112-n.
  The packet queues 112-1~112-n are queues of at least one packet. The packet queues 112-1~112-n are prepared per the programs 121-1~121-n in the Secure World 101. The packet queues 112-1~112-n receive packets sent from the programs 121-1~121-n and queue the packet(s).
  The packet queues 112-1~112-n send each packet to the packet proxy 122 when the packet queues 112-1~112-n receive the trigger. In other words, the packet queues 112-1~112-n send each packet to the packet proxy 122 when the packet queues 112-1~112-n receive the valid result corresponding to the programs 121-1~121-n.
  The packet queues 112-1~112-n delete the packet(s) corresponding to tampered program in the programs 121-1~121-n when the packet queues 112-1~112-n receive the report that the program is tampered. In other words, when the result corresponding to the programs 121-1~121-n is invalid, the packet queues 112-1~112-n delete the packet(s) corresponding to invalid program in the programs 121-1~121-n. Specifically, the packet queues 112-1~112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
  The packet queues 112-1~112-n may embed a signature to each packet using a pre-shared key and may send the packet(s) to the packet proxy 122. The Packet receiving device drops packets without signature (directly sent by the compromised program) and packets with invalid signature (modified by the compromised program). It is thereby possible to avoid packet sending by compromised program and to avoid modification of the packet(s) sent by the packet queue.
  The programs 121-1~121-n are programs that are processed on the Normal World 102. The programs 121-1~121-n send output one or more packets to the packet queues 112-1~112-n, respectively.
  The packet proxy 122 forwards the packet(s) from the packet queues 112-1~112-n to the OS network stack 123. The packet proxy 122 may cache the packet(s).
  The OS network stack 123 processes the packet(s) according to a predetermined network protocol and sends the processed packet(s) to the NIC driver 124.
  The NIC driver 124 is a device driver that controls the NIC 103.
  The NIC 103 is a network interface card that connects the network device 100 to the computer network. The NIC 103 is controlled by the NIC driver 124 in the normal world 102.
  As described above, the network device 100 prevents transmission of a packet by a compromised program. The operation of the network device 100 is described below. Fig. 3 is a sequence chart of a network device according to the second exemplary embodiment.
  In Fig.3, at step from S301-1 to S301-m (m is an integer greater than or equal to 1), the program 121-1 sends each packet to the packet queue 112-1. The packet queue 112-1 receives the packet(s) from the program 121-1 and queues the packet(s).
  At step S302, the monitor 111 measures whether the program 121-1 has been tampered with or not.
  At step S303, the monitor 111 sends a signal with the measurement result to the packet queues 112-1.
  At step S304, the packet queue 112-1 sends the packet(s) to the computer network when the measurement result is valid. At step S304, the packet queue 112-1 deletes the packet(s) to the computer network when the measurement result is invalid.
  Although Fig.3 shows an example in which one program sends the packet(s), a plurality of programs may send the packet(s), each program may be measured, and the packet(s) of each program may be sent or deleted based on each measurement result.
  The above processing of step S301-1 to step S304 may be repeated periodically. Fig. 4 is a timing chart of a network device according to the second exemplary embodiment. Fig. 4 shows an example when the measurement result is valid.
  At timing t401, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
  At timing t402, the program 121-1 sends a packet 421, and the packet queue 112-1 queues the packet 421 and has not sent the packet 421 until next check timing t404.
  At timing t403, the program 121-1 sends a packet 431, and the packet queue 112-1 queues the packet 431 and has not sent the packet 431 until next check timing t404.
  At timing t404, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1 again. As a result of check at timing t404, the program has been verified integrity from timing t401 to timing t404. The packet queue 112-1 sends the packet(s) 421 and 431 at timing t404 (or immediately after timing t404).
  At timing t405, the program 121-1 sends a packet 451, and the packet queue 112-1 queues the packet 451 and has not sent the packet 451 until next check timing t407.
  At timing t406, the program 121-1 sends a packet 461, and the packet queue 112-1 queues the packet 461 and has not sent the packet 461 until next check timing t407.
  At timing t407, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1 again. As a result of check at timing t407, the program has been verified integrity from timing t404 to timing t407. The packet queue 112-1 sends the packet(s) 451 and 461 at timing t407 (or immediately after timing t407).
  As described above, storing outgoing packets until the next time of check by the packet queue and the packet(s) are sent after verifying the integrity of the program by the monitor.
  Fig. 5 is a timing chart of a network device according to the second exemplary embodiment. Fig. 5 shows an example when the measurement result is invalid after a valid result.
  At timing t501, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
  At timing t502, the program 121-1 sends a packet 521, and the packet queue 112-1 queues the packet 521 and has not sent the packet 521 until next check timing t504.
  At timing t503, the program 121-1 sends a packet 531, and the packet queue 112-1 queues the packet 531 and has not sent the packet 531 until next check timing t504.
  At timing t504, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1 again. As a result of check at timing t504, the program has been verified integrity from timing t501 to timing t504. The packet queue 112-1 sends the packet(s) 521 and 531 at timing t504 (or immediately after timing t504).
  At timing t505, the program 121-1 would be compromised by an attacker.
  At timing t506, a packet 561 would be sent by the compromised program, and the packet queue 112-1 queues the packet 561 and has not sent the packet 561 until next check timing t508.
  At timing t507, a packet 571 would be sent by the compromised program, and the packet queue 112-1 queues the packet 571 and has not sent the packet 571 until next check timing t508.
  At timing t508, the monitor 111 checks the program 121-1 and detects tampering of the program 121-1. As a result of check at timing t508, the result is that the program is tampered from timing t504 to timing t508. According to the result, the packet queue 112-1 deletes the packet(s) 561 and 571 at timing t508 (or immediately after timing t508).
  Fig. 6 is a flow chart of a network device according to the second exemplary embodiment.
  At step S601, the program 121-1 is executed and moves to the next step S602.
  At step S602, the program 121-1 sends the at least one packet to the packet queue 112-1 and moves to the next step S603.
  At step S603, the packet queue 112-1 queues the at least one packet sent from the program 121-1 and moves to the next step S604.
  At step S604, if measurement timing has come, moves to the next step S605. If measurement timing has not come, returns to step S601.
  At step S605, the monitor 111 measures whether the program 121-1 has been tampered with or not and moves to the next step S606.
  At step S606, the monitor 111 sends a signal with the measurement result to the packet queues 112-1. The signal is the trigger of sending the packet or the report that the program is tampered.
  At step S607, the signal is the trigger, moves to the next step S608. The signal is not the trigger (i.e. the signal is the report), moves to the next step S609.
  At step S608, the packet queue 112-1 sends the packet(s) to the computer network and returns step S601.
  At step S609, the packet queue 112-1 deletes the packet(s).
  The network device according to the second exemplary embodiment stores outgoing packets until the next time of check of the packet queue and deletes the packet(s) by the packet queue after detecting the tampered program by the monitor, and it is thereby possible to protect network device(s) and keep it secure during its operation.
  Further, the network device according to the second exemplary embodiment embeds a signature to each packet, and it is thereby possible to avoid packet sending by compromised program and to avoid modification of the packet(s) sent by the packet queue.
  Third Exemplary embodiment
  In third exemplary embodiment, instead of adding a signature to the packet(s), before the packet queue sends the packet(s), the monitor can attests components (packet proxy and OS network stack) that handle the packet(s) in the normal world.
  Fig. 7 is a block diagram showing a schematic configuration of a network device according to a third exemplary embodiment. The Secure World 101 comprises a Monitor 711 and the packet queues 112-1~112-n.
  The Monitor 711 performs integrity measurement of a network component that includes the packet proxy 122 and/or the OS network stack 123. And the monitor 711 sends a result of the integrity measurement to the packet queues 112-1~112-n. The integrity measurement is performed periodically by the monitor 711.
  The packet queues 112-1~112-n send each packet to the packet proxy 122 when the results corresponding to the network component is valid (integrity). When the results corresponding to the network component is invalid (is tampered), the packet queues 112-1~112-n delete the packet(s). The packet queues 112-1~112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
  The network device according to the third exemplary embodiment performs integrity measurement of a network component and delete the packet(s) when the network component is invalid, and it is thereby possible to protect network device(s) and keep it secure during its operation without a signature.
  Fourth Exemplary embodiment
  Fig. 8 is a block diagram showing a schematic configuration of a network device according to a fourth exemplary embodiment.
  The Secure World 101 comprises the Monitor 111, the packet queues 112-1~112-n, an OS network stack 823 and a NIC driver 824
  The Normal World 102 comprises programs 121-1~121-n.
  The packet queues 112-1~112-n send each packet to the OS network stack 823 when the result corresponding to the programs 121-1~121-n is valid. When the result corresponding to the programs 121-1~121-n is invalid, the packet queues 112-1~112-n delete the packet(s) corresponding to invalid program in the programs 121-1~121-n. The packet queues 112-1~112-n delete the packet(s) from reporting the valid result of the previous measurement to reporting the invalid result of the current measurement.
  The OS network stack 823 processes the packet(s) according to a predetermined network protocol in the secure world 101 and sends the processed packet(s) to the NIC driver 824.
  The NIC driver 824 is a device driver that controls the NIC 103. The NIC driver 824 controls the NIC 103 in the secure world 101.
  The NIC 103 is a network interface card that connects the network device 100 to a computer network. The NIC 103 is controlled by the NIC driver 824 in the secure world 101.
  The network device according to the fourth exemplary embodiment comprises at least one network component in Secure World. The network component(s) includes the NIC driver and/or the OS network stack in Secure World, and it is thereby possible to protect the NIC driver and the OS network stack and keep it secure during its operation without a signature.
  In other words, NIC is controlled by OS in the secure world. In this case, the addition of the signature can be skipped because the secure world directly controls NIC and there is no risk that the compromised program sends or modifies the packet.
  Fifth Exemplary embodiment
  In the fifth exemplary embodiment, the monitor 111 measures the integrity of at least one program 121-1~121-n repeatedly. The monitor 111 monitors the presence of at least one received packet from the network. The monitor 111 turns off measurement the integrity until the received packet is received from the network. The monitor 111 is configured to transmit signal of queuing packet(s) or signal of stop queuing packet(s) to packet queues 112-1~112-n. The packet queues 112-1~112-n sends the packet(s) sent by the program 121-1~121-n to the network without queuing until the received packet is received.
  In other words, assuming the tampering of a device is caused by an external attacker, the cause of a compromise is incoming packets. Integrity measurement and packet storing can be skipped from time of integrity measurement to time of receiving a packet.
  Fig. 9 is a timing chart of a network device according to a fifth exemplary embodiment. At timing t901, the network device 100 receives the packet(s).
  At timing t902, the monitor 111 checks the program 121-1 and verifies the integrity of the program 121-1.
  At timing t903, the monitor 111 does not check the program 121-1, because no packet has received until timing t902 to timing t903. The packet queue 112-1 does not queue the packet(s) sent by the program 121-1 and send the packet(s) to the network timing t902 to timing t903.
  At timing t904, the network device 100 receives the packet(s). The packet queue 112-1 queues the packet(s) sent by the program 121-1.
  At timing t905, the monitor 111 checks the program 121-1, because the packet(s) has received until timing t903 to timing t905.
  The network device according to the fifth exemplary embodiment skips integrity measurement and packet storing from time of integrity measurement to time of receiving a packet, and it is thereby possible to reduce resource for checking integrity. In addition to the above process of the fifth exemplary embodiment, the integrity measurement and the packet storing can be started when data is received by other interfaces such as a serial port, a USB port, a storage, and/or a keyboard.
  Sixth Exemplary embodiment
  In the case of a multi-process system, packet(s) from each process are handled by its dedicated queue and each queue can be connected with a dedicated slice network.
  Fig. 10 is a block diagram showing a schematic configuration of a network device according to a sixth exemplary embodiment.
  The packet(s) from process 1001-1 is handled by the packet queue 121-1. The packet queue 121-1 can be connected with a dedicated slice network 1010-1. The packet(s) from process 1010-2 is handled by the packet queue 121-2. The packet queue 121-2 can be connected with a dedicated slice network 1010-2. The packet(s) from process 1001-n is handled by the packet queue 121-n. The packet queue 121-n can be connected with a dedicated slice network 1010-n.
  Seventh Exemplary embodiment
  For the incoming packets, the monitor detects arrivals of packets and can perform measurement against network components such as the packet proxy and OS network stack so that the program can correctly receive the packet(s). The attestation can be performed before and after NIC driver and OS network stack handles a packet.
  Fig. 11 is a block diagram showing a schematic configuration of a network device according to a seventh exemplary embodiment.
  The Monitor 1111 monitors the presence of at least one received packet from the network. The Monitor 1111 performs integrity measurement of a network component that includes the OS network stack 123 and/or the NIC driver 124 when the monitor 1111 detects arrivals of packets. And the monitor 1111 sends a result of the integrity measurement to the NIC driver 124.
  The NIC driver 124 sends packet(s) to the OS network stack 123 when the results corresponding to the network component is valid (integrity). When the results corresponding to the network component is invalid (is tampered), the NIC driver 124 deletes the packet(s).
  The network device according to the seventh exemplary embodiment performs integrity measurement of a network component when NIC receives the packet(s) and delete the packet(s) when the network component is invalid, and it is thereby possible to protect network device(s) and keep it secure during its operation.
  While the invention has been described in terms of several exemplary embodiments, those skilled in the art will recognize that the invention can be practiced with various modifications within the spirit and scope of the appended claims and the invention is not limited to the examples described above.
  For example, checks of the packet(s) may be performed at different timings or synchronized for each program.
In the above, Monitor 111 directly measures program 102. Instead, Monitor 111 may indirectly measure the program via an agent deployed in Normal World 102. Specifically, Monitor 111 measures the agent in Normal World 102, and then the agent measures program 102.
  In the above-described exemplary embodiment, the programs may be stored in various types of non-transitory computer readable media and thereby supplied to computers. The non-transitory computer readable media includes various types of tangible storage media.
  Examples of the non-transitory computer readable media include a magnetic recording medium (such as a flexible disk, a magnetic tape, and a hard disk drive) and a magneto-optic recording medium (such as a magneto-optic disk).
  Further, examples of the non-transitory computer readable media include CD-ROM (Read Only Memory), CD-R, and CD-R/W. Further, examples of the non-transitory computer readable media include a semiconductor memory. The semiconductor memory includes, for example, a mask ROM, a PROM (Programmable ROM), an EPROM (Erasable PROM), a flash ROM, and a RAM (Random Access Memory).
  These programs may be supplied to computers by using various types of transitory computer readable media. Examples of the transitory computer readable media include an electrical signal, an optical signal, and an electromagnetic wave.
The transitory computer readable media can be used to supply programs to a computer through a wired communication line (e.g., electric wires and optical fibers) or a wireless communication line.
  Note that the present disclosure is not limited to the above-described example exemplary embodiments and can be modified as appropriate without departing from the spirit and scope of the present disclosure. Further, the present disclosure may be implemented by combining these example exemplary embodiments as desired.
  Although the present disclosure is explained above with reference to example exemplary embodiments, the present disclosure is not limited to the above-described example exemplary embodiments.
  The first to seventh exemplary embodiments can be combined as desirable by one of ordinary skill in the art. The number of combining exemplary embodiments is not limited.
  Various modifications that can be understood by those skilled in the art can be made to the configuration and details of the present disclosure within the scope of the invention.
  The present invention is applicable to a network device, IOT device, router, base station.
10, 100  NETWORK DEVICE
11  MONITOR
12  PACKET QUEUE
13  PROGRAM
101  SECURE WORLD
102  NORMAL WORLD
103  NIC
111, 711, 1111  MONITOR
112-1~112-n  PACKET QUEUE
121-1~121-n  PROGRAM
122  PACKET PROXY
123, 823  OS NETWORK STACK
124, 824  NIC DRIVER
1001-1~1001-n  PROCESS
1011-1~1011-n  SLICE NETWORK

Claims (10)

  1.   A network device comprising:
      a monitoring means configured to measure the integrity of at least one program repeatedly; and
      a packet queue configured to queue at least one packet sent by the program, wherein
      the monitoring means configured to send a trigger to the packet queue when the measured result is integrity;
      the packet queue configured to send the at least one packet sent to a network when the packet queue receives the trigger.
  2.   The network device according to claim 1, wherein
      the monitoring means configured to send a report to the packet queue when the measured result is the program is tampered;
      the packet queue configured to delete the packet(s) when the packet queue receives the report.
  3.   The network device according to claim 1 or 2, wherein
      the monitoring means and the packet queue are executable in a secure world environment;
      the at least one program is executable in a normal world environment.
  4.   The network device according to claim 3, wherein
      the packet queue configured to embed a signature to the at least one packet and send the at least one packet to the network.
  5.   The network device according to claim 3 or 4,
      the network device further comprising at least one network component in the normal world environment, wherein
      the monitoring means measures integrity of the network component(s);
      the packet queue configured to send at least one packet sent by the program while the network component(s) is integrity;
      the packet queue configured to delete the packet(s) sent by the program while the network component(s) is tampered.
  6.   The network device according to claim 3 or 4,
      the network device further comprising at least one network component in the secure world environment.
  7.   The network device according to claim 3 or 4, wherein
      the monitoring means configured to monitor the presence of at least one received packet;
      the packet queue configured to send the at least one packet sent by the program to the network without queuing until the received packet is received.
  8.   The network device according to claim 5,
      the network device further comprising a network interface card;
      the at least one network component configured to fetch at least one packet from the network interface card while the network component(s) is integrity.
  9.   A computing method performed by a network device comprising:
      measuring the integrity of at least one program repeatedly;
      queueing at least one packet sent by the program;
      sending a trigger to the packet queue when the measured result is integrity; and
      sending at least one packet sent by the program to a network when the packet queue receives the trigger.  
  10. A non-transitory computer readable medium storing a program for causing a computer, the program causing the computer to execute:
      a measuring step for measuring the integrity of at least one program repeatedly;
      a queueing step for queueing at least one packet sent by the program;
      a sending step for sending a trigger to the packet queue when the measured result is integrity; and
      a sending step for sending at least one packet sent by the program to a network when the packet queue receives the trigger.
PCT/JP2020/003224 2020-01-29 2020-01-29 Network device, computing method and computer readable medium WO2021152740A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2022541704A JP7334864B2 (en) 2020-01-29 2020-01-29 Network device, calculation method and program
PCT/JP2020/003224 WO2021152740A1 (en) 2020-01-29 2020-01-29 Network device, computing method and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/003224 WO2021152740A1 (en) 2020-01-29 2020-01-29 Network device, computing method and computer readable medium

Publications (1)

Publication Number Publication Date
WO2021152740A1 true WO2021152740A1 (en) 2021-08-05

Family

ID=77078113

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/003224 WO2021152740A1 (en) 2020-01-29 2020-01-29 Network device, computing method and computer readable medium

Country Status (2)

Country Link
JP (1) JP7334864B2 (en)
WO (1) WO2021152740A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005341167A (en) * 2004-05-26 2005-12-08 Toshiba Corp Packet filtering apparatus, packet filtering method, and program and recording medium for packet filtering
JP2013175166A (en) * 2012-01-12 2013-09-05 Alexeo Corp Methods and systems for providing network protection by progressive degradation of service
JP2019066995A (en) * 2017-09-29 2019-04-25 株式会社Seltech System capable of selectively switching between secure mode and non-secure mode

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005341167A (en) * 2004-05-26 2005-12-08 Toshiba Corp Packet filtering apparatus, packet filtering method, and program and recording medium for packet filtering
JP2013175166A (en) * 2012-01-12 2013-09-05 Alexeo Corp Methods and systems for providing network protection by progressive degradation of service
JP2019066995A (en) * 2017-09-29 2019-04-25 株式会社Seltech System capable of selectively switching between secure mode and non-secure mode

Also Published As

Publication number Publication date
JP7334864B2 (en) 2023-08-29
JP2023509504A (en) 2023-03-08

Similar Documents

Publication Publication Date Title
US11089057B1 (en) System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits
US10666686B1 (en) Virtualized exploit detection system
US8966642B2 (en) Trust verification of a computing platform using a peripheral device
EP2774072B1 (en) System and method for transitioning to a whitelist mode during a malware attack in a network environment
EP2645294B1 (en) System and method for trusted platform attestation
US9836611B1 (en) Verifying the integrity of a computing platform
CN111444519B (en) Protecting the integrity of log data
US10944720B2 (en) Methods and systems for network security
KR20060042149A (en) Method and system for filtering communications to prevent exploitation of a software vulnerability
US11972033B2 (en) Alert handling
US11188653B1 (en) Verifying the integrity of a computing platform
CN106663176B (en) Detection device and detection method
US11531769B2 (en) Information processing apparatus, information processing method, and computer program product
WO2021152740A1 (en) Network device, computing method and computer readable medium
US20100023748A1 (en) Self checking encryption and decryption based on statistical sampling
WO2021250740A1 (en) Communication device, computing method and computer readable medium
CN110381016A (en) The means of defence and device, storage medium, computer equipment of CC attack
US10104104B1 (en) Security alerting system with network blockade policy based on alert transmission activity
KR20140051486A (en) Error management system with security function and method of controlling the same
JP7119537B2 (en) Detection system and detection method
US20130074190A1 (en) Apparatus and method for providing security functions in computing system
CN115904670A (en) Task scheduling method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20917232

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2022541704

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20917232

Country of ref document: EP

Kind code of ref document: A1