Hardware-enforced unidirectional communication mechanism for secure data transfer
Air-gapped systems are physically isolated from external and untrusted networks. Internal domains within an organisation may also operate at different privilege levels, and some systems or networks may be classified as sensitive or mission-critical. This kind of network segregation is required wherever a compromise or malfunction of certain systems would have severe consequences; it is common practice in defence communications, financial transaction services, and industrial control systems.
The project proposes a hardware-enforced communication mechanism for interacting with such air-gapped systems. Logical access controls (role-based permissions, firewalls) are implemented in software and therefore remain perpetually exposed to zero-day attacks. In this setting, a hardware-enforced solution, in which the physical link itself admits data flow in one direction only, is a practical realisation of strict data flow control.
Please read the full paper for a proper reference; this page only provides a brief overview of the work.
Air-gapped networks must still exchange information with external networks to support the operational requirements of the organisation. Supporting this interaction without compromising system isolation poses a major engineering challenge. Conventional bidirectional communication protocols introduce the risk of unintended information flows and network-level exploits.
The project aims to provide a secure unidirectional data transfer mechanism that preserves the security requirements of air-gapped networks while achieving usability comparable to commercial-grade third-party solutions. In particular, the architecture implements a one-to-one transfer model between two distinct client endpoints; this design choice is not an inherent limitation, but serves as an initial model to showcase the design philosophy. The project can be extended to support alternative network topologies (many-to-one, one-to-many).
Specifically, the project details a User Datagram Protocol (UDP) socket application that provides deterministic (i.e. reliable, repeatable) file transfer behaviour, even though UDP itself offers no delivery guarantees and a data diode permits no acknowledgements or retransmissions from the receiving side. This is a major improvement upon previous open-source data diode implementations. The service is validated by a transparent testing procedure and result analysis.
The evaluation of the project implementation showed that the proposed data diode can sustain practical high-throughput data transfers while preserving hardware-enforced unidirectional communication. Through memory optimisations and a purpose-built application-level UDP transfer implementation, the system achieved a stabilised application-level throughput approaching 1 Gbit/s without requiring data redundancy or forward error correction. A deployment testing process demonstrated that the data diode integrates into existing client workflows with minimal end-user friction.
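To make concrete what "reliable transfer without a return channel" has to mean, the following is an added example (not code from the project or the paper) of the framing a one-way UDP file sender and receiver can use. The wire format, the `DIOD` marker, the 1024-byte chunk size and all function names are assumptions made here. Every datagram carries a sequence number and the total chunk count, and the last datagram carries a SHA-256 digest of the whole file; because the diode lets nothing flow back, the receiver cannot request a retransmission, so a missing sequence number or a digest mismatch is reported as a hard failure rather than repaired.

```python
"""Framing for a one-way (no-ACK) UDP file transfer. Added example; the
DIOD marker, header layout and chunk size are assumptions, not the project's
actual wire format."""
import hashlib
import socket
import struct
from dataclasses import dataclass, field

MAGIC = b"DIOD"                 # assumed marker to reject foreign datagrams
HDR = struct.Struct("!4sIIH")   # magic, seq, total_chunks, payload_len
CHUNK = 1024                    # payload bytes per datagram (assumed)


def encode_chunks(data: bytes, chunk: int = CHUNK) -> list[bytes]:
    """Split `data` into datagrams. The final datagram carries only the
    SHA-256 digest so the receiver can verify the whole file."""
    body = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    total = len(body) + 1  # data chunks + trailing digest datagram
    out = [HDR.pack(MAGIC, seq, total, len(p)) + p for seq, p in enumerate(body)]
    digest = hashlib.sha256(data).digest()
    out.append(HDR.pack(MAGIC, total - 1, total, len(digest)) + digest)
    return out


@dataclass
class Result:
    ok: bool
    data: bytes = b""
    missing: list[int] = field(default_factory=list)
    reason: str = "ok"


def reassemble(datagrams) -> Result:
    """Rebuild the file from datagrams received in any order. Duplicates are
    tolerated (first copy wins); gaps and digest mismatches are reported,
    never repaired, because no retransmission is possible over a diode."""
    chunks: dict[int, bytes] = {}
    total = None
    for dg in datagrams:
        if len(dg) < HDR.size:
            continue
        magic, seq, tot, ln = HDR.unpack_from(dg)
        if magic != MAGIC or len(dg) != HDR.size + ln:
            continue  # foreign or truncated datagram
        if total is None:
            total = tot
        elif tot != total:
            return Result(False, reason="inconsistent total")
        chunks.setdefault(seq, dg[HDR.size:])
    if total is None:
        return Result(False, reason="no datagrams")
    missing = [s for s in range(total) if s not in chunks]
    if missing:
        return Result(False, missing=missing, reason="missing chunks")
    data = b"".join(chunks[s] for s in range(total - 1))
    if hashlib.sha256(data).digest() != chunks[total - 1]:
        return Result(False, reason="digest mismatch")
    return Result(True, data)


def send_one_way(data: bytes) -> Result:
    """Push the datagrams through a real UDP socket pair on loopback. The
    sender only ever calls sendto(); nothing is sent back to it, mirroring
    the diode. Small inputs only: this demo does no pacing, so a large file
    would overrun the receive buffer (the loss reassemble() then reports)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(1.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dgs = encode_chunks(data)
    got = []
    try:
        for dg in dgs:
            tx.sendto(dg, rx.getsockname())
        for _ in dgs:
            got.append(rx.recv(65535))
    except socket.timeout:
        pass  # whatever arrived is all the receiver will ever see
    finally:
        tx.close()
        rx.close()
    return reassemble(got)


if __name__ == "__main__":
    sample = bytes(range(256)) * 40          # constructed 10 KiB input
    print(send_one_way(sample).reason)        # "ok" on a healthy loopback
    print(reassemble(encode_chunks(sample)[1:]).reason)  # "missing chunks"
```

The point of the example is the failure path: with no acknowledgements, the receiver's only defences are the per-datagram length check, the sequence-number gap check and the end-to-end digest, so a deployment has to size buffers and pace the sender such that loss does not occur, which is exactly why the reliability claim is tied to the tested hardware rather than being a protocol guarantee.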
The showcased project is limited by the implemented hardware. The achievable throughput is capped at 1 Gbit/s by the physical Ethernet link, and file transfer operations are constrained by the installed RAM and onboard storage of the data diode. The UDP data transfer is therefore not deterministic in general, but validated to be reliable under the specific deployment scenario tested.
Future research may focus on developing an OS-independent solution for client-side interactions. Although the presented architecture is modular and can be implemented with any capable toolset, the design methodology visibly favours Linux-based operational environments.
Computer and Communications Engineering Undergraduate