Data Diodes

At ArgoCon today, Thomas Fricke gave a nice talk on Cloud Native Deployments in Air Gapped Environments describing container vulnerability scanning in the German energy sector… and since he didn’t mention data diodes, and since some of my colleagues at Oakdoor/PA Consulting make data diodes for a living, I thought this might be interesting to write about!

It’s one thing to have an air-gapped system, but eventually in order to be useful you’re going to have to move data into it, and this is going to need something better than just plugging a USB stick into your critical system. Just ask Iran how well this goes.

Eight years after Stuxnet, the UK National Cyber Security Centre published the NCSC Safely Importing Data Pattern - but I found this a bit cryptic on first reading, because it’s not clear what type of systems the pattern applies to, and deliberately uses technology-neutral language. Also, this was published around the same time GDPR was being implemented, mentions “sensitive or personal data”, and claims to be aimed at “small to medium organisations” - but I don’t know how many small businesses implement a MILS security architecture. So without picking up on the mention of “data diode”, you can be left scratching your head about how to actually implement the pattern.

One answer using Oakdoor components:

  • PySISL, a Python library which you use to transform the data into a very simple format called SISL
  • an Oakdoor™ Import Diode, which can verify the syntax of SISL in hardware, and prevent any data moving back the other way
  • then some more PySISL code to validate the semantics of SISL on the high side and reconstruct the original format

The Oakdoor diodes themselves are quite interesting - they’re electrical rather than optical like most data diodes. The other thing I’d always wondered is how on earth you could even establish a TCP handshake across one - the answer is, you can’t, so you use a UDP-based protocol like TFTP for file transfer.

In this way, you build the transform/verify and protocol break that the NCSC pattern requires.

Congratulations, you can now import your documents to your otherwise air-gapped system without also importing malicious code, and without risking data exfiltration.

Note carefully that the Safely Importing Data pattern makes no guarantees about the integrity of your documents - they could be severely modified going through this process. For the same reason, I anticipate challenges applying this pattern to software binaries.

Tim Retout

A solution architect

By Tim Retout, 2023-04-18