background image
Tech Note #110: Concept for a Secure Network Computer
©
2000 Bionic Buffalo Corporation; All Rights Reserved.
         Tuesday, 11 January 2000
http://www.tatanka.com
  [tn0110]
Page 6 of 18
Host
Computer
(HC)
Interior
Internal
Network
(IIN)
Interior
Network
Adapter
(INA)
Interior
Boundary
Controller
(IBC)
Exterior
Internal
Network
(EIN)
Exterior
Boundary
Controller
(EBC)
Exterior
Network
Adapter
(ENA)
Exterior
Network
Interior SM
CPU
(ISMCPU)
Exterior
SM CPU
(ESMCPU)
hosts
hosts
tn011006 ©2000 Bionic Buffalo Corp
Protocol stacks are complex, and are rarely entirely free of errors. To reduce the possibility of
software errors (or sabotage) causing security breaches, separate teams can program each BC,
and each CPU can run a different RTOS and protocol stack. Using dissimilar CPUs can guard
against mask or other implementation errors.
Clearing the Host Computer
A given SNC may be used to access more than one information domain. In order to prevent
information from leaking inappropriately into or out of a domain, the memory in the HC must
be cleared between connections to different domains. In this context, “memory” is taken to
include all cache and register locations in the HC.
A simple procedure to zero memory, cache, and registers, or to write patterns to them, does not
comply with the design goal that no single failure can be allowed to compromise the integrity of
the system. No matter how elaborate, such a scheme is susceptible to implementation errors in
the HC, and may also be vulnerable to hostile, unverified software running in the HC.