Embodiments relate generally to automated, real-time, cross domain flight data import and export and, more particularly, to methods and systems for transmitting geographic location data from a classified security domain via an unclassified transponder device.
Aircraft operating within civilian or commercial airspace may be required to provide flight data to air traffic controllers and other aircraft operating within the surrounding airspace. Military aircraft operating within this airspace may also be required to provide flight data to civilian or commercial air traffic controllers and other aircraft operating within the surrounding airspace. For military aircraft operating within civilian or commercial airspace, a need may exist to automate real-time conversion of classified flight data into an unclassified form so that a single classified mission processing system can transmit the unclassified form of the classified flight data to civilian or commercial air traffic controllers via an unclassified transponder.
One embodiment includes a computer system for transmitting data from a classified security domain via an unclassified transponder device. The computer system can include a processor and a memory coupled to the processor. The memory can store software instructions that, when executed by the processor, cause the processor to perform operations. The operations can include receiving, in a classified security domain, a send request specifying a dataset to be transmitted via an unclassified transponder device. A first subset and a second subset of the requested dataset can be determined such that the first subset contains classified data and the second subset contains unclassified data. A first portion and a second portion of the first subset can be determined such that the first portion contains only classified geographic position data and the second portion contains a remainder of other classified data. Low precision geographic position data can be created based on the classified geographic position data of the first portion. The first subset can be transformed into an unclassified form by redacting the second portion and replacing the first portion with the low precision geographic position data. The unclassified form of the first subset can be combined with the second subset to create a downgraded send request. The operations can include transmitting the downgraded send request to the transponder device that can be configured to use the downgraded send request to transmit the low precision geographic position data.
Another embodiment can include a method for transmitting data from a secure data environment via a transponder device. The method can include receiving, in a first security domain, a send request specifying a dataset to be transmitted via a transponder device located within a second security domain that has a lower classification level than the first security domain. Based on the classification level of the second security domain, the method can determine a first subset and a second subset of the requested dataset, the first subset containing data that should be modified before being transmitted to the second security domain and the second subset containing a remainder of data that may be transmitted to the second security domain without modification. A modified version of the first subset of the requested dataset can be calculated based on the classification level of the second security domain. The method can combine the modified version of the first subset and the second subset to create a downgraded send request and transmit the downgraded send request to the transponder device that is configured to initiate a transmission based on the downgraded send request.
Another embodiment can include a nontransitory computer readable medium having stored thereon software instructions that, when executed by a computer, cause the computer to perform a series of operations. The operations can include receiving, in a first security domain, a send request specifying a dataset to be transmitted to a transponder device located within a second security domain, the second security domain having a lower classification level than the first security domain. The operations can also include, based on the classification level of the second security domain, determining a first subset and a second subset of the requested dataset, the first subset containing data that should be modified before being transmitted to the second security domain and the second subset containing a remainder of data that may be transmitted to the second security domain without modification. A modified version of the first subset of the requested dataset can be calculated based on the classification level of the second security domain. The operations can include combining the modified version of the first subset and the second subset to create a downgraded send request and transmitting the downgraded send request to the transponder device.
Another embodiment includes a computer system for transmitting data from a classified security domain via an unclassified transponder device. The computer system can include a processor and a memory coupled to the processor. The memory can store software instructions that, when executed by the processor, cause the processor to perform operations. The operations can include receiving, in a first security domain, a send request specifying a dataset to be transmitted to a transponder device located within a second security domain, the second security domain having a lower classification level than the first security domain. The operations can also include, based on the classification level of the second security domain, determining a first subset and a second subset of the requested dataset, the first subset containing data that should be modified before being transmitted to the second security domain and the second subset containing a remainder of data that may be transmitted to the second security domain without modification. A modified version of the first subset of the requested dataset can be calculated based on the classification level of the second security domain. The operations can include combining the modified version of the first subset and the second subset to create a downgraded send request and transmitting the downgraded send request to the transponder device.
In operation, the classified system 102 can transmit the classified high precision geographic location data 106 to the unclassified system 108 according to the process shown in
It will be appreciated that the unclassified system 108 can include an unclassified transponder device as shown in
The unclassified system 108 can include the following components which are not shown: an Automatic Dependent Surveillance-Broadcast (ADS-B) transponder and an Identification, Friend or Foe (IFF) transponder.
At 204, a data send request is received within a classified system. The data send request can specify a dataset to be transmitted via a transponder device. The transponder device can be in a security domain having a lower classification level than the security domain in which the data send request or dataset originates. For example, the data send request can be received within a classified domain requesting that a dataset be transmitted via a transponder device located in an unclassified domain. Processing continues to 206.
At 206, the requested dataset is separated based on classification level. The data is separated into two subsets: a first subset containing data that should be modified prior to being exported (e.g., classified data) and a second subset containing data that can be exported without modification (e.g., unclassified data). The classification level of each data item can be identified from a parameter received with the data send request. Classified data can be modified to render it unclassified by converting it from high precision to low precision form, after which it can be sent to the cross domain downgrader. Unclassified data is sent unchanged to the cross domain downgrader. Processing continues to 208.
At 208, the first subset is modified so that it may be exported. For example, modification of classified data can be performed by sanitizing the data. Sanitizing can include separating the first subset into a first portion and a second portion. The first portion can contain only geographic position data (e.g. classified high precision GPS data) and the second portion can contain a remainder of other data. Sanitizing can include creating, based on the geographic position data of the first portion, low precision geographic position data having a classification level less than or equal to the classification level of the security domain in which the transponder device resides. Sanitizing can also include redacting the second portion. Redacting can include zeroing out, truncating, populating with random data, or populating with constant/default data. Redacting can also include selective deletion or alteration of data which is classified so that the resulting data is unclassified such as altering classified altitude information to contain redacted unclassified altitude information. Processing continues to 210.
At 210, the second subset and the modified version of the first subset are downgraded to a classification level less than or equal to the classification level of the transponder device. For example, unclassified data originating from a classified domain should be downgraded to unclassified before being exported to an unclassified domain. Downgrading can include verification that the data is unclassified. Downgrading can be performed utilizing a certified guard component that examines the data stream and verifies that the data conforms to a format and value range specified in predetermined downgrading guard control tables. The certified guard component can be separately certified. For example, the data send request received at 204 can assert that a subset of the dataset is releasable without modification, and downgrading can include verifying that the asserted subset conforms to a format and value range specified in the predetermined downgrading guard control tables before that subset is downgraded, exported, or released without modification, so that the requester's assertion is checked rather than relied upon. Also, for example, downgrading can include verifying that the sanitized and/or redacted data from 208 conforms to a format and value range specified in the predetermined downgrading guard control tables before that data is downgraded, exported, or released. This downgrading and/or verification can, for example, be performed by a certified guard component that can be implemented in hardware and/or software. For example, the certified guard component can be one or more certified products such as, but not limited to, Lockheed Martin Radiant Mercury and/or Lockheed Martin Trusted Manager (TMAN). Processing continues to 212.
At 212, the downgraded modified version of the first subset (e.g., sanitized data) and the downgraded second subset (e.g., unclassified data) are combined into a downgraded dataset and incorporated into a downgraded send request. The downgraded send request can be an unclassified message that can be in the form of an ADS-B or IFF send request or any other format used for requesting data to be transmitted by a transponder device. Processing continues to 214.
At 214, the downgraded send request is transmitted to a transponder device, causing the transponder device to transmit the downgraded dataset. Processing continues to 216, where processing ends.
It will be appreciated that operations 204-214 may be repeated in whole or in part (an example of which is indicated by line 218) to maintain current (regularly or continuously updated) data transmissions.
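The following is an added example, not part of the original disclosure, that carries operations 206 through 212 through in Python: the requested dataset is split by classification label, the classified position is snapped to a coarse grid, the remaining classified fields are replaced with constants, every field (the sanitized subset and the subset asserted to be unclassified alike) is checked against a fail-closed guard control table, and the result is assembled into a downgraded send request. The field names, the label ordering, the 0.1 degree grid, the redaction defaults, the control table entries and the sample send request are all assumptions made for this example; the actual coarsening rule and control tables come from the applicable classification guidance, not from this code.

```python
"""Added example: classified -> unclassified transponder send request pipeline.

Models operations 206-212: split the dataset by classification label, coarsen
the classified position, redact the other classified fields, run every field
through a fail-closed guard table, and assemble the downgraded send request.
Field names, levels, grid size, redaction defaults and table entries are
assumptions for the example, not values from the original disclosure.
"""
from decimal import Decimal, ROUND_FLOOR

LEVEL_RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}   # assumed label ordering
TRANSPONDER_LEVEL = "U"                           # domain the transponder lives in
POSITION_FIELDS = {"lat", "lon"}
GRID = Decimal("0.1")                             # assumed release resolution (~11 km)
GRID_EXP = GRID.as_tuple().exponent               # -1: one digit after the point
REDACTION_DEFAULTS = {"altitude_ft": 0}           # constant/default replacement values

# Assumed guard control table: a field is released only if it is listed here and
# its predicate holds. Unknown fields and out-of-range values fail closed.
GUARD_TABLE = {
    "callsign": lambda v: isinstance(v, str) and 1 <= len(v) <= 8 and v.isalnum(),
    "squawk": lambda v: isinstance(v, str) and len(v) == 4 and set(v) <= set("01234567"),
    "lat": lambda v: isinstance(v, Decimal) and v.is_finite()
        and -90 <= v <= 90 and v.as_tuple().exponent >= GRID_EXP,
    "lon": lambda v: isinstance(v, Decimal) and v.is_finite()
        and -180 <= v <= 180 and v.as_tuple().exponent >= GRID_EXP,
    "altitude_ft": lambda v: type(v) is int and v == 0,   # redacted placeholder only
}


class GuardReject(Exception):
    """Raised when the guard refuses to release a field."""


def split_by_classification(fields, labels, domain_level=TRANSPONDER_LEVEL):
    """Operation 206: first subset needs modification, second may pass as-is.
    A field with no label is treated as classified rather than released."""
    limit = LEVEL_RANK[domain_level]
    first, second = {}, {}
    for name, value in fields.items():
        rank = LEVEL_RANK.get(labels.get(name), max(LEVEL_RANK.values()))
        (second if rank <= limit else first)[name] = value
    return first, second


def coarsen(value):
    """Snap a high precision coordinate to the release grid. Decimal keeps the
    result exact (no float artifacts such as 38.900000000000006); ROUND_FLOOR
    makes the snap deterministic, so the released value identifies only the
    grid cell and never the offset within it."""
    return Decimal(str(value)).quantize(GRID, rounding=ROUND_FLOOR)


def sanitize(first):
    """Operation 208: coarsen the position portion, redact the remainder."""
    low_precision = {k: coarsen(v) for k, v in first.items() if k in POSITION_FIELDS}
    redacted = {k: REDACTION_DEFAULTS.get(k, 0) for k in first if k not in POSITION_FIELDS}
    return {**low_precision, **redacted}


def guard_check(payload):
    """Operation 210: every field, whether sanitized or asserted unclassified,
    must match the control table. The requester's labels are never trusted alone."""
    for name, value in payload.items():
        rule = GUARD_TABLE.get(name)
        if rule is None:
            raise GuardReject(f"field not in control table: {name}")
        if not rule(value):
            raise GuardReject(f"field fails format/range check: {name}")
    return dict(payload)


def build_downgraded_send_request(fields, labels, msg_type="ADS-B"):
    """Operations 206-212 end to end; returns the downgraded send request."""
    first, second = split_by_classification(fields, labels)
    released = {**guard_check(sanitize(first)), **guard_check(second)}
    missing = set(GUARD_TABLE) - set(released)
    if missing:
        raise GuardReject(f"incomplete message, missing: {sorted(missing)}")
    return {"type": msg_type, "fields": released}


# Constructed sample send request for the example (not real traffic).
SAMPLE_FIELDS = {"callsign": "RCH123", "squawk": "1200",
                 "lat": "38.8719562", "lon": "-77.0562734", "altitude_ft": 31250}
SAMPLE_LABELS = {"callsign": "U", "squawk": "U", "lat": "S", "lon": "S", "altitude_ft": "S"}

if __name__ == "__main__":
    print(build_downgraded_send_request(SAMPLE_FIELDS, SAMPLE_LABELS))
```

Two behaviours matter here. If the requester labels the high precision latitude as unclassified, the field skips sanitization but the guard still rejects it, because its precision exceeds what the control table permits; the assertion in the send request is checked, not trusted. And a field the control table has never heard of (an unlabeled mission identifier, for instance) is rejected outright rather than being passed through, which is the fail-closed behaviour a guard must have.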
The system 300 can be divided into security domains or secure partitions based on classification level. The source application 302 can be located within a classified partition 328. The first stage cross domain service component 304 can be located within a classified partition 316. The automated assured cross domain data movement component 306 can be located within a cross domain partition 314, and the second stage cross domain service component 308 can be located within an unclassified partition 312.
Data flow can be prevented across partitions except for explicitly allowed channels. Classified data can be explicitly allowed to flow through a channel 324 from the source application 302 located within the classified partition 328 to the first stage cross domain service component 304 located within the classified partition 316. A client-server protocol can be used to transfer a classified plain text payload across channel 324. Data can be explicitly allowed to flow through a channel 318 from the first stage cross domain service component 304 located in the classified partition 316 to the automated assured cross domain data movement component 306 located within the cross domain partition 314. A client-server protocol can be used to transfer an unclassified plain text payload across channel 318. Unclassified data can be explicitly allowed to flow through a channel 320 from the automated assured cross domain data movement component 306 to the second stage cross domain service component 308 located within the unclassified partition 312. A client-server protocol can be used to transfer an unclassified plain text payload across channel 320. The unclassified partition 312 can be explicitly granted access to various hardware interfaces through a channel 322, including a transponder device 310 that can be accessed via an optional local area network (LAN) not shown. A plain text transponder protocol can be used to transfer a plain text payload across channel 322.
It will be appreciated that the secure partitions (312, 314, 316, and 328) can be located on the same or on different computers. When run on the same computer, a multiple independent levels of security (MILS) separation kernel and a guest real-time operating system (RTOS) can be used to create the necessary partitions and prevent data flow across the partitions except for the explicitly allowed channels (324, 318, 320, and 322) described above. Partitions 328, 316, and 312 can include a guest RTOS that is POSIX compliant and includes virtual CSP/BSP (chip and board support package) drivers. The cross domain partition 314 can include a minimal runtime Evaluation Assurance Level (EAL) 6+ certified RTOS. All four partitions (312, 314, 316, and 328) can include a common open standards application programming interface (API) layer.
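The separation kernel enforces the channel list, but the list itself has to be right: the guard partition 314 is only the sole path from the classified partitions to the unclassified one if no other channel, or chain of channels, goes around it. The following added example, which is not part of the original disclosure, encodes the partitions and channels of system 300 as data and checks two properties over them: that no channel delivers a payload labelled above the level of the partition it enters, and that no route from a higher level partition reaches a lower level one without passing through 314, over any number of hops. The partition levels, the payload labels on each channel, and the treatment of the transponder 310 as an unclassified endpoint are assumptions made for the example.

```python
"""Added example: flow-policy check for the MILS partitions of system 300.

Two properties are checked over the explicitly allowed channels:
  1. no channel delivers a payload labelled above the level of the partition it
     enters (the cross domain partition is exempt; it is the component that
     verifies payloads before passing them on);
  2. no route from a higher level partition reaches a lower level one without
     passing through the cross domain partition, over any number of hops.
Partition levels, payload labels and the modelling of 310 as a level U hardware
endpoint are assumptions for the example, not facts from the original text.
"""
from collections import deque

LEVEL_RANK = {"U": 0, "S": 1}
GUARD = "314"  # cross domain partition; mediates rather than holding a level

# Assumed levels. 310 is the transponder hardware interface, modelled as an
# unclassified endpoint reached through channel 322.
PARTITIONS = {"328": "S", "316": "S", "314": None, "312": "U", "310": "U"}

# (channel, source, destination, label of the payload the channel carries)
CHANNELS = [
    ("324", "328", "316", "S"),   # classified plain text payload
    ("318", "316", "314", "U"),   # sanitized payload into the guard partition
    ("320", "314", "312", "U"),   # downgraded payload out of the guard partition
    ("322", "312", "310", "U"),   # plain text transponder protocol
]


def payload_label_violations(partitions, channels):
    """Property 1. Returns the channels whose payload label exceeds the level of
    the destination partition."""
    bad = []
    for cid, _src, dst, label in channels:
        if dst == GUARD:
            continue
        if LEVEL_RANK[label] > LEVEL_RANK[partitions[dst]]:
            bad.append(cid)
    return bad


def guard_bypasses(partitions, channels):
    """Property 2. Breadth-first walk from every non-guard partition that never
    enters the guard partition; any lower level partition reached is a bypass.
    A per-channel check alone would miss a two-hop path such as 316 -> X -> 312."""
    adjacency = {}
    for _cid, src, dst, _label in channels:
        adjacency.setdefault(src, []).append(dst)
    bypasses = []
    for start, level in partitions.items():
        if start == GUARD:
            continue
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for nxt in adjacency.get(node, []):
                if nxt == GUARD or nxt in seen:
                    continue
                seen.add(nxt)
                queue.append(nxt)
                if LEVEL_RANK[partitions[nxt]] < LEVEL_RANK[level]:
                    bypasses.append((start, nxt))
    return bypasses


def check_policy(partitions=PARTITIONS, channels=CHANNELS):
    """Collects both kinds of violation; an empty list means the configuration
    keeps the guard partition as the only path from S to U."""
    problems = [f"channel {c} carries a payload above its destination level"
                for c in payload_label_violations(partitions, channels)]
    problems += [f"{src} reaches {dst} without passing the guard"
                 for src, dst in guard_bypasses(partitions, channels)]
    return problems


# A misconfiguration to contrast with: a direct 316 -> 312 channel. Its payload is
# labelled U, so property 1 accepts it; only the reachability check catches it.
BYPASS_CHANNELS = CHANNELS + [("999", "316", "312", "U")]

if __name__ == "__main__":
    print("page configuration:", check_policy())
    print("with direct 316->312 channel:", check_policy(PARTITIONS, BYPASS_CHANNELS))
```

The page's own configuration passes both checks. Adding a direct 316 to 312 channel whose payload is labelled unclassified passes the per-channel label check, which is exactly why the label check is not sufficient: the reachability walk reports that both classified partitions can now reach 312 and 310 without the guard partition ever seeing the data.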
In operation, the source application 302 can transmit a data send request to the first stage cross domain service component 304. The send request can contain or reference classified and/or unclassified data. The source application 302 can initiate the data send request using a client-server method invocation on the first stage cross domain service component 304. The first stage cross domain service component 304 can include a server waiting for connections from the client source application 302. The send request can specify a transponder device located in a security domain or secure partition having a lower classification level than the security domain or secure partition from which the send request or data originates.
The first stage cross domain service component 304 can separate the requested data into two subsets based on classification level. The first subset can contain data having a classification level that is higher than the security domain in which the transponder device is located. The second subset can contain data having a classification level less than or equal to the classification of the security domain in which the transponder device is located. The first subset can be sanitized according to the process shown in
The automated assured cross domain data movement component 306 can downgrade the sanitized first subset and the second subset. The downgraded sanitized first subset and the downgraded second subset can be transmitted from the automated assured cross domain data movement component 306 to the second stage cross domain service component 308 located in the unclassified partition 312 through the explicitly allowed channel 320.
The second stage cross domain service component 308 can combine the downgraded sanitized first subset and the downgraded second subset into an unclassified or downgraded send request and transmit the downgraded send request via a transponder device 310. The downgraded send request may be in the form of an ADS-B or IFF send request or any other format used for transmitting data via a transponder device, whether the transponder device is accessed locally or remotely.
In operation, the processor 404 will execute instructions stored on the memory 406 that cause the computer 402 to transmit data to and/or receive data from the transponder device 408 according to the processes shown in
It will be appreciated that the transponder device 408 may be attached to the system using any transponder connection type now known or later developed.
The transponder device 408 can include the following components which are not shown: an Automatic Dependent Surveillance-Broadcast (ADS-B) transponder and an Identification, Friend or Foe (IFF) transponder.
At 504, a data read request is received within a classified system. The data read request can specify a type of data to be read by a transponder device. For example, the data read request can specify that the transponder is to read ADS-B and/or IFF type data. The transponder device can be in a security domain having a lower classification level than the security domain in which the read request originates. For example, the data read request can be received within a classified security domain or partition requesting data to be read by a transponder device located in an unclassified domain or partition. Processing continues to 506.
At 506, the read request is transmitted to the transponder device. The read request can be transmitted from a classified partition to an unclassified partition through the use of a cross domain partition described in
At 508, a response from the transponder device containing the data read is received. Processing continues to 510.
At 510, a classified data message is created containing the contents of the data received from the transponder device. Processing continues to 512.
At 512, the classified data message is transmitted to the read requestor. The read requestor can reside within a classified security domain. Processing continues to 514, where processing ends.
It will be appreciated that operations 504-512 may be repeated in whole or in part (an example of which is indicated by line 516) to maintain current (regularly or continuously updated) data imports.
As described above in
It will be appreciated that the modules, processes, systems, and sections described above can be implemented in hardware, hardware programmed by software, software instructions stored on a nontransitory computer readable medium or a combination of the above. A system for cross domain flight data import and export, for example, can include using a processor configured to execute a sequence of programmed instructions stored on a nontransitory computer readable medium. For example, the processor can include, but not be limited to, a personal computer or workstation or other such computing system that includes a processor, microprocessor, microcontroller device, or is comprised of control logic including integrated circuits such as, for example, an Application Specific Integrated Circuit (ASIC). The instructions can be compiled from source code instructions provided in accordance with a programming language such as Java, C++, C#.net or the like. The instructions can also comprise code and data objects provided in accordance with, for example, the Visual Basic™ language, or another structured or object-oriented programming language. The sequence of programmed instructions and data associated therewith can be stored in a nontransitory computer-readable medium such as a computer memory or transponder device which may be any suitable memory apparatus, such as, but not limited to ROM, PROM, EEPROM, RAM, flash memory, disk drive and the like.
Furthermore, the modules, processes, systems, and sections can be implemented as a single processor or as a distributed processor. Further, it should be appreciated that the steps mentioned above may be performed on a single or distributed processor (single and/or multi-core, or cloud computing system). Also, the processes, system components, modules, and sub-modules described in the various figures of and for embodiments above may be distributed across multiple computers or systems or may be co-located in a single processor or system. Exemplary structural embodiment alternatives suitable for implementing the modules, sections, systems, means, or processes described herein are provided below.
The modules, processors or systems described above can be implemented as a programmed general purpose computer, an electronic device programmed with microcode, a hard-wired analog logic circuit, software stored on a computer-readable medium or signal, an optical computing device, a networked system of electronic and/or optical devices, a special purpose computing device, an integrated circuit device, a semiconductor chip, and a software module or object stored on a computer-readable medium or signal, for example.
Embodiments of the method and system (or their sub-components or modules), may be implemented on a general-purpose computer, a special-purpose computer, a programmed microprocessor or microcontroller and peripheral integrated circuit element, an ASIC or other integrated circuit, a digital signal processor, a hardwired electronic or logic circuit such as a discrete element circuit, a programmed logic circuit such as a PLD, PLA, FPGA, PAL, or the like. In general, any processor capable of implementing the functions or steps described herein can be used to implement embodiments of the method, system, or a computer program product (software program stored on a nontransitory computer readable medium).
Furthermore, embodiments of the disclosed method, system, and computer program product may be readily implemented, fully or partially, in software using, for example, object or object-oriented software development environments that provide portable source code that can be used on a variety of computer platforms. Alternatively, embodiments of the disclosed method, system, and computer program product can be implemented partially or fully in hardware using, for example, standard logic circuits or a VLSI design. Other hardware or software can be used to implement embodiments depending on the speed and/or efficiency requirements of the systems, the particular function, and/or particular software or hardware system, microprocessor, or microcomputer being utilized. Embodiments of the method, system, and computer program product can be implemented in hardware and/or software using any known or later developed systems or structures, devices and/or software by those of ordinary skill in the applicable art from the function description provided herein and with a general basic knowledge of the computer programming and network security arts.
Moreover, embodiments of the disclosed method, system, and computer program product can be implemented in software executed on a programmed general purpose computer, a special purpose computer, a microprocessor, or the like.
It is, therefore, apparent that there is provided, in accordance with the various embodiments disclosed herein, computer systems, methods and software for cross domain flight data import and export.
While the invention has been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable arts. Accordingly, Applicants intend to embrace all such alternatives, modifications, equivalents and variations that are within the spirit and scope of the invention.