The detailed description is provided with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of various embodiments. However, various embodiments of the invention may be practiced without the specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to obscure the particular embodiments of the invention.
Some of the embodiments discussed herein may provide tamper resistant networking. In one embodiment, one or more instructions corresponding to a device driver are stored in a memory of a network security module that is coupled between a network adapter and a host computing device. In one embodiment, the network security module may have exclusive access to the network adapter to protect the host computing device from various security hazards that may be present on the computer network coupled to the network adapter. Further, verified third-party network services may be provisioned for execution on the network security module. In some embodiments, the tamper resistant network services may continue to function even when the host device is compromised or attacked. Also, persistent communication via a computer network may be maintained even when the host device is compromised or attacked. Further, the persistent communication may be used to recover the host device after the host device is compromised.
Additionally, some of the embodiments discussed herein may be applied in various environments, such as the networking environment discussed with reference to
The devices 104-114 may communicate with the network 102 through wired and/or wireless connections. Hence, the network 102 may be a wired and/or wireless network. For example, as illustrated in
The network 102 may utilize any communication protocol such as Ethernet, Fast Ethernet, Gigabit Ethernet, wide-area network (WAN), fiber distributed data interface (FDDI), Token Ring, leased line, analog modem, digital subscriber line (DSL and its varieties such as high bit-rate DSL (HDSL), integrated services digital network DSL (IDSL), etc.), asynchronous transfer mode (ATM), cable modem, and/or FireWire.
Wireless communication through the network 102 may be in accordance with one or more of the following: wireless local area network (WLAN), wireless wide area network (WWAN), code division multiple access (CDMA) cellular radiotelephone communication systems, global system for mobile communications (GSM) cellular radiotelephone systems, North American Digital Cellular (NADC) cellular radiotelephone systems, time division multiple access (TDMA) systems, extended TDMA (E-TDMA) cellular radiotelephone systems, third generation (3G) systems such as wide-band CDMA (WCDMA), etc. Moreover, network communication may be established by internal network interface devices (e.g., present within the same physical enclosure as a computing system) such as a network interface card (NIC) or external network interface devices (e.g., having a separate physical enclosure and/or power supply from the computing system to which it is coupled).
As shown in
The device 202 may additionally include a chipset 208 to couple the module 203 to one or more components of the host computing device 202 such as host memory 210. Alternatively, the processors 206 may include a memory controller to enable direct communication between the processors 206 and the host memory 210, rather than through the chipset 208. In an embodiment, the chipset 208 may communicate with the module 203 through a bus 212. Any suitable configuration may be utilized for the bus 212. For example, the bus 212 may comply with various types of peripheral component interconnect (PCI) standards, including PCI Local Bus Specification (Revision 3.0, Mar. 9, 2004), PCI-X Specification (Revision 2.0a, Apr. 23, 2003), and/or PCI Express (PCIe) Specifications (PCIe Specification, Revision 1.0a, June 2005). Alternatively, the bus 212 may comprise other types and configurations of interconnection networks.
In an embodiment, the host memory 210 may store one or more of the following: an operating system (OS) 232, network application 234, universal network device interface (UNDI) device driver 236, transmit buffer 238 (e.g., to store data that is to be transmitted via the network 102), and/or receive buffer 240 (e.g., to store data that is to be received from the network 102). The application 234 may execute (e.g., on the processor(s) 206) to communicate one or more data packets with one or more computing devices coupled to the network 102 (such as the devices 104-114 of
Additionally, the UNDI device driver 236 may provide a programming interface for network interface cards (e.g., that may include the module 203 and adapter 204 in an embodiment) that is used by a pre-boot execution environment protocol. Generally, the pre-boot execution environment (PXE, a.k.a. Pre-Execution Environment) may be an environment to bootstrap computers using a network interface card independently of available data storage devices (such as hard disks) or installed operating systems.
Furthermore, each of the buffers 238 and 240 may have a corresponding head pointer (e.g., 242 and 244, respectively), tail pointer (e.g., 246 and 248, respectively), and/or shadow head pointer (e.g., 250 and 252, respectively) as will be further discussed herein, e.g., with reference to
As shown in
In an embodiment, the application 234 may utilize the OS 232 to communicate with devices coupled to the network 102, e.g., through the device drivers 236, 262, and 260. Hence, the device driver 236 may include universal network adapter specific commands to provide a communication interface between the OS 232 and a network adapter (e.g., via the network security module 203 in an embodiment). In one embodiment, the network security module 203 may appear as a network adapter to the host computing device 202 by utilizing the UNDI emulation module 262, which may be in communication with the UNDI device driver 236. Hence, the adapter 204 may not be visible to the host device 202. For example, in embodiments where the bus 212 is a PCI bus, a non-transparent PCI-PCI bridge may be provided in the network security module 203.
In an embodiment, the device driver 236 may allocate one or more entries in the buffer 238 to store packet data for transmission over the network 102 (e.g., via the module 203 and the adapter 204). Also, the network adapter 204 (e.g., via a direct memory access (DMA) module, provided in the network adapter 204 in an embodiment) may allocate one or more entries in the buffer 240 through the module 203 to store packet data received from the network 102. As new entries are stored in or read from the buffers 238 and 240, their corresponding pointers are updated. In turn, the logic 253 may signal one or more components of the system 200, as will be discussed herein, e.g., with reference to
Furthermore, in an embodiment, the OS 232 may include a protocol stack (not shown) which may include a set of procedures or programs that, when executed, process packets communicated over a network (102) and stored in buffers 238 and/or 240. For example, TCP/IP (Transmission Control Protocol/Internet Protocol) packets may be processed using a TCP/IP stack. Also, the memory 258 may store one or more network service modules 264, such as modules for an operating system update, virus detection, worm detection, an antivirus tool, an anti-worm tool, network intrusion prevention, or a firewall. The modules 264 may include third-party network services (which may be verified prior to storage in the memory 258 in one embodiment). Also, a virtual machine (VM) based framework may be utilized by the system 200 to allow services (e.g., provided through the modules 264) to add value and differentiation to the platform, etc., while the VM framework limits interference of one or more modules (e.g., one or more of the modules 264) with the operation of other modules executing on the system 200. In an embodiment, an out of band (OOB) channel 266 may be used to carry data corresponding to the modules 264 over the network 102. Moreover, the channel 266 may be a secure channel, e.g., provided by encrypting the data transmitted over the OOB channel 266. In one embodiment, the OOB channel 266 may be a virtual private network (VPN) channel.
Referring to
At an operation 310, the data stored (at operation 304) and inspected (at operation 308) may be communicated. For example, in case of receiving data, once the pointer 244 (H) is updated at operation 310, the logic 253 may generate a signal (e.g., an interrupt signal) to the driver 236 to indicate that data is received, and the driver 236 may read the data from the receive buffer 240 between pointers 244 (H) and 248 (T) (e.g., for as long as the tail pointer 248 (T) is behind the head pointer 244 (H)). Further, in case of transmitting data, once the pointer 250 (H′) is updated at operation 310, the logic 253 may generate a signal to the network adapter 204 to cause transmission of the data stored between pointers 242 (H) and 250 (H′) (e.g., as long as the head pointer 242 (H) is behind the shadow head pointer 250 (H′) and the shadow head pointer 250 (H′) is at or behind the tail pointer 246 (T), i.e., H ≤ H′ ≤ T). In either direction, the consumer of the buffer (the driver 236 for received data, the adapter 204 for transmitted data) reads only up to the pointer that the module 203 advances at operation 310, so data that has not passed the inspection of operation 308 does not reach it. At an operation 312, the corresponding pointer may be updated after the stored data is communicated. For example, at operation 312, in case of receiving data, the tail pointer 248 (T) may be updated to point to the same entry as the head pointer 244 (H). Further, at operation 312, in case of transmitting data, the head pointer 242 (H) may be updated to point to the same entry as the shadow head pointer 250 (H′).
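The three-pointer handshake on the buffers 238 and 240 (the head, tail and shadow head pointers introduced above, the allocation of entries by the driver 236 and the adapter 204, and operations 310 and 312 here) is shown below as an added C model that is not part of this specification. It uses one descriptor ring with three free-running cursors (producer, inspector, consumer) that play the roles of T, H′ and H on the transmit path and of the adapter DMA pointer, H and T on the receive path. The ring layout, the deny policy (a constructed blocklist of TCP destination ports standing in for a firewall among the modules 264) and the frames it processes are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 8     /* descriptor entries in the ring */
#define SLOT_BYTES 128   /* payload bytes per entry */

/* One descriptor ring with three free-running cursors (slot = cursor % RING_SLOTS):
 *   produced  : moved by the producer  (transmit: driver 236 moving T 246; receive: adapter 204 DMA)
 *   inspected : moved by module 203    (transmit: H' 250; receive: H 244)        -- operation 310
 *   consumed  : moved by the consumer  (transmit: adapter 204 moving H 242; receive: driver 236 moving T 248) -- operation 312
 * Invariant: consumed <= inspected <= produced <= consumed + RING_SLOTS.
 * The consumer never reads past `inspected`, so uninspected data cannot reach it. */
struct ring {
    uint8_t  data[RING_SLOTS][SLOT_BYTES];
    size_t   len[RING_SLOTS];   /* 0 marks an entry the inspector dropped */
    unsigned produced, inspected, consumed;
};

static void ring_init(struct ring *r) { memset(r, 0, sizeof *r); }

/* Producer: append one frame. Returns 0, or -1 when the ring is full or the frame does not fit. */
static int ring_produce(struct ring *r, const uint8_t *frame, size_t n)
{
    if (n == 0 || n > SLOT_BYTES || r->produced - r->consumed == RING_SLOTS)
        return -1;
    unsigned i = r->produced % RING_SLOTS;
    memcpy(r->data[i], frame, n);
    r->len[i] = n;
    r->produced++;   /* a real driver would fence the data store before publishing the pointer */
    return 0;
}

/* Inspector: apply `deny` to every produced-but-uninspected entry and advance over all of them.
 * Rejected entries keep their slot with len = 0, so the cursor invariant needs no compaction.
 * Returns the number of entries dropped. */
static size_t ring_inspect(struct ring *r, int (*deny)(const uint8_t *, size_t))
{
    size_t dropped = 0;
    for (; r->inspected != r->produced; r->inspected++) {
        unsigned i = r->inspected % RING_SLOTS;
        if (deny(r->data[i], r->len[i])) {
            r->len[i] = 0;
            dropped++;
        }
    }
    return dropped;
}

/* Consumer: copy out the next inspected, non-dropped entry. Returns its length, or 0 if none is ready. */
static size_t ring_consume(struct ring *r, uint8_t *out, size_t cap)
{
    while (r->consumed != r->inspected) {
        unsigned i = r->consumed % RING_SLOTS;
        size_t n = r->len[i];
        r->consumed++;
        if (n == 0) continue;            /* entry the inspector dropped */
        if (n > cap) n = cap;
        memcpy(out, r->data[i], n);
        return n;
    }
    return 0;
}

/* Constructed policy standing in for a firewall module 264: drop IPv4/TCP frames to a blocked
 * destination port, drop frames that claim IPv4 but are malformed (fail closed), pass the rest. */
static int deny_blocked_tcp_port(const uint8_t *f, size_t n)
{
    static const uint16_t blocked[] = { 23, 445 };    /* constructed blocklist */
    if (n < 14) return 1;                              /* runt frame */
    if (f[12] != 0x08 || f[13] != 0x00) return 0;     /* not IPv4 (e.g. ARP): pass */
    const uint8_t *ip = f + 14;
    if (n < 34 || (ip[0] >> 4) != 4) return 1;        /* truncated or not version 4 */
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20) return 1;                            /* bad header length */
    if (ip[9] != 6) return 0;                          /* not TCP: pass */
    if (n < 14 + ihl + 4) return 1;                    /* TCP ports not present */
    uint16_t dport = (uint16_t)((ip[ihl + 2] << 8) | ip[ihl + 3]);
    for (size_t k = 0; k < sizeof blocked / sizeof blocked[0]; k++)
        if (dport == blocked[k]) return 1;
    return 0;
}

/* Build a minimal Ethernet+IPv4+TCP frame to `dport` (constructed input; checksums left zero
 * because the policy never reads them). */
static size_t make_tcp_frame(uint8_t *buf, uint16_t dport)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;       /* EtherType IPv4 */
    buf[14] = 0x45;                       /* version 4, IHL 5 */
    buf[17] = 40;                         /* IPv4 total length 40 */
    buf[23] = 6;                          /* protocol TCP */
    buf[36] = (uint8_t)(dport >> 8);      /* TCP destination port, big-endian */
    buf[37] = (uint8_t)(dport & 0xff);
    return 54;
}

struct demo_result { size_t delivered, dropped, leaked_before_inspection; };

/* One transmit cycle: the driver enqueues four frames, the module inspects, the adapter drains. */
static struct demo_result transmit_demo(void)
{
    static const uint16_t ports[] = { 443, 23, 80, 445 };   /* constructed traffic */
    struct ring r;
    uint8_t frame[SLOT_BYTES], out[SLOT_BYTES];
    struct demo_result res = { 0, 0, 0 };
    ring_init(&r);
    for (size_t k = 0; k < sizeof ports / sizeof ports[0]; k++) {
        size_t n = make_tcp_frame(frame, ports[k]);
        ring_produce(&r, frame, n);
    }
    res.leaked_before_inspection = ring_consume(&r, out, sizeof out) != 0;  /* H == H': nothing */
    res.dropped = ring_inspect(&r, deny_blocked_tcp_port);
    while (ring_consume(&r, out, sizeof out) != 0)
        res.delivered++;
    return res;
}
```

Dropped entries are left in place with a zero length rather than compacted, so the three cursors only ever move forward and the consumer's view of "inspected up to here" stays a single pointer comparison, which is what lets the pointer update of operation 310 double as the signal to the adapter or driver.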
A chipset 406 may also communicate with the interconnection network 404. The chipset 406 may include a memory control hub (MCH) 408. The MCH 408 may include a memory controller 410 that communicates with the memory 412 (which may be the same or similar to the memory 210 of
The MCH 408 may also include a graphics interface 414 that communicates with a display device 416. In one embodiment of the invention, the graphics interface 414 may communicate with the display device 416 via an accelerated graphics port (AGP). In an embodiment of the invention, the display 416 (such as a flat panel display) may communicate with the graphics interface 414 through, for example, a signal converter that translates a digital representation of an image stored in a storage device such as video memory or system memory into display signals that are interpreted and displayed by the display 416. The display signals produced by the display device may pass through various control devices before being interpreted by and subsequently displayed on the display 416.
A hub interface 418 may allow the MCH 408 and an input/output control hub (ICH) 420 to communicate. The ICH 420 may provide an interface to I/O device(s) that communicate with the computing system 400. The ICH 420 may communicate with a bus 422 through a peripheral bridge (or controller) 424, such as a peripheral component interconnect (PCI) bridge, a universal serial bus (USB) controller, or other types of peripheral bridges or controllers. The bridge 424 may provide a data path between the CPU 402 and peripheral devices. Other types of topologies may be utilized. Also, multiple buses may communicate with the ICH 420, e.g., through multiple bridges or controllers. Moreover, other peripherals in communication with the ICH 420 may include, in various embodiments of the invention, integrated drive electronics (IDE) or small computer system interface (SCSI) hard drive(s), USB port(s), a keyboard, a mouse, parallel port(s), serial port(s), floppy disk drive(s), digital output support (e.g., digital video interface (DVI)), or other devices.
The bus 422 may communicate with an audio device 426, one or more disk drive(s) 428, and a network interface device or network interface card (NIC) 430 (which is in communication with the computer network 403). Other devices may communicate via the bus 422. Also, various components (such as the network interface device 430) may communicate with the MCH 408 in some embodiments of the invention. In addition, the processor 402 and the MCH 408 may be combined to form a single chip. Furthermore, a graphics accelerator may be included within the MCH 408 in other embodiments of the invention.
As illustrated in
Furthermore, the computing system 400 may include volatile and/or nonvolatile memory (or storage). For example, nonvolatile memory may include one or more of the following: read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM), a disk drive (e.g., 428), a floppy disk, a compact disk ROM (CD-ROM), a digital versatile disk (DVD), flash memory, a magneto-optical disk, or other types of nonvolatile machine-readable media that are capable of storing electronic data (e.g., including instructions).
As illustrated in
In an embodiment, the processors 502 and 504 may be one of the processors 402 discussed with reference to
The chipset 520 may communicate with a bus 540 using a PtP interface circuit 541. The bus 540 may communicate with one or more devices, such as a bus bridge 542 and I/O devices 543. Via a bus 544, the bus bridge 542 may communicate with other devices such as a keyboard/mouse 545, communication devices 546 (such as modems, network interface devices, or other communication devices that may communicate with the computer network 403), audio I/O device 547, and/or a data storage device 548. The data storage device 548 may store code 549 that may be executed by the processors 502 and/or 504.
At least one embodiment of the invention may be provided within the communication device 546. For example, the network security module 203 of
In various embodiments of the invention, the operations discussed herein, e.g., with reference to
Additionally, such computer-readable media may be downloaded as a computer program product, wherein the program may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a bus, a modem, or a network connection). Accordingly, herein, a carrier wave shall be regarded as comprising a machine-readable medium.
Reference in the specification to “one embodiment,” “an embodiment,” or “some embodiments” means that a particular feature, structure, or characteristic described in connection with the embodiment(s) may be included in at least an implementation. The appearances of the phrase “in one embodiment” in various places in the specification may or may not be all referring to the same embodiment.
Also, in the description and claims, the terms “coupled” and “connected,” along with their derivatives, may be used. In some embodiments of the invention, “connected” may be used to indicate that two or more elements are in direct physical or electrical contact with each other. “Coupled” may mean that two or more elements are in direct physical or electrical contact. However, “coupled” may also mean that two or more elements may not be in direct contact with each other, but may still cooperate or interact with each other.
Thus, although embodiments of the invention have been described in language specific to structural features and/or methodological acts, it is to be understood that claimed subject matter may not be limited to the specific features or acts described. Rather, the specific features and acts are disclosed as sample forms of implementing the claimed subject matter.