FR2990538A1 - ANTI-INTRUSION ELECTRONIC DEVICE WITH AUTOMATIC RESET - Google Patents

Abstract

An automatic reset anti-intrusion electronic device, appropriately programmed, to neutralize any malicious code attacking any computer server offering a service on any network according to a client / server protocol, characterized in that it consists of 2 servers interconnected networks, the first of which, to be connected to the network, comprises a network connection using the same communication protocol as that of the server to be protected, has, as storage memories, only memories in one read, is connected to the second server to using a connection using a communication protocol other than that of the server to be protected, and the second, to connect to the computer server to be protected, is equipped with an input / output card installed on its motherboard and connected to the power supply function of the motherboard of the first server.

Description

The present invention relates to the hardware of an anti-intrusion application server allowing, appropriately programmed, to provide inviolable protection against any intrusion, infection or manipulation (by viruses, worms, Trojans, spyware, softwares for remote computers, etc.) at any computer server providing a network service according to a client / server protocol (request / response). Currently, anti-intrusion devices are essentially of three types: anti-virus, anti-spyware (also known as anti-spyware) and firewalls (also known as firewalls, firewalls, firewall, watchdog, etc.). There is a vast amount of documentation on the Internet, reflecting the current state of the art. Essentially complementary, these anti-intrusion devices are always constituted by software (possibly installed, in the only case of firewalls, on a dedicated hardware) all based on the principle of analyzing the data intended to enter the server to protect, with the stated purpose of preventing viruses and other malicious code (commonly known as malware) from penetrating and infecting the target, using software filters that prohibit and can only prohibit access only to infected agents whose signature is known (anti-virus and anti-spyware) or only passing data meeting the criteria of pre-established filtering (firewall). Under these conditions, these devices can only oppose necessarily imperfect barriers to viruses and other malware carried by the network: the servers and data banks to be protected always remain at risk of intrusion. Indeed, considering: that viruses, worms, spyware, Trojans, etc. are constantly renewed and that, therefore, their signature is not always, or is never, previously known, that the attacks that a server can undergo depend on the imagination of the attacker and that, therefore, , these attacks, as well as the defenses that a firewall can oppose, are part of a logic of pursuit race where the attacker always has a head start, such a mechanism leads to a multiplication of the rules of filtering which, far from guaranteeing the inviolability of the system to be protected, rather testifies to their weakness to definitively pinpoint the attacker, that a server often resorts to complex or even very complex software, which does not always make it possible to formally to exclude any fault, especially in the case of the most structured systems (such as, for example, sites of large companies, banks, administrations, universities, research organizations, etc.), it is always possible (and, in fact, widely proven) that these software barriers, with their thousands of rules, of which it becomes increasingly problematic to ensure coherence, are not always able to prohibit access to infectious agents or prevent an attacker from taking control of a server.

In this context, the purpose of the present invention is to propose a device that makes it possible to make a clean sweep of all the aforementioned drawbacks and thus to ensure that any computer server offering a network service according to a client / server protocol has inviolable protection. against any intrusion, infection or manipulation by any malicious software To be installed upstream of the computer server to be protected, the device according to the invention consists of 2 interconnected servers, the first of which, to be connected to the network: includes a network connection exploiting the same communication protocol (port, address, exchange protocol, etc.) as that of the server to be protected, has, as storage memories (including the chip containing the BIOS), only memories in read only , ie, for example, Read Only Memory (ROM), write-protected memories by a slider or jumper to be moved, or any other a type of memory allowing to prohibit any writing and / or erasure operation, and this, in order to ensure the inalterability of all of its software device (BIOS, operating system, application software and management data) and thus protect it from any attack, is equipped with an operating system comprising only the modules strictly essential to its operation, to the formal exclusion, in particular, of any interpreter of program and command, except for the boot command interpreter (intended to ensure its startup and initialization) and the interpreter for the read command in text mode (intended to allow the reading and the analysis of the requests of the clients), with the aim of allowing the quickest reinitialization and prohibiting the execution of any malware that has infiltrated it, is connected to the second server using a connection operating a protocol ole of communication other than that of the network connection (different, therefore, of the communication protocol used during communications with the server to be protected), and the second, to connect to the computer server to be protected, is a standard server of the type that it is normally found in the trade, equipped: an operating system compatible with the operating system of the first server, an input / output card (such as, for example, a card I / O with relay output) installed on its motherboard and connected to the power switch on the motherboard of the first server. This being and as far as is known, there is no similar device, a little bit, to the electronic anti-intrusion device according to the invention, the only materials that can be brought to it but only at a rear level. General technology plan being those described in the following 2 patents: - US 2010/192216 Al (Komatsu Satoshi - Japan) published on July 29, 2010, - US 7,549,167 B1 (Huang Yih et al - US) published on June 16 2009. In order to better illustrate how the device according to the invention will operate, it is necessary to indicate, if only briefly, the essential characteristics and / or functions of the application software to be installed in the 2 servers of which it consists. Regarding the first server, the essential feature of its application is that it should include only the strictly necessary functions: 1. the processing of requests / responses, that is, essentially, receipt of the request, compliance analysis of each of its fields relative to the applicable protocol according to the network exploited, rejection or acceptance of the request, respectively in the event of non-compliance or of conformity, transmission of the request, in case of compliance, to the second server, reception of the latter's response and transmitting it to the client, 2. Securing communications between the two servers, transferring any data packet from the first to the second server to be authenticated using a signature of a type. (such as, for example, one-time passwords, passwords to be used in a loop, that is to say the type that English speakers call "rolling code", passwords calculated using a synchronized algorithm, integrated into the application of 2 servers, etc.), to ensure automatic recognition some by the second server in good security, and, in order to allow the fastest possible reset of the first server (cf. page 2, line 15 et seq.). With regard to the security of the communications between the 2 servers, it should be specified that the use of a communication protocol other than that used during communications with the network (see page 2, line 21 et seq.) already provides them with some degree of protection, simply because the port, address and exchange protocol used are unknown outside the system and, therefore, any possible malware would not be able to find (or easily find) the exit to the second server. Concerning the second server, the essential functions that its application software must fulfill are the following: verification of the authenticity of any data packet received from the first server, rejecting any shipment not accompanied by a signature or whose signature would be erroneous, processing of requests / responses, that is, essentially, reception of the request, reiteration of the compliance analysis of each of its fields with respect to the applicable protocol according to the network operated, rejection or acceptance of the request, respectively in case of non-compliance compliance or compliance, transmission of the request to the server to be protected, reception of the response of the latter and transmission thereof to the first server, triggering, by software, a warm reset of the first server at regular intervals fixed or configurable preset duration, triggering (using the input / output card whose second eur is equipped: see page 2, line 27 et seq.) of a cold reset of the first server (via the power switch) in the presence of any irregularity, namely either a silence of the first server exceeding one pre-established fixed or configurable duration, ie a number of successive requests that are formally inadmissible beyond a predetermined fixed or configurable limit, or a request that is not accompanied by a signature or whose signature is incorrect. To the above treatments, it is necessary to add: the sterilization, in case of conformity, of any possible field of the request not subjected to any protocol constraint (such as, for example, the field "content" of the http requests carried out according to the POST method) and likely to carry any intrusive agents, the neutralization of all files attached to the request (such as, for example, the files accompanying the couniels in a mail service), the latter may be infected.

Of course, the 2 operations above could as well be at the first server as the second. Nevertheless, it should be executed at the second server because the choice of the first would be at the expense of its reset time, its application necessarily becoming heavier, because it should include, in addition, these functions. Regarding the way in which these functions could be carried out, suffice it to say: as far as sterilization is concerned, it could be done using a mechanism to 'break' the syntax of any malicious code, and this, for example, by encapsulating one or more essential characters of any computer code (such as, for example, the signs =, $, &, etc, regardless of their encoding) between agreed characters (such as for example, single quotation marks), preceded by an escape character (such as, for example, the "escape" character): this, while preserving the informative nature of the data concerned, would make it possible to return to the original data using a simple utility, but with the advantage of being able to do so in full knowledge of the facts, that is to say after having examined them, without risking being infected; in terms of neutralization, it could be done, for example, by converting the files into another suitable format, using one or more file conversion software.

In these circumstances, considering: 1. that any malicious code that may have managed to infiltrate the first server, can not in any way damage any element of the latter's software device (see page 2, line 9 and s.), 2. that the transfer of any data packet from the first to the second server is subject to authentication by the latter, 3. that, therefore, any intrusive agent possibly present in the first server can not be exported to the second, fault, on the one hand, to find (or easily find) the outcome to the latter (see page 3, line 16 et seq.) and, secondly, to be able to be 'recognized' by the application of the first server and thus obtain the password which alone could enable him to be accepted by the second server (see page 3, line 9 et seq.), 4. that, consequently, except at remain in total inactivity, the only harmful action that would remain possible to him would consist in damage the contents of the RAM of the first server, with only possible results either a persistent silence of the latter, or a sequence of queries that are not compliant and therefore unacceptable by the second server, or requests that are not accompanied by a password or with an incorrect password, 5. that, in the above 3 cases and, in any event, at regular intervals, the second server triggers the reset of the first, any possible virus or other malware that has infiltrated the first server would be condemned to be quickly eliminated without it could permanently damage anything, or even reach the second server, and therefore, a fortiori, the server to protect.

Thus, having a first server: having no element that can be permanently damaged, using no filtering logic to constantly readapt to new viruses, worms, spyware, Trojan horses, etc., or new methods of intrusion likely to be 'invented' by hackers, offering only access gabarié where only passes what has the format required by the network protocol used, not being equipped with any interpreter of program, nor not more than one general command interpreter, the only interpreted and interpretable commands being, to the exclusion of all others, the boot / initialize command and the read command in text mode, including a BIOS, an operating system and an application absolutely unassailable, because recorded in memories in only reading, prohibiting any alteration, using an operating system reduced to the only functions strictly necessary to ensure e it must do, that is to say, essentially the management of communications and that of the stack of requests / responses, - comprising a very 'lightweight' application compared to the applications normally exploited by the servers, - it can be, by its very lightened configuration, very quickly reset, and a second server: - allowing only the authenticated data packets to enter by a correct signature, reiterating the conformity check and rejecting any request including only one of the fields would not have the format required by the protocol used, triggering, at regular intervals, the hot reset of the first server (cf. page 3, line 31) or, in the presence of the slightest trouble (see page 3, line 33), the cold reset of the latter (which amounts to an inescapable 'cleaning' of any malware present in the first server ), the device according to the invention makes a clean sweep of all the aforementioned drawbacks, eliminating any possibility of illicitly entering a server thus protected. According to a first simplified embodiment, the electronic anti-intrusion device according to the invention consists of 2 interconnected servers, installed upstream of the computer server to be protected: the first of which is connected to the network using an operating connection the same communication protocol as that of the server to be protected, is connected to the second server using a communication protocol other than that of the server to be protected, is equipped with a lighter operating system, including no interpreter except the interpreter for the boot / boot command and the read command in text mode, the second of which, connected to the server to be protected, is equipped with an operating system compatible with the system. the first server, is equipped with an input / output card installed on its motherboard and connected to the power supply function of the motherboard of the first server, dec lenches the cold reset of the first server following either a silence of this server exceeding a predetermined duration, or upon receipt of a number of successive requests that are formally inadmissible, exceeding a pre-established limit, or upon receipt of an unsigned request or wrongly signed, and this, using its connection to the power supply function of the motherboard of the first server. According to this first simplified embodiment, the configuration of the two servers of the electronic anti-intrusion device according to the invention meets the lowest requirements in terms of the operation of the system. Indeed, while still ensuring the protection of the server to be protected, the anti-intrusion device according to this embodiment is not able to protect itself against the damage that possible malware could cause the first of the 2 servers which it is constituted, because the software device thereof (application software, operating system and BIOS) is stored in unprotected memories and that, therefore, in case of attack and / or intrusion, it may not be able to work anymore, with the consequence of having to reconfigure it manually. According to a variant of embodiment 1 above, the electronic anti-intrusion device according to the invention is characterized in that the operating system and the application software of the first server are stored in storage memories in single reading.

According to this second embodiment, the operating system and the application software of the first server are protected against any alteration because they are recorded in ROM type memories allowing only the operation of reading their content: which provides a better guarantee of continuity of service, without the anti-intrusion device according to this embodiment is so far protected against damage that possible malware could cause the BIOS of the first of the 2 servers which it is constituted. According to a variant of the embodiments 1 and 2 above, the anti-intrusion electronic device according to the invention is characterized in that the BIOS of the first server is stored in a storage memory in a single read. According to this third embodiment, the securing of the first server of the anti-intrusion electronic device according to the invention can be fully ensured, thus avoiding any possible human intervention aimed at restoring the configuration of the first server. According to a variant of all the embodiments above, the anti-intrusion electronic device according to the invention is characterized in that the second server triggers a hot reset of the first server at predetermined intervals, and this, in transmitting a soft reset command. According to this fourth embodiment, the anti-intrusion device according to the invention periodically initiates the hot reset of the first server, and this, using a command transmitted to the latter's software: this allows to proceed to a preventive "cleaning" of any malware present in the first server, without waiting for a more serious problem (see page 3, line 33 et seq.) and it is therefore necessary to reset it to cold. According to a variant of all the embodiments above, the anti-intrusion electronic device according to the invention is characterized in that the hot reset of the first server is triggered is triggered by the software of the first server itself. . According to this fifth embodiment, the application software of the first server itself triggers its hot reset at predetermined intervals, defined, for example, in one of the memories of the first server, or even in the software itself. According to a variant of all the embodiments above, the anti-intrusion electronic device according to the invention is characterized in that the second server is equipped with a lighter operating system.

According to this sixth embodiment, the second server is also, like the first, equipped with a lighter operating system, that is to say reduced to the only modules strictly necessary for the execution of tasks that it has to accomplish: this allows to reduce the occupancy of the RAM of the second server and to accelerate in the last analysis the execution of the tasks that are to be performed by the latter. According to a variant of all the embodiments above, the anti-intrusion electronic device according to the invention is characterized in that the second server and the server to be protected are one. According to this seventh embodiment, the software content of the server to be protected is deported to the second server of the device according to the invention, and this, for example, by creating a virtual machine for hosting the operating system and all the applications of the server to protect. By acting in this way, one would avoid, in fact, any problem of compatibility between the operating systems and the second server of the device according to the invention would be allowed to simulate, during its communications with the virtual machine, the communication protocol (port, address, exchange protocol, etc.) of the server to be protected. The present invention will be better understood on reading the detailed description of the fourth embodiment, given below.

Intended to constitute the hardware support of an anti-intrusion application server making it possible to secure any computer server offering a service on any network (internet, intranet, extranet, local networks, end-to-end connections, etc.) according to a client / server protocol (http, https, ftp, ftps, rtsp, smtp, pop, proprietary protocols, etc.) against any type of malicious code (viruses, worms, Trojans, spyware, computer programs) remote, etc.), the electronic device according to the invention consists of 2 interconnected servers to be installed upstream of the server to protect, in other words between the latter and the network. The two servers of the electronic anti-intrusion device according to the invention can be connected together by means of any wired connection of a suitable type (for example, an RJ 45 cable connecting two ethernet cards installed, each , in one of the two servers, an optical fiber link, etc.), on the sole condition that the connection has a bit rate corresponding to that of the server to be protected (for example, 100 megabit / s, 1 gigabit / s, 10 gigabits / s, etc.) and that both servers have compatible or compatible operating systems. In this respect, it should be specified that the use of a wireless connection is prohibited because such a connection can be intercepted and thus does not ensure the security of transmissions between the 2 servers, except to use an infrared connection However, this has the disadvantage of being more expensive and not ensuring, to date, satisfactory rates. Similarly, the second server can be connected to the server to be protected using any wired connection of a suitable rate, while the connection of the first server with the network can be done using any Existing standard means (wired connection via ethernet card, wireless connection, satellite connection, modem connection, ADSL connection, etc.), with a bit rate corresponding to the bandwidth of the server to be protected. Furthermore, replacing the server to be protected in its communications with the network, the first server of the device according to the invention must necessarily use the same communication protocol as the server to be protected (port, address, exchange protocol, etc.).

On the other hand, the communications between the 2 servers of the device according to the invention must imperatively be done according to a protocol other than that of the server to be protected, in order thus to constitute (in association with the password authentication of any packet data transferred to the second server) a confinement zone, in other words a "no man's land" where any malware that has infiltrated there would be trapped and would be sentenced to a certain elimination thanks to the reset mechanism piloted by the second server using a command sent to the first server either by software or via the input / output card connected to the power switch of the motherboard of the first server. Regarding the storage memories to be equipped with the first server of the anti-extrusion device according to the invention, it should be specified: - they include the memory allocated to the BIOS backup (normally a chip integrated in the factory to the motherboard by the manufacturer of the latter), that they must be, physically, in single reading, because, although it may be admitted to prohibit access to writing or erasure by software means, it would be preferable that this condition is fulfilled materially, thus adopting either real ROM memories, or memories protected write by a slide or jumper to move (such as found, for example, in floppy disks of 3 and a half inches , in some flash memories, etc.), or any other type of memory to prohibit any operation other than reading using a physical device. The above constraint is intended to ensure that all and any isolated element of the first server's software device (ie BIOS, operating system, application software and any management data, c eg, reset time, passwords used to authenticate the data packets to be transferred to the second server, etc.) can not be altered by any possible intrusive agent from the server. network. Regarding the input / output card to be installed on the motherboard of the second server, it can be any type of commercial input / output card (serial, USB, etc.), ready to be connected, with the help of a relay and an appropriate connection, to the power switch function of the motherboard of the first server. Finally, concerning the communications between the second server and the server to be protected, they must, imperatively, be done according to the same protocol as that operated by the first server with respect to the network: which means that the first server and the server to be protected will have to exploit the same port (for example, in the case of the Internet, port 80), the same address (for example, concerning the internet, the IP address assigned to the server to be protected) and the same exchange protocol (for example, with regard to the internet, the TCP / IP protocol). Finally, with regard to the other constituent elements of the 2 servers of the anti-intrusion device according to the invention (motherboards, processors, RAMs, hard disks, power supply units, fans, housings, etc.) the person skilled in the art, namely a computer electronics specialist, knows that these are standardized parts that he can easily obtain commercially. As has been seen, the purpose of the present invention is to provide a universal solution for securing any computer server offering any online service according to a client / server protocol (such as, for example, with respect to internet, the sales service of a merchant website, the customer service of a banking website, an information service of a static website, a messenger service, etc., or else acting, for example, an intranet, a file sharing service, a database access service, etc.), the device according to the invention is characterized by the fact of creating a confinement zone, in other words a "sealed zone" where any intruder would remain captive and have no other possible outcome than that of being quickly eliminated.

Furthermore, it should be noted that, comprising only known electronic components and thus forming part of the state of the art, the electronic anti-intrusion device which is the subject of the present invention is to be regarded as a new combination of known means whose novelty and inventiveness compared to existing anti-intrusion devices or whose description is known holds, in particular, the technical result it achieves, namely an inviolable protection against any type of any intrusion that the electronic anti-intrusion device according to the invention is able to provide any server providing a network service according to a client / server protocol. The very simplicity of the principle on which essentially rests the technical solution proposed, namely the creation of a containment lock to enclose any intruder, without giving him the slightest chance of escaping or to damage anything, and to condemn it to an elimination just as fast as it is certain, makes it possible (without opening the doors to the pirates) to no longer fear their entry. Moreover, the extreme simplicity of this principle, combined with the fact that there is currently no machine somewhat similar to the device according to the invention, also testifies to the inventiveness of the proposed solution which is far from obvious from the state of the art.

Indeed, the problem of computer hacking or, more generally, intrusions into networked computer systems has existed since the very birth of these networks, that is to say, for decades, the first integrated networks, such as today internet, dating from the early seventies. Therefore, if the proposed solution had been obvious, there would have been plenty of time to develop it well before.

In this respect, it suffices to think, on the one hand, of all the problems and serious economic consequences which intrusions pose more and more to undertakings or other organizations operating a network service (and in particular, since the commercial explosion of the planned internet, which began in the mid-1990s), and the number of experts and multinational companies that have focused on and are still working on the question today, without an effective and definitive solution ever being proposed. To conclude, it should be specified: that other modules can be, of course, added to the software apparatus of the device according to the invention to meet specific needs (such as, for example, a process of detection and automatic fault reporting, additional authentication layer of the users, etc.), that the device according to the invention can be made more powerful and, in any case, redundant, in order to provide a fault-tolerant service , associating it with a second or several other devices, that, in the case above, the reinitialization of the first servers of the different devices according to the invention could be done alternately, thus eliminating any interruption of the service, would not be possible. that minimal.

Claims (7)

CLAIMS1) Electronic anti-intrusion device for neutralizing any malicious code attacking any computer server providing a service on any network according to a client / server protocol, said device consisting of 2 interconnected servers, installed upstream of the computer server to protect: the first of which is connected to the network using a connection using the same communication protocol as that of the server to be protected, whereas its connection with the second server uses a communication protocol other than that of the server to protect, and the second, connected to the server to protect, is equipped with an operating system compatible with the operating system of the first server, characterized in that the first server is equipped with an operating system lightened, not including any interpreter, except the interpreter of the boot command and the read command in text mode, and in that the second server: - is equipped with an input / output card installed on its motherboard and connected to the power supply function of the motherboard of the first server, triggers the reset to cold of the first server following either a silence of this server exceeding a pre-established duration, or upon receipt of a number of successive requests that are formally inadmissible, exceeding a pre-established limit, or upon receipt of an unsigned or erroneously signed request, and this, using its connection to the power supply function of the motherboard of the first server. 2) anti-intrusion electronic device according to claim 1 above characterized in that the operating system and the application software of the first server are stored in storage memories in single reading. 3) anti-intrusion electronic device according to claim 1 or 2 above characterized in that the BIOS of the first server is stored in a single read storage memory. 4) An intruder electronic device according to any one of the preceding claims, characterized in that the second server initiates a warm reset of the first server at pre-established intervals, by transmitting a reset command by channel software. 5) electronic anti-intrusion device according to any one of the preceding claims, characterized in that the hot reset of the first server is triggered by the software of the first server itself. 6) electronic anti-intrusion device according to any one of the preceding claims, characterized in that the second server is equipped with a lighter operating system. 7) electronic anti-intrusion device according to any one of the preceding claims, characterized in that the second server and the server to protect are one.