Patents

High Security Labs' innovation is expressed in dozens of patent applications submitted to the USPTO. Below is a summary of the main patents already approved and published:

  • Isolated Multi-Network Computer System and Apparatus
  • 3-Dimensional Multi-Layered Modular Computer Architecture
  • Server Having Remotely Manageable Emulated Functions
  • Secure KVM System Having Remote Controller-Indicator
  • Computer Motherboard Having Peripheral Security Functions
  • Secure KVM System Having Multiple Emulated EDID Functions

Technology Overview: Possible solutions for isolated networks integration at the user's desktop

Existing Solution # 1 – Multiple PCs and peripherals
The most straightforward method is to connect two or more independent sets of computers and peripherals. This method becomes impractical when more than three isolated networks are needed, as the user's desktop turns into a jungle of wiring and peripherals.

Advantages
  • Very secure - Strong isolation between networks as no integration point exists. Only TEMPEST leakages are possible
  • Easy for the user to identify the security level (network) in use
  • Fast switching time between environments
  • Medium cost – no special equipment needed, but still 2 or more sets of equipment need to be maintained for each user

Disadvantages
  • Large desktop space needed for PCs and duplicated sets of peripherals
  • Difficult to use – two isolated environments
  • Lower reliability, a lot of cabling
  • User authentication in multiple networks is replicated
  • Heavier user workload and fatigue. Potential spoofing attack

 
Existing Solution # 2 – Multiple PCs and Conventional KVM
This method is by far the most popular one as KVMs are readily available for low cost. Conventional KVM setup is shown in bellow - networks integration takes place at the user’s desktop. Video and peripheral lines are connected between the isolated PCs and the KVM by cables. Simple solid state video MUX route one video input to the single video output based on user inputs. User can select one output using key combinations (keyboard pattern detection) or by means of rotary switch or push-buttons.Peripheral channels are normally connected to microcontroller to enable error free boot of connected PCs. This microcontroller setup is typically the vulnerable point in the conventional KVM as it may leak data between channels. Due to security vulnerabilities many organizations would not allow conventional KVMs in top secret environments.

Advantages
  • Reasonable isolation between networks, unless the organization is targeted by a capable attacker
  • Medium cost – a low-cost KVM is needed, but still 2 or more PCs need to be maintained for each user
  • Fast switching time between environments

Disadvantages
  • Security risk due to the use of a COTS KVM. An attack can be initiated remotely to create data leakage across the KVM
  • Ease of use – medium. Two isolated environments, but simple switching between them
  • Difficult for the user to identify the security level (network) in use
  • User authentication in multiple networks is replicated
  • Exposed data I/O (USB) ports
  • Poor galvanic isolation between PCs (unless one network is fiber)


HSL innovative patented solutions

Solution # 1 – Multiple PCs and HSL 3rd Generation Secure KVM
This method was developed and patented by HSL as a secure KVM solution for high security organizations requiring physical isolation of networks. From the user's standpoint this method operates in the same way as a conventional KVM.
In this setup two or more PCs are connected to separate networks. The USB or PS/2 port of each computer is connected to the secure KVM through a cable. Optional galvanic isolation enables the two computers' ground planes to be floating (isolated). Each video input channel is passed through a data diode to assure isolation and unidirectional flow. Display EDID (Plug & Play) is emulated by isolated devices (not shown here). The video switch, implemented by a MUX, connects one video input to the video output port based on user selection.
The USB or PS/2 keyboard / mouse are connected to the Secure KVM via two isolated host emulators. These host emulators ensure that all bi-directional protocols are reduced to a uniform unidirectional data flow passed through a switch and another set of optical data-diodes. The unidirectional peripheral data stream is then routed to the device emulators connected to the attached hosts through cables. This peripheral path implementation enables absolute peripheral device filtering – no storage devices will be supported. Optional anti-tampering circuitry enables tampering detection and reporting when needed.
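The peripheral path described above (host emulator, one-way data diode, device emulator, class-based filtering) can be modelled in software to make the design intent concrete. The following is an added illustration written for this page, not HSL's code or an implementation of the patented hardware; the class names, the boot-keyboard report handling and the sample reports are assumptions. The USB class and HID boot-protocol codes are the standard values from the USB specifications.

```python
# Model of a secure-KVM peripheral path: host emulator -> data diode -> device emulator.
# Added example; not HSL's design. Names, structure and sample data are assumptions.
from dataclasses import dataclass
from typing import List, Set, Tuple

# Standard USB class codes and HID boot-protocol codes.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01
HID_PROTOCOL_MOUSE = 0x02

# The host emulator enumerates only these (class, boot protocol) pairs.
ALLOWED_DEVICES: Set[Tuple[int, int]] = {
    (USB_CLASS_HID, HID_PROTOCOL_KEYBOARD),
    (USB_CLASS_HID, HID_PROTOCOL_MOUSE),
}


@dataclass(frozen=True)
class UsbDevice:
    """Minimal stand-in for a USB interface descriptor (constructed sample)."""
    vid: int
    pid: int
    usb_class: int
    protocol: int


@dataclass(frozen=True)
class KeyEvent:
    """Uniform, unidirectional event emitted by the host emulator."""
    keycode: int
    pressed: bool


def host_emulator_accepts(dev: UsbDevice) -> bool:
    """Peripheral filtering: anything other than a boot keyboard or mouse is refused,
    so a mass-storage device plugged into the console port is never enumerated."""
    return (dev.usb_class, dev.protocol) in ALLOWED_DEVICES


def boot_keyboard_report_to_events(report: bytes, held: Set[int]) -> Tuple[List[KeyEvent], Set[int]]:
    """Reduce an 8-byte HID boot keyboard report (byte 0 modifiers, byte 1 reserved,
    bytes 2-7 keycodes) to press/release events relative to the keys previously held.
    Modifier keys are ignored in this simplified model."""
    if len(report) != 8:
        raise ValueError("boot keyboard report must be 8 bytes")
    now = {k for k in report[2:8] if k}
    events = [KeyEvent(k, True) for k in sorted(now - held)]
    events += [KeyEvent(k, False) for k in sorted(held - now)]
    return events, now


class DataDiode:
    """Forward-only channel: the consumer side has no method that writes upstream,
    the software analogue of an optical link with one emitter and one receiver."""
    def __init__(self) -> None:
        self._queue: List[KeyEvent] = []

    def emit(self, ev: KeyEvent) -> None:
        self._queue.append(ev)

    def drain(self) -> List[KeyEvent]:
        out, self._queue = self._queue, []
        return out


class DeviceEmulator:
    """Host-facing side: re-encodes events as reports and answers host-initiated
    requests (e.g. keyboard LED state) locally, so nothing travels back upstream."""
    def __init__(self) -> None:
        self.held: Set[int] = set()
        self.leds = 0

    def apply(self, events: List[KeyEvent]) -> bytes:
        for ev in events:
            if ev.pressed:
                self.held.add(ev.keycode)
            else:
                self.held.discard(ev.keycode)
        return self.report()

    def report(self) -> bytes:
        keys = sorted(self.held)[:6]
        return bytes([0, 0] + keys + [0] * (6 - len(keys)))

    def set_report_leds(self, value: int) -> int:
        self.leds = value  # consumed here; never forwarded toward the console
        return self.leds


def run_demo() -> List[bytes]:
    """Push three constructed keyboard reports through the path and return the
    reports the attached host would see: press 'a', add 'b', release both."""
    diode, emulator, held = DataDiode(), DeviceEmulator(), set()
    out: List[bytes] = []
    for raw in (bytes([0, 0, 0x04, 0, 0, 0, 0, 0]), bytes([0, 0, 0x04, 0x05, 0, 0, 0, 0]), bytes(8)):
        events, held = boot_keyboard_report_to_events(raw, held)
        for ev in events:
            diode.emit(ev)
        out.append(emulator.apply(diode.drain()))
    return out
```

The security property the model captures is structural: the host side only ever receives `KeyEvent` values, a host-originated request such as an LED update terminates in the device emulator, and a device that is not a boot keyboard or mouse is rejected before any of its traffic exists.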

Read more on HSL KVM Switches.

Advantages
  • Very high security - Optical isolation between channels. Will maintain isolation even if two connected computers are infected with hostile code that targets the KVM
  • Complete protection of peripheral ports – USB / PS/2 ports are made unidirectional by optical isolators. Strong peripheral filtering
  • Medium cost – a higher-cost KVM is needed, but still two or more PCs need to be maintained for each user
  • Fast switching time between environments
  • Optional high galvanic isolation and anti-tampering

Disadvantages
  • Ease of use – medium. Two isolated environments, but simple switching between them
  • Difficult for the user to identify the security level (network) in use
  • User authentication in multiple networks is replicated


Solution # 2 – Multiple PCs and HSL Secure KVM Combiner
This method was developed and patented by HSL to further improve the user experience while maintaining the highest level of security. To enable easy work across isolated networks, the KVM Combiner uses an advanced video processor to create an interactive, "Windows-like" user experience. The video section of the KVM Combiner uses a fast Field Programmable Gate Array (FPGA) and DDR memory to process the video received from the connected sources and generate a high-quality, high-resolution, dynamic desktop on the connected display. Windowing commands and interaction data are received by the video processor via an optical data diode connected to the peripheral controller section. Host emulators connected to the keyboard and mouse manage the user interaction. A USB / PS/2 switch couples the active channel to the appropriate device emulator of that channel through optical data diodes.

Read more on HSL KVM Combiner Switches.

Advantages
  • Very high security - Optical isolation between channels
  • Simultaneous work in a windowing environment across different networks
  • Easy for the user to identify the security level (network) in use through colored frames
  • Complete protection of peripheral ports – USB / PS/2 ports are made unidirectional by optical isolators
  • Fast switching time between environments

Disadvantages
  • User authentication in multiple networks is replicated
  • Higher cost – a higher-cost KVM is needed (and two or more PCs need to be maintained for each user)