Theory of Asymmetrical Communication Endpoints (ACE's)
Heinrich T. Feuerbach, February 2019
Copyright: Author, but free for Wikipedia.
Computers are applied more and more, the power of hardware and programs is growing rapidly, and the dependency of individuals and the economy on the Internet is already huge, but the data on these systems is not safe against intruders.
Manipulation of data happens; intruders look into systems, read screens and manipulate data, and sabotage happens every day.
This short overview of a new type of endpoint for networks like the Internet shows how to avoid these scenarios. It relates to end-user computers, i.e. the mass-market, typical client computers. An “Asymmetrical Communication Endpoint” or ACE provides the technical platform to solve these issues for all use cases. An ACE describes a computer system which consists not of just one single computer but of two. This pair of computers would be presented to the user as a single computer, so the “duality” would be transparent to the user.
One of the two computers would be physically able only to send data into the Internet, while the other would be physically able only to receive data from the Internet. Given that, the term “asymmetry” here relates to the functions of “transmitting/sending” and “receiving” data.
Such a system would be safe, in a physical manner, against intruders from the networks to which it is willingly connected, like the Internet.
Being physically safe, this high level of security would be independent of software updates. All attacks via e.g. the Internet against such a computer system would be ineffective if the attacks were initiated and performed through the Internet, i.e. fully “from outside”. Neither espionage nor manipulation of data nor sabotage could succeed against an ACE.
The only precondition would be to keep the data on both computers of the ACE, or only on the transmitter, because the data on the receiver would remain within reach of attackers. I would like to call the side represented by transmitter and receiver “green”, because the level of security for the data hosted on an ACE lies in the middle between a computer symmetrically connected to the Internet (“red”) and a fully isolated or “air-gapped” computer (“blue”). For the transmitter itself I use the color “green”, for the receiver the color “yellow”. These colors again show their individual level of data security, with the transmitter providing more security for the hosted data than the receiver. So green and yellow together build the “green side” of the ACE.
An ACE could be universally used for networked and non-networked programs.
Before explaining the ACE in more detail, here is an excursion into a classification of the different security levels.
Introduction of a Classification of all Types of Attacks against Computers
To describe the level of security of the data in a computer system and at the same time be able to compare the security levels of different systems, we first need to be able to classify all the possible attacks on them somehow.
In other words, every known but also every possible future type of attack must have its place in the classification.
For this, I set up a matrix consisting of 9 main fields as 3x3. The resulting two dimensions are the “targets” and the “paths” of attacks. Targets may be the read-out of data in a given computer system, the manipulation of data in a given computer system (writing) and the sabotage of the data or of the system as a whole.
Paths may be direct network attacks, indirect network attacks and built-in attacks.
Given that, every possible attack is a combination of these two dimensions.
These resulting 9 fields are then each split into two, for known and unknown networks. A known network is a network which is known to the owner and user of the computer system, whilst an unknown network is not. An unknown network is, for example, a cell phone connected to one of the LAN computers in order to charge its battery. As the cable used here also has wires for data transport via USB, and the cell phone is connected to the Internet, the user thereby creates, willingly or not, another network connection, here into the Internet. Through this connection, which is unknown to the owner of the computer, the system may now be attacked, simply going around the possibly expensive firewall.
This is just one of many examples of unknown networks. Others include communication via ultrasound from TV sets to (smart) cell phones, LEDs on computers and network equipment sending out data, and many other ways to “extract” data from systems or manipulate data without the knowledge of the system's owner. Such unknown networks are even used to bridge the air gap of isolated computer systems, monitoring or controlling them and going around all other security measures.
Coming back to the matrix of 9 fields, a classification of all attacks into visible to the user and invisible to the user is needed. For example, sabotage attacks are often soon visible to the users of the attacked systems, but not always. It all depends on the intention of the attackers. There are sabotage attacks that aim to stay undetected by the users of the target for as long as possible, like the attacks on the uranium enrichment systems of Iran via “bridging the air gap” methods.
Other sabotage attacks don’t try to hide, they even aim at being visible, like DDoS, de-facing of Websites etc.
Given these differences in the visibility of attacks, there is a “visibility line” in the uppermost row of targets, the sabotage row of the matrix. This horizontal line, however, is not always flat; depending on the attack, it may change its position and form like a wave.
The defender will always try to block all 9 fields completely, whilst an attacker would try to attack where it is the easiest.
Individual fields may be defended absolutely with physical measures, or only partially, i.e. to some percentage.
An absolute coverage of a field means that an attacker can never succeed. This is only possible if a demonstrable, such as physical, protection takes place. All other measures can only be hedged to an estimated
The ACE could absolutely cover the areas B3 (transmitter) and (A3 + C1) (receiver).
In this case, the area A3 would be covered for the receiver due to an upstream firewall ("FW").
Fig.1, Attack- or security matrix of computer systems
Explanations to Fig.1:
The attack matrix consists of 9 main fields with 2 dimensions, the attack paths and the attack targets. The fields are divided again, mainly into known and unknown nets.
The coloring of the graphic has nothing to do with the color scheme of the nets above and is independent of it. I chose the color scheme of the graphic so that the color corresponds to the potential danger of each field: green less dangerous, red most dangerous and hard to ward off. The brightness of the colors, which increases towards the top of the diagram, indicates the visibility of an attack on the associated field: the lighter the color, the sooner an attack is visible to the user.
The example case of a known network is when someone connects a computer, whether symmetrical or asymmetrical, to the Internet in a controlled manner. This connection to the Internet is then desired and can be removed by the user at any time.
The case of an unknown network is when someone has a connection that is unknown to him and therefore not desired by the owner of the computer or network, e.g. into the Internet, for example via a mobile phone with a GPRS data transfer option which connects to the computer, the associated LAN or a network device, thereby opening an unknown network connection through which data can drain out or flow in.
This inflow or outflow of data is then beyond the control of the user or owner of the computer system or network.
Even the unshielded computer monitor is part of it if it radiates the screen data electromagnetically into the surrounding area, as are the unshielded keyboard cable, unshielded network cables, etc.
A further subdivision takes place in column "C" into fields for HW, operating system and application programs. This corresponds to the various places in which malware, whatever its target, may be installed in the computer already from production or even after delivery, etc., so that it can already be present without any network connection.
Finally, there is another subdivision into above and below the visibility line, "SL". Attacks that are directly visible or tangible to the user are above the SL; all attacks that are not visible or not immediately visible are below the SL. The SL therefore corresponds to a "waterline": the further below the waterline, the harder the attack is to detect. Unfortunately, in many cases only sabotage attacks are directly and immediately recognizable by the user of the system.
With the names of Roman numerals (I and II), letters and minus signs, each individual field can be clearly named and distinguished. In addition, the feature "above" or "below" the SL can be used.
If you want to name an area of several main fields, you name the right-uppermost field of the area. For individual fields, they are named as "Field Xn".
Multiple areas of fields can also be connected by a plus sign, such as (A3 + C1).
The common area in the attack matrix which can be covered by both the transmitter and the receiver of the ACE, due to the asymmetry alone, is the "L" of A3 and B1. All other fields can be covered either only by the transmitter (up to B3) or only by the receiver (up to C1); thus the asymmetry alone gives "only" a cover of A3 and B1 as a measure, the A3 safety of an upstream FW included - for the green side, i.e. green and yellow together.
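To make the naming convention of the matrix checkable, the following is an added example (constructed for this page, not the author's code) that models the 3x3 matrix as sets of fields: columns A to C are the attack paths, rows 1 to 3 the targets with row 1 (read-out) at the bottom and row 3 (sabotage) at the top, as the text lays them out. It expands an area name into the fields it covers, parses the "+" notation such as "(A3 + C1)", names a set of fields by its right-uppermost corners, and computes the cover of transmitter (B3), receiver (A3 + C1, the A3 part assuming the upstream firewall) and their common "L". The known/unknown sub-division (I/II) and the SL are left out; only the 9 main fields are modelled.

```python
"""Model of the 3x3 attack matrix and its area-naming convention.

Constructed example for this page; the layout (columns A-C as attack paths,
rows 1-3 as targets, row 1 at the bottom) follows the text, the code does not.
"""
from itertools import product

PATHS = {"A": "direct network attack", "B": "indirect network attack",
         "C": "built-in attack"}
TARGETS = {1: "read-out (espionage)", 2: "manipulation (writing)", 3: "sabotage"}
COLUMNS = "ABC"      # left to right: the further right, the harder to cover
ROWS = (1, 2, 3)     # bottom to top: row 3 is the sabotage row carrying the visibility line

ALL_FIELDS = frozenset(f"{c}{r}" for c, r in product(COLUMNS, ROWS))


def area(name):
    """Expand an area name (its right-uppermost field, e.g. 'B3') into the fields it covers."""
    col, row = name[0].upper(), int(name[1:])
    if col not in COLUMNS or row not in ROWS:
        raise ValueError(f"not a field of the matrix: {name!r}")
    return frozenset(f"{c}{r}" for c in COLUMNS[:COLUMNS.index(col) + 1]
                     for r in ROWS if r <= row)


def parse_area(expr):
    """Parse the page's notation, e.g. '(A3 + C1)', as the union of the named areas."""
    parts = expr.replace("(", "").replace(")", "").split("+")
    return frozenset().union(*(area(p.strip()) for p in parts))


def name_area(fields):
    """Inverse of parse_area: name a set of fields by its maximal right-uppermost corners."""
    fields = frozenset(fields)
    corners = [f for f in sorted(ALL_FIELDS) if area(f) <= fields]
    maximal = [f for f in corners
               if not any(g != f and area(f) < area(g) for g in corners)]
    return " + ".join(maximal)


def hardest_for_defender(fields):
    """Rightmost column first (hardest to cover), then lowest row (hardest to detect)."""
    return max(fields, key=lambda f: (COLUMNS.index(f[0]), -int(f[1:])))


# Cover claimed in the text: transmitter up to B3, receiver A3 (with upstream FW) + C1.
TRANSMITTER_COVER = parse_area("B3")
RECEIVER_COVER = parse_area("(A3 + C1)")
COMMON_COVER = TRANSMITTER_COVER & RECEIVER_COVER   # what asymmetry alone gives both halves


if __name__ == "__main__":
    print("transmitter covers ", sorted(TRANSMITTER_COVER))
    print("receiver covers    ", sorted(RECEIVER_COVER))
    print("common (the 'L')   ", name_area(COMMON_COVER))
    open_on_yellow = ALL_FIELDS - RECEIVER_COVER
    print("open on receiver   ", sorted(open_on_yellow),
          "hardest of these:", hardest_for_defender(open_on_yellow))
```

Running it shows the common cover named as "A3 + B1", the fields the transmitter leaves open (C1, C2, C3) and those the receiver leaves open (B2, B3, C2, C3); over the whole matrix `hardest_for_defender` returns C1, matching the text.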
The dividing lines in the fields C2 and C3 are dashed, since here the meaning of the network connections is limited: an attack on C2 can also take effect entirely without a network, since it means data manipulation by built-in malware. If this is already on a given computer system, a network is no longer needed for it to take effect; however, if it is not yet on a given computer system, then again a network connection is needed to spread to other computers. Otherwise it can only work locally. The same applies to implemented or built-in sabotage software, field C3.
Now every single attack can be clearly assigned to one of the fields.
The defender should try to cover all fields, especially the lower ones.
The further to the right a field lies, the harder it is to cover. The further down, the harder it is to detect an attack and thus prevent it; therefore, the most problematic field for the defender is C1.
of attacks on the individual fields:
Column A, direct attacks via networks: these are only possible on an endpoint in known networks if no firewall (FW) has been installed upstream. Unknown networks will rarely have an FW upstream, so these are the more likely routes of attack.
This can happen e.g. via an unknown WLAN access, via a USB cable to one of the computers located in the LAN, etc. Even unknown communication via ultrasound, as used by various mobile apps that are often available as Trojans, is a possible path here.
There are many possibilities for unknown nets; every espionage bug fixed under a conference table, for instance, represents an unknown net. Infrared, the electrical mains, etc. can also come into question for an attack. These can be prevented by various shielding measures and recognized via e.g. sensors.
In column "B" we are already dealing with attacks that are much harder to combat because they come from the inside, indirectly via the network. Examples are the Trojans that one "catches" via email attachments. After such an attachment has been opened by the recipient, the Trojan (field B1) collects data such as passwords, emails, etc. in plain text, unnoticed by the person being attacked. With symmetrical networking, it then sends this over the Internet to the attacker. Another example is remote control: the Trojan contains a server with which the attacker can watch the screen content live at any time without the user noticing. Field B2 could mean that the Trojan deletes or modifies files without the user's knowledge. If this has no deeper purpose than the damage, it is already an attack on field B3, i.e. sabotage; however, if data is changed in order to serve a purpose, such as content manipulation, then it is an attack on field B2.
The most difficult fields to defend are those of column "C", since the attack is independent of the outside, i.e. the network, and therefore cannot be detected in the network.
Examples of "C" attacks: a program built into the BIOS of the computer motherboard which reads keystrokes and sends them directly over the network to a given server on the Internet where the data is collected. A reinstallation of the operating system achieves nothing here either, since the BIOS is not affected by it. Likewise, malicious software for espionage, manipulation or sabotage can be installed in every operating system. Application programs often already contain such malicious software or Trojans.
To guard against attacks on the "C" column, it helps to use only trusted, tested HW and SW, with Open HW and Open SW, programs compiled from the sources, and testing the computer if it is sending out data even without any user intervention.
Unknown networks also include unknown protocols that are not desired by the user, even if these unknown protocols are operated on a known physical network. Thus, at layer 1, data can in practice be transmitted in addition to the usual protocols without, e.g., an FW knowing anything about it. Such layer-1 attacks correspond to "flying under the radar" of the FWs.
An ACE could now physically enable the full protection of networked computers from espionage, data manipulation and sabotage which is initiated and carried out over the Internet.
By asymmetry alone, however, one would still have no protection against attacks already built into HW and SW, i.e. in the BIOS, the operating system or applications built with malicious software of any kind.
Against this very difficult to combat type of attack on computer systems, networked or isolated, what helps even today is the review of the program sources, open source, open hardware, programs compiled from the sources, and testing whether the systems send something although the user has not caused this and did not want it. Contracts with the manufacturers stating that there are no undocumented functions in HW / SW (with contract penalties) can also help here. Monitoring of the transport and logistics routes is particularly important here in order to prevent manipulation of the HW and SW.
The technical safety of an ACE against hacker attacks via known networks would be permanent. This protection would also be independent of virus definitions, signatures for network attacks as usual in IDS / IPS systems, etc.
The only prerequisite is that the attacker cannot bypass or break the asymmetry.
Now, the simple explanation of why an ACE is physically secured against espionage via the network and why this protection could not be circumvented by an attacker sitting somewhere on the Internet: the ACE would, as said, have a separate computer physically only for sending to the Internet and another, separate from the former, only for receiving from the Internet.
The sender could then send to the Internet, but receive nothing from the Internet; therefore, it could not receive espionage attacks (or other attacks) from the Internet that could cause it to broadcast data into the Internet. The same would apply to data manipulation and sabotage attacks initiated over the Internet.
The receiver, on the other hand, could still receive spyware while surfing, etc., from the Internet, but it could not then send the collected data, such as passwords, texts, etc., back to the Internet!
The physically secure separation of the transmitter from the receiver would thus be the method for complete espionage security, as regards such espionage attacks that are both initiated and carried out over the Internet, which probably covers most of today's Internet espionage and data espionage (so-called hacking), industrial espionage, and also spying on individuals and decision makers.
A conventional communication endpoint ("red") communicates symmetrically in the network: a single PC, e.g., can both receive from the Internet and send to the Internet. Thus, the closing of the data circuit (transmitter to receiver and back to the sender) already takes place at the application level, layer 7 in the ISO / OSI model. (The ISO-OSI model was established by the ITU in 1983 and co-developed by the ISO in 1984.)
An application can therefore send and receive data without user interaction and thus without any user knowledge. The browser may pass data about the user and user-created data (passwords, etc.) to the Internet, e.g. via the HTTP protocol.
The same applies in principle to all other programs running on the same PC. The user who runs the applications cannot prevent this; firewalls (FWs) only stop what from the outside arbitrarily requests access to the inside (PC), but not what goes from inside to outside.
And how should the FW know, so that it can decide, which transmissions from inside are "good" or "desirable" and which are not?
A query to the user whether an application is allowed to send is not practical, because how often would the user have to do this? And how should the user always know what application xyz is about to send and where it goes? And whether this is justified or
Also, this "protection" can easily be circumvented by smuggling out not only the desired data but also other data without the user's knowledge.
The cause of this dilemma is that the "circuit of data streams" (analogous to electronics) can be closed even below the user level, namely on layer 7, as in a server, where it is clear that the answers to server requests must be automated and immediate, for performance reasons alone and without human intervention.
But with clients, which should be served only by humans? Here one can and should leave the user in control of when and whether the data circuit is closed and for what purpose.
An important aspect of ACEs would be their invisibility in the network: since the receiver cannot send, an attacker also gets no feedback from it. So it would never respond to a ping from the outside.
The transmitter, in turn, would no longer be accessible via the network, so it could no longer be made from the outside to do something undesirable.
An ACE would therefore not be remotely controllable, at least not without deliberate user intervention.
Indirect protection against DDoS attacks:
Since an ACE could not be remotely controlled, it would also be the best remedy against DDoS attacks - distributed sabotage attacks in which many previously compromised computers are simultaneously made to send massive numbers of requests to specific server addresses in order to bring down the servers or clients - assuming all users used only ACEs as devices for Internet use.
Standing on two legs
As described above, the ACE would have a clear separation between user-generated data and data from other persons. The self-generated data would be created on green, in order to be able to send it. If all users used only ACEs, all data would at least be on a green device (somewhere in the network) and would thus be globally protected against hackers, i.e. against all network-initiated attacks. Thus, this data could always be recovered, namely from its original on one of the “greens” (senders) of the data's creator. This would prevent the mixing of self-created data (own copyright) and data created by other users (third-party copyright). Therefore, the ACE would also allow better protection of data against copyright abuse. An example would be the use of email with ACEs, whereby the forwarding of emails would be prevented and could only be done indirectly via the original sender (enforcing a point-to-multipoint distribution of data instead of the usual point-to-multipoint-to-multipoint distribution).
In contrast to symmetrical "endpoints" (SCEs) in the net, with the ACE one stands on two legs and not only on one. Of course, this separation between data source and sink would have consequences for working with computers.
Further consequences of the asymmetry for dealing with computers and examples
A consequence of working with ACEs would be that cooperation via email and with server-side programs would have to be somewhat different than with SCEs. Emails could not be forwarded in an ACE as in an SCE, since data must never be able to reach the sender from the receiver, neither over the network nor manually. An email one has received should therefore not simply be transferred from the receiver to the transmitter and sent from there to other participants in the email traffic. However, it would be easy to send the original sender an email requesting that the same email be sent to other recipients. This would also have the privacy advantage that copyright must be respected, as the original sender of an email keeps control over who gets sent their email.
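The following added example (a constructed toy simulation, not code from the paper) models the behaviour described in the sections above: a green transmitter with no receive path, a yellow receiver with no transmit path, a stand-in network that only delivers messages, and three ACEs named alice, bob and carol (assumed names). It plays through the three claims made on this page: spyware can still land on the receiver but finds no way to send the collected data out, not even by copying it onto the transmitter; a ping reaching the receiver is never answered, so the ACE stays invisible; and instead of forwarding a mail, bob's transmitter sends a forward request to alice, whose transmitter re-sends her own original to carol. The message kinds and the "body|recipient" request format are assumptions of this example.

```python
"""Toy simulation of an Asymmetrical Communication Endpoint (constructed example)."""
from dataclasses import dataclass


class AsymmetryViolation(Exception):
    """Raised whenever data would have to flow against the physical asymmetry."""


@dataclass(frozen=True)
class Message:
    src: str    # address of the originating host
    dst: str    # address of the ACE whose receiver should get it
    kind: str   # assumed kinds: mail, ping, spyware, forward-request
    body: str


class Network:
    """Stand-in for the Internet: it only delivers messages and keeps a log."""
    def __init__(self):
        self.endpoints, self.log = {}, []

    def attach(self, ace):
        self.endpoints[ace.address] = ace

    def deliver(self, msg):
        self.log.append(msg)
        target = self.endpoints.get(msg.dst)
        if target is not None:            # unknown hosts (the attacker) just swallow it
            target.receiver.accept(msg)

    def sent_by(self, address):
        return [m for m in self.log if m.src == address]


class Transmitter:
    """Green half: a path into the network, none out of it. Own data lives here."""
    def __init__(self, ace):
        self.ace, self.own_data = ace, {}

    def send(self, dst, kind, body):
        self.ace.net.deliver(Message(self.ace.address, dst, kind, body))

    def accept(self, msg):
        raise AsymmetryViolation("the transmitter has no receive path")


class Receiver:
    """Yellow half: a path out of the network, none into it."""
    def __init__(self, ace):
        self.ace, self.inbox, self.implanted = ace, [], []

    def accept(self, msg):
        (self.implanted if msg.kind == "spyware" else self.inbox).append(msg)

    def send(self, dst, kind, body):
        raise AsymmetryViolation("the receiver has no transmit path")


class ACE:
    """The pair that the user sees as one computer."""
    def __init__(self, net, address):
        self.net, self.address = net, address
        self.transmitter, self.receiver = Transmitter(self), Receiver(self)
        net.attach(self)

    def copy_to_green(self, data):
        """The manual yellow-to-green path the text forbids; always refused here."""
        raise AsymmetryViolation("data must never reach the sender from the receiver")

    def request_forward(self, msg, new_recipient):
        """Instead of forwarding a received mail, ask its original sender to re-send it."""
        self.transmitter.send(msg.src, "forward-request", f"{msg.body}|{new_recipient}")

    def handle_forward_requests(self):
        """The user reads requests on yellow and acts on green; only own data is re-sent."""
        for req in self.receiver.inbox:
            if req.kind == "forward-request":
                body, recipient = req.body.split("|", 1)
                if body in self.transmitter.own_data.values():
                    self.transmitter.send(recipient, "mail", body)


def run_scenario():
    net = Network()
    alice, bob, carol = (ACE(net, name) for name in ("alice", "bob", "carol"))
    result = {}
    # 1. Spyware lands on bob's receiver while "surfing" ...
    net.deliver(Message("attacker", "bob", "spyware", "keylogger"))
    result["spyware_landed"] = [m.body for m in bob.receiver.implanted] == ["keylogger"]
    # ... but it has no transmit path and no way onto green.
    for attempt in (lambda: bob.receiver.send("attacker", "exfil", "passwords"),
                    lambda: bob.copy_to_green("passwords")):
        try:
            attempt()
            result.setdefault("blocked", []).append(False)
        except AsymmetryViolation:
            result.setdefault("blocked", []).append(True)
    # 2. Invisibility: the ping arrives, nothing ever answers it.
    net.deliver(Message("attacker", "bob", "ping", ""))
    result["replies_from_bob"] = len(net.sent_by("bob"))
    # 3. Mail from alice; bob wants carol to have it, so he asks alice to re-send.
    alice.transmitter.own_data["memo"] = "quarterly figures"
    alice.transmitter.send("bob", "mail", "quarterly figures")
    bob.request_forward(bob.receiver.inbox[-1], "carol")
    alice.handle_forward_requests()
    result["carol_mail"] = [(m.src, m.body) for m in carol.receiver.inbox]
    result["bob_sent_kinds"] = [m.kind for m in net.sent_by("bob")]
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The only message bob's ACE ever emits is the forward request; carol's copy of the mail comes from alice's green, the authoritative original, which is the point-to-multipoint distribution the text describes.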
The ACE would add layer 8 to the ISO / OSI layer model
The well-known ISO / OSI layer model of seven-layer network communication would be extended to eight layers using the ACE, as an ACE would represent a Layer 8 device, cf. Fig.2.
The term "Layer 7 device" or "Layer 3 device" for a network device results from the lowest level or layer of the ISO-OSI model on which the data circuit is closed for the first time. Looking at the ISO-OSI model from level 1 upwards and checking at which level the data circuit closes for the first time, this is the level that gives the device its "layer x" label. A router, e.g., closes the data circuit at level or layer 3, so it is a Layer 3 device. A repeater, on the other hand, is a Layer 1 device because it carries out signal amplification, i.e. it remains at the purely physical level.
The user himself would exercise control over the closing of the data circuit at the ACE, thus making the user the topmost layer on which the data circuit can be closed for the first time. Of course, in a conventional "client" computer, an SCE, the mouse, keyboard, etc. are also used by the user, and the operations in the protocol stack as described above are the same as they would be in an ACE, but the SCE can already have the data circuit closed on layer 7, i.e. act like a server. To put it bluntly, an SCE is therefore only a server used as a client.
So an SCE is not a real "endpoint" in a network, just a passing point. That is what makes it so insecure. Layer 8 would be absolutely necessary for the description of ACEs, or for the placement of ACEs in the ISO-OSI model, since the data circuit could only be closed by the user.
The following is the proposal for a graphical representation of an ISO-OSI layer model extended by Layer 8:
MD5: d66882d464d6a2c523d8c45c4b948343, SHA256: 3c2e1f9f30ed78f031976d1c8d2d2dd0a3d9dd2a104241ed812957ba929a0da1
File size: 7889043 Bytes
Fingerprint of Certificate: 92FA6FA30EF95B03346F57D8F4E66A3232C81156
Author: Heinrich T. Feuerbach, February 2019