1. Patent Search
  2. Details

DEVICES AND METHODS FOR OPERATING A COMPUTING SYSTEM COMPRISING A DATA RELAY

20220353188 · 2022-11-03

    Inventors

    Cpc classification

    International classification

    Abstract

    A computing system includes a computing device and an input data path connecting an interface device to the computing device. The input data path has at least two data relays and at least one buffer memory temporarily storing data. Each of the data relays has first and second terminals and a central terminal and selectively interconnects the first and central terminals or the second and central terminals and leaves the first and second terminals constantly separated from each other. The first terminal of a first relay is connected to the interface device, and the second terminal is connected to the computing device. The central terminal of the first data relay is connected to the buffer memory. The intermediate buffer memory is selectively connected by the first data relay solely to the interface device or the second terminal of the first data relay, but not to both simultaneously.

    Claims

    1-14. (canceled)

    15. A computing system, comprising: a computing device; an interface device; an input data path connecting said interface device to said computing device, said input data path having at least two data relays and at least one buffer memory for temporarily storing data each of said at least two data relays having respective first and second terminals and a respective central terminal, and each of said at least two data relays configured to selectively interconnect either said first terminal and said central terminal thereof or said second terminal and said central terminal thereof, and to leave said first and second terminals constantly disconnected from each other; said at least two data relays including a first data relay, said first terminal of said first data relay being connected to said interface device and said second terminal of said first data relay being connected to said computing device; and said central terminal of said first data relay being connected to said at least one buffer memory, and said at least one buffer memory being selectively connected by said first data relay exclusively to said interface device or to said second terminal of said first data relay, but not simultaneously to both of said interface device and said second terminal of said first data relay.

    16. The computing system according to claim 15, wherein said at least two data relays include a second data relay, and at least one intermediate computing device is connected to said first terminal of said second data relay.

    17. The computing system according to claim 16, wherein: said at least two data relays include one or more additional data relays; said second terminal of said first data relay is connected to said central terminal of said second data relay; said second terminal of said second data relay is directly connected to said computing device or is indirectly connected by said one or more additional data relays to said computing device; and said data relays are configured to enter a suitable relay position permitting a direct data access from said computing device to said buffer memory.

    18. The computing system according to claim 16, wherein: said at least two data relays include one or more additional data relays forming a relay cascade having said first data relay and a last data relay; said first terminal of said first data relay in said relay cascade is connected to said interface device and said second terminal of said last data relay in said relay cascade is connected to said computing device; and said second terminal and said central terminal in all of said data relays of said relay cascade configured to be interconnected to permit direct data access from said computing device to said buffer memory through said data relays.

    19. The computing system according to claim 18, which further comprises: intermediate computing devices each being associated with a respective one of two or more data relays of said relay cascade, said intermediate computing devices each being connected to said first terminal of said respective associated data relay; and each of said intermediate computing devices configured to check data stored by said interface device in said at least one buffer memory for forwarding to said computing device and, in turn, to issue an enable signal for a through-connection of said relay cascade when the check does not indicate a reason for obstruction.

    20. The computing system according to claim 19, which further comprises: a relay control unit for controlling said at least two data relays; and said relay control unit controlling said at least two data relays to permit direct data access from said computing device to said at least one buffer memory when at least one or all of said intermediate computing devices issue an enable signal to said relay control device for direct data access.

    21. The computing system according to claim 19, wherein: at least one of said intermediate computing devices is connected to said second terminal of said first data relay and said first terminal of said second data relay; an additional buffer memory is connected to said central terminal of said second data relay; and said at least one intermediate computing device checks data stored by said interface device in said at least one buffer memory connected to said first data relay for forwarding to said computing device and forwards the data to said additional buffer memory connected to said second data relay when the check does not indicate a reason for obstruction.

    22. The computing system according to claim 21, which further comprises: one or more additional data relays forming said relay cascade with said first and second data relays, said first terminal of said first data relay in said relay cascade being connected to said interface device and said second terminal of said last data relay in said relay cascade being connected to said computing device; said relay cascade including pairs of consecutive data relays, each relay pair having a frontal data relay and a rear data relay, as viewed in a cascade direction toward said computing device; and at least one or all of said relay pairs of said consecutive data relays each being associated with a respective one of said intermediate computing devices being connected to said first terminal of said frontal data relay of a respective relay pair and to said second terminal of said rear data relay of a respective relay pair, for checking the data stored in said at least one buffer memory connected to said rear data relay and for forwarding to said computing device, and forwarding the data to said at least one buffer memory connected to said frontal data relay when the check does not indicate a reason for obstruction.

    23. The computing system according to claim 19, which further comprises: an auxiliary relay; an auxiliary buffer memory; an auxiliary computing device connected to at least one of said intermediate computing devices through said auxiliary relay and said auxiliary buffer memory; said at least one intermediate computing device performing a preliminary check of the data stored in said at least one buffer memory connected to said associated data relay for forwarding to said computing device and sending a request concerning the stored data to an external central unit; said auxiliary computing device configured to store enable information in said auxiliary buffer memory through said auxiliary relay when a positive feedback signal indicating a usability of the stored data is received from the external central unit; and when the enable information is present in said auxiliary buffer memory, said at least one intermediate computing device issuing an enable signal for switching over said associated data relay or said second relay to allow a data flow in a direction of said computing device.

    24. The computing system according to claim 19, which further comprises: an auxiliary relay; an auxiliary buffer memory; a restart device associated with at least one of at least one of said intermediate computing devices or said interface device, said restart device being coupled to said at least one intermediate computing device or said interface device through said second data relay or said auxiliary relay and said auxiliary buffer memory; and said restart device configured for generating a boot file allowing said at least one intermediate computing device or said interface device to be restarted and to store the boot file in said auxiliary buffer memory.

    25. The computing system according to claim 15, wherein said first or said second terminal of at least one of said at least two data relays is unassigned.

    26. The computing system according to claim 19, wherein: at least one of said intermediate computing devices checks the data to be transmitted to said computing device by performing at least one checking step as follows: checking sequence numbers, or checking signatures, or forming and checking checksums, or checking an origin of the data on a cryptographic basis, or virus scanning, or verifying TANs.

    27. A railway technology system or signal tower or railway vehicle, comprising a computing system according to claim 15.

    28. A method for operating a computing system, the method comprising: connecting an input data path from an interface device to a computing device; routing data to be forwarded by the interface device toward the computing system over the input data path; providing the input data path with at least two data relays and at least one buffer memory for temporarily storing data; providing each of the at least two data relays with respective first and second terminals and a respective central terminal, and using each of the at least two data relays to selectively interconnect the first terminal and the central terminal thereof or the second terminal and the central terminal thereof and leave the first and second terminals thereof constantly disconnected from each other; connecting the first terminal of a first of the at least two data relays to the interface device and connecting the second terminal of the first data relay directly or indirectly to the computing device; connecting the central terminal of the first data relay to the at least one buffer memory, and using the first data relay to selectively connect the at least one buffer memory exclusively to the interface device or to the second terminal of the first data relay, but not to both the interface device and the second terminal of the first data relay simultaneously; and using at least the first data relay and the buffer memory connected to the first data relay to forward the data.

    Description

    [0030] The invention is explained in more detail in the following by means of exemplary embodiments; in the drawings, by way of example,

    [0031] FIG. 1 shows an exemplary embodiment of a computing system according to the invention, on the basis of which a first exemplary embodiment of a method according to the invention is explained,

    [0032] FIGS. 2-4 show other possible switching states of the data relays in the first exemplary embodiment,

    [0033] FIG. 5 shows another exemplary embodiment of a computing system according to the invention, on the basis of which a second exemplary embodiment of a method according to the invention is explained,

    [0034] FIG. 6 shows a different switching state of the data relays in the second exemplary embodiment according to FIG. 5,

    [0035] FIG. 7 shows an exemplary embodiment of a TAN check,

    [0036] FIG. 8 shows an exemplary embodiment of a computing system according to the invention in which an auxiliary computing device and an auxiliary buffer memory are assigned to an intermediate computing device,

    [0037] FIG. 9 shows an exemplary embodiment of a computing system according to the invention in which a restart device is assigned to an interface device, and

    [0038] FIG. 10 shows an exemplary embodiment of a computing system according to the invention in which at least two relays have unassigned terminals for simultaneously disconnecting the buffer memory from the interface device and the computing device.

    [0039] For the sake of clarity, the same reference signs are always used in the figures for identical or comparable elements.

    [0040] FIG. 1 shows an exemplary embodiment of a computing system 10, which can form part of a railway technology system, for example. The computing system 10 is equipped with a computing device 11 to which data D can be transmitted from an external data source 20. For this purpose, the computing system 10 comprises an interface device 12, which can communicate with the external data source 20, for example, via the internet or another communication network NET.

    [0041] An input data path 13 connects the interface device 12 to the computing device 11. The input data path 13 comprises a first data relay R1, a second data relay R2 and additional data relays R3 and R4, which form a relay cascade 14. Each data relay R1-R4 has a first terminal A1, a second terminal A2, and a central terminal A3. The data relays R1-R4 are each designed in such a way that they can either connect their first terminal A1 to the central terminal A3 or their second terminal A1 to the central terminal A3; the first and second terminals A1, A2 are constantly disconnected from each other.

    [0042] The first terminal A1 of the first data relay R1 is connected to the interface device 12, the second terminal A2 of the first data relay R1 is connected to the central terminal A3 of the second data relay R2. The central terminal A3 of the first data relay R1 is connected to a buffer memory ZS.

    [0043] The inner data relays R2-R3 of the relay cascade 14 are interconnected in such a way that the second terminal A2 of the upstream data relay in the relay cascade 14 is connected to the central terminal A3 of the downstream data relay in the relay cascade 14.

    [0044] The last data relay R4 in the relay cascade 14 is connected with its second terminal A2 to the computing device 11.

    [0045] FIG. 1 shows that direct data access from the computing device 11 to the buffer memory ZS is possible if the second terminal A2 is connected to the central terminal A3 in all data relays R1-R4 of the relay cascade 14.

    [0046] An intermediate computing device ZRE1-ZRE3 is connected to the first terminal A1 of the second data relay R2 and the additional data relays R3-R4 of the relay cascade 14. The task of each of the intermediate computing devices ZRE1-ZRE3 is to check the data D stored in the buffer memory ZS by the interface device 12 for forwarding to the computing device 11 and to issue an enable signal for the through-connection of the relay cascade 14 if the check does not indicate a reason for obstruction, or returns a positive test result. If a reason for obstruction is detected, a blocking signal for blocking the relay cascade 14 is generated instead.

    [0047] A relay control unit 16 is provided for controlling the data relays R of the relay cascade 14. The relay control unit 16 is connected to the intermediate computing devices ZRE1-ZRE3 via cables, not shown, and evaluates their test results. The relay control unit 16 controls the data relays in such a way that direct data access from the computing device 11 to the buffer memory ZS is possible only if all intermediate computing devices ZRE1-ZRE3 of the relay control unit 16 issue an enable signal for direct data access.

    [0048] For example, the arrangement according to FIG. 1 can be operated as follows:

    [0049] First, the relay control unit 16 sets the data relays R1-R4 of the relay cascade 14 to a defined initial state (see FIG. 1), in which the central terminal A3 is connected to the first terminal A1 in each case.

    [0050] If the interface device 12 receives data D from the external data source 20, it stores the data D in the buffer memory ZS. If data D has been saved, the interface device 12 notifies the relay control unit 16 of this.

    [0051] In subsequent steps the relay control unit 16 will change over the data relays R of the relay cascade 14 successively:

    [0052] In a first step, the first data relay R1 is switched over (see FIG. 2) and the buffer memory ZS is thus connected to the intermediate computing device ZRE1 (hereafter referred to as the first intermediate computing device ZRE1) connected to the first data relay R1. The first intermediate computing device ZRE1 checks the data D. If, from the point of view of the first intermediate computing device ZRE1, this data is suitable for forwarding to the computing device 11, it sends a corresponding enable signal to the relay control unit 16; otherwise, it sends a blocking signal.

    [0053] If an enable signal is received from the first intermediate computing device ZRE1, in a second step the relay control device 16 switches over the second data relay R2 (see FIG. 3) and thus connects the buffer memory ZS to the intermediate computing device ZRE2 (hereafter referred to as the second intermediate computing device ZRE2) connected to the second data relay R2. Now the second intermediate computing device ZRE2 checks the data D. If, from the point of view of the second intermediate computing device ZRE2, this data is suitable for forwarding to the computing device 11, the device sends a corresponding enable signal to the relay control unit 16; otherwise, it sends a blocking signal.

    [0054] The third data relay R3 of the relay cascade 14 is then switched over in a similar manner, so that the third intermediate computing device ZRE3 can check the data D in the buffer memory ZS.

    [0055] If an enable signal is present from all intermediate computing devices ZRE1-ZRE3, the last data relay R4 of the relay cascade 14 is switched over and thus the computing device 11 is allowed access to the data D in the buffer memory ZS. This switching state of the relay cascade 14 is shown in FIG. 4. For example, the computing device 11 can copy the data D into its own memory 11a.

    [0056] The intermediate computing devices ZRE1-ZRE3 can also send their check results to a higher-level diagnostic device 17, to which they are connected, preferably via a data diode 18 in each case.

    [0057] In the exemplary embodiment according to FIGS. 1 to 4, the relay cascade 14 is used to connect the computing device 11 directly to the buffer memory ZS if the check of the data D by the intermediate computing devices ZRE1-ZRE3 returned a positive result.

    [0058] FIG. 5 shows another exemplary embodiment. In the exemplary embodiment according to FIG. 5, a buffer memory ZS1, ZS2, ZS3 is connected to the central terminals A3 of each data relay R1, R2, R3.

    [0059] Each pair of consecutive data relays R1, R2, R3 of the relay cascade 14 is assigned an intermediate computing device ZRE1, ZRE2, which is connected to the first terminal A1 of the frontal data relay of the respective relay pair—viewed in the cascade direction K toward the computing device 11—and to the second terminal A2 of the rear data relay of the respective relay pair—viewed in the cascade direction toward the computing device 11.

    [0060] Each intermediate computing device ZRE1, ZRE2 checks the data D stored in the buffer memory ZS1, ZS2 connected to the rear data relay. If the check shows that data D is suitable for forwarding to the computing device 11, it stores the data D in the buffer memory ZS2, ZS3 connected to the frontal data relay.

    [0061] FIG. 5 shows a switching state in which the first intermediate computing device ZRE1 checks the data D stored in the first buffer memory ZS1 and—if the check result is positive—stores it in the second buffer memory ZS2.

    [0062] FIG. 6 shows the next switching state. In the next switching state, the second intermediate computing device ZRE2 checks the data D stored in the second buffer memory ZS2 and stores it—if the check result is positive—in the third buffer memory ZS3.

    [0063] If the third relay R3 is then switched over, the computing device 11 can access the data D.

    [0064] FIG. 7 shows an exemplary embodiment of a computing system 10 with an intermediate computing device ZRE that can perform a TAN test step. The TAN test step examines whether data D contains a TAN sequence number that is expected or is valid according to a predefined TAN list 100. If the data D has the correct TAN sequence number or a valid TAN sequence number according to the TAN list 100, the TAN test step is considered to have been passed and further test steps are carried out if necessary. Otherwise, the data check is considered not to be passed and forwarding of the data D to the computing device 11 is blocked.

    [0065] A corresponding TAN test step can also be carried out by the intermediate computing devices in the computing systems according to FIGS. 1 to 6 and 8 to 10.

    [0066] FIG. 8 shows an exemplary embodiment of a computing system 10 with an intermediate computing device ZRE to which an auxiliary computing device HRE is assigned. The intermediate computing device ZRE is connected to the auxiliary computing device HRE via an auxiliary relay HR and an auxiliary buffer memory HS.

    [0067] The intermediate computing device ZRE performs a preliminary check of the data D stored in the buffer memory ZS by the interface device 12 for forwarding to the computing device 11. The preliminary check may include, for example, checking the origin of the data D by means of certificates or the integrity of the data D by means of a checksum test.

    [0068] If the data D is suitable for forwarding to the computing device 11 from the point of view of the intermediate computing device ZRE, it sends a request Sa concerning the stored data D to an external central unit 30 via a data diode 301 and an interface module 302.

    [0069] In turn, the external central unit 30 then checks the usability of the data D and—if the check result is positive—sends a positive feedback signal Sr indicating the usability of the stored data D to the auxiliary computing device HRE. The checking of the external central unit 30 can include, for example, checking whether certificates are valid or not.

    [0070] After receiving the feedback signal from the external central unit, the auxiliary computing device HRE stores enable information I in the auxiliary buffer memory HS via the auxiliary relay HR. If the enable information I is present in the auxiliary buffer memory HS, the intermediate computing device ZRE issues an enable signal for switching over the assigned second data relay R2 to allow a data flow in the direction of the computing device 11.

    [0071] If the intermediate computing device ZRE is enabled, the relay control unit 16 switches over the second data relay R2 so that the computing device 11 can access the buffer memory ZS, as was explained above by way of example in connection with FIGS. 1 to 7.

    [0072] As an aside, corresponding auxiliary relays HR and auxiliary buffer memories HS can be assigned to the intermediate computing devices ZRE of the computing systems according to FIGS. 1 to 7 and 9 to 10.

    [0073] FIG. 9 shows an exemplary embodiment of a computing system 10 in which the interface device 12 is equipped with a reboot function. For this purpose, the interface device 12 is assigned a restart device 121 which is connected to the interface device 12 via an auxiliary relay HR and an auxiliary buffer memory HS. The auxiliary relay HR here forms a second relay R2 of the computing system 10. The restart device 121 is designed to generate a boot file SD that allows the interface device 12 to be restarted and to store this file in the auxiliary buffer memory HS. To generate the boot file, the restart device 121 can access software stored in a memory 121a, for example.

    [0074] The boot file SD allows the interface device 12 to be restarted if it is unable to operate or no longer operate reliably, due to an external attack using malicious data D, for example.

    [0075] Corresponding restart devices 121, auxiliary relays HR and auxiliary buffer memories HS can also be assigned to the intermediate computing devices ZRE in the computing systems according to FIGS. 1 to 8 and 10.

    [0076] FIG. 10 shows an exemplary embodiment of a computing system 10 in which two data relays form isolating relays Rt. In the two isolation relays Rt, the first terminal A1 is not assigned. The isolating relays Rt enable a switching position of the relay cascade 14, in which the buffer memory ZS is neither connected to the computing device 11 nor to the interface device 12.

    [0077] The exemplary embodiments described above based on FIGS. 1 to 10 can have the following features or advantages, given as bullet points, either individually or in combination: [0078] The (internal) intermediate computing devices preferably check the data D and generate a message externally via a diagnostic channel in the event of abnormalities/discrepancies. After a positive test result, the data D can be left on the data carrier and a check trace of the intermediate computing device can be left on the data carrier. [0079] The intermediate computing devices are preferably not directly accessible either from outside or from the internet or an internal network and therefore preferably cannot be modified or manipulated. This ensures that functions that have already been demonstrated to be present will continue to perform their task in the future. An external attack on the intermediate computing devices (internal computers) is thus made more difficult. [0080] The internal intermediate computing devices can check the data on the data carrier for, e.g., integrity, freedom from viruses, authenticity, file name structure, . . . , etc. It is also possible to filter out data that is only intended for a specific technical system. This data can be recognized by a separate indicator/feature in the data itself. [0081] Each computer, in particular each intermediate computing device, preferably leaves an entry or a check trace about the successful check on the data carrier, so that subsequent computers can view the results, e.g. whether a check of a particular computer has taken place. This trace can also be checked by the final system computer at the end of the chain and it can be determined whether all computers involved have been included in the check. [0082] A combination of different methods can be used. Depending on the assessment of security and robustness, it is also possible to use only one method. The tasks should preferably be carried out by different computers. However, it is also possible to carry out the above-mentioned functions consecutively on a computer. [0083] The integrity can be verified by using various checking methods and checksums, e.g. MD4, MD5, SHA1, etc. The test values are preferably prepared in advance by the data supplier and are transferred to the computing system during uploading. When determining the checksums, a secret (salt) can additionally be used, which is known only to the authorized data transmitter and the checking computer. One or more checking methods can be used for a configuration. If there is data on the data carrier that do not have the correct checksums, they are preferably deleted. In a particularly strict implementation, all the data D on the data carrier could be deleted. In the event of abnormalities, this action is preferably transmitted externally via a diagnostic channel (e.g. DataDiode DCU Data Capture Unit). This can be used outside of the method to detect the fact that abnormalities have occurred here. [0084] By the data being cryptographically signed by the data transmitter (submitter), an internal computer can check whether the data has been signed by the authorized person before the data is passed on or forwarded. The corresponding cryptographic keys are preferably also configured during the configuration of the device. Here again, data that has not been properly signed could be deleted. [0085] A further method can check the data transmitted on the data carrier for freedom from viruses and malware, and in case of abnormalities only delete the data or the entire data carrier and report the abnormality via the diagnostic channel. [0086] It is also possible to supply and set up computers with new boot images. For this purpose, the boot data carrier with the boot image for the computer is preferably decoupled after a power-off or shutdown, e.g. by a control computer, and coupled to a deployment computer. This deployment computer can, for example, format the data carrier after it has been mounted and install a fresh boot image on the computer, e.g. under Unix using the command sudo dd if=fresch_boot_iso_image.iso of=/dev/sdx bs=1M && sync. [0087] A deployment computer can hold different versions of images and provide a different boot image if necessary. After the successful installation of the new boot image, the boot data carrier is preferably reconnected to the original computer and this computer is rebooted. This causes the computer to receive a new task or return to its original state. If, for example, traces of an attack, e.g. extra user accounts, had been previously present due to attacks, these will no longer be available. If the fresh boot image has been updated to the deployment computer by a local software update, improvements can also be made to the configuration, e.g. of the operating system. It is also possible to use a plurality of data carriers at the same time. [0088] In the examples of variants described above, for example, only one data record D is transferred from one computer to the next. This procedure can be extended to n data records and n data carriers. For example, two input and two output data carriers can be used per computer. The data can then be copied from the input data carrier to the output data carrier after successful tests or checking steps. After disconnecting, the data carrier is preferably returned, which means the turnaround times can be optimized. [0089] In a single-computer configuration for a data carrier lock, only one internal computer is used. This preferably starts with different boot images which are transferred to it one after the other by a control computer and a deployment computer. For example, the internal computer boots first with the virus scanner program and terminates after a successful check. The boot image is then preferably reconfigured by the deployment server and the internal computer is rebooted, in this case, for example, with checksum test routines. This sequence is repeated as often as necessary until all the different tasks of the internal computers have been processed. [0090] More complex variants can be created using diverse inputs, routes with diverse filters and a subsequent merging operation. For example, parts of data across different input chains can be merged by a merge computer. [0091] For example, using a separate system-specific TAN sequence number for uploads, data can only be imported if the internal TAN matches the TAN provided by external sources. Used TANs are preferably removed from the list and no longer used. [0092] Using an additional construct it is possible to extend the method to include a two-factor authentication. In this case, an internal computer preferably sends a request via a data diode to an external (possibly cloud) verification computer in order to enable an external verification. For this purpose, the entire test object or a hash value can be transferred to the verification computer. This verification computer can generate a further checksum or signature for the test object. The result of the second external verification by the verification computer is then preferably transferred back to the internal computer. The data is only transferred to the next computer if the verification computer's response matches the expected response. In this case, inter alia, a kind of 2FA-method similar to Google could be used. [0093] The checks carried out by the various computers can be logged by the internal computers, cryptographically signed and transferred to the successor computer. This creates a kind of test trace over the course of the test chain. Each computer of a trace leaves its signature on the data carrier for the checks that produced a positive result. A corresponding signature for abnormalities is also possible. A configuration can be used to determine in advance which computers are to be included consecutively in the check. As a result, the last internal computer can use the configuration of the trace and the information to determine whether all the relevant computers of the trace were integrated and have left behind their signatures. [0094] Should it be necessary for the data carriers to remain in a “neutral” position between switching over two computers, the circuit can be designed accordingly. [0095] The interface device, which is formed, for example, by an external internet-enabled computer, can—as described above—be restored to its original state or rebooted. [0096] Updating of the computers, in particular the other external computer, is also very easily possible due to the distributed architecture. [0097] In the described methods, a complete protocol breach can be achieved during data transmission. [0098] It is possible that only one computer is ever connected to a data carrier at a time; thus, a clean decoupling of the data carrier can be carried out. [0099] The internal computers can even be very simple and small computers.

    [0100] Although the invention has been illustrated and described in detail by means of preferred exemplary embodiments, the invention is not restricted by the examples disclosed and other variations can be derived therefrom by the person skilled in the art without departing from the scope of protection of the invention.