U.S. Navy Patents Firewall

At least, that's what it sounds like to me:

In a communication system having a plurality of networks, a method of achieving network separation between first and second networks is described. First and second networks with respective first and second degrees of trust are defined, the first degree of trust being higher than the second degree of trust. Communication between the first and second networks is enabled via a network interface system having a protocol stack, the protocol stack implemented by the network interface system in an application layer. Data communication from the second network to the first network is enabled while data communication from the first network to the second network is minimized.

Posted on July 7, 2006 at 7:06 AM • 35 Comments

Comments

PeteJuly 7, 2006 7:45 AM

I believe this is somewhat related to the NRL Pump:

"The NRL Pump forwards messages from a low-level system to a high-level
system and monitors the timing of acknowledgments from the high system
to minimize leaks. It is the keystone to a proposed architecture that uses
specialized high-assurance devices to separate data at different security levels."

See one example...http://chacs.nrl.navy.mil/publications/CHACS/1998/1998kang-IEEE.pdf

Brough TurnerJuly 7, 2006 7:48 AM

The typical strategy is applying for a patent is to make a series of claims moving from very general to more specific. Then you wait and see what you get away with. Given an application number or a publication number, you can see the entire record of "prosecution" of a patent applications, i.e. everything that has happened to date, by looking it up here:
http://portal.uspto.gov/external/portal/pair

For this patent application, it appears that some very specific claims have been granted -- look here:
http://tinyurl.com/zc83g
under "claims" on 03-07-2006.

The US patent process is certainly broken, but not quite this broken.

AnonymousJuly 7, 2006 8:30 AM

This is almost definetly a machine to sit between two physically separate networks, i.e. one network for say, unclassified work and another network for classified usage.

This would allow someone on an unclassified network to email to they higher network, but not vice versa.

David in ChicagoJuly 7, 2006 8:31 AM

IANAL, but I thought that the U.S. government couldn't own IP rights of any kind (except, I suppose, "trade" secrets). How does the Navy get a patent? Or does a private citizen have a patent that's licensed to the Navy?

Chase VentersJuly 7, 2006 9:08 AM

@David

Right? They're wasting my taxpayer dollars on this instead of finding Osama?

NealJuly 7, 2006 9:18 AM

They're not wasting your money. If they're granted a patent then they can do what every other patent troll does - sue everyone else for big bucks... or at the very least they can implement firewalls without some other patent troll suing them(us) for big bucks.

ckelsoJuly 7, 2006 9:24 AM

@David

While you would think the government couldn't own copyright or patent property, it can. In fact, The CIA owns the rights to the 1954 film of Orwell's animal farm since it commissioned the work. Despite the fact that it is a public entity, the film is not in the public domain.

MJBJuly 7, 2006 9:32 AM

I think it's probably an attempt to address the real problem they have of getting unclassified data onto a classified network in realtime. There's a lot of really good data on unclassified networks. I look forward to seeing more specific claims.

Marcus RanumJuly 7, 2006 9:57 AM

What's interesting is that every "cross domain solution" or guard that's in use within the DOD(army, navy, air force, marines) and intelligence community - pretty much matches this description. And many have been certified and in place for years and years.

A recent case I heard of introduced me to the technique known as "examiner stuffing." Basically, the way it works is this: when you apply for a patent you send along a truckload of documentation including documentation that describes all the prior art you can find. So, in this example, you'd include DEC SEAL, Firewall Toolkit, Raptor Eagle, ANS Interlock, Harris Cyberguard, etc, etc -- all the proxy firewalls and cross domain solutions you could get your hands on. The patent examiner recieves, as exhibits, this gigantic load of materials that he is supposed to review. Since examiners are evaluated on how many patent actions they perform a week(*) they can't take the 6 months to read everything and basically log it as "read" and containing no invalidating prior art. That way, when the patent is issued, and someone is trying to defend against it, they go to present invalidating prior art and discover that the examiner (supposedly) already reviewed that prior art and (supposedly) determined it was not invalidating. The doctrine of patent examiner infallability kicks in and the person defending against the patent has to find new prior art that was not already disclosed. Cute, huh? Note that none of this has anything to do with producing sensible patents, it's all just clever games invented by clever lawyers.

mjr.
(* - since examiners are rated on how many "actions" they perform, the first "action" they will take with most patents is to bounce them back a few times, because sending it back with a query for more information only takes them a few minutes. I get this information from my buddy Mike the patent attorney.)

TeanerTinerJuly 7, 2006 10:29 AM

Bruce, I'm disappointed with the over the top tone here. Anyone with any experience in the classified information area of the DoD knows that this is not a firewall, but a method to exchange information between networks of different classification levels. It is a very important and non-trivial issue.

cmdJuly 7, 2006 10:39 AM

--MARCUS--
Patent examiners are *not* infallible - and courts exercising appellate jurisdiction over patents can and will overturn a *valid* patent. There is a presumption of validity which a challenger [either through an intervention or as a defense to an infringement claim, for example] must overcome, but the Federal Circuit can and will review prior art references _de novo_ if need be. Additionally, if there's a suspicion on the part of the challenging party that Mr. Examiner was not diligent [i.e., negligent] per the guidelines of the PTO, they can certainly present such evidence to the court. In some cases, the examiner may be called to testify--on cross, when asked "did you thoroughly review every document of prior art disclosure for this patent application?" the examiner has two choices: LIE UNDER OATH or cop to his laziness.

cmd

Richard BraakmanJuly 7, 2006 10:50 AM

@Anonymous

"This is almost definetly a machine to sit between two physically separate networks, i.e. one network for say, unclassified work and another network for classified usage."

If a machine "sits between" two networks, and routes data between them, then the networks are not physically separate :)

dragonfrogJuly 7, 2006 11:35 AM

I think the interesting and new part comes in around claims 6 or 7 - it's a whole set of countermeasures against covert channels based on timings between acknowledgements. The rate at which ACKs go to the low-trust network is randomized, based on a moving average of the rate at which ACKs arrive from the high-trust network.

There's also a bunch of stuff about having multiple processors that are tied down to only one interface, and that communicate via IPC - presumably so that an attacker on the high-trust network can't attempt to bog down a processor and produce delays that would be observable on the low-trust network.

dhasenanJuly 7, 2006 11:51 AM

Neal:

Nobody can sue anyone else over patent violation when the violation in question is to fulfill a government contract, as I recall. Lockheed Martin, for instance, has the keys to the patent office when creating planes of the DoD. So the US government is immune to patent trolls.

As for the patent, it doesn't list the US Navy as the patent holder; it lists several researchers at a naval research lab as the applicants. There's no doubt that the Navy is going to be the primary beneficiary of the patent, but the Navy didn't personally apply for it.

Looking only at the claims, there's nothing, or at least very little, that's novel. The closest it comes is having two processors with shared memory and unshared memory to handle both sides of the network, rather than using sockets or the like. Still, it's simply the next most obvious solution to the problem rather than the most obvious.

The description of the system gives more detail, though if I had thought of the problem, I'd have probably given that solution. The diagrams might provide more information (I don't have Quicktime here), but I doubt it.

Geoff LaneJuly 7, 2006 12:06 PM

Movie terrorist threat plot becomes real(ish)

http://news.bbc.co.uk/1/hi/world/americas/...

"US authorities say they have disrupted the early stages of a plot to attack New York City's mass transit system.

The alleged plot was discovered during routine monitoring of internet chatrooms used by extremist groups. "

RudyJuly 7, 2006 12:35 PM

...so this looks like is could be the Navy's version of an anti-Submarine Patent

VanceJuly 7, 2006 4:05 PM

@all those who wonder if the US Government (USG) can own copyrights/patents

Works created by the USG cannot be copyrighted, but it can receive the copyright to works created by others (17 USC 105, http://caselaw.lp.findlaw.com/casecode/uscodes/...

The USG may apply for and receive patents (35 USC 207, http://caselaw.lp.findlaw.com/casecode/uscodes/... There is also a process known as Statutory Invention Registration (35 USC 157, http://caselaw.lp.findlaw.com/casecode/uscodes/... which publicizes the invention but does not give the right to sue for infringement.

Statutory Invention Registration is not very popular. I ran a search on the USPTO web site for utility patents and SIRs assigned to "The United States of America..." for the past five years. It found 4242 utility patents and 68 SIRs.

me firstJuly 7, 2006 4:23 PM

NRL is the corporate research laboratory for the Navy and Marine Corps. It is a for profit, only the government is paying them with your tax dollars. I have a friend that works there and he tells me of horror stories of how much money they waste.

BogtrotterJuly 7, 2006 5:00 PM

Firewall? Nah. It's a multilevel security system low-to-high guard, enhanced with a limited capability to receipt for files.

New technology? Nope. See http://www.sei.cmu.edu/str/descriptions/... written in 1997. As in JL's posting, it's based on the NRL Pump, which has been in the works for ten years. Stanley Chinchek presented a paper on it at the ACACS conference last December.
bt

TankJuly 7, 2006 5:18 PM

Right? They're wasting my taxpayer dollars on this instead of finding Osama?
Posted by: Chase Venters at July 7, 2006 09:08 AM

Yeah we wouldn't want the Navy to be distracted from their important role in the war on terror. They've got cards to play and tropical islands to recon.

foxyshadisJuly 7, 2006 7:39 PM

No matter what its specific purpose is, it's still a fairly specific form of firewall, although it's a little different from "normal" network firewalls, so Bruce's title is still correct. ;)

What bothers me is all the effort and money spent on flashy hardware that can defend against extremely fine-grained timing attacks, when time and again major government systems are compromised in much more mundane ways - insider attacks, insider incompetence, bad regulations, social engineering, lack of encryption, microsoft flaws (and others), script kiddies, even the random DDoS.

G MarkJuly 7, 2006 8:25 PM

I used to work at NRL - it is a subset of the Office of Naval Research (ONR), whose primary mission is to sponsor research that benefits the Navy. ONR is run by a 2-star admiral (http://www.navy.mil/navydata/bios/navybio.asp?bioID=172) and has lots of Ph.Ds working for them. ONR basically regenerated the European post-WW II scientific community, and is very highly regarded on the other side of the pond.

I think the question here isn't if your taxpayer money is going to patent whores, but rather if research that is sponsored (i.e., paid) for by the government can produce a deliverable that belongs to the government. Umm, that seems pretty straightforward.

Most scientists who work for organizations that invent things have an employment agreement that covers inventions - in exchange for a regular salary, they get credit for what they invent, but the rights to it go to the organization.

You never patent something to hide it, since the application has to describe exactly how it works. Rather, you fully describe it because you want to retain the legal rights on how your invention is deployed.

So, tempest in a teapot here, IMHO.

Check out http://www.acsa-admin.org/2005/papers/Kang.pdf for more details.

TwanJuly 8, 2006 5:12 AM

Why shouldn't the Navy not be interested in "Submarine"-patents?

A little bit late though
;-)

sidelobeJuly 8, 2006 11:40 AM

I truly hope that this thing actually works, that they've solved part of the Multi-Level Security puzzle. Seems to me that in addition to the Dept of Defense, the IRS should make use of it.

Craig HandJuly 8, 2006 2:55 PM

A couple of months ago, I came across a "similar" type of patent. Unfortunately, I cannot find the link.

As I recall, it was a patent filed by Citibank employees, basically patenting an e-commerce infrastructure.

What a crazy time we live in!

AnonymousJuly 8, 2006 6:04 PM

@GMark:

``You never patent something to hide it, since the application has to describe exactly how it works. Rather, you fully describe it because you want to retain the legal rights on how your invention is deployed.''

Actually, patents should be as vague as possible and as general as possible. The inventor can then retain the most efficient implementation as a trade secret and still benefit from the patent's protection.

You know, the NSA has some interesting patents too. As a matter of public policy, does it make sense to have the government patenting things using public dollars? I'm not really sure, I'm not an economics/polisci major, but I do know that the patent process (and IP law in general) has the public good as its ultimate purpose, ostensibly. In this age of eternal copyright on the installment plan (viz. M-I-C-K-E-Y), it's clear that this purpose has been forgotten somewhat.

I am of the opinion that the objective of government should not be "to maximize profits/revenue", which seems to be a predicate of supporting the aforementioned policy. And while we're on it, why the heck does government issue bonds? It doesn't turn a profit like corporations do, so modulo inflation, you're deeper in the hole than when you started. How is this good for the taxpayer again?

Brugte bilerJuly 9, 2006 4:53 AM

Actually, patents should be as vague as possible and as general as possible. The inventor can then retain the most efficient implementation as a trade secret and still benefit from the patent's protection.

You know, the NSA has some interesting patents too. As a matter of public policy, does it make sense to have the government patenting things using public dollars? I'm not really sure, I'm not an economics/polisci major, but I do know that the patent process (and IP law in general) has the public good as its ultimate purpose, ostensibly. In this age of eternal copyright on the installment plan it's clear that this purpose has been forgotten somewhat.

NateJuly 10, 2006 12:17 PM

Obviously this doenst work that well, seeing that there was a recent breach exposing over 100,000 identites. Is it difficult to understand how we would remain so vulnerable even after the VA incident. Makes no sense to me why the government doesn't continue to set standards on security like it did with laptops.
http://www.essentialsecurity.com/Documents/...

Leonard J HolminAugust 18, 2007 8:12 PM

But if a government contractor claims priority to an invention for government use, then wouldn't it be un-Constitutional to seize that invention from a third party without compensation? It's hard to argue with the government's priority if there is a defense application of the invention. It's the use of national security law to steal patents that is the question. I believe that is exactly what they have been doing.

Nick PJune 2, 2013 12:40 AM

"It's basically a data diode. See link."

It's a NRL Pump as previous people have stated. I've mentioned it in other posts before because it's a nice design for what it's intended to do. Anyone interested in where that research went might find this paper interesting.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..