Using Arduino to create a hardware RAM drive

I have a project where I need to transfer about 1mb of data from Computer1 to Computer2 regular intervals. Computer2 has no network connection whatsoever, and so the data has to be transferred by some other means than a network connection.

The initial idea was to use an external hardware RAM drive (similar to this ACARD product: http://www.acard.com/english/fb01-product.jsp?idno_no=270&prod_no=ANS-9010&type1_idno=5&ino=28): The RAM drive would be externally powered. Data from Computer1 would be transferred to the drive. The data connection from Computer1 to the drive would be unplugged. A data connection from the drive to Computer2 would be established, and the data could be transferred to Computer2. To prevent any data leakage back from Computer2, power to the RAM drive would be cut for a few seconds after the data was transferred. Then the cycle could repeat. Because RAM is volatile, it would be very easy to keep Computer2 isolated.

The ACARD product mentioned clearly has excessive capacity for this application—it can store gigabytes of data, and I only need to transfer about 1mb. I was thinking perhaps I could use Arduino to build a similar piece of hardware with much less storage.

An approach that might work using Arduino could be this: Build an Arduino device with external RAM module. Connect Computer1 to the Arduino device using network cable. Data could then be transferred from Computer1 to the external Arduino RAM. The external Arduino RAM module would get its power externally and could be disconnected from the Arduino with a switch. While still connected to power, the external Arduino RAM module could be plugged into Computer2 (using USB?) and the data would be transferred.

After breifly looking through the specifications of several Arduino boards, it appears that the following may be required to increase the memory to 1mb: http://majolsurf.net/wordpress/?p=1899

I know very little of Arduino, and was wondering if any forum members could see this as a feasible objective.

you could use an Arduino with an External I2C EEPROM as storage, but why not use an SD card?
There are several shields that support SD cards.

If computer 1 can write to SDCard you just need to insert the SD card to the Arduino which is permannently connected to computer 2.
After insertion trigger the transfer process.

my 2 cents..

Seems a $2.00 card reader in each computer would solve your problem. If you are worried about bad stuff getting back to computer number one, set up a one way parallel port on it and then receive data on a two way parallel port on computer number two. I guess you coudl use an Arduino to blink a light when it sees data so this can be an Arduino project. Larry

robtillaart,

Thank you for the response. I would prefer to store the data to volatile memory, because as soon as power is disconnected, any data will be lost. This will ensure that no data leakage from Computer2 occurs. To ensure the same with any non-volatile memory would require scrubbing the drive, which will be too time consuming.

trotterlg,

This is an idea that I had not thought of... I will have to give it some thought.

Computer1 receives data over the internet and I have to transfer that data to Computer2. Data must not flow back from Computer2 to Computer1. In other words, it has to be one way traffic into Computer2, with nothing (no data, no file information, etc.) flowing back to Computer1--absolutely nothing.

With this in mind, would the one way parallel port connecting the computers prevent malware from getting data from Computer2?

Yes, a parallel port can be set up to be one way (send only) or bi directional, so you could send data from the one way port to the computer with the bi-directional port. but not the other way around. You set the parallel port type in the BIOS. Larry

Larry,

Thanks for the confirmation. I'm going look into this in some detail over the next day or so.

What about using an Arduino as an intermediary that is connected to the two PCs by two separate USB connections (perhaps use an FTDI cable for one of the connections). A Mega with multiple USARTs would be best but you could use SoftwareSerial on an Uno.

PC "A" sends data to the Arduino and the Arduino immediately echoes the bytes to PC "B". Because the Arduino isn't programmed to receive data from PC "B" it acts like a data diode.

...R

This was discussed - amongst many other things - on Steve Gibson's "Security now" show (some time ago, in respect of the Iranian centrifuges and SCADA).

The involvement of RAM drives or such is an unnecessary complication. Clearly all you need, is a one-way serial link, which is easily arranged - two wires. If you want even more compete electrical isolation use a fibre link.

Yes, if you do not have RS-232 serial ports, you just connect two USB to TTL converters together - in one direction.

The only concern here is handshaking - it may be appropriate to pass the RTS/ CTS connection back from the second computer, but an intermediate Arduino offers no advantage here.

The only concern here is handshaking - it may be appropriate to pass the RTS/ CTS connection back from the second computer, but an intermediate Arduino offers no advantage here.

it is in there for the sniffing

The comments made by Paul and Robtillaart suggest that handshaking occurs even in a one way serial link.

--Is it indeed true that handshaking occurs in a one way link?

--Is there any way to avoid handshaking?

If handshaking does occur, there would be some possibility of data flowing from Computer2 to Computer1—in which case, the Arduino diode suggested by Robin may be a more complete method of isolating Computer2 from Computer1.

For the Arduino diode approach to work, it seems that two small programs would have to be written: One hosted on Computer1 that initiates the transfer to the Arduino, and a separate program hosted on Computer2 to instruct Computer2 what to do with this unrequested information.

Am I correct in assuming that a two program approach will be required to ensure absolute security? It seems on the surface that such a program would be relatively simple. To simplify matters further, perhaps an instruction could occur in the Arduino that would define the specific destination folder in Computer2.

Does anyone see a super easy programming approach that would enable the Arduino to echo the data from Computer1 to Computer2?

A1000:
I have a project where I need to transfer about 1mb of data from Computer1 to Computer2 regular intervals. Computer2 has no network connection whatsoever, and so the data has to be transferred by some other means than a network connection.

If you only want to send the data from Computer1 to Computer2 and want to ensure there is no possible return path, you could just use a unidirectional communication mechanism. For example you could use a simplex async serial connection. Although a conventional RS232 connection includes provision for hardware flow control (which constitutes a return path of sorts, although I don't see how you could ever turn that into a security vulnerability) this is optional and you can establish comms without any signals apart from the single one-way data line, and ground. If you want to avoid having any possible electrical connection between the two machines (I'm not sure what you would be protecting against in this case) then you could use an optical isolator.

I don't get it. Is this "no return path" requirement because the computers are owned by a party that is unwilling to allow a bidirectional protocol?

E.g., are you trying to copy between unclassified and classified computer systems? If so, your home-brew device is probably unacceptable just by its nature as an uncertified appliance. You're more than likely going to have to prove the device, not just say "it's one-way only, trust me!"

If this is a self-imposed restriction so you can browse unsavory websites without your girlfriend finding out, well then you're barking up the wrong tree worrying about handshaking. It's a method of saying "yes, send more data" and "hold please", nothing more. If you're in control of the software (at either end, or in the middle if you really do end up needing or using an Arduino for this), then you determine what can flow each way. RTS/CTS and Xon/Xoff do not present a viable method for malicious software to sneak across your custom sneakernet box.

If you're not dead-set on using an Arduino, an RS-232 cable and something that speaks Zmodem on each end would be perfectly adequate. That isn't a transfer mechanism that has a particularly broad appeal to virus writers these days...

--Is there any way to avoid handshaking?

Yes. In this tempest configuration, is the "red" PC equipped with a keyboard, that is "active" USB keyboard enumeration? If so, keyboard HID can offer an unhackable one-way data path.

HID with Arduino is very easy since rancidbacon has the bulk of everything in a library. Here is an example where I dump all analog and all digital pins into Excel: http://forum.arduino.cc/index.php?topic=135623.msg1027748#msg1027748

In practice, data would be transferred to the Arduino serially and the Arduino would act as a serial-to-HID_keyboard converter. What the destination PC does is irrevalent... Spool it to a file, accept it character a by a character in the application, etc.

The Arduino 328 DOES NOT need (and should not use) a bootloader. ISP programs it.

The configuration and solution, IMO, would still require security vetting. A listerner running on Computer2 could provide logging of USB port stats: time, characters, etc.

Ray

Having accidentally hit "back" and had my extensive submission trashed by the vagary of this forum system (OK, I should have written it in a proper word processor, shouldn't I?), I will for the present summarise briefly:

No reason has been put forward which indicates that the complexity of involving an Arduino would improve on simply implementing a one-way serial link over two wire RS-232 or in the absence of serial ports, a pair of USB to TTL converters or if longer cables are needed, a pair of stock USB to serial converters connected by two wires.

Thanks everyone for responding to my questions. I am really grateful for the input and think that I am beginning to see a way forward in this project.

I found some wiring diagrams at RS232 connector pin assignment that seem clarify matters for me. This site has wiring diagrams for DB9 connectors, DB25 connectors, and a DEC MMJ connector.

Is a DEC MMJ the type of connector used on a USB to TTL cable such as this one at Amazon (http://www.amazon.co.uk/UART-CP2102-Module-Serial-Converter/dp/B00AFRXKFU/)?

If I wanted to create a one way connection using two of the above USB to TTL modules, would I connect the wires as follows?

USB Module plugged into Computer1 USB Module plugged into Computer1
TX- Transmit Data <-------> RX + Receive Data
TX+ Transmit Data Ground <-------> RX – Receive Data Ground

Could I also do it this way, plugging directly into the DB9 port on Computer2?

USB Module plugged into Computer1 DB9 port on Computer2
TX- Transmit Data <-------> Receive Data Pin 2
TX+ Transmit Data Ground <-------> Signal Ground Pin 5

SirNickity mentioned using Zmodem to transfer the data. I was going to ask for a link for reliable info on Zmodem until I stumbled across the website of the company that developed it. Is there other software out there that I should look into?

Ray-- I found your suggestion quite intriguing. Computer2 (red) has a USB keyboard, but what do you mean by “active” enumeration? I thought that enumeration only occurred when a USB device was initially plugged in. Physically, how would data enter Compter2 using this HID approach?

Paul-- In researching this project, I came across some really high end data diodes. If one-way data transfer using a serial connection is so effective (not to mention low cost), what are high end data diode companies really offering with one-way transfer diodes that cost thousands of dollars a piece? Taking this further, could a one-way serial connection concievably be breachable? I must admit that I know next to nothing in this field, and perhaps therefore my skepticism could in some small measure be justified, but if you could explain why a one-way serial connection would be adequate, I would be most receptive the idea.

Putting an Arduino in the middle introduces a some complexity, but as an novice, I view it as putting a comparatively simple device between two complex devices. My reasoning is that if the simple device were altered (ie hacked) it would be easier to recognize the breach because it is so simple to begin with.

I am going to continue researching this, but in the meantime if anyone has a response, please do post it!

RS-232 and TTL both have TX and RX and Gnd. TX connects to RX on the other end, and vice versa for a bi-directional path. However, you do have to be careful of nomenclature. Sometimes "RX" means "this is the pin on which I receive" and requires the TX and RX wires to be swapped in the connecting cable. Other times it means "this is the pin from which the DTE device receives", which will be the same label but a physically different pin on each end.

If you see TX+ and TX-, and perhaps RX+ and RX-, that implies you might be looking at a serial protocol that uses differential signalling. This makes it possible to compare two identical but opposite-polarity signals, which makes for very robust signal recovery in electrically noisy environments. It also allows differential input stages at each end to avoid having to use a common ground reference, which can be problematic on long cable runs. (RS-485 uses a scheme like this.) You may have dedicated TX and RX pairs (full-duplex), or it may be a bus topology where all devices transmit and receive on the same pair.

You still haven't really specified why the need for security. Not to pry, but this is somewhat relevant to the solution we might recommend. For example, if this is for peace of mind, I would advocate for bi-directional send/receive, and limit the direction of data transmission in software. This can still be very secure, since with a low-level connection like serial, each end has to be running software that is specifically designed to speak with the other side. If this software isn't running, no intrinsic transfer will occur. If the software does not use compatible protocols, no meaningful transfer can occur. That's pretty safe.

Xmodem, Ymodem, and Zmodem are three popular file transfer protocols used back when serial was still en vogue. E.g., back in the dial-up BBS days. Most terminal software can speak one or all of the above. You may also run into any number of other transfer protocols, like Kermit for example. Zmodem had some nice features, like transfer resume support, CRC error detection, and auto-receive support. Note, these protocols aren't "software", they're implemented in software. I haven't had much occasion to use them in a long while, but I remember liking Telex and RIPterm back in the day. No clue if they're still around or viable anymore.

A1000:
I found some wiring diagrams that seem clarify matters for me. This site has wiring diagrams for DB9 connectors, DB25 connectors, and a DEC MMJ connector.

All sorts of stuff there, and if it helps with the concepts, all the better. Wikipedia is pretty comprehensive of course.

A1000:
Is a DEC MMJ the type of connector used on a USB to TTL cable such as this one at Amazon?

Nothing to do with DEC MMJs. The simple pin and sleeve connectors seem to be referred to as "Dupont" connectors, the sleeves come in various geometries such as singles (as in your reference), two, three four, five, six and so on in line, where six would fit that particular device, then two by two, two by three and so on. On eBay and such, ribbon cable fitted with the (single) connector pins - female or male - is available which can be divided into strips of say, six wires and the (single) sleeves supplied carefully removed and replaced with multiple pin sleeves, re-arranging the sequence of the wires if necessary. That is what I have been doing to make connector leads for particular purposes with the Arduino modules available.

A1000:
If I wanted to create a one way connection using two of the above USB to TTL modules, would I connect the wires as follows?

USB Module plugged into Computer1 USB Module plugged into Computer1
TX- Transmit Data <-------> RX + Receive Data
TX+ Transmit Data Ground <-------> RX – Receive Data Ground

Exactly. And you just might wish to implement a hardware handshake connection back from the receiving one to the transmitting (if you are content that this cannot be hacked, as previously considered), in which case it is notable that (as far as I can determine from the illustration) that the particular item (and they are available much more cheaply, for what it is worth) has a design fault in the process of copying from an original design used with Arduino and other MCUs. You can however pick up the necessary handshake lines by fitting extra pins to the board for RTS and CTS.

A1000:
Could I also do it this way, plugging directly into the DB9 port on Computer2?
USB Module plugged into Computer1 DB9 port on Computer2
TX- Transmit Data <-------> Receive Data Pin 2
TX+ Transmit Data Ground <-------> Signal Ground Pin 5

No, because RS232 uses different voltages and polarities to the USB to TTL adaptor. You could however do that using one of the readily available USB to RS-232 adaptors with the DE9 ("DB9" is actually incorrect) connector and the appropriate wiring between the DE9 connectors.

{There is some understandable confusion here as the USB to TTL adaptors are commonly misleadingly advertised against the term "RS-232".}

A1000:
Paul-- In researching this project, I came across some really high end data diodes. If one-way data transfer using a serial connection is so effective (not to mention low cost), what are high end data diode companies really offering with one-way transfer diodes that cost thousands of dollars a piece?

Without knowing what these expensive products actually do, I cannot say exactly, but I can say that there is just no way that information could leak back across the two wire TTL or RS232 link.

A1000:
Taking this further, could a one-way serial connection conceivably be breachable? I must admit that I know next to nothing in this field, and perhaps therefore my scepticism could in some small measure be justified, but if you could explain why a one-way serial connection would be adequate, I would be most receptive the idea.

The one-way link, particularly without handshaking - is going to be unbreachable. Except of course, by "side channel" attacks (something also discussed by Steve Gibson on many occasions) where some other form of communication or information is collected, such as detecting radio frequency radiation, sound, lights flashing or fluctuations in the power supply. But that is a "whole different ball game". Other than that, and as with the consideration of handshaking, transmission of data in the opposite direction is only possible if both machines are complicit; it would be necessary for the machine sending the "handshake" to encode information on that line differently to the normal on-and-off handshake, and for the machine receiving it to interpret this abnormal protocol in a meaningful fashion.

A1000:
Putting an Arduino in the middle introduces a some complexity, but as an novice, I view it as putting a comparatively simple device between two complex devices. My reasoning is that if the simple device were altered (ie hacked) it would be easier to recognise the breach because it is so simple to begin with.

I don't think so - it certainly would be (much) more difficult to "hack" - change the firmware - of the Arduino (except that if it contains the bootloader, then it can easily be re-programmed from the USB side), but there is no means it would then have to alert you of the fact.

A1000:
Paul-- In researching this project, I came across some really high end data diodes. If one-way data transfer using a serial connection is so effective (not to mention low cost), what are high end data diode companies really offering with one-way transfer diodes that cost thousands of dollars a piece?

The key is component reliability, Trustability and communication reliability.

http://www.synergistscada.com/building-your-own-data-diode-with-open-source-solutions/
http://cybermatters.info/2013/02/07/diy-data-diode-for-1612/?relatedposts_exclude=1006

by "side channel" attacks

I actually witnessed this firsthand in 1970 - one can extrapolate the capabilities available today. While in a military "school" in a secure building within a Faraday cage a van parked away from the facility was able to intercept and print communications originated from within the training room between the various students. At the end of the class, a military Captain presented the class instructor with the transcripts.

Ray

mrburnette:
While in a military "school" in a secure building within a Faraday cage a van parked away from the facility was able to intercept and print communications originated from within the training room between the various students. At the end of the class, a military Captain presented the class instructor with the transcripts.

Wow - that seems quite impressive. Shouldn't the Faraday cage have prevented radiated EM transmission in or out of the cage?