The CSIRO’s Data61 group is preparing to commercialise the Cross-Domain Desktop Compositor (CDDC), an alternative to a KVM that offers users to ultra-secure access multiple networks while offering the benefit of a single desktop-style user interface.
The CDDC was developed by Data61 in partnership with the Defence Science and Technology Group (DSTG).
The CDDC uses hardware-based composition to display data from separate secure domains on a single monitor with a unified user interface, and provides seamless mouse and keyboard switching between the domains.
The system has been trialled by the Department of Defence.
The device is driven by the ultrasecure seL4 microkernel developed by Data61 (and its predecessor organisation, NICTA).
“We have proved that seL4 enforces very strong security requirements, and is free of many classes of security vulnerabilities that plague commodity systems,” said Toby Murray, senior researcher with Data61’s Trustworthy Systems Team.
“In the CDDC we are using seL4 to support an integrated view of information, while providing fine-grained control of information flows, including controlled cut-and-paste between separate networks.”
The system allows the domains to be treated as if they were part of a single desktop, but only one domain is able to receive input at any one point. The approach is an alternative to running multiple desktops in separate VMs, which would rely on the security of the hypervisor, or using a KVM switch.
“[T]he CDDC does not rely on trusting any software or any commercial-off-the-shelf hardware,” states a paper (PDF) authored by DSTG’s Mark Beaumont and Jim McCarthy and Data61’s Toby Murray.
“Instead, a simple trusted computing base is constructed in hardware and can be retrofitted to existing multi-desktop environments, removing any vulnerability to software-based attacks and making it more amenable to formal security evaluation.
“The computing domains themselves remain untrusted, pushing the trust boundary into the small, well controlled external hardware, which both strengthens the security guarantees, and increases the performance of the solution, whilst making it easier to accredit for high-assurance environments.”
“[Th]e CDDC presents individual windows from each domain together on a single graphical desktop interface providing a user with the cognitive benefits of operating within a single desktop environment,” the paper states.
Although the domains remain isolated, the device can be used to provide copy-and-paste style features between domains. It also makes possible applications such as a single inbox across domains by having each domain render separate parts of an email client.
Data61 said that it had developed a roadmap to commercialise the CDDC, which it says has applications beyond the defence sector.