Abstract: A system (30) for protecting a server (20) from network attacks is provided. The system (30) comprises a data splitter (31) and a parameter extractor (33). The data splitter (31) is configured to receive network communications from a client (10); send network data comprising at least payload information included in the received network communications to the parameter extractor (33); and send network data comprising at least communication state information included in the received network communications to the server (20). The parameter extractor (33) is configured to apply predefined parameter extraction rules to network data received from the data splitter (31) in order to extract parameters, and to forward extracted parameters to the server (20).
Abstract: A secure boot computer system is provided. The system comprises a logic block comprising one or more processing units that executes instructions, the logic block being configured to request boot instructions over a first interface, according to a first communication protocol, on power-up or reset of the logic block. A controller component is configured to communicate with the logic block over the first interface according to the first communication protocol, the controller being further configured to implement a communications link to a second computer system and to receive the boot instructions from the second computer system. The logic block is preconfigured to communicate with the controller over the first interface according to the first communication protocol in a manner that cannot be altered by instructions executed by the logic block. The controller is configured to prevent the completion of any write requests from the logic block.
Abstract: A computer system for securely controlling an insecure computer is provided. The system comprises an insecure computer, a secure computer and a unidirectional dataflow enforcer. The insecure computer comprises a dedicated video output with a hardware interface, and is configured to transmit its video output to a secure computer over a first connection and to receive instructions for controlling the insecure computer over a second connection. The secure computer is configured to receive the video output of the insecure computer over the first connection and to transmit instructions for controlling the insecure computer over the second connection. The unidirectional dataflow enforcer is configured to enforce unidirectional dataflow between the secure computer and the insecure computer, such that dataflow from the secure computer to the insecure computer over the second connection is allowed, but dataflow from the insecure computer to the secure computer over the second connection is prevented.