Unidirectional (or Bidirectional) Optical Secure Link
Design and Security Analysis of a Unidirectional (or Bidirectional) Optical Secure Link
Abstract
This paper presents a design for a unidirectional (or bidirectional) secure optical link intended to transfer data from an external network into a high-security internal network (e.g., critical infrastructure), or in both directions in the bidirectional case, while maintaining strong isolation.
Two complementary implementations are examined: a screen–camera free-space optical channel and a compact optocoupler/fiber-optic data diode. Both designs rely on in-house programmed FPGAs (or ASICs) to eliminate software attack surfaces and ensure hardware-level trust. We analyze potential attack vectors—including hardware Trojans, side‑channel emissions (electromagnetic, optical, acoustic), and receiver compromise—and propose practical mitigations grounded in physical security and hardware verification. A comparative evaluation shows that while the screen–camera approach is feasible under stringent installation constraints, the optocoupler/fiber design would offer superior reliability, bandwidth, and security assurance.
1. Introduction
Modern critical infrastructures—such as power grids, water treatment plants, and industrial control systems—require occasional inbound data from external networks (e.g., software updates, configuration commands, or status requests). Yet they must remain impervious to cyber attacks originating from the internet. Traditional firewalls and intrusion detection systems, while valuable, cannot guarantee absolute protection against sophisticated adversaries.
A unidirectional gateway (often called a data diode) enforces a physical one‑way flow of information, making it impossible for an attacker to send commands back through the same channel. The canonical implementation uses optical components: a transmitter converts electrical signals to light, and a receiver converts light back to electricity, with the receiver lacking any light source. This paper explores two variants of such a diode, both built with in‑house programmable logic to achieve the highest level of trust:
- Screen–camera system: a free‑space optical link using a flat‑panel display and an electronic camera.
- Optocoupler/fiber system: a compact, guided‑optical link using LEDs, photodiodes, and optionally optical fiber.
We assume that the sending and receiving units are implemented on FPGAs (or ASICs) programmed in‑house from trusted source code, eliminating the risk of hidden malware in commercial off‑the‑shelf (COTS) components. The analysis addresses the full spectrum of attacks that a determined adversary might employ and shows that with appropriate countermeasures, such a system can provide extremely high assurance.
2. System Architectures
2.1 Screen–Camera Unidirectional Link
[Internet] --(Ethernet)--> [FPGA-based Sender] --(HDMI/DVI)--> [Flat Panel Display]
⇦ free‑space optical path (air gap) ⇨
[Electronic Camera] --(MIPI/parallel)--> [FPGA-based Receiver] --(Ethernet)--> [Internal Network]
The sender FPGA encapsulates outgoing data into a visual format—for instance, a sequence of high‑density QR codes or a proprietary modulated pattern—and drives a commercial flat‑panel display. The display emits light that propagates through free space (the “air gap”) to a camera. The camera captures frames and sends them to the receiver FPGA, which decodes the original data and forwards it to the internal network. The system is strictly unidirectional because the display has no light sensor and the camera has no light emitter; no backward channel exists.
2.2 Optocoupler/Fiber-Optic Data Diode
[Internet] --(Ethernet)--> [FPGA-based Sender] --(serial line)--> [LED Driver] --(light)--> [Photodiode/Receiver] --(serial line)--> [FPGA-based Receiver] --(Ethernet)--> [Internal Network]
or using optical fiber: LED --> fiber --> photodiode
In this compact design, the sender FPGA drives an LED (or a laser diode for fiber) with a simple line code (e.g., 8b/10b encoded serial). The light is either directly coupled to a photodiode across a small gap (optoisolator) or guided through an optical fiber to a remote photodiode. The receiver FPGA recovers the serial stream and reconstructs the data. The transmitter contains only an emitter; the receiver contains only a detector—physically incapable of sending light back. This design eliminates the need for image encoding/decoding and complex alignment.
3. Security Analysis and Mitigations
We consider a threat model where the adversary (a “magician entity”) has resources and capabilities comparable to a nation‑state. The goal is to prevent any form of data exfiltration from the internal network and to ensure that only authorized data enters. The analysis covers four main attack surfaces.
3.1 Hardware Trojans in the FPGAs
If the FPGA bitstream or ASIC layout is compromised at the manufacturing stage, an attacker could implant logic that subtly alters the transmitted data or creates a covert backward channel. Mitigation: By programming the FPGAs in‑house from trusted, open‑source hardware description language (HDL) code, and by thoroughly verifying the bitstream (e.g., using formal equivalence checking and physical inspection), the risk of hidden Trojans can be reduced to negligible levels. For ASICs, similar assurance requires full control over the fabrication process—often impractical, hence FPGAs are preferred for high‑assurance applications.
3.2 Side‑Channel Emanations
Even if the sender is perfectly immutable, it may emit compromising signals that leak information about the data being transmitted:
- Electromagnetic (TEMPEST): The display (in screen‑camera) or the LED driver circuitry (in optocoupler) generates electromagnetic fields that can be modulated by the data. Mitigation: Enclose the sender in a shielded Faraday cage with filtered power lines. Use differential signaling and spread‑spectrum techniques to reduce spectral peaks.
- Optical emanations: Light from the display may escape through windows or gaps. Mitigation: Operate the system in a windowless, light‑tight room or enclosure. Use optical baffles and attenuators.
- Acoustic emanations: Capacitors and coils can vibrate at frequencies correlated with data. Mitigation: Pot the circuits in a sound‑absorbing compound, use low‑power designs, and locate the system in a room with white noise or vibration isolation.
With proper engineering, these emanations can be suppressed to levels that make remote exploitation infeasible.
3.3 Compromise of the Receiver FPGA
The receiver must decode the incoming optical signal. If the decoding logic is complex (as in screen‑camera), a specially crafted image might exploit a bug in the image parser, leading to receiver compromise. Mitigation: (a) Keep the receiver logic as simple as possible—the optocoupler approach uses a simple serial decoder, which is far easier to verify formally. (b) For the screen‑camera design, use a minimalist frame parser that expects only a fixed pattern (e.g., a known synchronization header and a simple encoding like Manchester code over pixels). Formal verification of the HDL can prove that no unexpected input can cause unintended behavior. (c) Implement the receiver as a pure hardware state machine without a processor or operating system.
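The minimalist frame parser of item (b), written as an added software golden model that is not part of the paper's design: a fixed synchronization header, Manchester code over pixel cells, a hard length bound, and a single reject-and-resync path for any input that does not match the expected pattern. The same Manchester encoder also models the serial line code of section 2.2. SYNC, MAX_LEN and the length-byte frame layout are assumptions made for illustration.

```python
# Added example, not the paper's own code: a software golden model of the minimalist
# receiver from section 3.3 (fixed sync header, Manchester code over pixel cells,
# bounded frame length, one reject-and-resync path). SYNC, MAX_LEN and the frame
# layout (length byte then payload) are assumptions made for illustration.

SYNC = (1, 1, 1, 1, 0, 0, 0, 0)  # a run of four equal cells never occurs in Manchester data
MAX_LEN = 64                      # payload bound: the receive buffer is sized once, at design time

def _encode_byte(byte):
    """MSB first: bit 1 -> bright,dark cells; bit 0 -> dark,bright cells."""
    return [c for i in range(7, -1, -1) for c in ((1, 0) if (byte >> i) & 1 else (0, 1))]

def manchester_encode(payload):
    """Sender model: sync header, one length byte, then the payload as pixel cells."""
    if not 0 < len(payload) <= MAX_LEN:
        raise ValueError("payload length out of bounds")
    return list(SYNC) + [c for b in bytes([len(payload)]) + payload for c in _encode_byte(b)]

def _read_byte(cells, pos):
    """Decode 16 cells to a byte; None if truncated or any pair is not a Manchester symbol."""
    pairs = [tuple(cells[pos + 2 * k:pos + 2 * k + 2]) for k in range(8)]
    if pos + 16 > len(cells) or any(p not in ((1, 0), (0, 1)) for p in pairs):
        return None  # truncated, or a 00/11 pair that is not a symbol: reject, never guess
    return sum((p == (1, 0)) << (7 - k) for k, p in enumerate(pairs))

def decode_frames(cells):
    """Receiver model: HUNT for sync, read length, read payload, then ACCEPT or resync.
    Nothing but the cell index survives a rejected frame, so bad input cannot accumulate state."""
    frames, i = [], 0
    while i + len(SYNC) <= len(cells):
        if tuple(cells[i:i + len(SYNC)]) != SYNC:
            i += 1  # HUNT: slide one cell
            continue
        pos = i + len(SYNC)
        length = _read_byte(cells, pos)
        if length is None or not 0 < length <= MAX_LEN:
            i += 1  # bad or oversized length: nothing allocated, back to HUNT
            continue
        payload, pos = bytearray(), pos + 16
        while len(payload) < length and (b := _read_byte(cells, pos)) is not None:
            payload.append(b)
            pos += 16
        if len(payload) == length:
            frames.append(bytes(payload))
            i = pos  # ACCEPT: consume the whole frame
        else:
            i += 1  # corrupt mid-frame: drop the partial frame, resync
    return frames
```

Because every path either accepts a complete, bounded frame or returns to HUNT with no retained state, the model has exactly the property the HDL must be proven to have: no input sequence reaches a state the designer did not enumerate.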
3.4 Physical Layer Denial of Service
An attacker could blind the camera with a high‑power laser or physically obstruct the optical path. Mitigation: Use redundant paths (multiple cameras/screens) and monitor link integrity. If the link is critical, the system can raise an alarm and fall back to manual procedures. For the optocoupler, a simple continuity check (e.g., a keep‑alive signal) can detect disruption.
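The keep-alive continuity check described above, as an added receiver-side monitor that is not part of the paper: since a data diode receiver cannot query the sender, disruption has to be detected locally from the keep-alive frames it sees. The sender is assumed to emit a keep-alive with a 16-bit incrementing sequence number every PERIOD_MS; all names, thresholds and the replayed trace are constructed for illustration.

```python
# Added example, not from the paper: receiver-side link-integrity monitor for the
# keep-alive continuity check of section 3.4. Assumes the sender emits a keep-alive
# frame with a 16-bit incrementing sequence number every PERIOD_MS. Silence beyond
# TIMEOUT_MS (blinding, obstruction) and sequence gaps (intermittent disruption)
# are reported as alarm events for the operator or the manual fallback procedure.

PERIOD_MS = 100               # assumed keep-alive interval
TIMEOUT_MS = 3 * PERIOD_MS    # silence longer than this raises the link-down alarm

class LinkMonitor:
    def __init__(self):
        self.last_time = None  # time of the last valid keep-alive; None while the link is down
        self.last_seq = None   # its sequence number
        self.lost = 0          # frames missing from the sequence so far
        self.alarms = []       # (time_ms, reason) events, in the order they were raised

    def keepalive(self, time_ms, seq):
        """Called by the decoder for each keep-alive frame that decodes cleanly."""
        if self.last_seq is not None:
            gap = (seq - self.last_seq - 1) & 0xFFFF  # 16-bit counter, tolerates wrap-around
            if gap:
                self.lost += gap
                self.alarms.append((time_ms, f"{gap} keep-alive(s) lost"))
            if self.last_time is None:
                self.alarms.append((time_ms, "link restored"))
        self.last_time, self.last_seq = time_ms, seq

    def tick(self, now_ms):
        """Called from a local timer: the receiver has no way to ask the sender, so silence is judged here."""
        if self.last_time is not None and now_ms - self.last_time > TIMEOUT_MS:
            self.alarms.append((now_ms, "link down: no keep-alive"))
            self.last_time = None  # report once, until the link recovers

def run_monitor(events):
    """Replay a constructed trace of ('rx', t, seq) and ('tick', t) events; returns the monitor."""
    m = LinkMonitor()
    for ev in events:
        if ev[0] == "rx":
            m.keepalive(ev[1], ev[2])
        else:
            m.tick(ev[1])
    return m
```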
4. Comparative Evaluation
Table 1 summarizes the key characteristics of the two designs, assuming both are implemented with in‑house FPGAs and appropriate side‑channel mitigations.
| Feature | Screen–Camera Link | Optocoupler/Fiber Link |
|---|---|---|
| Physical principle | Free‑space optics (image transmission) | Guided optics (LED–photodiode, fiber) |
| Complexity of logic | High: requires frame buffers, image encoding/decoding, pixel synchronization | Low: simple serial line code (e.g., 8b/10b, Manchester) |
| Bandwidth | Limited by camera frame rate & resolution; practical ~10–100 Mbps | High: up to Gbps with appropriate components |
| Latency | High: multiple frame times (milliseconds) | Low: nanoseconds to microseconds |
| Alignment sensitivity | Critical: camera must be precisely aligned to screen, focus maintained | None: fiber connectors or fixed PCB mounting |
| Environmental robustness | Susceptible to ambient light, dust, vibration | Immune (fiber) or enclosed (opto) |
| Verifiability of unidirectionality | Good: screen cannot receive, camera cannot transmit | Excellent: physical absence of emitter on receiver side |
| Attack surface (decoder) | Complex image parser – requires rigorous formal verification | Simple line decoder – easily verifiable |
| Ease of testing/certification | Complex (image patterns, lighting conditions) | Simple (standard bit error rate tests) |
| Relative cost | Moderate (display, camera, two FPGAs) | Low (few discrete components, one FPGA possible) |
The optocoupler/fiber design is clearly superior in almost every technical metric. The screen–camera approach may still be considered when physical constraints forbid any wired connection (e.g., heritage buildings, temporary installations) or when very high isolation is desired and the lower bandwidth is acceptable. However, for permanent critical infrastructure, the optocoupler/fiber diode is the recommended choice.
5. Discussion
Both designs, when implemented with in‑house programmable logic and physical shielding, can achieve an extremely high level of security—far beyond what commercial off‑the‑shelf components can provide. The remaining risks are primarily those of supply chain interdiction (if FPGAs are obtained from untrusted sources) and insider threats. These can be mitigated by strict procurement policies, physical security, and personnel vetting.
It is important to note that neither system creates a true “air gap” in the sense of no data crossing; they are unidirectional bridges. The term “air gap” is often misused; security professionals prefer “unidirectional gateway” or “data diode.” The screen–camera version does include a physical air gap between the display and camera, but data still flows.
For scenarios where bidirectional communication is required (e.g., telemetry out and commands in), two independent diodes can be installed in opposite directions. However, this doubles the attack surface and must be carefully managed to ensure that the inward and outward paths are logically separate and cannot be combined to create a bidirectional channel.
6. Conclusion
This paper has presented a thorough design and security analysis of two high‑assurance unidirectional optical links based on in‑house programmed FPGAs. By eliminating software attack surfaces and applying physical mitigations against side‑channel emanations, both designs can withstand even nation‑state adversaries. The comparative evaluation clearly shows that the optocoupler/fiber approach is simpler, more reliable, and more secure, making it the preferred solution for protecting critical infrastructure. The screen–camera variant remains a viable alternative under specific deployment constraints. The work provides a foundation for engineers and evaluators tasked with building or certifying such systems.
© ly sandaru