Overview
Most organizations do not have effective defenses against targeted cyberattacks. Software-based solutions, like antivirus and firewalls, are insufficient: they can be bypassed or hacked themselves.
Data diodes offer a solution: by physically enforcing the direction of network traffic, you can ensure the confidentiality or integrity of a system.

Intuitively, if data cannot leave a system, the confidentiality of that data is guaranteed. Conversely, if data cannot enter a system, the integrity of that system is guaranteed. These principles are used to protect nuclear power plants and military intelligence. Our lab is making this technology available to everyone.
Hardware
Data diodes are based on hardware, so they are immune to remote tampering. A data diode can be built using fiber-optic network equipment. As shown below, the Ethernet media converter on the left sends data to the media converter on the right. The converter on the right physically cannot transfer data in the reverse direction, since its transmit port is taped over.

Our lab designed an enclosure to make data diodes portable. Data physically cannot leave the air-gapped laptop, since its wireless radios, speakers, and USB ports are disabled: the laptop can only receive data through the data diode.

Software
Many network protocols require bidirectional communication, which is prevented by data diodes. We developed pydiode, an open-source Python package for reliably sending data through a data diode. pydiode includes a robust command-line interface and GUI. pydiode sends streams of data, so it can easily be integrated with other software.

pydiode supports macOS and Linux, and is available on GitHub and PyPI. We also plan to publish pydiode on the Mac App Store and as a Debian package.
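
To illustrate why a one-way link needs its own transfer scheme, here is an added sketch (not pydiode's code or wire format) of a sender that numbers chunks and repeats them blindly, and a receiver that reassembles and fails closed. The header layout, chunk size, and the names `encode`, `decode` and `lossy` are assumptions made for this example.

```python
import hashlib
import struct

HEADER = struct.Struct("!II")  # assumed header: (sequence number, total chunks)
CHUNK = 1024                   # assumed payload size per packet
DIGEST_LEN = hashlib.sha256().digest_size

def encode(data, redundancy=2):
    """Sender side: number the chunks, append a SHA-256 digest, repeat the series."""
    body = data + hashlib.sha256(data).digest()
    chunks = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]
    series = [HEADER.pack(seq, len(chunks)) + c for seq, c in enumerate(chunks)]
    return series * redundancy  # no ACKs exist, so loss is covered by resending blindly

def decode(packets):
    """Receiver side: reassemble, then fail closed on gaps or a bad digest."""
    received, total = {}, None
    for p in packets:
        if len(p) <= HEADER.size:
            continue  # runt packet, no payload
        seq, n = HEADER.unpack_from(p)
        if total is None:
            total = n
        if n != total or seq >= n:
            continue  # header inconsistent with the rest of the series
        received.setdefault(seq, p[HEADER.size:])  # duplicates are ignored
    if total is None:
        raise ValueError("no usable packets received")
    missing = [s for s in range(total) if s not in received]
    if missing:
        # The receiver cannot ask for a resend; it can only report the gap locally.
        raise ValueError(f"missing chunks: {missing}")
    body = b"".join(received[s] for s in range(total))
    data, digest = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("digest mismatch")
    return data

def lossy(packets, drop_every):
    """Constructed stand-in for the one-way link: silently drops every Nth packet."""
    return [p for i, p in enumerate(packets, 1) if i % drop_every]

if __name__ == "__main__":
    sample = bytes(range(256)) * 20  # constructed sample payload
    print(decode(lossy(encode(sample, redundancy=2), drop_every=5)) == sample)
```

With a single pass and the same loss pattern, `decode` raises instead of returning partial data, which is the behavior a receiver behind a diode needs since it has no channel to request retransmission.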
Research
Peter Story, “Building an Affordable Data Diode to Protect Journalists,” in Workshop on Privacy Engineering in Practice (PEP ’23), Aug. 2023.
More papers coming soon!