Sunday, November 5, 2017

To enable real-time instant messaging on such a system, removable media must be replaced with unidirectional data transmission lines. This assumes asynchronous data transmission over a medium such as UDP packets over Ethernet, or asynchronous serial communication. But how is unidirectionality guaranteed? Running only a listener program on the receiver computer is not high assurance: malware that propagates to that system can trivially add sender functionality to establish a return channel. The answer is to remove the return channel at the hardware level. This is not easy: features such as auto MDI-X make it impossible to enforce unidirectional UDP transmission over Ethernet. A simpler transmission protocol is required, and for that, serial interfaces like RS232 and UART fit perfectly. While serial interfaces most likely have more than just rule-based limitations on Tx/Rx pin assignment, more assurance should be sought. To guarantee unidirectional behavior, a simple hardware device called a data diode is required between the sending and receiving serial interfaces. A data diode is a device that takes advantage of the laws of physics to limit the direction of data flow. The data diode used in TFC is a slight modification of the design by the pseudonymous Sancho P. (Earlier data diode designs are based on the work and paper by Douglas W. Jones and Tom C. Bowersox on RS232 data diodes.)


This data diode makes use of two transducers that form a unidirectional gateway. On the sender side, depending on whether the output bit is one or zero, the high or low signal from the serial interface's Tx pin turns the LED inside the HCPL7723 optocoupler on or off. The state of the LED is detected by the optocoupler's photodiode, and the reproduced signal is then amplified by the optocoupler's transimpedance amplifier (TIA) and finally fed into the Rx pin of the receiving serial interface.
This optical gap is guaranteed to be one-way: while LEDs show a weak photoelectric effect, photodiodes (excluding ternary and quaternary GaAsP photodiodes) do not emit light.
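A bit-level model of the link just described, added here as an illustration and not TFC's own code: the Tx pin is modelled as a list of line levels, the optocoupler as a pure one-way function on those levels, and the Rx side as an 8N1 UART decoder (the framing format is an assumption). Because the receiver has no return channel it cannot ask for a resend; a corrupted stop bit can only be counted as a framing error while the decoder hunts for the next start bit, so whatever runs above the raw serial stream has to verify what it receives.

```python
# Line levels: 1 = high (idle / logic one), 0 = low. 8N1 framing assumed.
IDLE = 1

def uart_encode(data: bytes) -> list:
    """Transmitter side: start bit (0), 8 data bits LSB first, stop bit (1)."""
    line = [IDLE, IDLE]                      # brief idle time before the first frame
    for byte in data:
        line.append(0)                       # start bit
        line.extend((byte >> k) & 1 for k in range(8))
        line.append(1)                       # stop bit
    line.append(IDLE)
    return line

def optocoupler(tx_levels: list) -> list:
    """LED on/off reproduced by the photodiode and TIA: level in, level out.
    It is a function of the transmitter's levels only; no path exists back."""
    return [1 if level else 0 for level in tx_levels]

def uart_decode(rx_levels: list):
    """Receiver side. Returns (decoded_bytes, framing_errors).
    With no return channel nothing can be re-requested: a bad stop bit is
    counted, the byte is dropped and the decoder hunts for the next start bit."""
    out, errors, i = bytearray(), 0, 0
    while i < len(rx_levels):
        if rx_levels[i] != 0:                # idle: wait for a start bit
            i += 1
            continue
        frame = rx_levels[i + 1:i + 10]      # 8 data bits + stop bit
        if len(frame) < 9:                   # capture ended mid-frame
            break
        bits, stop = frame[:8], frame[8]
        if stop != 1:
            errors += 1
            i += 1                           # resynchronise on the next low level
            continue
        out.append(sum(b << k for k, b in enumerate(bits)))
        i += 10
    return bytes(out), errors

def one_way_link(data: bytes, corrupt_index: int = None):
    """Send data through the modelled diode; optionally force one level low
    (constructed fault) to show how the receiver copes without a resend."""
    levels = uart_encode(data)
    if corrupt_index is not None:
        levels[corrupt_index] = 0
    return uart_decode(optocoupler(levels))
```

Forcing the stop bit of the first frame low (index 11 for `b"hi"`) yields a garbage byte and two framing errors, not a retransmission.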
The hardware configuration that combines data diodes with a split TCB has impressive security guarantees. It sets a one-time price tag on endpoint security. As long as the transmitter computer doesn't output sensitive data (due to a programming error or pre-existing malware), the entire system remains secure against remote key exfiltration by malware. Malware cannot propagate from the networked computer to the transmitter computer, and malware that propagates to the receiver computer is unable to exfiltrate data.
