Covert Channels
Daniel D. Salloum
Overview
• Introduction and background
• General options
• CCA methods
• More recent work
• Future work
Building Blocks
• Origin: Butler Lampson
– MLS
  • No read up
  • No write down
• Definitions
– Murdoch
– Plethora of others
Building Blocks
“Any object attribute that may be both modified and read by system operations is a candidate for a covert channel” – Murdoch
• To distinguish in a network setting:
– Steganography involves packet content
– Covert channel involves header fields or transmission time
Building Blocks
• Storage channel
– “involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process”
– Requires storage variables
• Timing channel
– “involves a process that signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process”
– Requires a common time reference
Building Blocks
• Timing
– Generally more difficult to detect
– Resolution usually carries heavy consequences
  • Time-partitioning the CPU can affect wanted process throughput
– Affected by noise
• Storage
– Tools exist for its detection
– More noise resilient
Boundaries
• Bandwidth is measured in bits/sec as opposed to hertz
• Error-correcting methods are proposed but will affect throughput
Why do we care?
• Keeping information within rightful owner boundaries
– Trojans releasing important information without detection
– MLS leaks to another level
• Positives
– Observed system/network with a need to release information
– Plausible deniability
Applications
• Gaming
– Connect Four championship due to collusion
– Communication via move response time or redundancy
• Attacking Tor (an anonymity system)
– Uses traffic analysis as opposed to content information due to the “onion encryption”
• Obtaining database information
– SSNs and other private info
Problems
• Covert channels are very hard to detect due to
– Implementation possibilities
– Looking like normal activity
• Policy change may open some channels and close others
• Some techniques are infeasible due to performance loss
– Memory sharing
– CPU allowance
General Examples
• Another process can find another process’ CPU time; more processes will create noise (timing)
• Disk head movement (timing)
• Files created or destroyed (storage)
• I/O devices (storage)
• Page faults
Covert Channel Analysis
• Information flow analysis
– Detects false illegal flows as well
  • Usually only a small percentage can actually be utilized as a covert channel
• SRM (Shared Resource Matrix)
– Covert communication when process A can read, process B can write, and security level of A < B.
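The SRM rule above, worked as an added example (not from the slides or the NSA covert channel guide): a toy TCB whose primitives reference and modify shared attributes, with the matrix scanned for high-to-low flows. The primitives, attributes, subjects and levels are constructed assumptions.

```python
from itertools import product

# Constructed toy TCB (hypothetical names): each primitive lists the shared
# attributes it references (reads) and modifies (writes).
OPS = {
    "create_file": {"refs": {"disk_free"}, "mods": {"file_count", "disk_free"}},
    "stat_dir":    {"refs": {"file_count"}, "mods": {"last_access"}},
    "read_clock":  {"refs": {"last_access"}, "mods": set()},
    "write_log":   {"refs": set(), "mods": {"log_size"}},
}
LEVELS = {"low": 1, "high": 2}                     # MLS levels, higher = more sensitive
CAN_CALL = {"high": {"create_file", "write_log"},  # primitives each subject may invoke
            "low": {"stat_dir", "read_clock"}}


def attribute_flows(ops):
    """Direct flows x -> y (one primitive references x and modifies y),
    closed transitively so indirect flows through a third attribute count."""
    flows = {(x, y) for op in ops.values()
             for x, y in product(op["refs"], op["mods"]) if x != y}
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(flows), repeat=2):
            if b == c and a != d and (a, d) not in flows:
                flows.add((a, d))
                changed = True
    return flows


def candidate_channels(ops, levels, can_call):
    """SRM scan: (writer, reader, attr_modified, attr_observed) whenever a
    higher-level subject can modify an attribute that flows into one a
    lower-level subject can read. Candidates only: as the slide notes, most
    flagged flows turn out to be unusable as real channels."""
    flows = attribute_flows(ops)
    found = set()
    for w, r in product(can_call, repeat=2):
        if w == r or levels[w] <= levels[r]:
            continue  # low -> high is write-up, permitted; only high -> low matters
        written = set().union(*(ops[o]["mods"] for o in can_call[w]))
        observed = set().union(*(ops[o]["refs"] for o in can_call[r]))
        for x, y in product(written, observed):
            if x == y or (x, y) in flows:
                found.add((w, r, x, y))
    return sorted(found)
```

Note that `log_size` is never flagged: a high-writable attribute with no low-level reader and no flow into one is not a candidate.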
Covert Channel Analysis
• Noninterference analysis
– Deals with machine states
  • “if inputs from one user process could not affect the outputs of another, then no information could be transmitted from the first to the second” – Goguen and Meseguer
• Semantic component addition to flow analysis
– Evaluates the kernel code
– Manually implemented by skilled personnel
Timing Channel Countermeasures
• Virtualize the clock in the system by resetting the clock at every context switch
– Could make the system useless
• Addition of noise
– Adding processes on a system may reduce channel bandwidth, but adds unwanted overhead to the system.
Passive Network Timing Channel
• Using passive network covert channels allows attackers to obtain information without triggering network firewalls.
• Encryption prevents unauthorized parties from decoding communication
Passive Network Timing Channel
• Network timing channels detected by looking at changes in header fields
– A.I. is often used
• Elimination by making these fields standard
• Detection by packet transmission time modulation
• Elimination via network jammers
On Passive…
• Harder to identify and eliminate passive channels
– They do not generate packets, which avoids security speculation.
• To construct:
– Buffer media packets
– Traffic fluctuation
Passive Network Timing Channel
• How it works
– When the media packets arrive at the sender’s location, the sender temporarily buffers the packets and then forwards them at a carefully planned time, instead of forwarding them as quickly as possible. The information transmitted over the channel is encoded into the forwarding time of the media packets.
– The receiver observes packet transmission from another node either on the path or at the destination
Problems
• Interval jitter
– Thus FI0 and FI1 must be negotiated
• Packet loss
– Uses a type of error correction based on a selected length for data sections, and encapsulates these into a series of frames
• Buffer overflow
• Packet exhaustion
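The detection side of the forwarding-time channel described on the two slides above, as an added example that is not from the slides or the Zi et al. paper: a passive monitor that tests whether observed forwarding intervals cluster into two modes, which is exactly what negotiated FI0/FI1 values produce. The 1-D 2-means split, the 0.9 score threshold and the sample traffic are constructed assumptions, not measurements.

```python
import random
import statistics


def split_two_means(intervals, iters=50):
    """1-D 2-means: partition forwarding intervals into a short and a long group."""
    lo, hi = min(intervals), max(intervals)
    short, long_ = list(intervals), []
    for _ in range(iters):
        short = [v for v in intervals if abs(v - lo) <= abs(v - hi)]
        long_ = [v for v in intervals if abs(v - lo) > abs(v - hi)]
        if not short or not long_:
            break
        lo, hi = statistics.fmean(short), statistics.fmean(long_)
    return short, long_


def bimodality_score(intervals):
    """Fraction of interval variance explained by a two-mode split (0..1).
    Two negotiated intervals FI0/FI1 plus jitter score near 1; a single
    jittered interval scores well below (about 0.75 for uniform jitter)."""
    short, long_ = split_two_means(intervals)
    total = statistics.pvariance(intervals)
    if len(short) < 2 or len(long_) < 2 or total == 0:
        return 0.0
    within = (len(short) * statistics.pvariance(short)
              + len(long_) * statistics.pvariance(long_)) / len(intervals)
    return 1.0 - within / total


def looks_like_timing_channel(intervals, threshold=0.9, min_share=0.1):
    """Flag when both modes carry a real share of packets and the split
    explains almost all the variance (assumed thresholds; tune per link)."""
    short, long_ = split_two_means(intervals)
    share = min(len(short), len(long_)) / len(intervals)
    return share >= min_share and bimodality_score(intervals) >= threshold


def constructed_intervals(covert, n=200, seed=7):
    """Constructed forwarding intervals in ms (not captured traffic).
    Normal: 40 ms plus +-3 ms jitter. Covert: FI0 = 40 ms or FI1 = 60 ms
    chosen per hidden bit, with the same jitter on top."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        base = rng.choice((40.0, 60.0)) if covert else 40.0
        out.append(base + rng.uniform(-3.0, 3.0))
    return out
```

Real media streams carry natural interval variation (sender pacing, route changes), so the threshold needs calibration against clean traffic from the same path before it is trusted.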
Ad Hoc Covert
• Manipulates network protocols to construct covert channels
• Proposes a virtually undetectable covert channel
• Information is hidden in the “dynamic splitting process”
• Performance depends on
– Network size
– User mobility
– Traffic rate
– Transmission range
Ad Hoc
• Their proposal is contention-based MAC
– Individual nodes make their own decision
• How it works
– Covert transmission can be realized via controlling the splitting procedure. Upon collision, the CT (covert transmitter) decides which subset to join according to the covert symbol it wishes to transmit. For example, ‘1’ is transmitted if it joins the left subset, and ‘0’ is transmitted if it joins the right subset.
– The CR (covert receiver) only passively monitors channel feedback
Modes of Operation
• Conservative mode
– Claims the channel is absolutely undetectable
– CT transmits only when it has a packet
• Aggressive mode
– May facilitate detection of CT
– Generates new packets when none are available
• Strategic mode
– Finds a happy medium between the two
Cluster Based Channel
• Presents a new, plausible-deniability approach to storing information in cluster-based file systems
– User can deny that any hidden data exists on the disk
• Fragmentation on a disk is regular; not all of it will be hiding information
• Encrypted information is easy to detect, and the owner can be forced to reveal the password
• Proposes a methodology for modifying the fragmentation patterns in the cluster distribution of an existing file
• Goes against the typical communication-protocol avenue and routes down information hiding
Based on the FAT file system
How it works
Cluster Based Channel
• Can utilize a marker that is communicated between the concerned parties
• Encounters a problem when consecutive unallocated clusters are not available
Revision
Breaks the code into 3-bit groups and takes each cluster gap mod 8.
Example: 9 mod 8 = 1
Problems
• Accidental overwrites are likely and will corrupt data
– Disk defrag, file renaming
• If other copies are made, it will use a lot of space
• From results, on a 160G disk, about 20M of hidden information could be held
Temperature Based Channel
• CPU loads on nodes will vary the clock skew
• Effect can be remotely measured by requesting time stamps
• Used to check whether a remote node was busy (another traffic analysis technique for evaluating Tor)
Notes
• Crystal oscillator driving the system clock is affected by temperature
• Clock skew is the ratio between actual and nominal clock frequencies
• Skew deviates little at 1-2 PPM, but 50 PPM gives a significant difference, yielding a “fingerprint”
• Paper assumes 1 PPM, generating 4-6 bits of information
Issues
• Different operating systems change TCP timestamp values, with resolution from 2 Hz to 1 kHz
• Does not work on ICMP timestamps because they are generated after skew adjustment
• Cannot calculate the absolute clock skew
• Clock skew can yield changes, not absolute temperature
• Some nodes may have a temperature-compensated crystal oscillator
Future Work
• Research on preventing collusion in internet gaming
• Timing channel detection
• Bandwidth of various covert channels
• Further research on temperature covert channels
• Design and countermeasures of and against covert attacks, especially in ad hoc environments
• Evaluate time stamping on network cards with on-board time stamping
References
• Hassan Khan, Mobin Javed, Syed Ali Khayam, Fauzan Mirza. Designing a cluster-based covert channel to evade disk investigation and forensics. Computers & Security 30(1), January 2011, pp. 35-49. doi:10.1016/j.cose.2010.10.005. http://www.sciencedirect.com/science/article/pii/S016740481000088X
• Song Li, Anthony Ephremides. Covert channels in ad-hoc wireless networks. Ad Hoc Networks 8(2), March 2010, pp. 135-147. doi:10.1016/j.adhoc.2009.04.006. http://www.sciencedirect.com/science/article/pii/S1570870509000390
• Xiaochao Zi, Lihong Yao, Li Pan, Jianhua Li. Implementing a passive network covert timing channel. Computers & Security 29(6), September 2010, pp. 686-696. doi:10.1016/j.cose.2009.12.010. http://www.sciencedirect.com/science/article/pii/S0167404809001485
• http://www.fas.org/irp/nsa/rainbow/tg030.htm
• http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf