covert channels detection in protocols using scenarios
DESCRIPTION
Covert channels detection in protocols using scenarios. Loïc HélouëtINRIA Rennes. SAM2004. Motivations. Receiver. Sender. Security (Monitoring, firewall,…). Confinement Zone. Example : a file system. ls toto. toto. Present Or absent. Authorisation refused. 0. File not found. 1. - PowerPoint PPT PresentationTRANSCRIPT
Covert channels detection Covert channels detection in protocols using in protocols using
scenariosscenarios
Loïc Hélouët INRIA Rennes
SAM2004
Motivations 2
Confinement Zone
SenderReceiver
Security(Monitoring, firewall,…)
MotivationsMotivations
3
Example : a file system
totols toto
Authorisation refused
File not found01
PresentOr absent
threat : performance, billing, security, … all channels can not be eliminated
Recommandations: Identify covert channels Illustrate their use through scenarios Compute their bandwidth
4
SenderReceiver
message
Encoding
Decoding
messageProtocolModel(HMSC)
decisions of sender at choice nodes
Deduction of choices performed from observations on receiver
Compute bandwidth
Test on real implementation
5
PLANPLAN Message Sequence Charts Covert channels Bandwidth evaluation RMTP2 Conclusions & perspectives
6
Message Sequence ChartsMessage Sequence Charts
A B
m(v)
C
p
M = < E, , A, P, , , m,V, > E : events E x E : causal order A : action names P : Instances E x P : locality E x A : labeling m E x E : messages V : variables m x V : message parameters
bMSC M
Message Sequence Charts 7
A B
m(v)
C
p
bMSC M1
A B C
q
bMSC M2
n
A B
m(v)
C
p
bMSC M1 o M2
q
n
=
Sequential composition
Message Sequence Charts 8
A B
m(v)
C
p
bMSC M
q
n
Projection on an instance
B
m(v)p
bMSC B(M)
q
n
B(M) = { ?m(v) . !p . !n . !q }
Message Sequence Charts 9
HMSC
M1
M2
M3
M4M5
n
H= ( N, ,M, n0)
N : nodes N M N : transitions M : bMSCs n0 : initial node
10
A B
m(v)
C
p
bMSC M1
bMSC M2
A B
n
C
q
M1 M2
Events observed on instance C
events executedon instance A
?p => !m(v)
?q => !n
0 1
Covert Channel detectionCovert Channel detection
Covert channels detection 11
Definition :
A choice node n in a HMSC is controlled by an instance
p iff for all path Pi, i 1..K starting in n
! ei = min(OPi) and (ei)=p
(idem local choice)
M2M1
n
A B
m(v)
C
p
bMSC M1
bMSC M2
A B
n
C
q
Covert channels detection 12
M1
M2
M3
M4M5
Hypotheses
To transmit a message of arbitrarylength, one need to iterate some behaviors : CC appear in presence of cycles.
to encode information, the sender can perform several choices
For each choice, the observable consequences are for the receiver
n
Covert channels detection 13
M1
M2
M3
M4M5
Covert channel from Sender to Receiver
decision node controlled by Sender Several Cycles Observations by the Receivern
M1
M2
C1
M3
M4
C2
Controlled by Sender
ReceiverReceiver
14
BandwidthBandwidthA B
m
C
n
bMSC M
o
A0 B0 C0
A1 B1 C1
3
3
2
1 3
612
15 11
9
+ temporal annotations for events for messages
Definition of scenario duration dx,y(M) D(M) = max { dx,y }
1
1
2
1
1
2
Bandwidth 15
A0 B0 C0
A1 B1 C1
0
4258 10
7
D(Mn) = max { dx,y (Mn) }
Mean durations:
md(M) = lim 1 . D(Mn)
mdx,y(M) = lim 1 . dx,y(Mn)
b
If M can be used to transfert b bits from x to y :
n
n n
n
mdx,y(M)Bw =
Bandwidth :
16
Example : RMTP2Example : RMTP2Source
DR
R R R RR R R RR RR R
Rennes Paris BostonOttawa
Example 17
RMTP2 : Data RMTP2 : Data retransmissionretransmission
DR
R R R
Ottawa
Data
DRCR
Hack(P)
Loop n P
Retransmission(n)
P : bitmap representationof lost/received packets
Example 18
RMTP2 ParametersRMTP2 Parameters
DR
R R R
B : Branching Factor
Maximal number of children for a node
A child can ask for retransmission every B data packet
B
R R
Example 19
RMTP2 ParametersRMTP2 Parameters
DR
R R R
S : Bitmap sizeL: maximal loss rate allowed
Data
DRCR
Hack(P)
Eject
P>0 |P|1 L
Ex: S=16, L=25% Hack(0100 1010 0110 1100)
Example 20
OthersData
Retrans
MyData
Eject
P=0 P>0|P|1 4P>0|P|1 > 4
Data transmission seen from areceiver CR
Example 21
bMSC MyData
Data Data
DR
bMSC Eject
CR
Eject
DRCROther
Receivers
Hack(P)
bMSC Retransmission
CRDROther
Receivers
Retransmission(n)
Loop n P
Example 22
bMSC OthersData
Data Data
DRCROther
Receivers
Hack(P)
Loop <0,B-2>
P=0
P>0|P|1 4
P>0|P|1 > 4alt
Retransmission
Eject
Example 23
bMSC Shortest Scenario
Data Data
DRCROther
Receivers
Hack(0)
Loop <0,B-2>
Data Data
Hack(P)
Retransmission(1) Retransmission(1)
Covert channel from CR to anyreceiver in Other Receivers
Creation of fake bitmapsto force observable retransmissions
Example 24
Let L=25% , S = 16
Number of possible fake bitmaps :
Number of bits transmitted at each covert channel useb = log2(2516)=11.297
Bandwidth upper bound:
= 2516B = i=1..4
16!i! . (16 - i)!
mdcr,Other Receivers(Shortest)Bw =
b
Example 25
bMSC Shortest Scenario
Data Data
DRCROther
Receivers
Hack(0)
Loop <0,B-2>
Data Data
Hack(P)
Retransmission(1) Retransmission(1)
D : event duration
T : transmissions duration T
TT
T
TT
TT
26
Bw evolution for D= 2ms
B=20, T=20msBw=11.74 b/s
(4B +1).D +2B. TBw =
b
Example 27
bMSC Shortest Scenario
DR
Data Data
Hack(P)
Retransmission(1) Retransmission(1)
Data Data
Hack(0)Data Data
Hack(0)
CR
B times
Other Receivers
28
Bw evolution for D= 2ms
B=100, T=200msBw=22.40 b/s
B=20, T=20msBw=102.7 b/s
(B+5).D +3. TBw =
b
29
ConclusionConclusionCovert channel in RMTP2 :
undetectable receiver usable bandwidth
Future work :
More elaborated strategies under study Covert channels with noise Need to « desynchronize » sequential composition
CMSCs ?
30
31
Covert ChannelsCovert Channels
Storage channels : implies writing a value somewhere
Def : communication channel that violates a system’s security policy
Example : a file system
totols toto
Authorisation refused
File not found01
PresentOr absent
Covert Channels 32
Some facts about covert channels
threat : performance, billing, security, … all channels can not be eliminated
Recommandations : depend on the security level required for the system under study : NSCS30 (light pink book)
Analysis: Identify covert channels Illustrate their use through scenarios Compute their bandwidth
Covert Channels 33
Solutions :
Elimination (for systems with high security level) Add noise to most important channels monitor other channels
Idea : start from informal descriptions of protocol behavious given as scenarios, try to detect potential information flows and compute their bandwidth in order to provide solutions as early as possible during design stages.
34
Covert Channel detectionCovert Channel detection
M1
M2
M3
M4M5
Hypothesis 1 :
To transmit a message of arbitrarylength, one need to iterate some behaviors :
CC can appear in presence of cycles.
n
Covert channel detection 35
M1
M2
M3
M4M5
Hypothesis 2 :
To transmit a message of arbitrary length, the set of instances participating to a covert channel must cooperate to stay in a chosenset of cyclic behaviors Q where information passing is possible, and make sure that the rest of the protocol can not force them to leave Q.
36
Asymptotic DurationsAsymptotic Durations
A0 B0 C0
A1 B1 C1
0
4258 10
7
D(Mn) = max { dx,y (Mn) }
Mean durations:
md(M) = lim 1 . D(Mn)
mdx,y(M) = lim 1 . dx,y(Mn)
D(Mn) n . D(M) and mdx,y(M) dx,y(M)
Warning : asynchronous communications
n
n n
n