
Covert Channels



Presentation Transcript


  1. Covert Channels Daniel D. Salloum

  2. Overview • Introduction and background • General options • CCA Methods • More recent work • Future work

  3. Building Blocks • Origin: Butler Lampson • MLS • No read up • No write down • Definitions • Murdoch • Plethora of others

  4. Building Blocks • “Any object attribute that may be both modified and read by system operations is a candidate for a covert channel” – Murdoch • To distinguish the two in a network setting: • Steganography involves packet content • A covert channel involves header fields or transmission time

  5. Building Blocks • Storage Channel • “involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process” • Requires storage variables • Timing Channel • “involves a process that signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process” • Requires a common time reference

  6. Building Blocks • Timing • Generally more difficult to detect • Resolution usually carries heavy consequences • Time partitioning CPU can affect wanted process throughput • Affected by noise • Storage • Tools for its detection • More noise resilient

  7. Boundaries • Bandwidth is measured as bits/sec as opposed to hertz • Error correcting methods are proposed but will affect throughput

  8. Why do we care? • Keeping information within rightful owner boundaries • Trojans releasing important information without detection • MLS leaks to another level • Positives • Observed system/network with a need to release information • Plausible Deniability

  9. Applications • Gaming • Connect four championship due to collusion • Communication via move response time or redundancy • Attacking TOR (An anonymity system) • Uses traffic analysis as opposed to content information due to the “onion encryption” • Obtaining database information • SSN’s and other private info

  10. Problems • Covert channels are very hard to detect due to • Implementation possibilities • Looking like normal activity • Policy change may open some channels and close others • Some techniques are infeasible due to performance loss • Memory sharing • CPU allowance

  11. General Examples • One process can observe another process’s CPU time; more processes create noise (timing) • Disk head movement (timing) • Files created or destroyed (storage) • I/O devices (storage) • Page faults

  12. Covert Channel Analysis • Information flow analysis • Detects false illegal flow as well • Usually a small percentage can actually be utilized as covert channel • SRM (Shared Resource Matrix) • Covert communication when process A can read, process B can write, and security level of A < B.
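A shared resource matrix walk, added here as a worked example (it is not from the slides or any of the cited papers). The process names, security levels and resource attributes are constructed; the check implements the rule on this slide, flagging every attribute a higher-level process can modify and a lower-level process can read as a candidate channel for manual review.

```python
# Shared Resource Matrix (SRM) check: flag attributes that a higher-level
# process can modify and a lower-level process can read.  Matrix contents
# and process names are constructed for illustration, not a real system.

# Security levels: larger number = more sensitive (MLS "no write down").
LEVELS = {"low_proc": 0, "high_proc": 1, "audit_daemon": 2}

# Rows are shared resource attributes, columns are processes; each cell
# lists the operations the process may perform: R = read, M = modify.
SRM = {
    "file.lock_flag":   {"high_proc": {"R", "M"}, "low_proc": {"R"}},
    "disk.free_blocks": {"high_proc": {"M"},      "low_proc": {"R"}},
    "proc.cpu_time":    {"high_proc": {"R"},      "low_proc": {"R"}},
    "net.send_queue":   {"audit_daemon": {"M"},   "low_proc": {"M"}},
}

def candidate_channels(srm, levels):
    """Return sorted (attribute, writer, reader) triples where the writer's
    level is strictly above the reader's.  Each triple is only a candidate:
    as the slide notes, most flagged flows cannot actually carry data."""
    found = []
    for attr, cells in srm.items():
        writers = [p for p, ops in cells.items() if "M" in ops]
        readers = [p for p, ops in cells.items() if "R" in ops]
        for w in writers:
            for r in readers:
                if w != r and levels[r] < levels[w]:
                    found.append((attr, w, r))
    return sorted(found)

def channel_kind(attr):
    """Constructed heuristic: time-like attributes are timing channels,
    everything else is a storage channel (slide 5's two classes)."""
    return "timing" if "time" in attr else "storage"

if __name__ == "__main__":
    for attr, writer, reader in candidate_channels(SRM, LEVELS):
        print(f"{channel_kind(attr):7} {attr}: {writer} -> {reader}")
```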

  13. Covert Channel Analysis • Noninterference analysis • Deals with machine states • “if inputs from one user process could not affect the outputs of another, then no information could be transmitted from the first to the second” – Goguen and Meseguer • Adds a semantic component to flow analysis • Evaluates the kernel code • Implemented manually by skilled personnel

  14. Timing Channel Countermeasures • Virtualize the clock in the system by resetting it at every context switch • Could make the system useless • Addition of noise • Adding processes to a system may reduce channel bandwidth, but adds unwanted overhead to the system

  15. Passive Network Timing Channel • Using passive network covert channels allows attackers to obtain information without triggering network firewalls. • Encryption prevents unauthorized parties from decoding communication

  16. Passive Network Timing Channel • Network storage channels are detected by looking for changes in header fields • A.I. is often used • Eliminated by standardizing these fields • Timing channels are detected via packet transmission time modulation • Eliminated via network jammers

  17. On Passive… • Passive channels are harder to identify and eliminate • They do not generate packets of their own, which avoids attracting security scrutiny • To construct one: • Buffer media packets • Exploit traffic fluctuation

  18. Passive Network Timing Channel • How it works • When the media packets arrive at the sender’s location, the sender temporarily buffers the packets and then forwards them at a carefully planned time, instead of forwarding them as quickly as possible. The information transmitted over the channel is encoded into the forwarding time of the media packets. • Receiver observes packet transmission from another node either on the path or at the destination

  19. Problems • Interval jitter • Thus FI0 and FI1 must be negotiated • Packet loss • Uses a type of error correction based on a selected length for data sections, and encapsulates these into a series of frames • Buffer overflow • Packet exhaustion
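Detection from the receiver's side, as an added example for these notes (not code from the slides or the cited paper): the sender described in slides 18 and 19 releases buffered packets at one of two negotiated intervals, so the observed inter-arrival gaps collapse onto two tight clusters while normally forwarded traffic spreads out under jitter. The traffic below is constructed; the threshold of 0.1 is an assumption chosen for this synthetic data.

```python
# Detector for a two-interval passive timing channel.  Added example for
# these notes; traffic below is constructed, not a real capture.  A sender
# forwarding buffered packets at two negotiated intervals (FI0, FI1) makes
# the inter-arrival gaps collapse onto two tight clusters; natural jitter
# spreads them out.  Compare within-cluster spread to centre separation.
import random

def inter_arrivals(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def two_means(values, iters=20):
    """1-D k-means with k=2, seeded at the smallest and largest gap."""
    c0, c1 = min(values), max(values)
    for _ in range(iters):
        g0 = [v for v in values if abs(v - c0) <= abs(v - c1)]
        g1 = [v for v in values if abs(v - c0) > abs(v - c1)]
        if not g0 or not g1:
            break
        c0, c1 = sum(g0) / len(g0), sum(g1) / len(g1)
    return c0, c1, g0, g1

def modulation_score(timestamps):
    """Mean absolute deviation inside the two clusters divided by the
    distance between their centres; near 0 means gaps sit on two fixed
    intervals, as a covert timing channel would produce."""
    gaps = inter_arrivals(timestamps)
    if len(gaps) < 2:
        return float("inf")
    c0, c1, g0, g1 = two_means(gaps)
    if not g0 or not g1 or c0 == c1:
        return float("inf")
    spread = sum(abs(v - c0) for v in g0) + sum(abs(v - c1) for v in g1)
    return spread / len(gaps) / abs(c1 - c0)

def looks_modulated(timestamps, threshold=0.1):
    return modulation_score(timestamps) < threshold

def constructed_stream(modulated, n=300, seed=7):
    """Constructed arrival times.  Modulated: gaps of FI0=20ms or FI1=40ms
    with +-1ms jitter.  Natural: gaps uniform over 10..60ms."""
    rng = random.Random(seed)
    t, stamps = 0.0, [0.0]
    for _ in range(n):
        if modulated:
            gap = rng.choice((0.020, 0.040)) + rng.uniform(-0.001, 0.001)
        else:
            gap = rng.uniform(0.010, 0.060)
        t += gap
        stamps.append(t)
    return stamps
```

On real captures the score should be compared against a baseline measured on known-clean traffic of the same application, since some media codecs already emit at fixed intervals.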

  20. Ad Hoc Covert • Manipulates network protocols to construct covert channels • Proposes virtually undetectable covert channel • Information is hidden in the “dynamic splitting process” • Performance depends on • Network size • User mobility • Traffic rate • Transmission range

  21. Ad Hoc • Their proposal is based on contention-based MAC • Individual nodes make their own decisions • How it works • Covert transmission can be realized by controlling the splitting procedure. Upon collision, the CT decides which subset to join according to the covert symbol it wishes to transmit. For example, ‘1’ is transmitted if it joins the left subset, and ‘0’ is transmitted if it joins the right subset. • The CR only passively monitors channel feedback

  22. Modes of Operation • Conservative mode • Claims the channel is absolutely undetectable • CT transmits only when it has a packet • Aggressive mode • May facilitate detection of CT • Generates new packets when none are available • Strategic mode • Finds a happy medium between the two

  23. Cluster Based Channel • Presents a new, plausible-deniability approach to storing information in cluster-based file systems • The user can deny that any hidden data exists on the disk • Fragmentation on a disk is normal, so not all of it will be hiding information • Encrypted information is easy to detect, and the owner can be forced to reveal the password • Proposes a methodology for modifying the fragmentation pattern in the cluster distribution of an existing file • Departs from the usual communication-protocol avenue and takes the information-hiding route instead

  24. Based on the FAT file system • How it works

  25. Cluster Based Channel • Can utilize a marker that is communicated between the concerned parties • Runs into a problem when consecutive unallocated clusters are not available

  26. Revision • Breaks the code into 3-bit symbols and takes the cluster gap mod 8, e.g. 9 mod 8 = 1

  27. Problems • Accidental overwrites are likely and will corrupt the data • Disk defrag, file renaming • If other copies are made, it will use a lot of space • From their results, a 160 GB disk could hold about 20 MB of hidden information

  28. Temperature Based Channel • CPU load on a node varies its clock skew • The effect can be measured remotely by requesting timestamps • Used to check whether a remote node was busy (another traffic analysis technique for evaluating TOR)

  29. Notes • The crystal oscillator driving the system clock is affected by temperature • Clock skew is the ratio between actual and nominal clock frequencies • A skew deviation of 1-2 PPM is small, while a 50 PPM difference is significant, giving a “fingerprint” • The paper assumes 1 PPM, yielding 4-6 bits of information

  30. Issues • Different operating systems change TCP timestamp values, with resolution from 2 Hz to 1 kHz • Does not work on ICMP timestamps because they are generated after skew adjustment • Cannot calculate the absolute clock skew • Clock skew yields temperature changes, not absolute temperature • Some nodes may have a temperature-compensated crystal oscillator

  31. Future Work • Research on preventing collusion in internet gaming • Timing channel detection • Bandwidth of various covert channels • Further research on temperature covert channels • Design and countermeasures of and against covert attacks especially in ad hoc environments • Evaluate time stamping on network cards with on-board time stamping

  32. References
  • Hassan Khan, Mobin Javed, Syed Ali Khayam, Fauzan Mirza, “Designing a cluster-based covert channel to evade disk investigation and forensics”, Computers & Security, Volume 30, Issue 1, January 2011, Pages 35-49, ISSN 0167-4048, doi:10.1016/j.cose.2010.10.005. (http://www.sciencedirect.com/science/article/pii/S016740481000088X) Keywords: Information hiding; Steganography; Covert channels; Disk forensics; Digital watermarking
  • Song Li, Anthony Ephremides, “Covert channels in ad-hoc wireless networks”, Ad Hoc Networks, Volume 8, Issue 2, March 2010, Pages 135-147, ISSN 1570-8705, doi:10.1016/j.adhoc.2009.04.006. (http://www.sciencedirect.com/science/article/pii/S1570870509000390) Keywords: Ad-hoc networks; Security; Covert channel; Routing protocol; Media access control
  • Xiaochao Zi, Lihong Yao, Li Pan, Jianhua Li, “Implementing a passive network covert timing channel”, Computers & Security, Volume 29, Issue 6, September 2010, Pages 686-696, ISSN 0167-4048, doi:10.1016/j.cose.2009.12.010. (http://www.sciencedirect.com/science/article/pii/S0167404809001485) Keywords: Network security; Network covert channel; Passive covert timing channel; VOD traffic; Frame synchronization; Error correction
  • http://www.fas.org/irp/nsa/rainbow/tg030.htm
  • http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf
