This paper reviews the concept of covert channels in high assurance computing, focusing on quasi-anonymous channels and the analysis of discrete memoryless channels (DMC) for both single and multiple senders. It highlights communication that contravenes design intentions, examining both storage and timing channels. Through examples like file systems and time-sharing hosts, it illustrates the operational mechanisms of covert channels. The work also explores Mix-firewall models and their implications for multi-sender communication, emphasizing the complexities and limitations of collusion in covert channel capacities.
Multiple Access Covert Channels • Ira Moskowitz, Naval Research Lab, moskowitz@nrl.itd.navy.mil • Richard Newman, Univ. of Florida, nemo@cise.ufl.edu
Focus • Review covert channels from high assurance computing and anonymity • Define quasi-anonymous channel • Review analysis of single sender DMC • Analyze 2-sender DMC
Covert Channels • CC = communication contrary to design • Storage channels and timing channels • Storage channel capacity given by mutual information, in bits per symbol • Timing channel capacity analysis requires optimizing ratio of mutual information to expected time cost
Storage Channel Example • File system full/not full • High fills/leaves space in FS to signal 1 or 0 • Low tries to obtain space and fails or succeeds to “read” 1 or 0 • Low returns system to previous state
Timing Channel Example • High uses full time quantum in time sharing host to send 1, gives up CPU early to send 0 • Low measures time gaps between accesses to “read” 1 or 0
Anonymity Systems • Started with Chaum Mixes • Mix receives encrypted, padded msg • Decrypts/re-encrypts padded msg • Delays forwarding msg • Scrambles order of msg forwarding
Mixes • Mix may be timed (count number of msgs forwarded each time it fires) • Mix may fire when threshold reached (count time between firings) • Mixes may be chained • Studied timed Mix-firewalls and covert channels – now for threshold Mix-firewalls
Mix-firewall CC Model • Alice behind M-F • Eve listening to output of M-F • Clueless senders behind M-F • Each sender (Alice or Clueless) may either send or not send a msg each tick • Alice modulates her behavior to try to communicate with Eve
Channel Model • Discrete storage channel • Each clueless sends 0 or 1 msg per tick • Clueless are i.i.d. Bernoulli random vars • Alice sends 0 or 1 msg per tick • Eve counts msgs per Mix firing • Clueless act as noise, rate decreases to zero as N increases (for fixed p)
Two Transmitter Model • Now two Alices, Alice1 and Alice2 • Each Alice has a quasi-anonymous channel to Eve • Alices act as noise with respect to each other
NRL Pump • NRL Network Pump considered multiple senders before • Lows send to Highs, with the timing of ACKs forming a CC from Highs to Lows • Pump modulates ACK timing to reduce the CC rate (but not eliminate it) • Highs interfere with each other’s timing • Pump uses timing channels – can’t apply
Degree of Collusion • If Alices work perfectly together, then can achieve C=log 3 bits/tick data rate (assuming no clueless) • “Existence assumption” - assume Alices know of each other (stationary), and pre-arrange coding, but do not collude once transmission begins
Shannon Channel • Distributions X, Y • Mutual Information I(X;Y) = I(Y;X), I(X;Y) = H(X) – H(X|Y) • Entropy H(X) and conditional entropy H(X|Y) • Capacity C = max_X I(X;Y)
Multiple Access Channels • Now have two inputs, X1 and X2 • Existence assumption, with a priori knowledge • Achievable error-free rates are joint • Rate pair (R1,R2) • Capacity estimated (incorrectly) as: C = log n / [(TM + TR )/2]
Multiple Access Channels • Mutual Information for A, B, C: I(A;B|C) = H(A|C) – H(A|B,C) and I(A,B;C) = H(A,B) – H(A,B|C) • Rate pair (R1,R2) must satisfy: 0 <= R1 <= I(X1;Y|X2), and 0 <= R2 <= I(X2;Y|X1), and 0 <= R1 + R2 <= I(X1,X2;Y)
Channel Transitions • 0,0 → 0 • 0,1 → 1 • 1,0 → 1 • 1,1 → 2
Collaborating Alices • Can conspire to send data at rate 3/2 • Max possible is log2 3 = 1.58 • With feedback, can do better than 3/2: each at rate .76! (Gaarder & Wolf)
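The rate bounds from the Multiple Access Channels slide, evaluated for the noiseless two-Alice channel in which Eve's count is y = x1 + x2. This is an added example, not part of the original slides: it shows that independent inputs give a sum rate of 3/2 while a joint (colluding) input law reaches log2 3. The function names and the COLLUDING distribution are constructed here for illustration.

```python
from math import log2

def H(dist):
    """Shannon entropy (bits) of a {outcome: probability} dict."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def marginal(joint, idx):
    """Marginalise a joint law keyed by tuples onto positions idx."""
    out = {}
    for key, p in joint.items():
        sub = tuple(key[i] for i in idx)
        out[sub] = out.get(sub, 0.0) + p
    return out

def mac_bounds(inputs):
    """Return (I(X1;Y|X2), I(X2;Y|X1), I(X1,X2;Y)) for y = x1 + x2.

    inputs maps (x1, x2) to probability; tuple positions are 0=X1, 1=X2, 2=Y.
    """
    joint = {(x1, x2, x1 + x2): p for (x1, x2), p in inputs.items()}
    h = lambda *idx: H(marginal(joint, idx))
    # I(A;B|C) = H(A|C) - H(A|B,C), with H(U|V) = H(U,V) - H(V)
    i1 = (h(0, 1) - h(1)) - (h(0, 1, 2) - h(1, 2))
    i2 = (h(0, 1) - h(0)) - (h(0, 1, 2) - h(0, 2))
    # I(X1,X2;Y) = H(Y) - H(Y|X1,X2)
    i_sum = h(2) - (h(0, 1, 2) - h(0, 1))
    return i1, i2, i_sum

def independent(p1, p2):
    """Alices who pre-arrange coding but do not collude: X1, X2 independent."""
    return {(a, b): (p1 if a else 1 - p1) * (p2 if b else 1 - p2)
            for a in (0, 1) for b in (0, 1)}

def best_independent_sum(steps=100):
    """Grid search for the largest sum rate with independent inputs."""
    grid = [i / steps for i in range(steps + 1)]
    return max(mac_bounds(independent(p, q))[2] for p in grid for q in grid)

# Constructed colluding input law: the three outputs 0, 1, 2 equiprobable.
COLLUDING = {(0, 0): 1 / 3, (0, 1): 1 / 3, (1, 1): 1 / 3}

if __name__ == "__main__":
    print("independent, p=1/2:", mac_bounds(independent(0.5, 0.5)))
    print("best independent sum rate:", best_independent_sum())
    print("colluding sum rate:", mac_bounds(COLLUDING)[2])
```

Each individual bound is 1 bit/tick at p = 1/2, but the sum bound of 3/2 is the binding constraint, so both Alices cannot run at full rate at once.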
Conclusions • Introduced multiple access channels into analysis of covert channels • Analyzed simple (noiseless) channel with two Alices • Noted effects of varying levels of collusion • Noted difficulties with timing channels • Can’t study CCs in isolation!