Covert Channels
Daniel D. Salloum
Overview
• Introduction and background
• General options
• CCA (covert channel analysis) methods
• More recent work
• Future work
Building Blocks
• Origin: Butler Lampson’s note on the confinement problem
– Multilevel security (MLS)
• No read up
• No write down
• Definitions
– Murdoch
– Plethora of others
Building Blocks
• “Any object attribute that may be both modified and read by system operations is a candidate for a covert channel” – Murdoch
• To distinguish the two in a network setting:
– Steganography hides information in the packet content (payload)
– A covert channel uses header fields (storage) or transmission timing (timing)
Building Blocks
• Storage Channel (TCSEC definition)
– “involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process”
– Requires a shared storage variable
• Timing Channel (TCSEC definition)
– “involves a process that signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process”
– Requires a common time reference
Building Blocks
• Timing channels
– Generally more difficult to detect
– Closing them usually carries heavy consequences
• Time-partitioning the CPU, for example, reduces the throughput of legitimate processes
– More affected by noise
• Storage channels
– Tools exist for their detection
– More noise resilient
Boundaries
• Covert channel bandwidth is measured in bits/sec, not in hertz
• Error-correcting codes have been proposed to cope with noise, but they cost throughput
Why do we care?
• Keeping information within its rightful owner’s boundaries
– Trojan horses leaking sensitive information without detection
– MLS: information leaking from a higher level to a lower one
• Positives
– A monitored system/network whose users have a legitimate need to release information
– Plausible deniability
Applications
• Gaming
– Collusion in a Connect Four championship
– Communication via move response time or via the choice among equivalent (redundant) moves
• Attacking Tor (an anonymity system)
– Uses traffic analysis rather than content, since the “onion encryption” hides the content
• Obtaining database information
– SSNs and other private information
Problems
• Covert channels are very hard to detect because of
– The many possible implementations
– Their resemblance to normal activity
• A policy change may close some channels and open others
• Some countermeasures are infeasible because of the performance loss they cause
– Eliminating memory sharing
– Fixed CPU allocation
General Examples
• One process can measure another process’ CPU usage; additional processes add noise (timing)
• Disk head movement (timing)
• Files created or deleted (storage)
• I/O device status (storage)
• Page faults
Covert Channel Analysis
• Information flow analysis
– Also flags illegal flows that turn out to be false positives
• Usually only a small percentage of the flagged flows can actually be used as a covert channel
• SRM (Shared Resource Matrix)
– A potential covert channel exists when process A can read an attribute that process B can write and the security level of A is lower than that of B
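As an added example (not from the slides or from NCSC-TG-030), the following Python builds a shared resource matrix for a constructed five-primitive kernel model and applies the criterion above to it. The primitives, the shared attributes they reference or modify, and the per-level set of callable primitives are all assumptions chosen for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed kernel model (assumption): each primitive lists the attributes of
# shared resources that it references (reads) and modifies (writes).
PRIMITIVES: Dict[str, Dict[str, Set[str]]] = {
    "create_file": {"reads": {"disk_free", "dir_entries"}, "writes": {"disk_free", "dir_entries"}},
    "delete_file": {"reads": {"dir_entries"},              "writes": {"disk_free", "dir_entries"}},
    "list_dir":    {"reads": {"dir_entries"},              "writes": set()},
    "fork":        {"reads": {"pid_counter"},              "writes": {"pid_counter"}},
    "get_pid":     {"reads": {"pid_counter"},              "writes": set()},
}


def build_matrix(prims: Dict[str, Dict[str, Set[str]]] = PRIMITIVES) -> Dict[str, Dict[str, str]]:
    """Shared Resource Matrix: rows are attributes, columns are primitives, and
    each cell records whether the primitive references (R) and/or modifies (M)
    the attribute.  (The full method also propagates indirect references via
    a transitive closure; this toy model only has direct ones.)"""
    attrs: Set[str] = set()
    for p in prims.values():
        attrs |= p["reads"] | p["writes"]
    return {a: {name: ("R" if a in p["reads"] else "") + ("M" if a in p["writes"] else "")
                for name, p in prims.items()}
            for a in sorted(attrs)}


def candidate_channels(matrix: Dict[str, Dict[str, str]],
                       allowed: Dict[int, Set[str]]) -> List[Tuple[str, str, str]]:
    """Flag (attribute, writer, reader) triples where a subject at a higher
    level may invoke a primitive that modifies the attribute while a subject
    at a lower level may invoke one that reads it: the SRM criterion from the
    slide (A reads, B writes, level(A) < level(B)).  `allowed` maps a security
    level (larger = higher) to the primitives that level may invoke.  These are
    only candidates; deciding which ones carry usable bandwidth is manual work."""
    found: List[Tuple[str, str, str]] = []
    levels = sorted(allowed)
    for attr, row in matrix.items():
        for hi in levels:
            for lo in levels:
                if lo >= hi:
                    continue
                for writer in sorted(allowed[hi]):
                    if "M" not in row.get(writer, ""):
                        continue
                    for reader in sorted(allowed[lo]):
                        if "R" in row.get(reader, ""):
                            found.append((attr, writer, reader))
    return found


if __name__ == "__main__":
    m = build_matrix()
    for attr, row in m.items():
        print(f"{attr:12s}", "  ".join(f"{n}:{v or '-'}" for n, v in row.items()))
    # Assumed policy: level 1 (high) may call everything, level 0 (low) only a subset.
    levels = {1: set(PRIMITIVES), 0: {"create_file", "list_dir", "get_pid"}}
    for attr, writer, reader in candidate_channels(m, levels):
        print(f"candidate: high '{writer}' modifies {attr}, low '{reader}' reads it")
```

The disk-free and directory-entry rows are the classic resource-exhaustion and file-name channels; the matrix does not say how many bits per second they yield, only that they deserve a closer look.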
Covert Channel Analysis
• Noninterference analysis
– Reasons about machine states
• “if inputs from one user process could not affect the outputs of another, then no information could be transmitted from the first to the second” – Goguen and Meseguer
• Adding a semantic component to flow analysis
– Evaluates the kernel code itself
– Done manually by skilled personnel
Timing Channel Countermeasures
• Virtualize the clock by resetting it at every context switch
– Could make the system useless
• Addition of noise
– Adding processes to a system may reduce channel bandwidth, but adds unwanted overhead to the system
Passive Network Timing Channel
• Passive network covert channels let attackers obtain information without triggering network firewalls
• Encryption prevents unauthorized parties from decoding the content of a communication, but not from observing its timing
Passive Network Timing Channel
• Network storage channels are detected by looking for anomalous values in header fields
– Machine-learning (A.I.) classifiers are often used
• They are eliminated by normalizing these fields
• Timing channels are detected by looking for modulation of packet transmission times
• They are eliminated with network “jammers” that re-time packets with random delay
On Passive…
• Passive channels are harder to identify and eliminate
– They generate no packets of their own, so they raise no suspicion about traffic volume
• To construct one:
– Buffer media packets
– Hide the added delay in normal traffic fluctuation
Passive Network Timing Channel
• How it works
– When media packets arrive at the sender’s location, the sender temporarily buffers them and forwards each one at a carefully planned time, instead of forwarding it as quickly as possible. The covert information is encoded in the forwarding times of the media packets.
– The receiver observes the packet transmissions from another node, either on the path or at the destination
Problems
• Interval jitter
– So the forwarding intervals FI0 (for bit 0) and FI1 (for bit 1) must be negotiated far enough apart
• Packet loss
– Handled with error correction: the data are divided into sections of a selected length and encapsulated in a series of frames
• Buffer overflow (packets held too long)
• Packet exhaustion (no media packets available to carry symbols)
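The sender/receiver exchange above, simulated in Python as an added example (this is not code from Zi et al.; the forwarding intervals FI0 = 20 ms and FI1 = 80 ms, the Gaussian jitter model, the 8-bit preamble used for frame synchronization and the loss model are all assumptions). It shows the two failure modes from the slide: jitter, which is why FI0 and FI1 must be negotiated far enough apart, and packet loss, which merges two inter-arrival gaps into one symbol.

```python
import random
from typing import List, Optional

# Assumed parameters (not from the paper): negotiated forwarding intervals
# and a constructed frame-sync preamble.
FI0 = 0.020                      # seconds after the previous packet => bit 0
FI1 = 0.080                      # seconds after the previous packet => bit 1
THRESHOLD = (FI0 + FI1) / 2      # receiver's decision boundary
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]


def encode(bits: List[int]) -> List[float]:
    """Covert sender: instead of forwarding each buffered media packet as soon
    as it arrives, release it FI0 or FI1 seconds after the previous one.
    The first packet only serves as the timing reference."""
    send_times = [0.0]
    for b in PREAMBLE + list(bits):
        send_times.append(send_times[-1] + (FI1 if b else FI0))
    return send_times


def observe(send_times: List[float], jitter_sd: float = 0.0,
            drop_index: Optional[int] = None, seed: int = 1) -> List[float]:
    """What the covert receiver sees from its vantage point on the path:
    each packet shifted by Gaussian delay jitter (constructed noise model)
    and, optionally, one packet lost in transit."""
    rng = random.Random(seed)
    arrivals = [t + rng.gauss(0.0, jitter_sd) for t in send_times]
    if drop_index is not None:
        del arrivals[drop_index]
    return arrivals


def decode(arrival_times: List[float]) -> List[int]:
    """Covert receiver: threshold the inter-arrival gaps, then use the
    preamble to find where the frame starts."""
    gaps = [later - earlier for earlier, later in zip(arrival_times, arrival_times[1:])]
    symbols = [1 if g > THRESHOLD else 0 for g in gaps]
    for i in range(len(symbols) - len(PREAMBLE) + 1):
        if symbols[i:i + len(PREAMBLE)] == PREAMBLE:
            return symbols[i + len(PREAMBLE):]
    return []          # no frame sync: nothing can be decoded


def min_separation(jitter_sd: float, sigmas: float = 4.0) -> float:
    """How far apart FI0 and FI1 must be negotiated for a given jitter: the
    difference of two jittered arrivals has sd sqrt(2)*jitter_sd, and the
    threshold should sit `sigmas` such deviations away from both intervals."""
    return 2 * sigmas * (2 ** 0.5) * jitter_sd


def transmit(bits: List[int], jitter_sd: float = 0.0,
             drop_index: Optional[int] = None) -> List[int]:
    """End-to-end: sender -> jittery/lossy path -> receiver."""
    return decode(observe(encode(bits), jitter_sd, drop_index))


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    print("clean:          ", transmit(payload))
    print("5 ms jitter:    ", transmit(payload, jitter_sd=0.005))
    print("one packet lost:", transmit(payload, drop_index=12))
    print("FI1-FI0 needed for 5 ms jitter: %.3f s" % min_separation(0.005))
```

With 5 ms of jitter the 60 ms separation is comfortably above the 4-sigma figure from `min_separation`, so the payload survives; losing a single packet shortens the decoded frame by one symbol and shifts everything after it, which is the error the paper's frame-based error correction exists to catch.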
Ad Hoc Covert
• Manipulates network protocols to construct covert channels
• Proposes a virtually undetectable covert channel
• Information is hidden in the “dynamic splitting process” of collision resolution
• Performance depends on
– Network size
– User mobility
– Traffic rate
– Transmission range
Ad Hoc
• Their proposal targets contention-based MAC
– Individual nodes make their own decisions
• How it works
– Covert transmission is realized by controlling the splitting procedure. Upon a collision, the covert transmitter (CT) decides which subset to join according to the covert symbol it wishes to transmit: for example, ‘1’ is transmitted if it joins the left subset and ‘0’ if it joins the right subset.
– The covert receiver (CR) only passively monitors the channel feedback
Modes of Operation
• Conservative mode
– Claims the channel is absolutely undetectable
– The CT transmits only when it has a packet to send
• Aggressive mode
– May facilitate detection of the CT
– Generates new packets when none are available
• Strategic mode
– Finds a happy medium between the two
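The splitting procedure and the two main modes, simulated in Python as an added example (this is not Li and Ephremides’ code). It assumes a binary splitting-tree collision-resolution algorithm in which the left subset is always served first, a network of four nodes with constructed traffic probabilities, and that the CR can recognize the CT’s packet when it finally succeeds; node ids, the feedback encoding and the packet-arrival model are all constructed.

```python
import random
from typing import List, Tuple

LEFT, RIGHT = "L", "R"        # after a split the left subset is served first
Feedback = Tuple[str, int]    # (outcome, sender id if 'success' else -1)


def resolve(contenders: List[int], ct: int, bits: List[int],
            rng: random.Random, log: List[Feedback]) -> None:
    """Binary splitting-tree collision resolution for one contention period,
    appending the channel feedback every node can hear to `log`.
    Ordinary nodes join a subset at random; the covert transmitter `ct`
    joins according to its next covert bit (1 -> left, 0 -> right), falling
    back to a random choice once its bits are exhausted."""
    if not contenders:
        log.append(("idle", -1))
        return
    if len(contenders) == 1:
        log.append(("success", contenders[0]))
        return
    log.append(("collision", -1))
    left, right = [], []
    for node in contenders:
        if node == ct and bits:
            side = LEFT if bits.pop(0) == 1 else RIGHT
        else:
            side = rng.choice((LEFT, RIGHT))
        (left if side == LEFT else right).append(node)
    resolve(left, ct, bits, rng, log)
    resolve(right, ct, bits, rng, log)


def cr_decode(log: List[Feedback], ct: int) -> List[int]:
    """Covert receiver: rebuild the splitting tree from the feedback sequence
    alone and read off the subset choices on the path to each of ct's
    successful slots.  The receiver never transmits anything."""
    pending: List[tuple] = []
    bits: List[int] = []
    for outcome, sender in log:
        path = pending.pop() if pending else ()   # empty stack = new period
        if outcome == "collision":
            pending.append(path + (RIGHT,))
            pending.append(path + (LEFT,))        # left is served first
        elif outcome == "success" and sender == ct:
            bits.extend(1 if side == LEFT else 0 for side in path)
    return bits


def run(bits: List[int], ct: int = 0, others=(1, 2, 3), mode: str = "aggressive",
        p_packet: float = 0.5, seed: int = 7, max_rounds: int = 200) -> List[Feedback]:
    """Drive contention periods until every covert bit has been consumed.
    Conservative mode: ct contends only when it has a real packet (modelled
    as probability p_packet).  Aggressive mode: ct contends every period,
    manufacturing packets if needed, which is what may give it away."""
    rng = random.Random(seed)
    queue = list(bits)
    log: List[Feedback] = []
    for _ in range(max_rounds):
        if not queue:
            break
        contenders = [n for n in others if rng.random() < 0.5]  # constructed traffic
        if mode == "aggressive" or rng.random() < p_packet:
            contenders.append(ct)
        resolve(contenders, ct, queue, rng, log)
    return log


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    for mode in ("aggressive", "conservative"):
        log = run(message, mode=mode)
        print(f"{mode:12s} periods used: {sum(1 for _ in log):3d} feedback slots,",
              "CR decoded:", cr_decode(log, ct=0)[:len(message)])
```

Once the CT's bits run out it reverts to random choices, so the CR sees a few trailing random bits after the message; a real deployment needs framing on top, exactly as the passive timing channel does. Note how the conservative run takes more periods for the same message: covert bits only move when the CT has genuine traffic to contend with.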
Cluster Based Channel
• Presents a new, plausible-deniability approach to storing information in cluster-based file systems
– The user can deny that any hidden data exists on the disk
• Fragmentation on a disk is normal, so not all of it will be hiding information
• Encrypted information is easy to detect, and the owner can be forced to reveal the password
• Proposes a methodology for modifying the fragmentation pattern in the cluster distribution of an existing file
• Departs from the usual communication-protocol avenue and goes down the information-hiding route
How it works
• Based on the FAT file system
Cluster Based Channel
• Can utilize a marker that is communicated between the concerned parties
• Runs into a problem when consecutive unallocated clusters are not available
Revision
• Breaks the code into 3-bit symbols and encodes each as the gap between consecutive clusters modulo 8
– e.g. a gap of 9 clusters encodes 9 mod 8 = 1
Problems
• Accidental overwrites are likely and will corrupt the data
– Disk defragmentation, file renaming
• If other copies are made, it will use a lot of space
• From the results, a 160 GB disk could hold about 20 MB of hidden information
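The revised encoding (3 bits per gap, gap mod 8), worked through in Python as an added example; this is not Khan et al.'s code. It operates on a constructed FAT-style allocation bitmap rather than a real volume, takes the nearest free cluster at a suitable distance, assumes the receiver already knows where the cover file starts and how many bytes are hidden (the "marker" the slide mentions is out of scope), and demonstrates both problems from the slides: no free cluster at a usable distance, and a defragmenter rewriting the chain.

```python
from typing import List

SYMBOL_BITS = 3
MOD = 1 << SYMBOL_BITS      # 8: each gap between consecutive clusters carries gap % 8


def to_symbols(data: bytes) -> List[int]:
    """Split the payload into 3-bit symbols (zero-padded at the end)."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % SYMBOL_BITS)
    return [int(bits[i:i + SYMBOL_BITS], 2) for i in range(0, len(bits), SYMBOL_BITS)]


def from_symbols(symbols: List[int], nbytes: int) -> bytes:
    """Inverse of to_symbols; the receiver is assumed to know the length."""
    bits = "".join(f"{s:03b}" for s in symbols)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, 8 * nbytes, 8))


def hide(symbols: List[int], free: List[bool], start: int, max_gap: int = 64) -> List[int]:
    """Lay out the cover file's cluster chain so that each gap between
    consecutive clusters is congruent to the next symbol mod 8.  `free` is the
    allocation bitmap (True = unallocated); the nearest suitable free cluster
    is taken, capped at max_gap so the file does not sprawl over the volume.
    Raises when no cluster at the right distance is free, the failure mode
    the slide mentions."""
    free = list(free)                      # work on a copy of the bitmap
    chain = [start]
    free[start] = False
    for s in symbols:
        prev = chain[-1]
        gap = s if s else MOD              # symbol 0 is a gap of 8, 16, ...
        while gap <= max_gap:
            nxt = prev + gap
            if nxt < len(free) and free[nxt]:
                break
            gap += MOD
        else:
            raise RuntimeError(f"no free cluster at distance {s} mod {MOD} after cluster {prev}")
        chain.append(nxt)
        free[nxt] = False
    return chain


def reveal(chain: List[int]) -> List[int]:
    """Read the symbols back from the FAT chain of the cover file."""
    return [(b - a) % MOD for a, b in zip(chain, chain[1:])]


def defragment(chain: List[int]) -> List[int]:
    """What a defragmenter (or a copy to another volume) does to the chain:
    the file is re-laid out contiguously, every gap becomes 1, and the
    hidden payload is gone."""
    return list(range(chain[0], chain[0] + len(chain)))


if __name__ == "__main__":
    # Constructed allocation bitmap: every fifth cluster is already in use.
    bitmap = [i % 5 != 0 for i in range(4096)]
    chain = hide(to_symbols(b"Hi"), bitmap, start=3)
    print("chain:       ", chain)
    print("recovered:   ", from_symbols(reveal(chain), 2))
    print("after defrag:", reveal(defragment(chain)))
```

Each symbol costs one extra cluster of the cover file, which is where the slide's figure of roughly 20 MB hidden per 160 GB comes from: the capacity is bounded by the number of clusters you can plausibly fragment, not by the disk size.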
Temperature Based Channel
• CPU load on a node changes its temperature, which in turn varies its clock skew
• The effect can be measured remotely by requesting timestamps
• Used to check whether a remote node was busy (another traffic-analysis technique for evaluating Tor)
Notes
• The crystal oscillator driving the system clock is affected by temperature
• Clock skew is the deviation of the actual clock frequency from the nominal one, as a ratio (actual minus nominal, over nominal), expressed in PPM
• Temperature shifts the skew by only 1–2 PPM, whereas differences of up to 50 PPM between machines give each a “fingerprint”
• The paper assumes 1 PPM of usable variation, yielding 4–6 bits of information
Issues
• Different operating systems update the TCP timestamp value at different rates, with resolutions from 2 Hz to 1 kHz
• Does not work on ICMP timestamps because they are taken from the system clock, which is already skew-adjusted
• Cannot calculate the absolute clock skew, only the skew relative to the observer’s clock
• Clock skew yields temperature changes, not absolute temperature
• Some nodes may have a temperature-compensated crystal oscillator
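The skew measurement, as an added Python example (not Murdoch's code). The samples are constructed: a remote host whose clock runs a configurable number of PPM fast relative to the observer's, stamping packets at an assumed 1 kHz timestamp rate with integer truncation to model the timestamp resolution, plus Gaussian path jitter. The estimator is a plain least-squares fit of remote-minus-local time against local time, and the two helper functions make the two caveats from the slide concrete: only changes in skew are observable, and a slow timestamp clock needs a much longer window.

```python
import random
from typing import List, Tuple

Sample = Tuple[float, int]   # (observer's arrival time in s, remote TCP timestamp in ticks)


def remote_timestamps(local_times: List[float], skew_ppm: float, hz: int,
                      jitter_sd: float = 0.001, seed: int = 3) -> List[Sample]:
    """Constructed observation of a remote host whose clock runs
    (1 + skew_ppm*1e-6) times as fast as the observer's.  The host stamps each
    packet with int(time * hz), so the timestamp resolution is 1/hz, and the
    path adds Gaussian delay jitter to the observed arrival time."""
    rng = random.Random(seed)
    return [(t + rng.gauss(0.0, jitter_sd), int(t * (1 + skew_ppm * 1e-6) * hz))
            for t in local_times]


def estimate_skew_ppm(samples: List[Sample], hz: int) -> float:
    """Least-squares slope of (remote time - local time) against local time.
    Only relative skew is observable: the observer's own clock is the reference."""
    n = len(samples)
    xs = [t for t, _ in samples]
    ys = [ts / hz - t for t, ts in samples]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def skew_change_ppm(before: List[Sample], after: List[Sample], hz: int) -> float:
    """Difference between two windows' skew estimates.  The absolute skew (and
    the observer's own drift) cancels, leaving the shift caused by a change in
    the remote host's temperature, e.g. idle versus busy CPU."""
    return estimate_skew_ppm(after, hz) - estimate_skew_ppm(before, hz)


def ticks_of_drift(skew_ppm: float, window_s: float, hz: int) -> float:
    """Timestamp ticks a skew accumulates over an observation window.  Well
    below one tick the change is invisible, which is why a 2 Hz timestamp
    clock needs a far longer window than a 1 kHz one."""
    return skew_ppm * 1e-6 * window_s * hz


if __name__ == "__main__":
    HZ = 1000                                   # assumed timestamp rate
    times = [10.0 * k for k in range(1440)]     # one probe every 10 s for 4 h
    idle = remote_timestamps(times, skew_ppm=1.0, hz=HZ, seed=3)
    busy = remote_timestamps(times, skew_ppm=3.0, hz=HZ, seed=4)
    print("idle skew : %.2f ppm" % estimate_skew_ppm(idle, HZ))
    print("busy skew : %.2f ppm" % estimate_skew_ppm(busy, HZ))
    print("change    : %.2f ppm" % skew_change_ppm(idle, busy, HZ))
    print("1 ppm over 1 h at 2 Hz    = %.3f ticks" % ticks_of_drift(1.0, 3600, 2))
    print("1 ppm over 1 h at 1000 Hz = %.3f ticks" % ticks_of_drift(1.0, 3600, 1000))
```

With the assumed 1 kHz stamps a 1 PPM skew accumulates 3.6 ticks per hour and is easy to fit; at 2 Hz the same skew is under one hundredth of a tick per hour, so the observation window has to grow by orders of magnitude before a busy/idle shift of a couple of PPM can be separated from the quantization noise.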
Future Work
• Research on preventing collusion in internet gaming
• Timing channel detection
• Bandwidth of various covert channels
• Further research on temperature-based covert channels
• Design of, and countermeasures against, covert attacks, especially in ad hoc environments
• Evaluate time stamping on network cards with on-board time stamping
References
• Hassan Khan, Mobin Javed, Syed Ali Khayam, Fauzan Mirza. Designing a cluster-based covert channel to evade disk investigation and forensics. Computers & Security, Volume 30, Issue 1, January 2011, Pages 35-49. doi:10.1016/j.cose.2010.10.005. http://www.sciencedirect.com/science/article/pii/S016740481000088X
• Song Li, Anthony Ephremides. Covert channels in ad-hoc wireless networks. Ad Hoc Networks, Volume 8, Issue 2, March 2010, Pages 135-147. doi:10.1016/j.adhoc.2009.04.006. http://www.sciencedirect.com/science/article/pii/S1570870509000390
• Xiaochao Zi, Lihong Yao, Li Pan, Jianhua Li. Implementing a passive network covert timing channel. Computers & Security, Volume 29, Issue 6, September 2010, Pages 686-696. doi:10.1016/j.cose.2009.12.010. http://www.sciencedirect.com/science/article/pii/S0167404809001485
• NCSC-TG-030, A Guide to Understanding Covert Channel Analysis of Trusted Systems (the “Light Pink Book”). http://www.fas.org/irp/nsa/rainbow/tg030.htm
• Steven J. Murdoch. Covert channel vulnerabilities in anonymity systems. University of Cambridge Computer Laboratory Technical Report UCAM-CL-TR-706. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf