Covert Channels

Date post: 22-Feb-2016
Page 1: Covert Channels

Covert Channels
Dan Fleck
CS 469: Security Engineering

These slides are modified with permission from Bill Young (Univ of Texas)

Page 2: Covert Channels

Is BLP Secure?

Consider the simple lattice of labels in the diagram, where H > L. There are no need-to-know categories in this system.

If this represents a BLP lattice, then information flow is permitted from L to H, but not vice versa. This captures the metapolicy of this simple system.

If we can instantiate this system such that BLP is satisfied, but information flows in violation of the metapolicy, something is clearly wrong.

[Diagram: two-level lattice of labels, H above L]

Page 3: Covert Channels

A Simple BLP System

Consider a simple system that has READ and WRITE operations with the following semantics:

READ (S, O): if object O exists and L_S ≥ L_O, then return its current value; otherwise, return a zero.

WRITE (S, O, V): if object O exists and L_S ≤ L_O, change its value to V; otherwise, do nothing.

These operations pretty clearly are acceptable instances of READ and WRITE for a BLP system.

Page 4: Covert Channels

A BLP System (Cont.)

Suppose we want to add two new operations, CREATE and DESTROY to the system, with the following semantics:

CREATE (S, O): if no object with name O exists anywhere on the system, create a new object O at level L_S; otherwise, do nothing.

DESTROY (S, O): if an object with name O exists and L_S ≤ L_O, destroy it; otherwise, do nothing.

These operations seem to satisfy the BLP rules, but are they “secure” from the standard of the metapolicy? Why or why not?

Page 5: Covert Channels

Covert Channel Example

In this system, a high level subject SH can signal one bit of information to a low level subject SL as follows:

SH transmits 0          SH transmits 1
Create (SH, F0)         do nothing
Create (SL, F0)         Create (SL, F0)
Write (SL, F0, 1)       Write (SL, F0, 1)
Read (SL, F0)           Read (SL, F0)
Destroy (SL, F0)        Destroy (SL, F0)

In the first case, SL sees a value of 0; in the second case, SL sees a value of 1. Thus, SH can signal one bit of information to SL by varying its behavior.

Page 6: Covert Channels

So What?

Who cares if one bit flows from high to low?

• It’s enough to show that BLP cannot guarantee that the metapolicy is satisfied.

• If SL and SH can coordinate their activities, SH can transfer arbitrary amounts of information to SL, given enough time.

In an access control policy like BLP, objects are the only entities recognized to carry information.

For the channel above, the “information” is not in the contents of any object. It’s in the answer to the question: can SL read an object named O?

Page 7: Covert Channels

Covert Channels

If SL ever sees varying results depending on varying actions by SH, that could be used to send a bit of information from SH to SL, in violation of the metapolicy.

Such a mechanism is called a covert channel.

Page 8: Covert Channels

Lessons

• An access control policy constrains information flowing by subjects reading or writing objects.

• There may be other system features that could be manipulated to convey information.

• Such channels are called “covert channels.”

Page 9: Covert Channels

Covert Channel

One Definition: A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.

Note several features of this definition:

• Information flows in violation of the security metapolicy though not necessarily in violation of the policy.

• The flow is between subjects within the system; two human users talking over coffee is not a covert channel.

• The flow occurs via system resources (file attributes, flags, clocks, etc.) that were not intended as communication channels.

Page 10: Covert Channels

Covert Channel #1

Attempted access by SL to a high level resource returns one of two error messages: Resource not found or Access denied. By modulating the status of the resource, SH can send a bit of information on each access attempt by SL.

This is called a covert storage channel because SH is recording information within the system state.

Page 11: Covert Channels

Covert Channel #2

The KVM/370 operating system isolated processes on separate virtual machines. They shared the processor on a time-sliced basis. Processes alternated using the CPU, with each allowed t units of processing time. However, a process could relinquish the CPU early.

Process p could send a bit to process q by either using its total allocation or relinquishing the processor immediately. Process q reads the bit by consulting the system clock to see how much time has elapsed since it was last scheduled.

This is a covert timing channel because the information is recorded in the ordering or duration of events on the system.

Page 12: Covert Channels

Covert Channel #3

Processes p and q are not allowed to communicate, but they share access to a disk drive. The scanning algorithm services requests in the order of which cylinder is currently closest to the read head.

Process p either accesses cylinder 140 or 160. Process q requests accesses on cylinders 139 and 161. Thus, q receives values from 139 and then 161, or from 161 and then 139, depending on p’s most recent read.

Is this a timing or storage channel? Neither? Both?

Page 13: Covert Channels

Covert Channel #4

An implicit channel is one that uses the control flow of a program. For example, consider the following program fragment:

h := h mod 2;
l := 0;
if h = 1 then l := 1 else skip;

The resulting value of l depends on the value of h.

There are sophisticated language-based information flow tools that check for these kinds of dependencies in programming languages.

Page 14: Covert Channels

Types of Covert Channels

It is possible to distinguish many types of covert channels, depending on the attribute manipulated:

• Timing: how much time did a computation take?
• Implicit: what control path does the program take?
• Termination: does a computation terminate?
• Probability: what is the distribution of system events?
• Resource exhaustion: is some resource depleted?
• Power: how much energy is consumed?

In practice, many researchers distinguish only storage and timing channels.

Page 15: Covert Channels

Using covert channels

• Another type of covert channel is used to send data out of a system:
• Exfiltrate data from an otherwise secure system
• Avoid detection of unauthorized access
• Perform legitimate network management
• Install, spread or control malware on compromised systems
• Circumvent filters which may be in place limiting their freedom of speech
• Bypass firewalls for unrestricted access to the web
• Malware authors use timing to detect analysis sandboxes (and evade detection) - http://www.syssec-project.eu/m/page-media/3/disarm-raid11.pdf

• Example: Covert channel using the TCP/IP timing low order bits. Goal to hide that data is even being sent! - http://web.mit.edu/~greenie/Public/asrg.pdf

Ref: http://www.sans.org/reading-room/whitepapers/detection/covert-channels-33413

Page 16: Covert Channels

Lessons

• A covert channel is any path for information between subjects, utilizing system resources that were not designed to be used for inter-subject communication.

• A useful distinction is between storage and timing channels, though the breakdown is not always clear for specific channels.

Page 17: Covert Channels

Covert Channels: Who Cares

Definition: A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.

It might seem that such channels would be so slow that you wouldn’t really care.

That’s not true. Covert channels on real processors operate at thousands of bits per second, with no appreciable impact on system processing.

Page 18: Covert Channels

Covert Channels

The important characteristics of a covert channel are:

• Existence: is a channel present or not?
• Bandwidth: how much information can be transmitted per second?
• Noiseless/noisy: can the information be transmitted without loss or distortion?

It is usually infeasible for realistic systems to eliminate every potential covert channel.

Page 19: Covert Channels

Dealing with Covert Channels

Once a potential covert channel is identified, several responses are possible.

• We can eliminate it by modifying the system implementation.
• We can reduce the bandwidth by introducing noise into the channel.
• We can monitor it for patterns of usage that indicate someone is trying to exploit it. This is intrusion detection.

Page 20: Covert Channels

Using a Covert Storage Channel

For a sender and receiver to use a covert storage channel, what must be true?

1. Both sender and receiver must have access to some attribute of a shared object.

2. The sender must be able to modify the attribute.

3. The receiver must be able to reference (view) that attribute.

4. A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.

Page 21: Covert Channels

Using a Covert Timing Channel

For a sender and receiver to use a covert timing channel, the following must be true:

1. Both sender and receiver must have access to some attribute of a shared object.

2. Both sender and receiver have access to a time reference (real-time clock, timer, ordering of events).

3. The sender must be able to control the timing of the detection of a change in the attribute by the receiver.

4. A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.

Page 22: Covert Channels

Lessons

• Important characteristics of any covert channel are: existence, bandwidth, and noisy/noiseless.

• Dealing with a covert channel may include: eliminating it, restricting the bandwidth, or monitoring it.

• Certain conditions must hold for a covert channel to exist.

Page 23: Covert Channels

Detecting Covert Channels
Dan Fleck
CS 469: Security Engineering

These slides are modified with permission from Bill Young (Univ of Texas)

Page 24: Covert Channels

Finding Covert Storage Channels

Recall that several conditions must hold for there to be a covert storage channel:

1. Both sender and receiver must have access to some attribute of a shared object.

2. The sender must be able to modify the attribute.

3. The receiver must be able to reference (view) that attribute.

4. A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.

Page 25: Covert Channels

Detecting Covert Channels

Richard Kemmerer (UC Santa Barbara) introduced the Shared Resource Matrix Methodology (SRMM). The idea is to build a table describing system commands and their potential effects on shared attributes of objects.

An R means the operation References (provides information about) the attribute under some circumstances. An M means the operation Modifies the attribute under some circumstances.

Note that this works for storage channels, not for timing channels.

Attributes        READ   WRITE   DESTROY   CREATE
File existence    R      -       M         M
File size         R      M       M         M
File level        R      -       M         M

Page 26: Covert Channels

A Subtlety of SRMM

Suppose you have the following operation:

CREATE (S, O): if no object with name O exists anywhere on the system, create a new object O at level L_S; otherwise, do nothing.

For the attribute file existence, should you have an R for this operation or not? Consider this: after this operation, you know that the file exists. Why?

That’s not enough. It’s not important that you know something about the attribute; what’s important is that the operation tells you something about the attribute.

Page 27: Covert Channels

Working with the SRMM

If you see an R and M in the same row, that indicates a potential channel. Why?

SRMM doesn’t identify covert channels, but suggests where to look for them.

Any shared resource matrix is for a specific system. Other systems may have different semantics for the operations.
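As an added example (not from the slides), the Python model below implements the READ/WRITE/CREATE/DESTROY semantics of slides 3 and 4, replays the slide 5 protocol to show SH signalling bits to SL through the existence of a file, and then derives the "file existence" row of the shared resource matrix from those same semantics, which reproduces the slide 26 subtlety that CREATE modifies existence but does not reference it. The object name F0 and the R/M test used here (compare an operation's result across two states that differ only in the attribute; compare the attribute before and after) are assumptions of this example.

```python
LEVELS = {"L": 0, "H": 1}               # two-element lattice, H > L

# State: object name -> [level, value]. Semantics follow slides 3-4 exactly.
def read(st, s, o):                      # return value iff L_S >= L_O, else 0
    return st[o][1] if o in st and LEVELS[s] >= LEVELS[st[o][0]] else 0

def write(st, s, o, v):                  # change value iff L_S <= L_O
    if o in st and LEVELS[s] <= LEVELS[st[o][0]]:
        st[o][1] = v

def create(st, s, o):                    # create at the subject's level if unused
    if o not in st:
        st[o] = [s, 0]

def destroy(st, s, o):                   # destroy iff L_S <= L_O
    if o in st and LEVELS[s] <= LEVELS[st[o][0]]:
        del st[o]

def transmit(bits):
    """Replay the two columns of the slide-5 table once per bit; return what SL reads."""
    st, seen = {}, []
    for b in bits:
        if b == 0:
            create(st, "H", "F0")        # SH claims the name at level H
        create(st, "L", "F0")            # no-op when F0 already exists
        write(st, "L", "F0", 1)          # succeeds either way (writing up is allowed)
        seen.append(read(st, "L", "F0")) # 0 if F0 sits at H (no read up), else 1
        destroy(st, "L", "F0")           # L may destroy an H object, resetting the channel
    return seen

# SRMM (assumed test): R if the result differs between two states that differ only in
# the attribute; M if the attribute differs after the operation. Subject is SL, name F0.
OPS = {"READ": lambda st: read(st, "L", "F0"), "WRITE": lambda st: write(st, "L", "F0", 2),
       "DESTROY": lambda st: destroy(st, "L", "F0"), "CREATE": lambda st: create(st, "L", "F0")}

def srm_row_existence():
    row = {}
    for name, op in OPS.items():
        flags, results = set(), []
        for exists in (True, False):
            st = {"F0": ["L", 1]} if exists else {}
            results.append(op(st))
            if ("F0" in st) != exists:   # existence changed -> M
                flags.add("M")
        if results[0] != results[1]:     # result reveals existence -> R
            flags.add("R")
        row[name] = flags
    return row

def potential_channel(row):              # an R and an M in one row: a place to look
    return {"R", "M"} <= set().union(*row.values())
```

Running `srm_row_existence()` gives READ an R and DESTROY and CREATE an M, with no R on CREATE even though the caller knows the file exists afterwards, and `potential_channel` flags the row; `transmit` then shows that the flagged row really is usable.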

Page 28: Covert Channels

Covert Channels and System Analysis

How might you use this methodology?

1. Use an access control policy like Bell and LaPadula to control standard information flows.

2. Use a separate technique like Kemmerer’s SRMM to identify covert channels.

3. Deal with covert channels by closing them, restricting them, or monitoring them.

Page 29: Covert Channels

Lessons

• Kemmerer’s Shared Resource Matrix Methodology provides a systematic way to investigate potential covert channels.

• However, using it effectively requires a lot of knowledge about the semantics and implementation of system operations.

• Covert channel analysis can be used to close some of the security holes of an access control policy like BLP.
