1 / 36

Covert channels detection in protocols using scenarios

Covert channels detection in protocols using scenarios. Loïc Hélouët INRIA Rennes. SAM2004. Motivations. Receiver. Sender. Security (Monitoring, firewall,…). Confinement Zone. Example : a file system. ls toto. toto. Present Or absent. Authorisation refused. 0. File not found. 1.

beau-woodard
Download Presentation

Covert channels detection in protocols using scenarios

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Covert channels detection in protocols using scenarios Loïc Hélouët INRIA Rennes SAM2004

  2. Motivations Receiver Sender Security (Monitoring, firewall,…) Confinement Zone Motivations

  3. Example : a file system ls toto toto Present Or absent Authorisation refused 0 File not found 1 • threat : performance, billing, security, … • all channels can not be eliminated • Recommandations: • Identify covert channels • Illustrate their use through scenarios • Compute their bandwidth

  4. Deduction of choices • performed from • observations • on receiver decisions of sender at choice nodes Sender Receiver message message Protocol Model (HMSC) Decoding Encoding Compute bandwidth Test on real implementation

  5. PLAN • Message Sequence Charts • Covert channels • Bandwidth evaluation • RMTP2 • Conclusions & perspectives

  6. Message Sequence Charts bMSC M A B C M = < E, , A, P,  , , m,V,  > • E : events •  E x E: causal order • A : action names • P : Instances •   E x P : locality •   E x A: labeling • m  E x E : messages • V : variables •   m x V: message parameters m(v) p

  7. Sequential composition bMSC M1 A B C bMSC M1 o M2 m(v) p A B C m(v) p = bMSC M2 n A B C q n q Message Sequence Charts

  8. Projection on an instance bMSC B(M) bMSC M A B C B m(v) m(v) p p n n q q B(M) = { ?m(v) . !p . !n . !q } Message Sequence Charts

  9. HMSC • H= ( N, ,M, n0) • N : nodes •   N  M  N : transitions • M : bMSCs • n0 : initial node n M3 M1 M2 M5 M4 Message Sequence Charts

  10. 0 1 Covert Channel detection bMSC M1 A B C m(v) M2 M1 p bMSC M2 A B C n q

  11. Definition : A choice node n in a HMSC is controlled by an instance p iff for all path Pi, i 1..K starting in n ! ei = min(OPi) and (ei)=p (idem local choice) bMSC M1 A B C m(v) p bMSC M2 A B C n n q M2 M1 Covert channels detection

  12. Hypotheses • To transmit a message of arbitrary length, one need to iterate some behaviors : CC appear in presence of cycles. • to encode information, the sender can perform several choices • For each choice, the observable consequences are  for the receiver n M1 M3 M2 M5 M4 Covert channels detection

  13. Controlled by Sender C2 C1 M3 M1 M4 M2 Covert channel from Sender to Receiver • decision node controlled by Sender • Several Cycles •  Observations by the Receiver n M1 M3 Receiver(M1oM2)  Receiver(M3oM4) M2 M5 M4 Covert channels detection

  14. Bandwidth bMSC M C A B m 1 A0 B0 C0 1 6 9 12 3 n 2 11 3 1 1 15 3 o 2 C1 1 A1 B1 2 Definition of scenario duration + temporal annotations • dx,y(M) • D(M) = max { dx,y } • for events • for messages

  15. D(Mn) = max { dx,y (Mn) } Mean durations: md(Mw) = lim 1 . D(Mn) mdx,y(Mw) = lim 1 . dx,y(Mn) A0 B0 C0 2 7 4 5 8 10 0 n  n C1 A1 B1 n  n Bandwidth : If M can be used to transfert b bits from x to y : b Bw = mdx,y(Mw) Bandwidth

  16. Example : RMTP2 Source DR R R R R R R R R R R R R Rennes Ottawa Paris Boston

  17. RMTP2 : Data retransmission DR CR P : bitmap representation of lost/received packets Data Hack(P) DR Loop n P Retransmission(n) R R R Ottawa Example

  18. RMTP2 Parameters B : Branching Factor Maximal number of children for a node A child can ask for retransmission every B data packet DR B R R R R R Example

  19. RMTP2 Parameters S : Bitmap size L: maximal loss rate allowed DR CR Data DR Hack(P) P>0  |P|1  L Eject R R R Ex: S=16, L=25% Hack(0100 1010 0110 1100) Example

  20. P>0|P|1 > 4 P>0|P|1  4 Data transmission seen from a receiver CR OthersData MyData P=0 Retrans Eject Example

  21. bMSC Eject DR CR bMSC MyData Eject Other Receivers CR DR bMSC Retransmission Data Data Other Receivers DR CR Hack(P) Loop n P Retransmission(n) Example

  22. bMSC OthersData Other Receivers CR DR Loop <0,B-2> Data Data Hack(P) alt P>0|P|1 > 4 Retransmission P>0|P|1  4 Eject P=0 Example

  23. Covert channel from CR to any receiver in Other Receivers bMSC Shortest Scenario Other Receivers CR DR Loop <0,B-2> Creation of fake bitmaps to force observable retransmissions Data Data Hack(0) Data Data Hack(P) Retransmission(1) Retransmission(1) Example

  24. 16! B = = 2516 i! . (16 - i)! i=1..4 Let L=25% , S = 16 Number of possible fake bitmaps : Number of bits transmitted at each covert channel use b = log2(2516)=11.297 Bandwidth upper bound: b Bw = mdcr,Other Receivers(Shortest) Example

  25. bMSC Shortest Scenario Other Receivers CR DR Loop <0,B-2> D : event duration T : transmissions duration Data Data T T Hack(0) T Data Data T T Hack(P) T Retransmission(1) Retransmission(1) T T Example

  26. b Bw = B=20, T=20ms Bw=11.74 b/s (4B +1).D +2B. T Bw evolution for D= 2ms

  27. Other Receivers CR bMSC Shortest Scenario DR Data Data Hack(0) B times Data Data Hack(0) Data Data Hack(P) Retransmission(1) Retransmission(1) Example

  28. B=20, T=20ms Bw=102.7 b/s b Bw = (B+5).D +3. T B=100, T=200ms Bw=22.40 b/s Bw evolution for D= 2ms

  29. Conclusion Covert channel in RMTP2 : • undetectable receiver • usable bandwidth • Future work : • More elaborated strategies under study • Covert channels with noise • Need to « desynchronize » sequential composition CMSCs ?

  30. Covert Channels Def : communication channel that violates a system’s security policy Storage channels : implies writing a value somewhere Example : a file system ls toto toto Present Or absent Authorisation refused 0 File not found 1

  31. Some facts about covert channels • threat : performance, billing, security, … • all channels can not be eliminated • Recommandations : depend on the security level required for the system under study : NSCS30 (light pink book) • Analysis: • Identify covert channels • Illustrate their use through scenarios • Compute their bandwidth Covert Channels

  32. Solutions : • Elimination (for systems with high security level) • Add noise to most important channels • monitor other channels Idea : start from informal descriptions of protocol behavious given as scenarios, try to detect potential information flows and compute their bandwidth in order to provide solutions as early as possible during design stages. Covert Channels

  33. Covert Channel detection Hypothesis 1 : To transmit a message of arbitrary length, one need to iterate some behaviors : CC can appear in presence of cycles. n M1 M3 M2 M5 M4

  34. Hypothesis 2 : To transmit a message of arbitrary length, the set of instances participating to a covert channel must cooperate to stay in a chosen set of cyclic behaviors Q where information passing is possible, and make sure that the rest of the protocol can not force them to leave Q. M1 M3 M2 M5 M4 Covert channel detection

  35. Asymptotic Durations D(Mn) = max { dx,y (Mn) } Mean durations: md(Mw) = lim 1 . D(Mn) mdx,y(Mw) = lim 1 . dx,y(Mn) A0 B0 C0 2 7 4 5 8 10 0 n n C1 A1 B1 n n Warning : asynchronous communications D(Mn)  n . D(M) and mdx,y(Mw)  dx,y(M)

More Related