An Overview of the History and Current Trends in Covert Channel Technology Nicholas Hoare ISG PhD Seminar Thursday 28th February
Outline • Information Flows and Multi-level Security (MLS) • Covert Channels in Multi-Level Security Systems • Properties of Covert Channels • Prevention, Detection, Effectiveness • Modern Covert Channels • A Framework • Wardens • Network Storage Channels • Network Timing Channels • Conclusion
Information Flows and Multi-level Security (MLS) (1)
• An information flow policy is typically designed to preserve the confidentiality and/or integrity of data within a computer system. In terms of confidentiality, the policy tries to prevent the flow of information to those users not authorised to receive it.
• In Multi-level Security (MLS) systems the following is important:
• to allow information flows between users of the system who have sufficient security clearances; and
• to prevent flows to those that do not.
Information Flows and MLS (2) • If all possible information flows can be identified then these flows can be restricted such that the goals of the security policy are preserved. • If it is not possible to identify all such flows then there is the potential for information to flow in an unauthorised manner. • If information can flow within a system in an unauthorised manner then the security boundaries defined by the security policy can be violated.
Information Flows and MLS (3) • It is therefore possible, even in systems that have security policies as well as discretionary and mandatory access controls, that information may be able to flow in a manner not expected by the designers of the system. • It has been shown that a limitation of the Bell-LaPadula Model is that it cannot constrain information flow in such a way as to prevent the establishment of these types of channels.
Covert Channels in MLS Systems (1) • A channel can be defined as a communication path by which information can flow within a computer system. • An overt channel is one which is designed for the authorised transfer of data. • A covert channel is, by contrast, a path that can allow information to flow in a manner that violates the security policy of a system, allowing the transfer of information by an unauthorised process.
Covert Channels in MLS Systems (2) • Unless all possible channels can be identified there is the potential for covert channels to exist in all systems where MLS is used. • The Trusted Computer System Evaluation Criteria (TCSEC) is a standard which allows computer systems to gain a security rating based upon the security that they provide. • TCSEC recognises the existence of such channels, and certain ratings require the analysis of such channels.
Covert Channels in MLS Systems (3)
• TCSEC recognises two types of covert channel that can exist in a system. The first is the covert storage channel:
• A covert storage channel is a “covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g. sectors on a disk) that is shared by two subjects at different security levels.”
• Examples:
• Shared file system.
• Network protocols.
Covert Channels in MLS Systems (4)
• The second type of channel that TCSEC recognises is the covert timing channel:
• A covert timing channel is a “covert channel in which one process signals information to another by modulating its own use of system resources (e.g. CPU time) in such a way that this manipulation affects the real response time observed by the second process.”
• Examples:
• Availability of a resource at certain times.
• Packet inter-arrival times of Internet traffic.
Covert Channels in MLS Systems (5) • In terms of TCSEC there are several divisions of security that systems can be awarded: D, C, B and A, where A is the highest. • For a B2 rating the occurrence and bandwidth of storage channels must be analysed, and for a B3 rating the same is required for timing channels. • One of the goals of TCSEC in analysing these channels is to be able to monitor and maintain the capacity of the channel below maximum acceptable levels. • This highlights the fact that covert channels are seen as a real practical threat to the security of computer systems.
Properties of Covert Channels
• The main properties of a covert channel are:
• existence;
• capacity;
• covertness.
• A covert channel can be either:
• noiseless – this type of channel is shared only by the covert communicators; or
• noisy – the channel also carries other communicating traffic.
Prevention, Detection, Effectiveness • It has been shown that prevention of a covert channel is very difficult. • It is more desirable to be able to detect the channel and reduce its effectiveness (bandwidth). • If the bandwidth is reduced below an acceptable level then monitoring is not necessary. • Various methods have been proposed to eliminate or reduce channels; these will be mentioned later.
Modern Covert Channels (1)
• The interconnection of networks has meant that covert channels present an even greater challenge.
• The emergence of high-speed communication channels has meant the potential for higher-capacity covert channels.
• Reports indicate the possibility of covert channels being used to:
• leak information out of protected networks across the Internet;
• allow groups to communicate and pass information without outside knowledge;
• coordinate attacks such as Distributed Denial-of-Service (DDoS) attacks.
Modern Covert Channels (2) • The increased use of internetworking for communication has meant that covert channels can now be used to transfer information using arbitrary Internet traffic. Network storage channels have received much more attention than the timing channels. Several reasons for this have been highlighted, with the main ones being: • due to the nature of timing channels in networks, information is usually transferred by the monitoring of packet inter-arrival times, which means that it is not trivial to be able to achieve good synchronisation between sender and receiver; and • the bandwidth of timing channels tends to be less than that of a storage channel.
A Framework (1) • Proposed by Lucena, Pease, Yadollahpour and Chapin (2004). • Alice and Bob wish to communicate secretly through the use of arbitrary Internet traffic in a hostile environment. • Alice can be known as the sender and Bob as the receiver. • Alice is sitting behind a network which could be protected by IDS and Firewall. • Walter is the adversary of Alice and Bob and wishes to detect and remove their communication. • Alice and Bob can use a communications path which is already in place between themselves or two arbitrary processes, sender and receiver.
A Framework (2) • Alice can make modifications to packets originating from within the network. • Bob is situated outside the network and in the path of the packets leaving the network. • Walter can be positioned anywhere in the network and the location will determine how much of the traffic he can monitor.
A Framework (3) • The adversary Walter is positioned at some point between the sending and receiving processes within the network. • Walter can be either passive, that is he can try to detect the existence of a covert channel and report it to a third party, • or he can be active. In this situation he can actually try to remove any covert information whilst not breaking the semantics of the overt communication.
Wardens (1)
• Walter has been formalised in the academic world as a warden. Work has been done by:
• Fisk, Fisk, Papadopoulos and Neil (2002)
• Lucena, Lewandowski and Chapin (2003 - present)
• These wardens are most useful in being able to detect and eliminate covert information that is being transferred by the use of a storage channel.
• There has been a lot of theoretical work, and wardens have been implemented.
Wardens (2)
• The capabilities of active wardens have been extended to:
• Stateless Active Warden
• Stateful Active Warden
• Network-Aware Active Warden
• These limit or extend the warden's capability to remove covert information.
Storage Channels (1) • Storage channels have received a lot of attention. • The focus has been on using common networking protocols. • Information is hidden or embedded in unused or predictable fields of the header. • The most researched is the TCP/IP suite of protocols.
Storage Channels (2) Murdoch, Lewis (2005) • The idea is to embed information in certain header fields that are either unused, immutable or mutable with certain predictability. • The embedded information is carried out of the network with the intention of avoiding detection by the warden. • Information may be placed in the payload section of the packets but this is not considered to be a valid covert method of transfer.
Storage Channels (3)
• A number of header fields have been proposed for concealing the information. Several IPv4 header fields will now be considered:
• Type of Service: This field holds 8 bits of information that can indicate quality-of-service parameters to routers on a packet’s path. It is now rarely used and is set to zero by default, so a non-zero value would be detected by a passive warden.
• IP Identification: This is used in the reassembly of datagrams when fragmentation has been used. The field contains 16 bits and could yield a high capacity for transferring information. The only constraint on the value of this field is uniqueness over the length of time that fragments of a packet might reasonably remain in a network. Several schemes have been devised that make use of a pseudorandom sequence to embed data, but the field as normally generated is not random, so this could allow detection by monitoring.
Storage Channels (4) IP Header Fields cont’d
• IP Fragment Offset: When IP packets are fragmented, each fragment contains an offset field to allow for the reassembly of the packet. Information can be transmitted by modulating the size of the fragments originated by the host, and thus the offsets. These can be quite easily detected, particularly in environments where MTU discovery is used, since there it is unusual to see fragmented packets at all.
• IP Flags: These flags are Do Not Fragment (DF) and More Fragments (MF); MF is 0 if the fragment is the last, or if no fragmentation has taken place. It is possible to use these flags, but if the context of the packets is analysed it may be obvious that the value should be zero. This channel is obviously very limited in the capacity that it can generate.
Storage Channels – Detection and Mitigation (1) • If no warden is present then it is possible to leak information using the headers. • One of the main defences proposed against these channels is the use of a traffic normaliser (Handley and Paxson). • A normaliser tries to remove possible covert information from protocol headers by observing the implementation and semantics of the protocol. • Care has to be taken not to destroy the integrity of the protocol, but this can be achieved with good results.
Storage Channels – Detection and Mitigation (2)
• Consider the Type of Service field within the IP header.
• Its bits are used for differentiated services (DiffServ).
• These bits can prioritise traffic according to the nature of the traffic being carried.
• If the site is not using DiffServ then the bits should be set to zero; zeroing them clears the channel while maintaining the integrity of the header.
• If DiffServ is being used then zeroing will destroy DiffServ and break the protocol. There is therefore a potential problem in normalising this field, but if DiffServ is being used the normaliser may be able to detect this, for example if it is Network-Aware.
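As an added illustration (not code from the slides or from Handley and Paxson's normaliser), the following sketch applies the rules above to one outgoing IPv4 packet: it zeroes the ToS field unless the site declares DiffServ in use, resets contradictory fragmentation bits (DF together with MF or a non-zero offset), and recomputes the header checksum so the packet stays valid. The packet builder and its addresses are constructed for the demonstration.

```python
import socket
import struct

IP_MF = 0x1  # More Fragments bit within the 3-bit flags field
IP_DF = 0x2  # Don't Fragment bit

def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(tos, ident, flags, offset, payload=b"", src="10.0.0.1", dst="192.0.2.1"):
    """Constructed test packet (protocol 6, TTL 64, no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                                (flags << 13) | offset, 64, 6, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def normalise_ipv4(packet: bytes, diffserv_in_use: bool = False):
    """Return (normalised packet, findings) for one packet leaving the site.

    Hypothetical rule set in the spirit of the normaliser described above:
      * ToS/DSCP is zeroed unless the site really uses DiffServ;
      * DF together with MF or a non-zero offset is contradictory, so the
        fragmentation word is reset to plain DF and the packet is flagged;
      * the header checksum is recomputed so the packet stays valid.
    """
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    findings = []
    if hdr[1] and not diffserv_in_use:
        findings.append("non-zero ToS 0x%02x zeroed" % hdr[1])
        hdr[1] = 0
    word = struct.unpack("!H", bytes(hdr[6:8]))[0]
    flags, offset = word >> 13, word & 0x1FFF
    if flags & IP_DF and (flags & IP_MF or offset):
        findings.append("DF set together with MF/offset: fragmentation word reset")
        hdr[6:8] = struct.pack("!H", IP_DF << 13)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:], findings

if __name__ == "__main__":
    pkt = build_ipv4(tos=0x2A, ident=0x1234, flags=IP_DF | IP_MF, offset=0, payload=b"abc")
    print(normalise_ipv4(pkt)[1])
```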
Timing Channels (1) • Timing channels have received much less attention than storage channels because of synchronisation issues and the potentially lower bandwidth available to the channel. • One of the main methods of creating these types of channel is to monitor the inter-arrival time of packets leaving a network. • Other methods include packet-sorting channels which could be used with protocols such as IPSec. • Alice does not necessarily have to generate her own packets but can attempt to modulate the wait times between packets to encode the information. • This assumes that Alice is able to capture and re-transmit packets in the network.
Timing Channels (2) • This channel will be noisy due to general Internet noise and also delays and jitter present in the network. Forwarding devices (e.g. Routers) also may incur a small processing overhead. • Bob simply needs to be in the path of the packets leaving the network. • The nearer to the egress point of the network the higher accuracy due to the minimised number of hops that the packets traverse. • The channel itself is established by the use of a timing interval during which the reception or absence of packets is significant.
Constructing a timing channel (1) • The sender and receiver agree beforehand on a timing interval and on a starting protocol to signal the start of transmission. • The starting protocol may be a time or a network event, or a special packet could be used to signal transmission. • Once established, if a packet is received within the time interval then this signifies a binary “1”, and silence during the period signifies a “0”. • Rather than creating a continuous stream of bits, one method is to create a frame, consisting of a pre-determined number of bits.
Constructing a timing channel (2) Cabuk, Brodley, Shields (2004)
• Each frame could consist of:
• data bits – the bits that are being transmitted;
• parity bits – for error correction of transmission errors;
• synchronisation bits – used for synchronising sender and receiver.
Some issues with the timing channel
• There are some issues that can determine the effectiveness of the timing channel:
• Performance Factors:
• Network conditions – these can include delay, out-of-order packets, loss of packets and jitter in the network.
• Sender-receiver processing capability – could become congested under heavy load, thus reducing performance.
• Algorithm of the channel – needs to be efficient.
• These factors will have an effect on:
• packet synchronisation;
• maximum capacity achievable;
• noise in the channel.
Timing interval of the timing channel • The capacity of the channel is determined by the timing interval chosen. • The smaller the interval the higher the transmission rate. • There will be a trade-off in this situation as jitter, system scheduling and clock skew will increase the probability of errors as the interval is made smaller. • There is the problem of being able to optimise the timing interval so that a good transmission rate can be achieved and also so that errors can be controlled. • It is possible that if the timing interval is not correctly chosen then timing intervals could overlap between sender and receiver and the receiver would incorrectly decode the message.
Synchronisation of the timing channel • A big challenge in implementing a covert channel is to be able to achieve good synchronisation between the sender and receiver. Some methods have been proposed to try to achieve synchronisation: • Silent Intervals – these could be introduced between frames or after a set number of frames have been sent. • Interval adjusting – makes use of an ideal timing interval on the network. The observed timings can then be compared to the ideal and adjusted accordingly to allow for changing network conditions.
Timing channels – Detection and Mitigation
• Due to the nature of the channel, detection is typically offered by the use of statistical analysis.
• Methods of reducing the capacity involve trying to alter the timings of the packets leaving the network.
• There are several devices that try to reduce the transmission rates of these channels:
• Pump
• Traffic jammers
• Both of these devices add noise to the channel by delaying the delivery of packets.
• They alter the timings of packets so as to randomise the inter-arrival times, thus corrupting the timing interval.
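The following is an added example (not from the slides or from Cabuk, Brodley and Shields) that ties together the detection and mitigation points above: an epsilon-similarity statistic over inter-packet delays, which is high when delays cluster at multiples of one timing interval, run over three constructed timestamp series: an interval-based channel, ordinary traffic with exponential gaps, and the interval channel after a jammer that delays each packet by a random amount. Sample generators, seeds and thresholds are constructed for the demonstration.

```python
import random

def epsilon_similarity(ipds, eps=0.005):
    """Sort the inter-packet delays and return the fraction of neighbouring
    pairs that differ by less than eps relative to the smaller value.
    Delays quantised to a timing interval pile up at a few values, so most
    sorted neighbours are nearly equal and the score approaches 1."""
    s = sorted(ipds)
    if len(s) < 2:
        return 0.0
    close = sum(1 for a, b in zip(s, s[1:]) if a > 0 and (b - a) / a < eps)
    return close / (len(s) - 1)

def ipds_from_timestamps(ts):
    return [b - a for a, b in zip(ts, ts[1:])]

def constructed_covert_timestamps(n, interval=0.25, rng=None):
    """Constructed sample: one packet per '1' interval, silence for each '0',
    so gaps are whole multiples of the interval plus tiny host jitter."""
    rng = random.Random(1) if rng is None else rng
    t, out = 0.0, []
    for _ in range(n):
        t += interval * rng.randint(1, 4) + rng.uniform(-0.001, 0.001)
        out.append(t)
    return out

def constructed_legit_timestamps(n, mean_gap=0.3, rng=None):
    """Constructed sample of ordinary traffic with exponential inter-arrivals."""
    rng = random.Random(2) if rng is None else rng
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        out.append(t)
    return out

def jam(ts, max_delay=0.2, rng=None):
    """Traffic-jammer model: hold each packet a random time before release,
    which smears the inter-arrival times; max_delay is kept below the
    smallest gap in the covert sample so packets are never reordered."""
    rng = random.Random(3) if rng is None else rng
    return [t + rng.uniform(0.0, max_delay) for t in ts]

def summarise(n=200):
    covert = constructed_covert_timestamps(n)
    return {"covert": epsilon_similarity(ipds_from_timestamps(covert)),
            "legit": epsilon_similarity(ipds_from_timestamps(constructed_legit_timestamps(n))),
            "jammed": epsilon_similarity(ipds_from_timestamps(jam(covert)))}

if __name__ == "__main__":
    print(summarise())
```

A warden would compare the score for a flow against the range seen on known-benign traffic rather than a fixed cut-off; the jammed score shows why delaying packets lowers the channel's usable capacity.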
Conclusion • It has been shown that Covert Channels are a serious threat to the security of computer systems, e.g. TCSEC. • Network storage channels have received much research attention and this has resulted in limiting the effectiveness of these channels in practice. • Network timing channels have received less attention due to several limitations but it may be possible, if more work is done, to develop some plausible timing channels that could be used in practice.
Thank you! Questions?