Covert Channels Daniel D. Salloum

Upload: logan-sharp

Post on 18-Dec-2015


TRANSCRIPT

Page 1: Covert Channels Daniel D. Salloum. Overview Introduction and background General options CCA Methods More recent work Future work

Covert Channels

Daniel D. Salloum

Page 2

Overview

• Introduction and background
• General options
• CCA Methods
• More recent work
• Future work

Page 3

Building Blocks

• Origin: Butler Lampson
– MLS
  • No read up
  • No write down
• Definitions
– Murdoch
– Plethora of others

Page 4

Building Blocks

“Any object attribute that may be both modified and read by system operations is a candidate for a covert channel” – Murdoch

• To distinguish in a network setting:
– Steganography involves packet content
– Covert channel involves header fields or transmission time

Page 5

Building Blocks

• Storage channel
– “involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process”
– Requires storage variables
• Timing channel
– “involves a process that signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by the second process”
– Requires a common time reference

Page 6

Building Blocks

• Timing
– Generally more difficult to detect
– Resolution usually carries heavy consequences
  • Time-partitioning the CPU can affect the throughput of wanted processes
– Affected by noise
• Storage
– Tools exist for its detection
– More noise resilient

Page 7

Boundaries

• Bandwidth is measured as bits/sec as opposed to hertz

• Error correcting methods are proposed but will affect throughput

Page 8

Why do we care?

• Keeping information within rightful owner boundaries
– Trojans releasing important information without detection
– MLS leaks to another level
• Positives
– Observed system/network with a need to release information
– Plausible deniability

Page 9

Applications

• Gaming
– Connect Four championship due to collusion
– Communication via move response time or redundancy
• Attacking Tor (an anonymity system)
– Uses traffic analysis as opposed to content information due to the “onion encryption”
• Obtaining database information
– SSNs and other private info

Page 10

Problems

• Covert channels are very hard to detect due to
– Implementation possibilities
– Looking like normal activity
• Policy change may open some channels and close others
• Some techniques are infeasible due to performance loss
– Memory sharing
– CPU allowance

Page 11

General Examples

• Another process can find another process’ CPU time; more processes will create noise (timing)
• Disk head movement (timing)
• Files created or destroyed (storage)
• I/O devices (storage)
• Page faults

Page 12

Covert Channel Analysis

• Information flow analysis
– Detects false illegal flows as well
  • Usually only a small percentage can actually be utilized as a covert channel
• SRM (Shared Resource Matrix)
– Covert communication when process A can read, process B can write, and security level of A < B.

Page 13

Covert Channel Analysis

• Noninterference analysis
– Deals with machine states
  • “if inputs from one user process could not affect the outputs of another, then no information could be transmitted from the first to the second” – Goguen and Meseguer
• Semantic component addition to flow analysis
– Evaluates the kernel code
– Manually implemented by skilled personnel

Page 14

Timing Channel Countermeasures

• Virtualize the clock in the system by resetting the clock at every context switch
– Could make the system useless
• Addition of noise
– Adding processes on a system may reduce channel bandwidth, but adds unwanted overhead to the system.

Page 15

Passive Network Timing Channel

• Using passive network covert channels allows attackers to obtain information without triggering network firewalls.

• Encryption prevents unauthorized parties from decoding communication

Page 16

Passive Network Timing Channel

• Network timing channels are detected by looking at changes in header fields
– A.I. is often used
• Elimination by making these fields standard
• Detection by packet transmission time modulation
• Elimination via network jammers

Page 17

On Passive…

• Harder to identify and eliminate passive channels
– They do not generate packets, which avoids security speculation.
• To construct:
– Buffer media packets
– Traffic fluctuation

Page 18

Passive Network Timing Channel

• How it works
– When the media packets arrive at the sender’s location, the sender temporarily buffers the packets and then forwards them at a carefully planned time, instead of forwarding them as quickly as possible. The information transmitted over the channel is encoded into the forwarding time of the media packets.
– The receiver observes packet transmission from another node, either on the path or at the destination

Page 19

Problems

• Interval jitter
– Thus FI0 and FI1 must be negotiated
• Packet loss
– Uses a type of error correction based on a selected length for data sections, and encapsulates these into a series of frames
• Buffer overflow
• Packet exhaustion
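The monitor-side view of the channel described on the last two slides, as an added example (not code from the talk or the cited paper): a forwarder that releases buffered media packets at one of two negotiated intervals, FI0 or FI1, leaves a hole in the inter-packet interval histogram that natural jitter would fill. Both interval streams below are constructed; the 20 ms / 30 ms values, the 1 ms bin and the 0.3 threshold are assumptions for illustration.

```python
import random
from statistics import mean

# Constructed inter-packet intervals (milliseconds) as an on-path monitor
# would record them; not traces from the cited paper.
_rng = random.Random(7)
# Natural forwarder: a nominal 25 ms media interval with broad jitter.
NATURAL_MS = [25.0 + _rng.uniform(-10.0, 10.0) for _ in range(200)]
# Modulating forwarder: each packet is held until its release lands near
# FI0 = 20 ms (bit 0) or FI1 = 30 ms (bit 1), plus residual jitter.
COVERT_MS = [(30.0 if _rng.random() < 0.5 else 20.0) + _rng.uniform(-1.0, 1.0)
             for _ in range(200)]


def empty_gap_score(intervals, bin_ms=1.0):
    """Longest run of empty histogram bins as a fraction of all bins spanned.
    Two negotiated forwarding intervals leave a hole between FI0 and FI1;
    natural jitter spreads packets across the whole range."""
    lo, hi = min(intervals), max(intervals)
    nbins = int((hi - lo) / bin_ms) + 1
    counts = [0] * nbins
    for x in intervals:
        counts[int((x - lo) / bin_ms)] += 1
    longest = run = 0
    for c in counts:
        run = run + 1 if c == 0 else 0
        longest = max(longest, run)
    return longest / nbins


def estimate_modes(intervals):
    """Means on either side of the widest gap in the sorted intervals:
    the apparent FI0 and FI1 a monitor would report for a flagged stream."""
    s = sorted(intervals)
    cut = max(range(1, len(s)), key=lambda k: s[k] - s[k - 1])
    return mean(s[:cut]), mean(s[cut:])


def looks_modulated(intervals, threshold=0.3):
    """Flag a stream whose interval histogram has a hole wider than
    `threshold` of its span (threshold is an assumed tuning value)."""
    return empty_gap_score(intervals) >= threshold
```

A real deployment would run the score per flow over a sliding window, since the paper's frame-based error correction means the hole only appears while a frame is being transmitted.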

Page 20

Ad Hoc Covert

• Manipulates network protocols to construct covert channels
• Proposes a virtually undetectable covert channel
• Information is hidden in the “dynamic splitting process”
• Performance depends on
– Network size
– User mobility
– Traffic rate
– Transmission range

Page 21

Ad Hoc

• Their proposal is a contention-based MAC
– Individual nodes make their own decision
• How it works
– Covert transmission can be realized via controlling the splitting procedure. Upon collision, the CT decides which subset to join according to the covert symbol it wishes to transmit. For example, ‘1’ is transmitted if it joins the left subset, and ‘0’ is transmitted if it joins the right subset.
– The CR only passively monitors channel feedback

Page 22

Modes of Operation

• Conservative mode
– Claims the channel is absolutely undetectable
– CT transmits only when it has a packet
• Aggressive mode
– May facilitate detection of the CT
– Generates new packets when none are available
• Strategic mode
– Finds a happy medium between the two

Page 23

Cluster Based Channel

• Presents a new, plausible-deniability approach to storing information in cluster-based file systems
– The user can deny that any hidden data exists on the disk
• Fragmentation on a disk is regular; not all of it will be hiding information
• Encrypted information is easy to detect, and the owner can be forced to reveal the password
• Proposes a methodology for modifying the fragmentation patterns in the cluster distribution of an existing file
• Goes against the typical communication-protocol avenue and routes down information hiding

Page 24

Based on the FAT file system

How it works

Page 25

Cluster Based Channel

• Can utilize a marker that is communicated between the concerned parties

• Encounters a problem when consecutive unallocated clusters are not available

Page 26

Revision

Breaks the code into 3-bit groups and takes each cluster gap mod 8.

e.g. 9 mod 8 = 1
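The revised scheme from a disk-forensics angle, as an added example (not the cited paper's code): walk a file's FAT cluster chain, take each gap between consecutive clusters mod 8 to recover one 3-bit symbol per gap, and repack the symbols into bytes. The chain below is constructed so that its gaps 2, 2, 8, 6, 4, 4 spell "Hi"; the defragmented chain shows the corruption the Problems slide warns about.

```python
# Constructed FAT-style cluster chain (not from the paper): the cluster
# numbers a file's directory entry and FAT links lead through. Each gap
# between consecutive clusters carries a 3-bit symbol, gap mod 8, so a gap
# of 8 encodes 0 and a gap of 9 encodes 1, as on the slide.
SAMPLE_CHAIN = [100, 102, 104, 112, 118, 122, 126]
# The same file after a defragmenter made it contiguous: every gap is 1.
DEFRAGMENTED_CHAIN = list(range(100, 107))


def chain_gaps(chain):
    """Distances between consecutive clusters in allocation order."""
    return [b - a for a, b in zip(chain, chain[1:])]


def gap_symbols(chain):
    """3-bit symbols recovered from each gap. Python's % is non-negative
    for a positive modulus, so chains that jump backwards decode too."""
    return [g % 8 for g in chain_gaps(chain)]


def decode_hidden_bytes(chain):
    """Concatenate the 3-bit symbols MSB-first and return
    (decoded bytes, leftover bits that did not fill a byte)."""
    bits = "".join(format(s, "03b") for s in gap_symbols(chain))
    full = len(bits) // 8 * 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, full, 8))
    return data, bits[full:]


def hidden_capacity_bits(chain):
    """Upper bound on what one file's chain can carry: 3 bits per gap.
    Useful for sizing what a volume could hide before searching it."""
    return 3 * max(len(chain) - 1, 0)
```

Because only the gaps matter, the decoder is indifferent to where on the disk the clusters sit; that is also why any relocation of the clusters (defragmentation, copying) silently destroys the payload.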

Page 27

Problems

• Accidental overwrites are likely and will corrupt data
– Disk defrag, file renaming
• If other copies are made, it will use a lot of space
• From the results, a 160 GB disk could hold about 20 MB of hidden information

Page 28

Temperature Based Channel

• CPU load on a node will vary its clock skew
• The effect can be remotely measured by requesting time stamps
• Used to check whether a remote node was busy (another traffic analysis technique for evaluating Tor)

Page 29

Notes

• The crystal oscillator driving the system clock is affected by temperature
• Clock skew is the ratio between actual and nominal clock frequencies
• Skew deviates little at 1-2 PPM but shows a significant difference at 50 PPM, giving a “fingerprint”
• The paper assumes 1 PPM, generating 4-6 bits of information

Page 30

Issues

• Different operating systems change TCP timestamp values, with resolution from 2 Hz to 1 kHz
• Does not work on ICMP timestamps because they are generated after skew adjustment
• Cannot calculate the absolute clock skew
• Clock skew can yield changes, not absolute temperature
• Some nodes may have a temperature-compensated crystal oscillator
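How the skew measurement behind the last three slides works, as an added example (not the cited report's code): fit the offset between a remote TCP timestamp clock and the observer's own clock against local time; the slope is the relative skew in PPM, and only a change in that slope, not its level, says anything about load or temperature. The samples are constructed: a 1 kHz remote timestamp clock probed every 40 s that runs 50 ppm fast for ten minutes and 75 ppm fast afterwards; the probe period and skew values are assumptions chosen so the ticks are exact integers.

```python
# Constructed TCP-timestamp observations, not measurements from the cited
# work: (local_receive_time_s, remote_tsval_ticks). The remote clock ticks
# at TS_HZ; for the first 16 probes it gains 2 ticks per 40 s (50 ppm), then
# the node gets busy, warms up, and gains 3 ticks per 40 s (75 ppm).
TS_HZ = 1000
SAMPLES = [(40.0 * i, 40 * TS_HZ * i + 2 * i) for i in range(16)]
SAMPLES += [(40.0 * i, 600 * TS_HZ + 30 + 40 * TS_HZ * (i - 15) + 3 * (i - 15))
            for i in range(16, 31)]


def skew_ppm(samples, hz):
    """Least-squares slope of (remote clock - local clock) against local
    time, in parts per million. This is skew *relative to the observer's
    clock*; the absolute skew of either side is not recoverable."""
    xs = [t for t, _ in samples]
    ys = [ticks / hz - t for t, ticks in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return 1e6 * sxy / sxx


def skew_per_window(samples, hz, window):
    """Skew estimate for each consecutive block of `window` samples. The
    level is the host's fingerprint; a jump between windows is the
    load/temperature signal, which a TCXO would flatten out."""
    return [skew_ppm(samples[i:i + window], hz)
            for i in range(0, len(samples) - window + 1, window)]


def skew_change_ppm(samples, hz, window):
    """Largest jump between adjacent windows; near zero means no
    observable load signal at this resolution and probe spacing."""
    w = skew_per_window(samples, hz, window)
    return max((abs(b - a) for a, b in zip(w, w[1:])), default=0.0)
```

With a 2 Hz timestamp clock the same 40 s probe spacing gives half-second quantization, which is why the slide notes that the per-OS resolution limits what can be measured.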

Page 31

Future Work

• Research on preventing collusion in internet gaming
• Timing channel detection
• Bandwidth of various covert channels
• Further research on temperature covert channels
• Design and countermeasures of and against covert attacks, especially in ad hoc environments
• Evaluate time stamping on network cards with on-board time stamping

Page 32

References

• Hassan Khan, Mobin Javed, Syed Ali Khayam, Fauzan Mirza. Designing a cluster-based covert channel to evade disk investigation and forensics. Computers & Security, Volume 30, Issue 1, January 2011, Pages 35-49, ISSN 0167-4048, doi:10.1016/j.cose.2010.10.005. http://www.sciencedirect.com/science/article/pii/S016740481000088X
• Song Li, Anthony Ephremides. Covert channels in ad-hoc wireless networks. Ad Hoc Networks, Volume 8, Issue 2, March 2010, Pages 135-147, ISSN 1570-8705, doi:10.1016/j.adhoc.2009.04.006. http://www.sciencedirect.com/science/article/pii/S1570870509000390
• Xiaochao Zi, Lihong Yao, Li Pan, Jianhua Li. Implementing a passive network covert timing channel. Computers & Security, Volume 29, Issue 6, September 2010, Pages 686-696, ISSN 0167-4048, doi:10.1016/j.cose.2009.12.010. http://www.sciencedirect.com/science/article/pii/S0167404809001485
• http://www.fas.org/irp/nsa/rainbow/tg030.htm
• http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-706.pdf