Covert Channels Using File Locking

Transcript

1. COVERT CHANNELS USING FILE LOCKING Team F | 2015

2. COVERT CHANNELS & FILE LOCKING • Covert Channels ◦ programs

   that “leak” information ◦ use entities to transfer data from Sender S to Receiver R • File-Locking ◦ limiting access to shared resources ◦ affects both files and processes ◦ operations and states ▪ write-file, read-file, lock-file, unlock-file, open-file, close-file ▪ file-locked, file-opened

3. COVERT CHANNEL TYPES TIMING CHANNEL STORAGE CHANNEL

4. STORAGE CHANNEL - HOW DOES IT WORK? • minimum criteria:

   ◦ The sending and receiving processes must have access to the same attribute of a shared resource. ◦ There must be some means by which the sending process can force the shared attribute to change. ◦ There must be some means by which the receiving process can detect the attribute change. ◦ There must be some mechanism for initiating the communication between the sending and receiving processes

5. STORAGE CHANNEL - HOW DOES IT WORK? • receiver monitors

   some global file attribute, sender modifies the attribute • pass information by using the presence or absence of objects in storage • i.e., the lock-file attribute: signals 1 on successful lock signals 0 on unsuccessful lock

6. TIMING CHANNEL - HOW DOES IT WORK? • minimum criteria:

   ◦ The sending and receiving processes must have access to the same attribute of a shared resource ◦ The receiving process must have access to a time reference, such as a real-time clock. ◦ The sender must be capable of modulating the receiver’s response time for detecting a change in the shared attribute. ◦ There must be some mechanism for initiating the processes and for sequencing the events.

7. TIMING CHANNEL - HOW DOES IT WORK? • pass information

   by using the speed at which things happen • i.e., the lock-file attribute: if s > n, signal 1 otherwise, signal 0 for some fixed time n the sender runs a process for s seconds; depending on the logic output 0 or 1

8. BANDWIDTH OF THE CHANNEL • depends on many other factors!

   • affected by noise, delay and interference • affected by coding and symbol distribution • affected by system components (e.g., disk, memory, CPU) • affected by system configuration (e.g., using cache or not) • affected by configuration component size (e.g., memory/cache size) • affected by configuration initialisation • etc. • the higher the bandwidth, the greater the compromise • currently the bandwidth can achieve 1000bits/s to megabits/s and up

9. EXAMPLE OF BANDWIDTH CALCULATION • ◦ ◦ • bandwidth may

   differ; take into account the largest • Informal way to calculate bandwidth exists as well Based on “A guide to understanding covert channel capacity analysis of a trusted system, National computer security center, November 1993, availble online at www.fas.org/irp/nsa/rainbow/tg030.htm “ state 0 state 1 0/a 1/d 0/b 1/c 2-state graph for a covert channel *not limited to just 2 states For more states the equation will be generalised to: ∑ where

10. CHALLENGES OF IMPLEMENTATION • system access control policy must be

    taken into account • bandwidth of the channel limited to number of accessible files • may be difficult to completely isolate processes • noise

11. DETECTION • most methods are ad hoc • use Shared

    Resource Matrix Methodology ◦ first, enumerate all shared resources ◦ then, determine whether it can be used to transfer information from one subject to another covertly ◦ must also first identify the shared resources • use Information Flow Method ◦ automated flow analysis from a program's syntax

12. PREVENTION • block or eliminate the channel • add noise

    to the channel • impossible on hardware level • masking ◦ channels are masked by the caller • enforcement ◦ ensure that a confined program’s input to covert channels conforms to the caller’s specifications

13. REFERENCES • A guide to understanding covert channel capacity analysis

    of a trusted system, National computer security center, November 1993, availble online at www.fas.org/irp/nsa/rainbow/tg030.htm ← primary source of Covert Channels • Charles P. Pfleeger and Shari Lawrence Pfleeger. 2006. Security in Computing (4th Edition). Prentice Hall PTR, Upper Saddle River, NJ, USA ← secondary source of Covert Channels • Kemmerer, Richard A. "A practical approach to identifying storage and timing channels: Twenty years later." Computer Security Applications Conference, 2002. Proceedings. 18th Annual. IEEE, 2002 ← Covert Channel overview • Zander, Sebastian, Grenville J. Armitage, and Philip Branch. "A survey of covert channels and countermeasures in computer network protocols." IEEE Communications Surveys and Tutorials 9.1-4 (2007): 44-57 ← Covert Channel prevention • Butler W. Lampson. 1973. A note on the confinement problem. Commun. ACM 16, 10 (October 1973), 613-615 ← Covert Channel blocking

14. COVERT CHANNELS USING A FILE LOCK ATTRIBUTE Team F |

    2015