
Covert Channels Using File Locking


A presentation about Covert Channels using a File Lock attribute.

The goal of the presentation was to answer 4 questions:
1) How does the covert channel work?
2) What is the likely bandwidth of the channel?
3) What are the major challenges that would arise in implementation of the channel?
4) What security control mechanisms could be used to prevent/detect this type of covert channel?

The presentation was made for the module "Topics in Privacy and Security" at the University of York in January 2015.

Aleksandrs Cudars

January 29, 2015



Transcript

1. COVERT CHANNELS & FILE LOCKING
• Covert Channels
  ◦ programs that “leak” information
  ◦ use entities to transfer data from Sender S to Receiver R
• File-Locking
  ◦ limiting access to shared resources
  ◦ affects both files and processes
  ◦ operations and states
    ▪ write-file, read-file, lock-file, unlock-file, open-file, close-file
    ▪ file-locked, file-opened
2. STORAGE CHANNEL - HOW DOES IT WORK?
• minimum criteria:
  ◦ The sending and receiving processes must have access to the same attribute of a shared resource.
  ◦ There must be some means by which the sending process can force the shared attribute to change.
  ◦ There must be some means by which the receiving process can detect the attribute change.
  ◦ There must be some mechanism for initiating the communication between the sending and receiving processes.
3. STORAGE CHANNEL - HOW DOES IT WORK?
• receiver monitors some global file attribute, sender modifies the attribute
• pass information by using the presence or absence of objects in storage
• e.g., the lock-file attribute:
  ◦ signals 1 on successful lock
  ◦ signals 0 on unsuccessful lock
4. TIMING CHANNEL - HOW DOES IT WORK?
• minimum criteria:
  ◦ The sending and receiving processes must have access to the same attribute of a shared resource.
  ◦ The receiving process must have access to a time reference, such as a real-time clock.
  ◦ The sender must be capable of modulating the receiver’s response time for detecting a change in the shared attribute.
  ◦ There must be some mechanism for initiating the processes and for sequencing the events.
5. TIMING CHANNEL - HOW DOES IT WORK?
• pass information by using the speed at which things happen
• e.g., the lock-file attribute: for some fixed time n, the sender runs a process for s seconds; depending on the logic, output 0 or 1:
  ◦ if s > n, signal 1
  ◦ otherwise, signal 0
6. BANDWIDTH OF THE CHANNEL
• depends on many other factors!
• affected by noise, delay and interference
• affected by coding and symbol distribution
• affected by system components (e.g., disk, memory, CPU)
• affected by system configuration (e.g., using cache or not)
• affected by configuration component size (e.g., memory/cache size)
• affected by configuration initialisation
• etc.
• the higher the bandwidth, the greater the compromise
• currently the bandwidth can achieve 1000 bits/s to megabits/s and up
7. EXAMPLE OF BANDWIDTH CALCULATION
[Figure: 2-state graph for a covert channel, with states “state 0” and “state 1” and transitions labelled 0/a, 1/d, 0/b, 1/c; not limited to just 2 states. Based on “A guide to understanding covert channel capacity analysis of a trusted system”, National Computer Security Center, November 1993, available online at www.fas.org/irp/nsa/rainbow/tg030.htm]
• bandwidth may differ; take into account the largest
• informal way to calculate bandwidth exists as well
• for more states the equation will be generalised to: ∑ where
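The capacity of the 2-state graph on this slide can be computed with the noiseless finite-state channel theorem (Shannon, 1948, Theorem 1), which the NCSC guide cited above builds on: the capacity is log2(W) bits per time unit, where W is the largest real root of det[M(W) - I] = 0 and M(x)[i][j] sums x^(-t) over the symbols that lead from state i to state j in time t. The code below is an added example, not part of the deck and not the NCSC guide's own procedure; it assumes the edge labels “0/a”, “1/d”, “0/b”, “1/c” are read as symbol/time (from state 0, emitting 0 takes a and stays in state 0, emitting 1 takes d and moves to state 1, and so on) and that every transition takes at least one time unit. It also handles the n-state generalisation the slide mentions, since the same determinant applies to any number of states.

```python
"""Capacity of a noiseless finite-state covert channel (added example).

Shannon (1948), Theorem 1: C = log2(W) bits per time unit, where W is the
largest real root of det[M(W) - I] = 0 and M(x)[i][j] = sum of x^(-t) over
the symbols leading from state i to state j in t time units.
"""
from math import log2
from typing import List, Tuple

Edge = Tuple[int, int, str, float]  # (from_state, to_state, symbol, time units)


def two_state_graph(a: float, b: float, c: float, d: float) -> List[Edge]:
    """The slide's 2-state graph, reading each label as symbol/time (assumption)."""
    return [(0, 0, "0", a), (0, 1, "1", d), (1, 0, "0", b), (1, 1, "1", c)]


def _det(m: List[List[float]]) -> float:
    """Determinant by Gaussian elimination with partial pivoting (no numpy needed)."""
    n = len(m)
    m = [row[:] for row in m]
    det = 1.0
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(m[r][i]))
        if abs(m[p][i]) < 1e-300:
            return 0.0
        if p != i:
            m[i], m[p] = m[p], m[i]
            det = -det
        det *= m[i][i]
        for r in range(i + 1, n):
            f = m[r][i] / m[i][i]
            for col in range(i, n):
                m[r][col] -= f * m[i][col]
    return det


def characteristic(x: float, edges: List[Edge], n_states: int) -> float:
    """det(M(x) - I); its largest root above 1 determines the capacity."""
    m = [[0.0] * n_states for _ in range(n_states)]
    for i, j, _symbol, t in edges:
        m[i][j] += x ** (-t)
    for i in range(n_states):
        m[i][i] -= 1.0
    return _det(m)


def capacity(edges: List[Edge], n_states: int, tol: float = 1e-9) -> float:
    """Capacity in bits per time unit: log2 of the largest real root W > 1.

    With at most k symbols leaving any state and all times >= 1 (assumed),
    W cannot exceed k, so scan downward from just above k for the first sign
    change of the characteristic function, then bisect on that interval.
    """
    k = max(sum(1 for e in edges if e[0] == s) for s in range(n_states))
    x, f_x = float(k) + 1.0, characteristic(float(k) + 1.0, edges, n_states)
    step = (x - 1.0) / 10000
    lo, f_lo = None, 0.0
    while x - step > 1.0:
        y, f_y = x - step, characteristic(x - step, edges, n_states)
        if f_y == 0.0:
            return log2(y)
        if (f_y < 0) != (f_x < 0):
            lo, f_lo = y, f_y
            break
        x, f_x = y, f_y
    if lo is None:
        raise ValueError("no root above 1: the graph carries no information")
    while x - lo > tol:
        mid = (lo + x) / 2
        f_mid = characteristic(mid, edges, n_states)
        if (f_mid < 0) == (f_lo < 0):
            lo, f_lo = mid, f_mid
        else:
            x = mid
    return log2((lo + x) / 2)


if __name__ == "__main__":
    # Constructed timings: when every lock/unlock step takes one unit the
    # channel carries one bit per unit; slower 1-transitions reduce it.
    print(capacity(two_state_graph(1, 1, 1, 1), 2))  # 1.0
    print(capacity(two_state_graph(1, 2, 1, 2), 2))  # between 0.5 and 1.0
```

If the time unit is one second, the result is directly comparable with the bits/s figures on the previous slide; a capacity analysis like this is what TG-030 asks evaluators to carry out before deciding whether a channel must be closed, slowed, or merely audited.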
8. CHALLENGES OF IMPLEMENTATION
• system access control policy must be taken into account
• bandwidth of the channel limited to number of accessible files
• may be difficult to completely isolate processes
• noise
9. DETECTION
• most methods are ad hoc
• use Shared Resource Matrix Methodology
  ◦ first, enumerate all shared resources
  ◦ then, determine whether each one can be used to transfer information from one subject to another covertly
  ◦ must also first identify the shared resources
• use Information Flow Method
  ◦ automated flow analysis from a program's syntax
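The Shared Resource Matrix step on this slide can be mechanised for the operations and attributes listed on slide 1. The code below is an added example, not from the deck and not Kemmerer's own tooling: it records for each operation whether it References (R) or Modifies (M) each attribute, propagates indirect references (an operation that reads attribute A and writes attribute B lets A be observed through B), and then reports every attribute that some operation can modify and some operation can observe, which are the storage-channel candidates satisfying criteria 2 and 3 of slide 2. The R/M entries are a constructed assumption about a typical lock API; in particular lock-file both references and modifies file-locked, because its success or failure reveals the previous state.

```python
"""Shared Resource Matrix (SRM) check for file-locking primitives (added example)."""
from typing import Dict, List, Set

ATTRIBUTES: List[str] = ["file-locked", "file-opened"]
OPERATIONS: List[str] = [
    "open-file", "close-file", "read-file", "write-file", "lock-file", "unlock-file",
]

# Constructed matrix (assumed lock-API semantics): row = attribute,
# column = operation, entry = {"R"} reference, {"M"} modify, or both.
SRM: Dict[str, Dict[str, Set[str]]] = {
    "file-locked": {
        "lock-file": {"R", "M"},    # fails if already locked, otherwise sets it
        "unlock-file": {"R", "M"},  # fails if not locked, otherwise clears it
        "write-file": {"R"},        # a write to a file locked by another is refused
    },
    "file-opened": {
        "open-file": {"M"},
        "close-file": {"R", "M"},   # error if the file is not open
        "read-file": {"R"},
        "write-file": {"R"},
        "lock-file": {"R"},         # the file must be open before it can be locked
    },
}


def direct(kind: str, attribute: str) -> Set[str]:
    """Operations with a direct R or M entry for the attribute."""
    return {op for op, marks in SRM[attribute].items() if kind in marks}


def flows() -> Dict[str, Set[str]]:
    """A -> B whenever one operation references A and modifies B (A's value can reach B)."""
    out: Dict[str, Set[str]] = {a: set() for a in ATTRIBUTES}
    for op in OPERATIONS:
        refs = {a for a in ATTRIBUTES if "R" in SRM[a].get(op, set())}
        mods = {b for b in ATTRIBUTES if "M" in SRM[b].get(op, set())}
        for a in refs:
            out[a] |= mods - {a}
    return out


def observers(attribute: str) -> Set[str]:
    """Operations that can observe the attribute directly or via attributes it flows into."""
    fl = flows()
    seen: Set[str] = set()
    todo = [attribute]
    result: Set[str] = set()
    while todo:
        a = todo.pop()
        if a in seen:
            continue
        seen.add(a)
        result |= direct("R", a)
        todo.extend(fl[a])
    return result


def potential_storage_channels() -> Dict[str, Dict[str, Set[str]]]:
    """Attributes a sender can modify and a receiver can observe, with the operations involved."""
    found: Dict[str, Dict[str, Set[str]]] = {}
    for a in ATTRIBUTES:
        senders, receivers = direct("M", a), observers(a)
        if senders and receivers:
            found[a] = {"sender_ops": senders, "receiver_ops": receivers}
    return found


if __name__ == "__main__":
    for attr, ops in potential_storage_channels().items():
        print(f"{attr}: sender via {sorted(ops['sender_ops'])}, "
              f"receiver via {sorted(ops['receiver_ops'])}")
```

Every attribute the check flags still has to be judged against criterion 4 (an initiation mechanism) and the system's access control policy before it is treated as a real channel; the value of the matrix is that it makes the enumeration exhaustive rather than ad hoc, which is exactly the weakness of the other detection methods the slide names.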
10. PREVENTION
• block or eliminate the channel
• add noise to the channel
• impossible on hardware level
• masking
  ◦ channels are masked by the caller
• enforcement
  ◦ ensure that a confined program’s input to covert channels conforms to the caller’s specifications
11. REFERENCES
• A guide to understanding covert channel capacity analysis of a trusted system. National Computer Security Center, November 1993. Available online at www.fas.org/irp/nsa/rainbow/tg030.htm ← primary source of Covert Channels
• Charles P. Pfleeger and Shari Lawrence Pfleeger. 2006. Security in Computing (4th Edition). Prentice Hall PTR, Upper Saddle River, NJ, USA ← secondary source of Covert Channels
• Kemmerer, Richard A. "A practical approach to identifying storage and timing channels: Twenty years later." Computer Security Applications Conference, 2002. Proceedings. 18th Annual. IEEE, 2002 ← Covert Channel overview
• Zander, Sebastian, Grenville J. Armitage, and Philip Branch. "A survey of covert channels and countermeasures in computer network protocols." IEEE Communications Surveys and Tutorials 9.1-4 (2007): 44-57 ← Covert Channel prevention
• Butler W. Lampson. 1973. A note on the confinement problem. Commun. ACM 16, 10 (October 1973), 613-615 ← Covert Channel blocking