Covert Channels

written by: Fred Foster; article published: year 2007, month 02;


In: Root » Computers and technology » Data security » Covert Channels

Dutch French Spanish Portuguese Italian German Japanese Chinese Korean Russian Arabic Bookmark and Share this Article

Covert channels use shared resources as paths of communication. This requires sharing of space or sharing of time.

A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.

A covert timing channel is usually defined in terms of a real-time clock or a timer, but temporal relationships sometimes use neither. An ordering of events implies a time-based relationship that involves neither a real-time clock nor a timer.

A second property distinguishes between a covert channel that only the sender and receiver have access to and a covert channel that others have access to as well.

A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.

The difference between these two types of channels lies in the need to filter out extraneous information. Any information that the receiver obtains from a noiseless channel comes from the sender. However, in a noisy channel, the sender's information is mixed with meaningless information, or noise, from other entities using the resource. A noisy covert channel requires a protocol to minimize this interference.

The key properties of covert channels are existence and bandwidth. Existence tells us that there is a channel along which information can be transmitted. Bandwidth tells us how rapidly information can be sent. Covert channel analysis establishes both properties. Then the channels can be eliminated or their bandwidths can be reduced.

Detection of Covert Channels

Covert channels require sharing. The manner in which the resource is shared controls which subjects can send and receive information using that shared resource. Detection methods begin with this observation.

Porras and Kemmerer have devised an approach to representing security violations that spring from the application of fault trees. They model the flow of information through shared resources with a tree. The paths of flow are identified in this structure. The analyst determines whether each flow is legitimate or covert.

A covert flow tree is a tree-structured representation of the sequence of operations that move information from one process to another. It consists of five types of nodes.

  1. Goal symbols specify states that must exist for the information to flow. There are several such states:

    1. A modification goal is reached when an attribute is modified.

    2. A recognition goal is reached when a modification of an attribute is detected.

    3. A direct recognition goal is reached when a subject can detect the modification of an attribute by referencing it directly or calling a function that returns it.

    4. An inferred recognition goal is reached when a subject can detect the modification of an attribute without referencing it directly and without calling a function that references the attribute directly. For example, the subject may call a function that performs one of two computations depending on the value of the attribute in question.

    5. An inferred-via goal is reached when information is passed from one attribute to other attributes using a specified primitive operation (such as a system call).

    6. A recognize-new-state goal is reached when an attribute that was modified when information was passed using it is specified by an inferred-via goal. The value need not be determined, but the fact that the attribute has been modified must be determined.

  2. An operation symbol is a symbol that represents a primitive operation. The operation symbols may vary among systems if they have different primitive operations.

  3. A failure symbol indicates that information cannot be sent along the path on which it lies. It means that the goal to which it is attached cannot be met.

  4. An and symbol is a goal that is reached when both of the following hold for all children:

    1. If the child is a goal, then the goal is reached.

    2. The child is an operation.

  5. An or symbol is a goal that is reached when either of the following holds for any children:

    1. If the child is a goal, then the goal is reached.

    2. The child is an operation.

Constructing the tree is a three-step process. To make the steps concrete, we present a simple set of operations and then ask if they can create a covert channel.

EXAMPLE: Consider a file system in which each file has three attributes. The boolean attributes locked and isopen are true when the file is locked or opened, respectively, and are false otherwise. The third attribute, inuse, is a set that contains the process ID of each process that has the file open. The function read_access(p, f ) is true if process p has read rights over file f, and empty(s) is true if set s has no members. The function random returns one of its arguments chosen at random. The following operations are defined.

(* lock the file if it is not locked and not opened *)
 (* otherwise indicate it is locked by returning false *)
 procedure Lockfile(f: file): boolean;
 begin
   if not f.locked and  empty(f.inuse) then
       f.locked :=  true;
 end;
 (* unlock the file *)
 procedure Unlockfile(f: file);
 begin
   if f.locked then
       f.locked :=  false;
 end;
 (* say whether the file is locked *)
 function Filelocked(f: file): boolean;
 begin
   Filelocked :=  f.locked;
 end;
 (* open the file if it isn't locked and the *)
 (* process has the right to read the file *)
 procedure Openfile(f: file);
 begin
   if not f.locked and  read_access(process_id, f  ) then
       (* add the  process ID to the inuse set *)
       f.inuse =  f.inuse + process_id;
 end;
 (* if the process can read the file, say if the *)
 (* file is open, otherwise return a value at random *)
 function Fileopened(f: file): boolean;
 begin
    if not read_access(process_id,  f  ) then
       Fileopened :=  random(true, false);
    else
       Fileopened :=  not isempty(f.inuse);
 end

Assuming that processes are not allowed to communicate with one another, the reader is invited to try to find a covert storage channel.

The first step in constructing a covert flow tree is to determine what attributes (if any) the primitive operations reference, modify, and return.

EXAMPLE: The functions in the preceding example affect file attributes in different ways, as follows.

  Lockfile Unlockfile Filelocked Openfile Fileopened
reference locked, inuse locked locked locked, inuse inuse
modify locked Ø Ø inuse Ø
return Ø Ø locked Ø inuse

The symbol Ø means that no attribute is affected in the specified manner.

The second step begins with the goal of locating a covert storage channel that uses some attribute. The analyst constructs the covert flow tree. The type of goal controls the construction, as follows.

  1. The topmost goal requires that the attribute be modified and that the modification be recognized. Hence, it has one child (an and symbol), which in turn has two children (a modification goal symbol and a recognition goal symbol).

  2. A modification goal requires some primitive operation to modify the attribute. Hence, it has one or child, which has one child operation symbol per operation for all operations that modify the attribute.

  3. A recognition goal requires that a subject either directly recognize or infer a change in an attribute. It has an or symbol as its child. The or symbol has two children, one a direct recognition goal symbol and the other an inferred recognition goal symbol.

  4. A direct recognition goal requires that an operation access the attribute. Like the modification goal, it has one or child, and that child in turn has one child operation symbol for each operation that returns the attribute. If no operation returns the attribute, a failure symbol is attached.

  5. An inferred recognition goal requires that the modification be inferred on the basis of one or more other attributes. Hence, it has one child, an or symbol, which has one child inferred-via symbol for each operation that references an attribute and that modifies some attribute (possibly the same one that was referenced).

  6. An inferred-via goal requires that the value of the attribute be inferred via some operation and a recognition of the new state of the attribute resulting from that operation. Hence, it has one child (an and symbol), which has two children (an operation symbol representing the primitive operation used to draw the inference and a recognize-new-state goal symbol).

  7. A recognize-new-state goal requires that the value of the attribute be inferred via some operation and a recognition of the new state of the attribute resulting from that operation. The latter requires a recognition goal for the attribute. So, the child node of the recognize-new-state goal symbol is an or symbol, and for each attribute enabling the inference of the modification of the attribute in question, the or symbol has a recognition goal symbol child.

Tree construction ends when all paths through the tree terminate in either an operation symbol or a failure symbol. Because the construction is recursive, the analyst may encounter a loop in the tree construction. Should this happen, a parameter called repeat defines the number of times that the path may be traversed. This places an upper bound on the size of the tree.

The shared resource matrix model and covert flow trees spring from the idea of examining shared resources for modification and reference operations, and both can be used at any point within the software development life cycle. One advantage of covert flow trees over the SRM model is that the former identifies explicit sequences of operations that cause information to flow from one process to another. The latter identifies channels rather than sequences of operations. In comparisons involving file system access operations and the Secure Ada Target, the covert flow tree method identified sequences of operations corresponding to the covert storage channels found by the SRM method and the noninterference method, as well as one not found by the other two.

Mitigation of Covert Channels

Covert channels convey information by varying the use of shared resources. An obvious way to eliminate all covert channels is to require processes to state what resources they need before execution and provide these resources in such a manner that only the process can access them. This includes runtime, and when the stated runtime is reached, the process is terminated and the resources are released. The resources remain allocated for the full runtime even if the process terminates earlier. Otherwise, a second process could infer information from the timing of the release of the resources (including access to the CPU). This strategy effectively implements Lampson's idea of total isolation, but it is usually unworkable in practice.

An alternative approach is to obscure the amount of resources that a process uses. A receiving process cannot determine what amount of resource usage is attributable to the sender and what amount is attributable to the obfuscation. This can be done in two ways. First, the resources devoted to each process can be made uniform. This is a variant of isolation, because each process gets the same amount of resources and cannot tell whether a second process is accessing the resource by measuring the timing or amount of resources available. In essence, the system eliminates meaningful irregularities in resource allocation and use. Second, a system can inject randomness into the allocation and use of resources. The goal is to make the covert channel a noisy one and to have the noise dominate the channel. This does not close the covert channel (because it still exists) but renders it useless.

Both these techniques affect efficiency. Assigning fixed allocations and constraining use waste resources. Fixing the time slices on the KVM system means that the CPU will be unused (or will execute an idle process) when another virtual machine could run a non-idle process. Increasing the probability of aborts in the multilevel secure database system will abort some transactions that would normally commit, increasing the expected number of tries to update the database. Whether the closing of the covert channel or the limiting of the bandwidth compensates adequately for the loss in efficiency is a policy decision.

A device known as a pump is the basis of several techniques for defeating covert channels.

Disclaimer

1) E-articles is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringement, please read the terms of service and contact us to investigate the problem.
2) E-articles is not responsible for inaccuracies, falsehoods, or any other types of misinformation this article may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here.

link to this article