Covert Channels Using File Locking

Transcript

1. COVERT CHANNELS USING
   FILE LOCKING
   Team F | 2015
   

   View Slide

2. COVERT CHANNELS & FILE LOCKING
   ● Covert Channels
   ○ programs that “leak” information
   ○ use entities to transfer data from Sender S to Receiver R
   ● File-Locking
   ○ limiting access to shared resources
   ○ affects both files and processes
   ○ operations and states
   ■ write-file, read-file, lock-file, unlock-file, open-file, close-file
   ■ file-locked, file-opened
   

   View Slide

3. COVERT CHANNEL TYPES
   TIMING CHANNEL
   STORAGE CHANNEL
   

   View Slide

4. STORAGE CHANNEL - HOW DOES IT WORK?
   ● minimum criteria:
   ○ The sending and receiving processes must have access to the same attribute of
   a shared resource.
   ○ There must be some means by which the sending process can force the shared
   attribute to change.
   ○ There must be some means by which the receiving process can detect the
   attribute change.
   ○ There must be some mechanism for initiating the communication between the
   sending and receiving processes
   

   View Slide

5. STORAGE CHANNEL - HOW DOES IT WORK?
   ● receiver monitors some global file attribute, sender modifies the
   attribute
   ● pass information by using the presence or absence of objects in
   storage
   ● i.e., the lock-file attribute:
   signals 1 on successful lock
   signals 0 on unsuccessful lock
   

   View Slide

6. TIMING CHANNEL - HOW DOES IT WORK?
   ● minimum criteria:
   ○ The sending and receiving processes must have access to the same attribute of a
   shared resource
   ○ The receiving process must have access to a time reference, such as a real-time
   clock.
   ○ The sender must be capable of modulating the receiver’s response time for
   detecting a change in the shared attribute.
   ○ There must be some mechanism for initiating the processes and for sequencing
   the events.
   

   View Slide

7. TIMING CHANNEL - HOW DOES IT WORK?
   ● pass information by using the speed at which things
   happen
   ● i.e., the lock-file attribute:
   if s > n, signal 1
   otherwise, signal 0
   for some fixed time n the sender runs a
   process for s seconds; depending on the
   logic output 0 or 1
   

   View Slide

8. BANDWIDTH OF THE CHANNEL
   ● depends on many other factors!
   ● affected by noise, delay and interference
   ● affected by coding and symbol distribution
   ● affected by system components (e.g., disk, memory, CPU)
   ● affected by system configuration (e.g., using cache or not)
   ● affected by configuration component size (e.g., memory/cache size)
   ● affected by configuration initialisation
   ● etc.
   ● the higher the bandwidth, the greater the compromise
   ● currently the bandwidth can achieve 1000bits/s to megabits/s and up
   

   View Slide

9. EXAMPLE OF BANDWIDTH CALCULATION
   ●
   ○
   ○
   ● bandwidth may differ; take into account the largest
   ● Informal way to calculate bandwidth exists as well
   Based on “A guide to understanding covert channel capacity analysis of a trusted system, National computer security center, November 1993, availble online at www.fas.org/irp/nsa/rainbow/tg030.htm “
   state 0 state 1
   0/a 1/d
   0/b
   1/c
   2-state graph for a covert channel
   *not limited to just 2 states
   For more states the equation will be generalised to:
   ∑ where
   

   View Slide

10. CHALLENGES OF IMPLEMENTATION
    ● system access control policy must be taken into
    account
    ● bandwidth of the channel limited to number of
    accessible files
    ● may be difficult to completely isolate processes
    ● noise
    

    View Slide

11. DETECTION
    ● most methods are ad hoc
    ● use Shared Resource Matrix Methodology
    ○ first, enumerate all shared resources
    ○ then, determine whether it can be used to transfer
    information from one subject to another covertly
    ○ must also first identify the shared resources
    ● use Information Flow Method
    ○ automated flow analysis from a program's syntax
    

    View Slide

12. PREVENTION
    ● block or eliminate the channel
    ● add noise to the channel
    ● impossible on hardware level
    ● masking
    ○ channels are masked by the caller
    ● enforcement
    ○ ensure that a confined program’s input to covert channels
    conforms to the caller’s specifications
    

    View Slide

13. REFERENCES
    ● A guide to understanding covert channel capacity analysis of a trusted system, National computer security center, November 1993,
    availble online at www.fas.org/irp/nsa/rainbow/tg030.htm ← primary source of Covert Channels
    ● Charles P. Pfleeger and Shari Lawrence Pfleeger. 2006. Security in Computing (4th Edition). Prentice Hall PTR, Upper Saddle River,
    NJ, USA ← secondary source of Covert Channels
    ● Kemmerer, Richard A. "A practical approach to identifying storage and timing channels: Twenty years later." Computer Security
    Applications Conference, 2002. Proceedings. 18th Annual. IEEE, 2002 ← Covert Channel overview
    ● Zander, Sebastian, Grenville J. Armitage, and Philip Branch. "A survey of covert channels and countermeasures in computer network
    protocols." IEEE Communications Surveys and Tutorials 9.1-4 (2007): 44-57 ← Covert Channel prevention
    ● Butler W. Lampson. 1973. A note on the confinement problem. Commun. ACM 16, 10 (October 1973), 613-615 ← Covert Channel
    blocking
    

    View Slide

14. COVERT CHANNELS USING
    A FILE LOCK ATTRIBUTE
    Team F | 2015
    

    View Slide