
Covert Channels Using File Locking


A presentation about Covert Channels using a File Lock attribute.

The goal of the presentation was to answer 4 questions:
1) How does the covert channel work?
2) What is the likely bandwidth of the channel?
3) What are the major challenges that would arise in implementation of the channel?
4) What security control mechanisms could be used to prevent/detect this type of covert channel?

The presentation was made for the module "Topics in Privacy and Security" at the University of York in January 2015.

Aleksandrs Cudars

January 29, 2015


Transcript

  1. COVERT CHANNELS USING
    FILE LOCKING
    Team F | 2015


  2. COVERT CHANNELS & FILE LOCKING
    ● Covert Channels
    ○ programs that “leak” information
    ○ use entities to transfer data from Sender S to Receiver R
    ● File-Locking
    ○ limiting access to shared resources
    ○ affects both files and processes
    ○ operations and states
    ■ write-file, read-file, lock-file, unlock-file, open-file, close-file
    ■ file-locked, file-opened


  3. COVERT CHANNEL TYPES
    TIMING CHANNEL
    STORAGE CHANNEL


  4. STORAGE CHANNEL - HOW DOES IT WORK?
    ● minimum criteria:
    ○ The sending and receiving processes must have access to the same attribute of
    a shared resource.
    ○ There must be some means by which the sending process can force the shared
    attribute to change.
    ○ There must be some means by which the receiving process can detect the
    attribute change.
    ○ There must be some mechanism for initiating the communication between the
    sending and receiving processes


  5. STORAGE CHANNEL - HOW DOES IT WORK?
    ● receiver monitors some global file attribute, sender modifies the
    attribute
    ● pass information by using the presence or absence of objects in
    storage
    ● i.e., the lock-file attribute:
    signals 1 on successful lock
    signals 0 on unsuccessful lock


  6. TIMING CHANNEL - HOW DOES IT WORK?
    ● minimum criteria:
    ○ The sending and receiving processes must have access to the same attribute of a
    shared resource
    ○ The receiving process must have access to a time reference, such as a real-time
    clock.
    ○ The sender must be capable of modulating the receiver’s response time for
    detecting a change in the shared attribute.
    ○ There must be some mechanism for initiating the processes and for sequencing
    the events.


  7. TIMING CHANNEL - HOW DOES IT WORK?
    ● pass information by using the speed at which things
    happen
    ● i.e., the lock-file attribute:
    for some fixed time n the sender runs a process for s seconds;
    depending on the logic, output 0 or 1:
    if s > n, signal 1
    otherwise, signal 0


  8. BANDWIDTH OF THE CHANNEL
    ● depends on many other factors!
    ● affected by noise, delay and interference
    ● affected by coding and symbol distribution
    ● affected by system components (e.g., disk, memory, CPU)
    ● affected by system configuration (e.g., using cache or not)
    ● affected by configuration component size (e.g., memory/cache size)
    ● affected by configuration initialisation
    ● etc.
    ● the higher the bandwidth, the greater the compromise
    ● currently the bandwidth can reach 1000 bits/s to megabits/s and up


  9. EXAMPLE OF BANDWIDTH CALCULATION



    ● bandwidth may differ; take into account the largest
    ● an informal way to calculate bandwidth exists as well
    Based on “A guide to understanding covert channel capacity analysis of a trusted system”, National Computer Security Center, November 1993, available online at www.fas.org/irp/nsa/rainbow/tg030.htm
    [Figure: 2-state graph for a covert channel; states: state 0, state 1; transition labels: 0/a, 0/b, 1/c, 1/d]
    *not limited to just 2 states
    For more states the equation will be generalised to:
    ∑ where
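
Added example, not part of the original slides: a capacity estimate for a noiseless two-state channel like the graph on this slide, using Shannon's result that the capacity is log2 of the largest real root x of det(P(x) - I) = 0, where P[i][j] = x^(-t_ij). The assignment of a and d to the self-loops and b and c to the state changes is an assumption, and the sample times are constructed.

```python
def capacity_two_state(a, b, c, d):
    """Capacity, in bits per time unit, of a noiseless 2-state channel.

    a, d: time to send a symbol that stays in state 0 / state 1 (assumed).
    b, c: times of the two transitions that change state (assumed).
    With x = 2**C the characteristic equation det(P(x) - I) = 0 becomes
        (1 - 2**(-a*C)) * (1 - 2**(-d*C)) - 2**(-(b+c)*C) = 0
    whose left side rises monotonically from -1 for C > 0, so there is a
    single positive root and bisection finds it.
    """
    if min(a, b, c, d) <= 0:
        raise ValueError("transition times must be positive")

    def f(C):
        return (1 - 2.0 ** (-a * C)) * (1 - 2.0 ** (-d * C)) - 2.0 ** (-(b + c) * C)

    lo, hi = 0.0, 1.0
    while f(hi) < 0:          # grow the bracket until the sign changes
        hi *= 2
    for _ in range(200):      # bisection to floating-point precision
        mid = (lo + hi) / 2
        if f(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    # Constructed timings in seconds: every lock operation takes 1 ms.
    print(round(capacity_two_state(0.001, 0.001, 0.001, 0.001)), "bits/s")
    # Same channel when each state change is delayed to 10 ms.
    print(round(capacity_two_state(0.001, 0.010, 0.010, 0.001)), "bits/s")
```

Comparing the two printed values shows how much a delay imposed on lock state changes lowers the capacity an analyst has to report.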


  10. CHALLENGES OF IMPLEMENTATION
    ● system access control policy must be taken into
    account
    ● bandwidth of the channel limited to number of
    accessible files
    ● may be difficult to completely isolate processes
    ● noise


  11. DETECTION
    ● most methods are ad hoc
    ● use Shared Resource Matrix Methodology
    ○ first, enumerate all shared resources
    ○ then, determine whether it can be used to transfer
    information from one subject to another covertly
    ○ must also first identify the shared resources
    ● use Information Flow Method
    ○ automated flow analysis from a program's syntax


  12. PREVENTION
    ● block or eliminate the channel
    ● add noise to the channel
    ● impossible on hardware level
    ● masking
    ○ channels are masked by the caller
    ● enforcement
    ○ ensure that a confined program’s input to covert channels
    conforms to the caller’s specifications


  13. REFERENCES
    ● A guide to understanding covert channel capacity analysis of a trusted system, National Computer Security Center, November 1993,
    available online at www.fas.org/irp/nsa/rainbow/tg030.htm ← primary source of Covert Channels
    ● Charles P. Pfleeger and Shari Lawrence Pfleeger. 2006. Security in Computing (4th Edition). Prentice Hall PTR, Upper Saddle River,
    NJ, USA ← secondary source of Covert Channels
    ● Kemmerer, Richard A. "A practical approach to identifying storage and timing channels: Twenty years later." Computer Security
    Applications Conference, 2002. Proceedings. 18th Annual. IEEE, 2002 ← Covert Channel overview
    ● Zander, Sebastian, Grenville J. Armitage, and Philip Branch. "A survey of covert channels and countermeasures in computer network
    protocols." IEEE Communications Surveys and Tutorials 9.1-4 (2007): 44-57 ← Covert Channel prevention
    ● Butler W. Lampson. 1973. A note on the confinement problem. Commun. ACM 16, 10 (October 1973), 613-615 ← Covert Channel
    blocking


  14. COVERT CHANNELS USING
    A FILE LOCK ATTRIBUTE
    Team F | 2015
