Slide 1

COVERT CHANNELS USING FILE LOCKING
Team F | 2015

Slide 2

COVERT CHANNELS & FILE LOCKING
● Covert Channels
  ○ programs that “leak” information
  ○ use entities to transfer data from Sender S to Receiver R
● File-Locking
  ○ limiting access to shared resources
  ○ affects both files and processes
  ○ operations and states
    ■ write-file, read-file, lock-file, unlock-file, open-file, close-file
    ■ file-locked, file-opened

Slide 3

COVERT CHANNEL TYPES
● TIMING CHANNEL
● STORAGE CHANNEL

Slide 4

STORAGE CHANNEL - HOW DOES IT WORK?
● minimum criteria:
  ○ The sending and receiving processes must have access to the same attribute of a shared resource.
  ○ There must be some means by which the sending process can force the shared attribute to change.
  ○ There must be some means by which the receiving process can detect the attribute change.
  ○ There must be some mechanism for initiating the communication between the sending and receiving processes.

Slide 5

STORAGE CHANNEL - HOW DOES IT WORK?
● receiver monitors some global file attribute, sender modifies the attribute
● pass information by using the presence or absence of objects in storage
● i.e., the lock-file attribute:
    signals 1 on successful lock
    signals 0 on unsuccessful lock

Slide 6

TIMING CHANNEL - HOW DOES IT WORK?
● minimum criteria:
  ○ The sending and receiving processes must have access to the same attribute of a shared resource.
  ○ The receiving process must have access to a time reference, such as a real-time clock.
  ○ The sender must be capable of modulating the receiver’s response time for detecting a change in the shared attribute.
  ○ There must be some mechanism for initiating the processes and for sequencing the events.

Slide 7

TIMING CHANNEL - HOW DOES IT WORK?
● pass information by using the speed at which things happen
● i.e., the lock-file attribute:
    if s > n, signal 1
    otherwise, signal 0
  for some fixed time n the sender runs a process for s seconds; depending on the logic output 0 or 1

Slide 8

BANDWIDTH OF THE CHANNEL
● depends on many other factors!
● affected by noise, delay and interference
● affected by coding and symbol distribution
● affected by system components (e.g., disk, memory, CPU)
● affected by system configuration (e.g., using cache or not)
● affected by configuration component size (e.g., memory/cache size)
● affected by configuration initialisation
● etc.
● the higher the bandwidth, the greater the compromise
● currently the bandwidth can achieve 1000 bits/s to megabits/s and up

Slide 9

EXAMPLE OF BANDWIDTH CALCULATION
● ○ ○
● bandwidth may differ; take into account the largest
● Informal way to calculate bandwidth exists as well
Based on “A guide to understanding covert channel capacity analysis of a trusted system”, National Computer Security Center, November 1993, available online at www.fas.org/irp/nsa/rainbow/tg030.htm
[Figure: 2-state graph for a covert channel; states “state 0” and “state 1”; transitions labelled 0/a, 1/d, 0/b, 1/c]
*not limited to just 2 states
For more states the equation will be generalised to: ∑ where
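Added example (not from the original slides): Shannon's noiseless-channel method gives the capacity of a finite-state channel such as the 2-state graph as log2 of the largest x for which the matrix with entries sum(x^-t) over the i→j transitions has spectral radius 1. It assumes a and c are the self-loop times and b and d the times of the transitions between the two states; the timings are constructed, and the function also handles more than two states.

```python
import math

def spectral_radius(m, iters=500):
    """Perron root of a non-negative matrix, by power iteration on (M + I)."""
    n = len(m)
    v = [1.0 / n] * n
    lam = 1.0
    for _ in range(iters):
        w = [v[i] + sum(m[i][j] * v[j] for j in range(n)) for i in range(n)]
        lam = sum(w)              # estimate for (M + I), because sum(v) == 1
        v = [x / lam for x in w]
    return lam - 1.0

def capacity(transitions, n_states):
    """Bits per time unit for transitions given as (from, to, duration)."""
    def rho(x):
        a = [[0.0] * n_states for _ in range(n_states)]
        for i, j, t in transitions:
            a[i][j] += x ** (-t)
        return spectral_radius(a)
    if rho(1.0) <= 1.0:
        return 0.0                # a single possible path carries no information
    lo, hi = 1.0, 2.0
    while rho(hi) > 1.0:
        hi *= 2.0
    for _ in range(60):           # rho(x) decreases in x, so bisect on rho == 1
        mid = (lo + hi) / 2.0
        if rho(mid) > 1.0:
            lo = mid
        else:
            hi = mid
    return math.log2(hi)

def two_state(a, b, c, d):
    """Assumed reading of the slide's graph: a, c self-loops; b, d crossings."""
    return [(0, 0, a), (0, 1, b), (1, 1, c), (1, 0, d)]

if __name__ == "__main__":
    # Constructed timings, in seconds per transition.
    print(round(capacity(two_state(0.01, 0.02, 0.01, 0.02), 2), 1), "bits/s")
```

When the timings are in seconds the result is in bits/s, which is the figure to compare against an acceptable-bandwidth threshold.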

Slide 10

CHALLENGES OF IMPLEMENTATION
● system access control policy must be taken into account
● bandwidth of the channel limited to number of accessible files
● may be difficult to completely isolate processes
● noise

Slide 11

DETECTION
● most methods are ad hoc
● use Shared Resource Matrix Methodology
  ○ first, enumerate all shared resources
  ○ then, determine whether it can be used to transfer information from one subject to another covertly
  ○ must also first identify the shared resources
● use Information Flow Method
  ○ automated flow analysis from a program's syntax
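Added example (not part of the original slides): the Shared Resource Matrix check applied to the operations and states listed on slide 2, which also tests the first three storage-channel criteria from slide 4. The R/M entries, the extra file-value attribute and the sender/receiver operation sets are constructed assumptions, not a model of any particular system.

```python
# Shared Resource Matrix (constructed, simplified): for each operation, the
# attributes it references (R: can observe) and modifies (M: can change).
SRM = {
    "lock-file":   {"R": {"file-locked", "file-opened"}, "M": {"file-locked"}},
    "unlock-file": {"R": {"file-locked"},                "M": {"file-locked"}},
    "open-file":   {"R": {"file-locked"},                "M": {"file-opened"}},
    "close-file":  {"R": {"file-opened"},                "M": {"file-opened"}},
    "read-file":   {"R": {"file-opened", "file-value"},  "M": set()},
    "write-file":  {"R": {"file-locked"},                "M": {"file-value"}},
}

def transitive_closure(srm):
    """Add indirect references: if op X modifies A while referencing B, then
    any op that references A can also learn something about B."""
    closed = {op: {"R": set(e["R"]), "M": set(e["M"])} for op, e in srm.items()}
    changed = True
    while changed:
        changed = False
        for x in closed.values():
            for a in x["M"]:
                for y in closed.values():
                    if a in y["R"] and not x["R"] <= y["R"]:
                        y["R"] |= x["R"]
                        changed = True
    return closed

def candidate_channels(srm, sender_ops, receiver_ops):
    """Attributes the sender can modify and the receiver can reference.
    Each hit is a candidate that still needs manual analysis."""
    closed = transitive_closure(srm)
    attrs = sorted({a for e in closed.values() for a in e["R"] | e["M"]})
    found = {}
    for attr in attrs:
        mod = sorted(op for op in sender_ops if attr in closed[op]["M"])
        ref = sorted(op for op in receiver_ops if attr in closed[op]["R"])
        if mod and ref:
            found[attr] = (mod, ref)
    return found

if __name__ == "__main__":
    # Assumed policy: the sender may only lock/unlock, the receiver may only
    # try to lock or open the same file.
    hits = candidate_channels(SRM, {"lock-file", "unlock-file"},
                              {"lock-file", "open-file"})
    for attr, (mod, ref) in hits.items():
        print(attr, "modified via", mod, "observed via", ref)
```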

Slide 12

PREVENTION
● block or eliminate the channel
● add noise to the channel
● impossible on hardware level
● masking
  ○ channels are masked by the caller
● enforcement
  ○ ensure that a confined program’s input to covert channels conforms to the caller’s specifications

Slide 13

REFERENCES
● A guide to understanding covert channel capacity analysis of a trusted system, National Computer Security Center, November 1993, available online at www.fas.org/irp/nsa/rainbow/tg030.htm ← primary source of Covert Channels
● Charles P. Pfleeger and Shari Lawrence Pfleeger. 2006. Security in Computing (4th Edition). Prentice Hall PTR, Upper Saddle River, NJ, USA ← secondary source of Covert Channels
● Kemmerer, Richard A. "A practical approach to identifying storage and timing channels: Twenty years later." Computer Security Applications Conference, 2002. Proceedings. 18th Annual. IEEE, 2002 ← Covert Channel overview
● Zander, Sebastian, Grenville J. Armitage, and Philip Branch. "A survey of covert channels and countermeasures in computer network protocols." IEEE Communications Surveys and Tutorials 9.1-4 (2007): 44-57 ← Covert Channel prevention
● Butler W. Lampson. 1973. A note on the confinement problem. Commun. ACM 16, 10 (October 1973), 613-615 ← Covert Channel blocking

Slide 14

COVERT CHANNELS USING A FILE LOCK ATTRIBUTE
Team F | 2015