An Overview of the History and
Current Trends in Covert Channel
Technology
Nicholas Hoare
ISG PhD Seminar
Thursday 28th February
Outline
Information Flows and Multi-level Security (MLS)
Covert Channels in Multi-Level Security Systems
Properties of Covert Channels
Prevention, Detection, Effectiveness
Modern Covert Channels
– A Framework
– Wardens
– Network Storage Channels
– Network Timing Channels
Conclusion
Information Flows and Multi-level Security (MLS) (1)
An information flow policy is typically designed to
preserve:
• the confidentiality and/or integrity of data within a computer
system. In terms of confidentiality the policy tries to prevent
the flow of information to those users not authorised to
receive it.
In Multi-level Security (MLS) systems the following
is important:
• to allow information flows between users of the system
who have sufficient security clearances; and
• to prevent flows to those that do not.
Information Flows and MLS (2)
If all possible information flows can be identified
then these flows can be restricted such that the
goals of the security policy are preserved.
If it is not possible to identify all such flows then
there is the potential for information to flow in an
unauthorised manner.
If information can flow within a system in an
unauthorised manner then the security boundaries
defined by the security policy can be violated.
Information Flows and MLS (3)
It is therefore possible, even in systems that have
security policies as well as discretionary and
mandatory access controls, that information may be
able to flow in a manner not expected by the
designers of the system.
It has been shown that a limitation of the Bell-LaPadula Model is that it cannot constrain
information flow in such a way as to prevent the
establishment of these types of channels.
Covert Channels in MLS Systems (1)
A channel can be defined as a communication path
by which information can flow within a computer
system.
An overt channel is one which is designed for the
authorised transfer of data.
A covert channel is, by contrast, a path that can
allow information to flow in a manner that violates
the security policy of a system, allowing the transfer
of information by an unauthorised process.
Covert Channels in MLS Systems (2)
Unless all possible channels can be identified there
is the potential for covert channels to exist in all
systems where MLS is used.
The Trusted Computer Security Evaluation Criteria
(TCSEC) is a standard which allows computer
systems to gain a security rating based upon the
security that they provide.
TCSEC recognises the existence of such channels
and certain ratings require the analysis of such
channels.
Covert Channels in MLS Systems (3)
TCSEC recognises two types of covert channel that
can exist in a system. The first is the covert storage
channel:
• A covert storage channel is a “covert channel that involves
the direct or indirect writing of a storage location by one
process and the direct or indirect reading of the storage
location by another process. Covert storage channels
typically involve a finite resource (e.g. sectors on a disk)
that is shared by two subjects at different security levels.”
Examples
• Shared file system.
• Network protocols.
Covert Channels in MLS Systems (4)
The second type of channel that TCSEC recognises
is the covert timing channel:
• A covert timing channel is a “covert channel in which one
process signals information to another by modulating its
own use of system resources (e.g. CPU time) in such a
way that this manipulation affects the real response time
observed by the second process.”
Examples
• Availability of a resource at certain times.
• Packet inter-arrival times of Internet traffic.
Covert Channels in MLS Systems (5)
In terms of TCSEC there are several divisions of security that
systems can be awarded: D, C, B and A, where A is the highest.
• For a B2 rating the occurrence and bandwidth of a storage
channel must be analysed, and for a B3 rating the same for a
timing channel.
• One of the goals of TCSEC in analysing these channels is to be
able to monitor and maintain the capacity of the channel below
maximum acceptable levels.
This highlights the fact that covert channels are seen as a real
practical threat to the security of computer systems.
Properties of Covert Channels
The main properties of a covert channel are
• existence.
• capacity.
• covertness.
A covert channel can either be
• noiseless – this type of channel is simply shared by the
covert communicators.
• noisy – has the addition of other communicating traffic.
Prevention, Detection, Effectiveness
It has been shown that prevention of channels is very
difficult.
It is more desirable to be able to detect a channel and
reduce the effectiveness (bandwidth) of the
channel.
If the bandwidth is reduced below an acceptable level then
monitoring is not necessary.
Various methods have been proposed to eliminate or reduce
channels. These will be mentioned later.
Modern Covert Channels (1)
The interconnection of networks has meant covert channels
present an even greater challenge.
The emergence of high speed communication channels has meant
the potential for higher capacity channels.
Reports indicate the possibility of covert channels being used to
• leak information out of protected networks across the Internet.
• allow groups to communicate and pass information without
outside knowledge.
• coordinate attacks such as Distributed Denial-of-Service (DDoS)
attacks.
Modern Covert Channels (2)
The increased use of internetworking for communication has
meant that covert channels can now be used to transfer
information using arbitrary Internet traffic. Network storage
channels have received much more attention than the timing
channels. Several reasons for this have been highlighted, with
the main ones being:
• due to the nature of timing channels in networks, information is
usually transferred by the monitoring of packet inter-arrival times,
which means that it is not trivial to be able to achieve good
synchronisation between sender and receiver; and
• the bandwidth of timing channels tends to be less than that of a
storage channel.
A Framework (1)
Proposed by Lucena, Pease, Yadollahpour and Chapin (2004).
Alice and Bob wish to communicate secretly through the use
of arbitrary Internet traffic in a hostile environment.
Alice can be known as the sender and Bob as the receiver.
Alice is sitting behind a network which could be protected by
IDS and Firewall.
Walter is the adversary of Alice and Bob and wishes to detect
and remove their communication.
Alice and Bob can use a communications path which is
already in place between themselves or two arbitrary
processes, sender and receiver.
A Framework (2)
Alice can make modifications to packets
originating from within the network.
Bob is situated outside the network and in
the path of the packets leaving the network.
Walter can be positioned anywhere in the
network and the location will determine how
much of the traffic he can monitor.
A Framework (3)
The adversary Walter is positioned at some
point between the sending and receiving
processes within the network.
• Walter can be either passive, that is he can try
and detect the existence of a covert channel and
report to a 3rd party,
• or he can be active. In this situation he can
actually try and remove any covert information
whilst not breaking the semantics of the overt
communication.
Wardens (1)
Walter has been formalised in the academic world as
a warden. Work done by
• Fisk, Fisk, Papadopoulos and Neil (2002)
• Lucena, Lewandowski and Chapin (2003 - present)
These wardens are most useful in being able to
detect and eliminate covert information that is being
transferred by the use of a storage channel.
Lots of theoretical work.
Have been implemented.
Wardens (2)
The capabilities of active wardens have been
extended to
• Stateless Active Warden
• Stateful Active Warden
• Network-Aware Active Warden
These limit or extend the capabilities of
removing covert information.
Storage Channels (1)
Have received a lot of attention.
Focus has been on using common networking
protocols.
Hide or embed information into unused or
predictable fields in the header.
Most researched is the TCP/IP suite of protocols.
Storage Channels (2)
Murdoch, Lewis (2005)
The idea is to embed information in certain header fields that are either
unused, immutable or mutable with certain predictability.
The embedded information is carried out of the network with the
intention of avoiding detection by the warden.
Information may be placed in the payload section of the packets but this
is not considered to be a valid covert method of transfer.
Storage Channels (3)
A number of header fields have been proposed for concealing the
information. Several IPv4 header fields will now be considered:
Type of Service: This field holds 8 bits of information that can indicate
quality of service parameters to routers on a packet’s path. This is now
rarely ever used and as a default is set to zero, so a non-zero value
would be detected by a passive warden.
IP Identification: This is used in the reassembly of datagrams when
fragmentation has been used. This field contains 16 bits and could yield a
high capacity for transferring information. The only constraint on the
value of this field is uniqueness over the length of time that fragments of
a packet might reasonably remain in a network. Several schemes have
been devised that make use of a pseudorandom sequence to embed
data, but the field is not random. This could allow detection by monitoring.
Storage Channels (4)
IP Header Fields cont’d
IP Fragment Offset: When IP packets are fragmented, each fragment
contains an offset field to allow for the reassembly of the packet.
Information can be transmitted by modulating the size of the fragments
originated by the host, and thus the offsets. These can be quite easily
detected, particularly as in environments where MTU discovery is used, it
is unusual to see fragmented packets.
IP Flags: These flags are either Do Not Fragment (DF) or More
Fragments (MF) which is 0 if the fragment is the last, or if no
fragmentation has taken place. It is possible to be able to use these flags
but if the context of the packets is analysed it may be obvious that the
value should be zero. This channel is obviously very limited in the
capacity that it can generate.
Storage Channels – Detection and Mitigation (1)
If no warden is present then it is possible to leak information using headers.
One of the main defences proposed against these channels is the use
of a traffic normaliser (Handley and Paxson).
A normaliser tries to remove possible covert information from the
header of protocols by observing the implementation and semantics of
the protocol.
The normaliser has to be careful not to destroy the integrity of the protocol,
but this can be achieved with good results.
Storage Channels – Detection and Mitigation (2)
The Type of Service field within the IP header.
• Bits used for differentiated services.
• These bits can prioritise traffic according to nature of traffic being
carried.
If the site is not using DiffServ then the bits should be set to zero and
this would clear the channel and maintain the integrity of the header.
If DiffServ is being used then zeroing will destroy DiffServ and break the
protocol. Thus there is a potential problem in normalising this field, but if
DiffServ is being used the normaliser may be able to detect this if, for
example, it is Network-Aware.
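A sketch of the ToS handling described above, as an added example that is not part of the original slides: a passive check and an active normalisation over a raw 20-byte IPv4 header. The function names, the `diffserv_in_use` site setting and the sample header built from documentation addresses are assumptions of this example.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement header checksum; returns 0 for a header that is already valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(tos: int, flags_frag: int = 0x4000) -> bytes:
    """Constructed sample: 20-byte IPv4/TCP header between documentation addresses."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag, 64, 6, 0,
                    bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def passive_findings(header: bytes, diffserv_in_use: bool) -> list:
    """Passive warden: report header values the slides describe as detectable."""
    if len(header) != 20 or header[0] != 0x45:
        raise ValueError("example handles option-less IPv4 headers only")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    findings = []
    if header[1] and not diffserv_in_use:
        findings.append("tos-nonzero")        # default is zero when the field is unused
    if flags_frag & 0x3FFF:                   # MF bit set or a non-zero fragment offset
        findings.append("fragment-seen")      # unusual where MTU discovery is used
    return findings

def normalise_tos(header: bytes, diffserv_in_use: bool) -> bytes:
    """Active warden: zero ToS unless the site uses DiffServ, then fix the checksum."""
    if diffserv_in_use or header[1] == 0:
        return header                         # zeroing would break DiffServ; leave as is
    h = bytearray(header)
    h[1] = 0
    h[10:12] = b"\x00\x00"                    # checksum is computed over a zeroed field
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

if __name__ == "__main__":
    pkt = build_header(tos=0x58)              # constructed header with a non-zero ToS
    print(passive_findings(pkt, diffserv_in_use=False))
    print(normalise_tos(pkt, diffserv_in_use=False).hex())
```

The rest of the header is left untouched, so the overt communication keeps its semantics while the ToS bits no longer carry anything.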
Timing Channels (1)
Timing channels have received much less attention than storage
channels because of synchronisation issues and the potentially lower
bandwidth available to the channel.
One of the main methods of creating these types of channel is to
monitor the inter-arrival time of packets leaving a network.
• Other methods include packet-sorting channels which could be
used with protocols such as IPSec.
Alice does not necessarily have to generate her own packets but can
attempt to modulate the wait times between packets to encode the
information.
This assumes that Alice is able to capture and re-transmit packets in the
network.
Timing Channels (2)
This channel will be noisy due to general Internet noise and also delays
and jitter present in the network. Forwarding devices (e.g. Routers) also
may incur a small processing overhead.
Bob simply needs to be in the path of the packets leaving the network.
The nearer to the egress point of the network the higher accuracy due
to the minimised number of hops that the packets traverse.
The channel itself is established by the use of a timing interval during
which the reception or absence of packets is significant.
Constructing a timing channel (1)
The sender/receiver agree beforehand on a timing interval and a
starting protocol to signal the start of transmission.
The starting protocol may be a time or a network event, or a special
packet could be used to signal transmission.
Once established if a packet is received within the time interval then this
signifies a binary “1” and silence during the period signifies a “0”.
Rather than creating a continuous stream of bits one method could be
to create a frame. This would consist of a pre-determined number of bits
within each frame.
Constructing a timing channel (2)
Cabuk, Brodley, Shields (2004)
Each frame could consist of:
• data bits – the bits that are being transmitted.
• parity bits – for error-correcting due to transmission errors.
• synchronisation bits – used for synching between sender/receiver.
Some issues with the timing channel
There are some issues that can determine the effectiveness of the
timing channel:
Performance Factors:
• Network conditions – These can include delay, out of order
packets, loss of packets and jitter in the network.
• Sender-receiver processing capability – Could become congested
under heavy load thus reducing performance.
• Algorithm of the channel – needs to be efficient.
These factors will have an effect on
• packet synchronisation.
• maximum capacity achievable.
• noise in the channel.
Timing interval of the timing channel
The capacity of the channel is determined by the timing interval chosen.
The smaller the interval the higher the transmission rate.
There will be a trade-off in this situation as jitter, system scheduling and
clock skew will increase the probability of errors as the interval is made
smaller.
There is the problem of being able to optimise the timing interval so that
a good transmission rate can be achieved and also so that errors can be
controlled.
It is possible that if the timing interval is not correctly chosen then timing
intervals could overlap between sender and receiver and the receiver
would incorrectly decode the message.
Synchronisation of the timing channel
A big challenge in implementing a covert channel is to be able to
achieve good synchronisation between the sender and receiver. Some
methods have been proposed to try and achieve synchronisation:
• Silent Intervals – These could be introduced between frames or
after a set number of frames have been sent.
• Interval adjusting – Makes use of an ideal timing interval on the
network. The observed timings can then be compared to the ideal
and adjusted accordingly to allow for changing network conditions.
Timing channels – Detection and Mitigation
Due to the nature of the channel, detection is typically offered by the use of
statistical analysis.
Methods of reducing the capacity involve trying to alter the timings of
the packets leaving the network.
There are several methods that try to reduce the transmission rates of
these channels:
• Pump
• traffic jammers
Both these devices add noise to the channel by delaying the delivery of
packets.
These devices alter the timings of packets so as to try and randomise
the inter-arrival times, thus corrupting the timing interval.
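A simulation of the interval trade-off and of the jammer's effect described above, as an added example that is not part of the original slides. It works on simulated timestamps only; the Gaussian jitter model, the independent uniform jammer delay per packet and all function names are assumptions of this example.

```python
import random

def simulate_ber(interval, jitter_sd=0.0, jam_max=0.0, nbits=2000, seed=1):
    """Bit error rate seen by the receiver of the interval-based channel.

    interval  - agreed timing interval in seconds
    jitter_sd - standard deviation of network jitter (Gaussian, assumed)
    jam_max   - jammer holds each packet for a uniform delay in [0, jam_max]
    """
    rng = random.Random(seed)
    sent = [rng.getrandbits(1) for _ in range(nbits)]
    received = [0] * nbits
    for i, bit in enumerate(sent):
        if not bit:
            continue                      # silence during the interval encodes 0
        t = (i + 0.5) * interval          # a packet in the interval encodes 1
        t += rng.gauss(0.0, jitter_sd) + rng.uniform(0.0, jam_max)
        slot = int(t // interval)         # interval in which the receiver observes it
        if 0 <= slot < nbits:
            received[slot] = 1
    errors = sum(s != r for s, r in zip(sent, received))
    return errors / nbits

def min_jam_delay(interval, target_ber, jitter_sd=0.0, steps=20):
    """Smallest jammer delay, searched in steps of interval/4, reaching target_ber."""
    for k in range(steps + 1):
        delay = k * interval / 4
        if simulate_ber(interval, jitter_sd, delay) >= target_ber:
            return delay
    return None                           # target not reached within the search range

if __name__ == "__main__":
    for interval in (0.05, 0.004):        # seconds; 2 ms of jitter in both runs
        print(interval, simulate_ber(interval, jitter_sd=0.002))
    print("jammer delay for 30% errors:", min_jam_delay(0.05, 0.30))
```

A bit error rate near 0.5 means the receiver learns almost nothing per interval, which is the effect a pump or jammer aims for at the cost of delaying legitimate traffic by the same amount.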
Conclusion
It has been shown that Covert Channels are a serious threat to the
security of computer systems, e.g. TCSEC.
Network storage channels have received much research attention and
this has resulted in limiting the effectiveness of these channels in
practice.
Network timing channels have received less attention due to several
limitations but it may be possible, if more work is done, to develop some
plausible timing channels that could be used in practice.
Thank you!
Questions?