Transcript slides

Covert Channels
Dan Fleck
CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
Is BLP Secure?
Consider the simple lattice of labels in the diagram, where H > L. There are no need-to-know categories in this system.
If this represents a BLP lattice, then information flow is permitted from L to H, but not vice versa. This captures the metapolicy of this simple system.
If we can instantiate this system such that BLP is satisfied, but information flows in violation of the metapolicy, something is clearly wrong.
[Diagram: two-level lattice, H above L]
A Simple BLP System
Consider a simple system that has READ and WRITE operations with the following semantics:
READ (S, O): if object O exists and L_S ≥ L_O, then return its current value; otherwise, return a zero.
WRITE (S, O, V): if object O exists and L_S ≤ L_O, change its value to V; otherwise, do nothing.
These operations are pretty clearly acceptable instances of READ and WRITE for a BLP system.
A BLP System (Cont.)
Suppose we want to add two new operations, CREATE and DESTROY, to the system, with the following semantics:
CREATE (S, O): if no object with name O exists anywhere on the system, create a new object O at level L_S; otherwise, do nothing.
DESTROY (S, O): if an object with name O exists and L_S ≤ L_O, destroy it; otherwise, do nothing.
These operations seem to satisfy the BLP rules, but are they “secure” by the standard of the metapolicy? Why or why not?
Covert Channel Example
In this system, a high level subject S_H can signal one bit of information to a low level subject S_L as follows:

S_H transmits 0          S_H transmits 1
Create (S_H, F0)         do nothing
Create (S_L, F0)         Create (S_L, F0)
Write (S_L, F0, 1)       Write (S_L, F0, 1)
Read (S_L, F0)           Read (S_L, F0)
Destroy (S_L, F0)        Destroy (S_L, F0)

In the first case, S_L sees a value of 0 (F0 already exists at level H, so S_L's Create does nothing and its Read is refused); in the second case, S_L sees a value of 1. Thus, S_H can signal one bit of information to S_L by varying its behavior.
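The channel above as an added simulation (not code from the slides): the toy READ/WRITE/CREATE/DESTROY system with one global namespace leaks S_H's bit to S_L, while a variant that lets a subject resolve names only to objects at or below its own level, one way of closing the channel by changing the implementation, returns the same observation to S_L whatever S_H does. The class and function names, the partitioned variant and its stated cost are assumptions of this example.

```python
LEVELS = {"L": 0, "H": 1}   # two-point lattice, H > L; a subject is named by its level

class BLPSystem:
    """Toy BLP system from the slides (constructed example). One global namespace:
    objects keyed by (name, level), and any subject can resolve any name."""
    def __init__(self):
        self.objects = {}                    # (name, level) -> value
    def visible(self, s, level):
        return True                          # every object is visible to every subject
    def find(self, s, name):
        keys = [k for k in self.objects if k[0] == name and self.visible(s, k[1])]
        return max(keys, key=lambda k: LEVELS[k[1]], default=None)
    def read(self, s, o):                    # READ(S, O): value if L_S >= L_O, else zero
        k = self.find(s, o)
        return self.objects[k] if k and LEVELS[s] >= LEVELS[k[1]] else 0
    def write(self, s, o, v):                # WRITE(S, O, V): only if L_S <= L_O
        k = self.find(s, o)
        if k and LEVELS[s] <= LEVELS[k[1]]:
            self.objects[k] = v
    def create(self, s, o):                  # CREATE(S, O): at L_S, only if the name is unused
        if self.find(s, o) is None:
            self.objects[(o, s)] = 0
    def destroy(self, s, o):                 # DESTROY(S, O): only if L_S <= L_O
        k = self.find(s, o)
        if k and LEVELS[s] <= LEVELS[k[1]]:
            del self.objects[k]

class PartitionedBLPSystem(BLPSystem):
    """Hardened variant (assumed design): a name resolves only to objects at or below
    the subject's level, so S_L cannot observe whether an H object exists. Write-up
    by name is no longer possible; that is the cost of closing the channel."""
    def visible(self, s, level):
        return LEVELS[level] <= LEVELS[s]

def send_bit(system, bit):
    """The slide's protocol: S_H creates F0 to signal 0 and does nothing to
    signal 1; S_L then creates, writes, reads and destroys F0."""
    if bit == 0:
        system.create("H", "F0")
    system.create("L", "F0")
    system.write("L", "F0", 1)
    seen = system.read("L", "F0")
    system.destroy("L", "F0")
    return seen

def transmit(system_cls, bits):
    """What S_L observes for each bit S_H tries to send."""
    system = system_cls()
    return [send_bit(system, b) for b in bits]
```

With the global namespace `transmit(BLPSystem, [0, 1, 1, 0])` reproduces the bits exactly; with the partitioned namespace S_L reads 1 every time and learns nothing.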
So What?
Who cares if one bit flows from high to low?
• It’s enough to show that BLP cannot guarantee that the metapolicy is satisfied.
• If S_L and S_H can coordinate their activities, S_H can transfer arbitrary amounts of information to S_L, given enough time.
In an access control policy like BLP, objects are the only entities recognized to carry information.
For the channel above, the “information” is not in the contents of any object. It’s in the answer to the question: can S_L read an object named O?
Covert Channels
If S_L ever sees varying results depending on varying actions by S_H, that could be used to send a bit of information from S_H to S_L, in violation of the metapolicy.
Such a mechanism is called a covert channel.
Lessons
• An access control policy constrains information flowing by subjects reading or writing objects.
• There may be other system features that could be manipulated to convey information.
• Such channels are called “covert channels.”
Covert Channel
One Definition: A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.
Note several features of this definition:
• Information flows in violation of the security metapolicy, though not necessarily in violation of the policy.
• The flow is between subjects within the system; two human users talking over coffee is not a covert channel.
• The flow occurs via system resources (file attributes, flags, clocks, etc.) that were not intended as communication channels.
Covert Channel #1
Attempted access by S_L to a high level resource returns one of two error messages: Resource not found or Access denied. By modulating the status of the resource, S_H can send a bit of information on each access attempt by S_L.
This is called a covert storage channel because S_H is recording information within the system state.
Covert Channel #2
The KVM/370 operating system isolated processes on separate virtual machines. They shared the processor on a time-sliced basis. Processes alternated using the CPU, with each allowed t units of processing time. However, a process could relinquish the CPU early.
Process p could send a bit to process q by either using its total allocation or relinquishing the processor immediately. Process q reads the bit by consulting the system clock to see how much time has elapsed since it was last scheduled.
This is a covert timing channel because the information is recorded in the ordering or duration of events on the system.
Covert Channel #3
Processes p and q are not allowed to communicate, but they share access to a disk drive. The scanning algorithm services requests in the order of which cylinder is currently closest to the read head.
Process p accesses either cylinder 140 or cylinder 160. Process q requests accesses on cylinders 139 and 161. Thus, q receives values from 139 and then 161, or from 161 and then 139, depending on p’s most recent read.
Is this a timing or storage channel? Neither? Both?
Covert Channel #4
An implicit channel is one that uses the control flow of a program. For example, consider the following program fragment:
    h := h mod 2;
    l := 0;
    if h = 1 then l := 1 else skip;
The resulting value of l depends on the value of h.
There are sophisticated language-based information flow tools that check for these kinds of dependencies in programming languages.
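As an added illustration (not one of the tools the slide refers to), a minimal information-flow checker for the fragment above: it labels variables H or L, tracks the label of the enclosing branch condition (the "program counter" label), and reports any write of H-dependent data into an L variable, so the assignment to l inside `if h = 1` is flagged as an implicit flow. The labelling of h as H and l as L, and the Python rendering of the fragment, are assumptions.

```python
import ast

HIGH, LOW = "H", "L"

# The slide's fragment in Python syntax ("else skip" is simply no else branch).
SLIDE_FRAGMENT = """\
h = h % 2
l = 0
if h == 1:
    l = 1
"""

def expr_label(node, labels):
    """Label of an expression: H if it reads any H variable, otherwise L."""
    names = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
    return HIGH if any(labels.get(n, LOW) == HIGH for n in names) else LOW

def check(stmts, labels, pc=LOW, findings=None):
    """Walk a statement list. pc is the label of the enclosing branch conditions;
    an assignment under a high pc is an implicit flow even if its right-hand side
    is low. Only assignments to a bare name and if statements are handled."""
    if findings is None:
        findings = []
    for st in stmts:
        if isinstance(st, ast.Assign):
            target = st.targets[0].id
            src = expr_label(st.value, labels)
            if labels.get(target, LOW) == LOW and (src == HIGH or pc == HIGH):
                kind = "explicit" if src == HIGH else "implicit"
                findings.append((st.lineno, target, kind))
        elif isinstance(st, ast.If):
            branch_pc = HIGH if pc == HIGH or expr_label(st.test, labels) == HIGH else LOW
            check(st.body, labels, branch_pc, findings)
            check(st.orelse, labels, branch_pc, findings)
    return findings

def analyse(source, labels):
    """Return (line, variable, kind) for every H-to-L flow found in source."""
    return check(ast.parse(source).body, labels)

if __name__ == "__main__":
    for lineno, var, kind in analyse(SLIDE_FRAGMENT, {"h": HIGH, "l": LOW}):
        print(f"line {lineno}: {kind} flow from H into '{var}'")
```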
Types of Covert Channels
It is possible to distinguish many types of covert channels, depending on the attribute manipulated:
Timing: how much time did a computation take?
Implicit: what control path does the program take?
Termination: does a computation terminate?
Probability: what is the distribution of system events?
Resource exhaustion: is some resource depleted?
Power: how much energy is consumed?
In practice, many researchers distinguish only storage and timing channels.
Using covert channels
• Another type of covert channel is used to send data out of a system:
  • Exfiltrate data from an otherwise secure system
  • Avoid detection of unauthorized access
  • Perform legitimate network management
  • Install, spread or control malware on compromised systems
  • Circumvent filters which may be in place limiting their freedom of speech
  • Bypass firewalls for unrestricted access to the web
• Malware authors use timing to detect analysis sandboxes (and evade detection) - http://www.syssec-project.eu/m/page-media/3/disarm-raid11.pdf
• Example: Covert channel using the TCP/IP timing low order bits. Goal to hide that data is even being sent! http://web.mit.edu/~greenie/Public/asrg.pdf
Ref: http://www.sans.org/reading-room/whitepapers/detection/covert-channels-33413
Lessons
• A covert channel is any path for information between subjects, utilizing system resources that were not designed to be used for inter-subject communication.
• A useful distinction is between storage and timing channels, though the breakdown is not always clear for specific channels.
Covert Channels: Who Cares
Definition: A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.
It might seem that such channels would be so slow that you wouldn’t really care.
That’s not true. Covert channels on real processors operate at thousands of bits per second, with no appreciable impact on system processing.
Covert Channels
The important characteristics of a covert channel are:
Existence: is a channel present or not?
Bandwidth: how much information can be transmitted per second?
Noiseless/noisy: can the information be transmitted without loss or distortion?
It is usually infeasible for realistic systems to eliminate every potential covert channel.
Dealing with Covert Channels
Once a potential covert channel is identified, several responses are possible.
• We can eliminate it by modifying the system implementation.
• We can reduce the bandwidth by introducing noise into the channel.
• We can monitor it for patterns of usage that indicate someone is trying to exploit it. This is intrusion detection.
Using a Covert Storage Channel
For a sender and receiver to use a covert storage channel, what must be true?
1. Both sender and receiver must have access to some attribute of a shared object.
2. The sender must be able to modify the attribute.
3. The receiver must be able to reference (view) that attribute.
4. A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.
Using a Covert Timing Channel
For a sender and receiver to use a covert timing channel, the following must be true:
1. Both sender and receiver must have access to some attribute of a shared object.
2. Both sender and receiver have access to a time reference (real-time clock, timer, ordering of events).
3. The sender must be able to control the timing of the receiver’s detection of a change in the attribute.
4. A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.
Lessons
• Important characteristics of any covert channel are: existence, bandwidth, and noisy/noiseless.
• Dealing with a covert channel may include: eliminating it, restricting the bandwidth, or monitoring it.
• Certain conditions must hold for a covert channel to exist.
Detecting Covert Channels
Dan Fleck
CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
Finding Covert Storage Channels
Recall that several conditions must hold for there to be a covert storage channel:
1. Both sender and receiver must have access to some attribute of a shared object.
2. The sender must be able to modify the attribute.
3. The receiver must be able to reference (view) that attribute.
4. A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.
Detecting Covert Channels
Richard Kemmerer (UC Santa Barbara) introduced the Shared Resource Matrix Methodology (SRMM). The idea is to build a table describing system commands and their potential effects on shared attributes of objects.

Attribute        READ   WRITE   DESTROY   CREATE
File existence   R              M         M
File size        R      M       M         M
File level       R              M         M

An R means the operation References (provides information about) the attribute under some circumstances. An M means the operation Modifies the attribute under some circumstances.
Note that this works for storage channels, not for timing channels.
A Subtlety of SRMM
Suppose you have the following operation:
CREATE (S, O): if no object with name O exists anywhere on the system, create a new object O at level L_S; otherwise, do nothing.
For the attribute file existence, should you have an R for this operation or not? Consider this: after this operation, you know that the file exists. Why?
That’s not enough. It’s not important that you know something about the attribute; what’s important is that the operation tells you something about the attribute.
Working with the SRMM
If you see an R and an M in the same row, that indicates a potential channel. Why?
SRMM doesn’t identify covert channels, but suggests where to look for them.
Any shared resource matrix is for a specific system. Other systems may have different semantics for the operations.
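As an added example for the three SRMM slides above (not code from the slides or from Kemmerer), the following derives the matrix for the toy READ/WRITE/CREATE/DESTROY system mechanically, by checking for every operation whether its observable result depends on an attribute (R) and whether it changes an attribute (M) across all states of a single object. It also settles the CREATE subtlety: CREATE changes existence but returns nothing, so it earns no R. The single-object model, content represented by its size, WRITE storing a fixed 5-unit value and absent objects normalised to level L are modelling assumptions.

```python
import itertools
LEVEL = {"L": 0, "H": 1}
ATTRS = ("existence", "size", "level")
ABSENT = {"existence": False, "size": 0, "level": "L"}   # canonical "no such object" state
# Single-object model of the slide's operations (constructed). READ returns an
# observation; the other three return None, so they can never earn an R.
def read(st, s):
    return st["size"] if st["existence"] and LEVEL[s] >= LEVEL[st["level"]] else 0

def write(st, s):                     # write-up only; modelled as storing a 5-unit value
    if st["existence"] and LEVEL[s] <= LEVEL[st["level"]]:
        st["size"] = 5

def create(st, s):                    # new object at the subject's level if none exists
    if not st["existence"]:
        st.update(existence=True, size=0, level=s)

def destroy(st, s):                   # destroy only if L_S <= L_O
    if st["existence"] and LEVEL[s] <= LEVEL[st["level"]]:
        st.update(ABSENT)

OPS = {"READ": read, "WRITE": write, "DESTROY": destroy, "CREATE": create}
FLIP = {"existence": lambda v: not v, "size": lambda v: 3 - v,
        "level": lambda v: "H" if v == "L" else "L"}

def all_states():
    for e, size, lvl in itertools.product((False, True), (0, 3), ("L", "H")):
        yield {"existence": e, "size": size, "level": lvl}

def shared_resource_matrix():
    """matrix[attr][op] gets 'M' if op changes attr in some state for some subject, and
    'R' if op's observable result differs between two states that differ only in attr."""
    matrix = {a: {op: set() for op in OPS} for a in ATTRS}
    for (name, op), attr in itertools.product(OPS.items(), ATTRS):
        for s, st in itertools.product(LEVEL, all_states()):
            after = dict(st)
            op(after, s)
            if after[attr] != st[attr]:
                matrix[attr][name].add("M")
            alt = dict(st, **{attr: FLIP[attr](st[attr])})   # same state, attr flipped
            if op(dict(st), s) != op(alt, s):
                matrix[attr][name].add("R")
    return matrix

def potential_channels(matrix):
    """Rows holding both an R and an M: where SRMM says to look for a storage channel."""
    return [a for a in ATTRS
            if any("R" in c for c in matrix[a].values())
            and any("M" in c for c in matrix[a].values())]
```

Running `shared_resource_matrix()` reproduces the table on the Detecting Covert Channels slide, and `potential_channels` flags all three rows, which is where the CREATE/DESTROY channel was found.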
Covert Channels and System Analysis
How might you use this methodology?
1. Use an access control policy like Bell and LaPadula to control standard information flows.
2. Use a separate technique like Kemmerer’s SRMM to identify covert channels.
3. Deal with covert channels by closing them, restricting them, or monitoring them.
Lessons
• Kemmerer’s Shared Resource Matrix Methodology provides a systematic way to investigate potential covert channels.
• However, using it effectively requires a lot of knowledge about the semantics and implementation of system operations.
• Covert channel analysis can be used to close some of the security holes of an access control policy like BLP.
End of presentation