Covert channels detection in protocols using scenarios Loïc HélouëtINRIA Rennes SAM2004

Motivations 2 Confinement Zone Sender Receiver Security (Monitoring, firewall,…) Motivations

3 Example : a file system toto ls toto Authorisation refused File not found 0 1 Present Or absent threat : performance, billing, security, … all channels can not be eliminated Recommandations: Identify covert channels Illustrate their use through scenarios Compute their bandwidth

4 Sender Receiver message Encoding Decoding message Protocol Model (HMSC) decisions of sender at choice nodes Deduction of choices performed from observations on receiver Compute bandwidth Test on real implementation

5 PLAN n n Message Sequence Charts n n Covert channels n Bandwidth evaluation n n RMTP2 n n Conclusions & perspectives

6 Message Sequence Charts AB m(v) C p M = n n E : events n n   E x E: causal order n n A : action names P : Instances   E x P : locality   E x A : labeling n n m  E x E: messages n n V : variables n n   m x V: message parameters bMSC M

Message Sequence Charts 7 AB m(v) C p bMSC M1 ABC q bMSC M2 n AB m(v) C p bMSC M1 o M2 q n = Sequential composition

Message Sequence Charts 8 AB m(v) C p bMSC M q n Projection on an instance B m(v) p bMSC  B (M) q n  B (M) = { ?m(v). !p. !n. !q }

Message Sequence Charts 9 HMSC M1 M2 M3 M4M5 n H= ( N, , M, n 0 ) N : nodes   N  M  N : transitions M : bMSCs n 0 : initial node

10 AB m(v) C p bMSC M1 bMSC M2 AB n C q M1 M2 Events observed on instance C events executed on instance A ?p=>!m(v) ?q=>!n 01 Covert Channel detection

Covert channels detection 11 Definition : A choice node n in a HMSC is controlled by an instance p iff for all path P i, i  1..K starting in n  ! e i = min(O Pi ) and  (e i )=p (idem local choice) M2 M1 n AB m(v) C p bMSC M1 bMSC M2 AB n C q

Covert channels detection 12 M1 M2 M3 M4 M5 Hypotheses To transmit a message of arbitrary length, one need to iterate some behaviors : CC appear in presence of cycles. to encode information, the sender can perform several choices For each choice, the observable consequences are  for the receiver n

Covert channels detection 13 M1 M2 M3 M4 M5 Covert channel from Sender to Receiver decision node controlled by Sender Several Cycles  Observations by the Receiver n M1 M2 C1 M3 M4 C2 Controlled by Sender  Receiver        Receiver     

14 Bandwidth A B m C n bMSC M o A0B0C0 A1B1 C temporal annotations for events for messages Definition of scenario duration d x,y (M) D(M) = max { d x,y }

Bandwidth 15 A0B0C0 A1B1 C D(M n ) = max { d x,y (M n ) } Mean durations: md(M  ) = lim1. D(M n ) md x,y (M  ) = lim1. d x,y (M n ) b If M can be used to transfert b bits from x to y : n n  n n  n n md x,y (M  ) Bw = Bandwidth :

16 Example : RMTP2 Source DR R R R R R R RR R R R R Rennes Paris Boston Ottawa

Example 17 RMTP2 : Data retransmission DR R R R Ottawa Data DR CR Hack(P) Loop n  P Retransmission(n) P : bitmap representation of lost/received packets

Example 18 RMTP2 Parameters DR R R R B : Branching Factor Maximal number of children for a node A child can ask for retransmission every B data packet B R R

Example 19 RMTP2 Parameters DR R R R S : Bitmap size L: maximal loss rate allowed Data DR CR Hack(P) Eject P>0  |P| 1  L Ex: S=16, L=25% Hack( )

Example 20 OthersData Retrans MyData Eject P=0 P>0  |P| 1  4 P>0  |P| 1 > 4 Data transmission seen from a receiver CR

Example 21 bMSC MyData Data DR bMSC Eject CR Eject DRCR Other Receivers Hack(P) bMSC Retransmission CRDR Other Receivers Retransmission(n) Loop n  P

Example 22 bMSC OthersData Data DRCR Other Receivers Hack(P) Loop P=0P=0 P>0  |P| 1  4 P>0  |P| 1 > 4 alt Retransmission Eject

Example 23 bMSC Shortest Scenario Data DRCR Other Receivers Hack(0) Loop Data Hack(P) Retransmission(1) Covert channel from CR to any receiver in Other Receivers Creation of fake bitmaps to force observable retransmissions

Example 24 Let L=25%, S = 16 Number of possible fake bitmaps : Number of bits transmitted at each covert channel use b = log 2 (2516)= Bandwidth upper bound: = 2516B =  i= ! i!. (16 - i)! md cr,Other Receivers (Shortest  ) Bw = b

Example 25 bMSC Shortest Scenario Data DRCR Other Receivers Hack(0) Loop Data Hack(P) Retransmission(1) D : event duration T : transmissions duration T T T T T T T T

26 Bw evolution for D= 2ms B=20, T=20ms Bw=11.74 b/s (4B +1).D +2B. T Bw = b

Example 27 bMSC Shortest Scenario DR Data Hack(P) Retransmission(1) Data Hack(0) Data Hack(0) CR B times Other Receivers

28 Bw evolution for D= 2ms B=100, T=200ms Bw=22.40 b/s B=20, T=20ms Bw=102.7 b/s (B+5).D +3. T Bw = b

29 Conclusion Covert channel in RMTP2 : undetectable receiver usable bandwidth Future work : More elaborated strategies under study Covert channels with noise Need to « desynchronize » sequential composition CMSCs ?

30

31 Covert Channels Storage channels : implies writing a value somewhere Def : communication channel that violates a system’s security policy Example : a file system toto ls toto Authorisation refused File not found 0 1 Present Or absent

Covert Channels 32 Some facts about covert channels threat : performance, billing, security, … all channels can not be eliminated Recommandations : depend on the security level required for the system under study : NSCS30 (light pink book) Analysis: Identify covert channels Illustrate their use through scenarios Compute their bandwidth

Covert Channels 33 Solutions : Elimination (for systems with high security level) Add noise to most important channels monitor other channels Idea : start from informal descriptions of protocol behavious given as scenarios, try to detect potential information flows and compute their bandwidth in order to provide solutions as early as possible during design stages.

34 Covert Channel detection M1 M2 M3 M4 M5 Hypothesis 1 : To transmit a message of arbitrary length, one need to iterate some behaviors : CC can appear in presence of cycles. n

Covert channel detection 35 M1 M2 M3 M4 M5 Hypothesis 2 : To transmit a message of arbitrary length, the set of instances participating to a covert channel must cooperate to stay in a chosen set of cyclic behaviors Q where information passing is possible, and make sure that the rest of the protocol can not force them to leave Q.

36 Asymptotic Durations A0B0C0 A1B1 C D(M n ) = max { d x,y (M n ) } Mean durations: md(M  ) = lim1. D(M n ) md x,y (M  ) = lim1. d x,y (M n ) D(M n )  n. D(M) and md x,y (M  )  d x,y (M) Warning : asynchronous communications n  n n