Identification of Covert Channels inside Linux Kernel Based on Source Code.

Covert channel definition. Possible sources of CCA (Covert Channel Analysis). Methods of CCA in Source Code. Proposed tool to automate CCA on source code of Linux kernel. Conclusion. Agenda

Definition 1 - A communication channel is covert if it is neither designed nor intended to transfer information at all. Definition 2 - A communication channel is covert if it is based on transmission by storage into variables that describe resource states. Definition 3 - Covert channels are those that use entities not normally viewed as data objects to transfer information from one subject to another. Several Definitions of Covert Channels

They do not make it obvious that a covert channel is irrelevant in the case of a discretionary security policy (Trojan horses can leak information via valid system calls anyway). The previous definitions do not acknowledge that a covert channel is the result of a specific mandatory security policy being enforced, together with its implementation. Problem with previous definitions

A communication channel that allows a process to transfer information in a manner that violates the system's security policy. Given a nondiscretionary (e.g., mandatory) security policy model M and its interpretation I(M) in an operating system, any potential communication between two subjects I(S_h) and I(S_i) of I(M) is covert if and only if any communication between the corresponding subjects S_h and S_i of the model M is illegal in M. TCSEC Definition

The TCSEC is divided into four divisions: D, C, B, and A. An important set of TCSEC requirements, which appears in classes B2 to A1, is that of covert channel analysis (CCA). TCSEC Definition Cont.

Identification of covert channels. Determination of covert channels' maximum attainable bandwidth. Handling covert channels using a well-defined policy consistent with the TCSEC objectives. Generation of assurance evidence to show that all channels are handled according to the policy in force. Objectives of CCA

System reference manuals. Top-level TCB specification. Source code. Means of Identifying Covert Channels

Syntactic Information Flow Analysis. Semantic Information Flow Analysis. Shared Resource Matrix Method. Covert Flow Tree Method. Methods of Identification in source code

An information flow is associated with each statement, e.g. for a := b, information flows from b to a if b is not a constant. Define flow policies. Generate flow formulas for the entire TCB. Use a theorem prover. Check whether an illegal flow is real or a false illegal flow. Syntactic Information Flow
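
As an added illustration of the syntactic approach (example code written for this transcript, not the tool from the slides): statements are reduced to flow formulas source -> target, explicit for assignments and implicit for variables assigned under an if condition, and a flow policy given as a two-level lattice decides which formulas are illegal. The theorem-prover step is replaced by direct evaluation over the finite lattice; the statement mini-language, the variable names and their labels are all constructed for this example.

```python
"""Added example: syntactic information flow check against a lattice policy
(Denning-style), written for this transcript; not the tool from the slides."""

# Flow policy (assumption): a two-level lattice in which Low may flow to High
# but not the other way round.  leq(a, b) means "class a may flow to class b".
ORDER = {("Low", "Low"), ("Low", "High"), ("High", "High")}


def leq(a, b):
    return (a, b) in ORDER


def targets(stmts):
    """Variables assigned anywhere inside stmts (including nested blocks)."""
    out = set()
    for st in stmts:
        if st[0] == "assign":
            out.add(st[1])
        else:
            out |= targets(st[2])
    return out


def flow_formulas(stmts):
    """Generate (source, target, kind) flow formulas.  Statement forms of the
    constructed mini-language:
      ("assign", target, [sources])  explicit flow: each source -> target; a
                                     constant source is written as None and,
                                     as the slide says, produces no flow
      ("if", [cond_vars], [body])    implicit flow: each cond var -> every
                                     variable assigned in the body
    """
    out = []
    for st in stmts:
        if st[0] == "assign":
            _, tgt, srcs = st
            out += [(s, tgt, "explicit") for s in srcs if s is not None]
        elif st[0] == "if":
            _, conds, body = st
            out += [(c, t, "implicit") for c in conds for t in sorted(targets(body))]
            out += flow_formulas(body)
    return out


def illegal_flows(stmts, labels):
    """Evaluate every formula against the policy: a flow s -> t is legal only
    if class(s) <= class(t).  Returns the illegal ones (evaluation over the
    finite lattice stands in for the theorem-prover step)."""
    return [(s, t, k) for s, t, k in flow_formulas(stmts)
            if not leq(labels[s], labels[t])]


# Constructed sample program and labelling.
LABELS = {"secret": "High", "flag": "High", "pub": "Low", "tmp": "Low"}
PROGRAM = [
    ("assign", "tmp", [None]),              # tmp := 0       (constant, no flow)
    ("assign", "tmp", ["pub"]),             # tmp := pub     (Low -> Low, legal)
    ("if", ["secret"], [
        ("assign", "pub", [None]),          # pub := 1 under a High guard:
    ]),                                     #   implicit High -> Low, illegal
    ("assign", "flag", ["secret", "pub"]),  # flag := secret + pub  (legal)
]

if __name__ == "__main__":
    for s, t, k in illegal_flows(PROGRAM, LABELS):
        print(f"illegal {k} flow {s} -> {t}")
```

The only illegal formula is the implicit one: pub := 1 leaks nothing by itself, but executing it only when secret is true copies one bit of a High variable into a Low one. Whether such a syntactically illegal flow is exploitable in the real system (a "false illegal flow" in the slide's terms) is exactly the question the syntactic method leaves open.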

Examine all flows visible through a TCB interface and separate the legal from the illegal ones. Separation of real channels from potential ones must still be done manually. Separation of potential channels from all the possible flows is labor intensive compared to the above. Semantic Information Flow

A matrix is created with the user-visible TCB primitives as rows and the read/altered variables that represent attributes of a shared resource as columns. Each entry is marked R or M depending on whether the variable is read or modified. Calculate the transitive closure and update the matrix. Shared Resource Matrix

Prototype Design

Traverse and scan all source code files. Extract function names and global variables. Global variables of simple types and complex types should be accounted for appropriately. Generate a list of segmented tokens of the format. Module of syntax analysis

Further code analysis is based on information flow rules. Readability and modifiability of shared variables are analyzed. If a variable y modifies a variable x then y → x. If a variable x is read inside a function Fx then x → Fx. Module of constructing Info Flow Tree

If a variable x is modified from inside a function Fx then Fx → x. Compound statements (CSx), statements (Sx) and expressions (Ex) are considered separately. Null statements, type declaration statements, goto statements, labelled statements and continue/break are ignored. Info Flow Tree Contd.

RIFA for Variable Declaration Statements

RIFA for if statements

RIFA for Function Definitions

    struct mm_struct *mm_alloc(void)
    {
        struct mm_struct *mm;

        mm = allocate_mm();                 /* allocate the descriptor */
        if (mm) {
            memset(mm, 0, sizeof(*mm));     /* clear it */
            return mm_init(mm);             /* initialise and hand it back */
        }
        return NULL;                        /* allocation failed */
    }
Sample Code From Linux kernel

Information flow trees are created using the RIFA defined above. There are four types of nodes, namely functions, statements, expressions and variables. The info flow tree is created as a binary tree. Info Flow Tree Creation

The information flow tree is transformed into a graph such that information flows across each edge. The shared resource matrix and its transitive closure are calculated from the preprocessed information. The values in the matrix cells are taken as 1, 2, 3 or 0. Generate Info Flow Graph and Shared Resource Matrix
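
The following is an added end-to-end example of the prototype pipeline described from the "Module of syntax analysis" slide through this one, and of the Shared Resource Matrix method introduced earlier (example code written for this transcript, not the authors' tool): it scans a constructed C-like source fragment, extracts global variables and function names, applies the three flow rules (y → x, x → Fx, Fx → x), builds the flow graph, derives the shared resource matrix with and without transitive closure, and lists potential storage channels. Assumptions not on the slides: the tiny one-statement-per-line C subset, the implicit flow from an if condition to the variables assigned in its block, the cell encoding 0 = none, 1 = read, 2 = modified, 3 = both, and the sample functions sys_write_file / sys_stat_file with their globals, which are constructed.

```python
"""Added example: toy source-code covert channel analysis pipeline
(scan -> flow rules -> flow graph -> shared resource matrix -> closure)."""
import re
from collections import defaultdict

# Constructed sample in a tiny C-like subset (assumption: one statement per
# line, file-scope 'int' globals, functions written as 'int name(void) {').
SAMPLE_SRC = """
int quota_used;
int last_error;
int tmp;

int sys_write_file(void) {
    tmp = quota_used;
    if (tmp) {
        last_error = 1;
    }
    return 0;
}

int sys_stat_file(void) {
    tmp = last_error;
    return tmp;
}
"""

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
GLOBAL_DECL = re.compile(r"^int (\w+);$")
FUNC_HEAD = re.compile(r"^int (\w+)\(void\) \{$")
IF_HEAD = re.compile(r"^if \((.+)\) \{$")
ASSIGN = re.compile(r"^(\w+) = (.+);$")
RETURN = re.compile(r"^return (.+);$")

READ, MODIFY = 1, 2   # assumed cell encoding: 0 none, 1 read, 2 modified, 3 both


def scan(src):
    """Syntax analysis plus flow rules: returns globals, functions and the
    set of flow edges (source, destination) of the information flow graph."""
    globs, funcs, edges = [], [], set()
    func, guards = None, []          # current function, enclosing if-conditions
    for raw in src.splitlines():
        line = raw.strip()
        if not line:
            continue
        if func is None and (m := GLOBAL_DECL.match(line)):
            globs.append(m.group(1))
        elif m := FUNC_HEAD.match(line):
            func = m.group(1)
            funcs.append(func)
        elif m := IF_HEAD.match(line):
            cond = [v for v in IDENT.findall(m.group(1)) if v in globs]
            edges.update((v, func) for v in cond)    # x read in Fx  =>  x -> Fx
            guards.append(cond)
        elif line == "}":
            if guards:
                guards.pop()
            else:
                func = None
        elif m := ASSIGN.match(line):
            lhs = m.group(1)
            rhs = [v for v in IDENT.findall(m.group(2)) if v in globs]
            edges.update((v, lhs) for v in rhs)      # y modifies x  =>  y -> x
            edges.update((v, func) for v in rhs)     # x read in Fx  =>  x -> Fx
            edges.add((func, lhs))                   # Fx modifies x =>  Fx -> x
            for cond in guards:                      # assumption: implicit flow
                edges.update((v, lhs) for v in cond)
        elif m := RETURN.match(line):
            edges.update((v, func) for v in IDENT.findall(m.group(1)) if v in globs)
    return globs, funcs, edges


def reachable(edges, start):
    """All nodes reachable from start along flow edges (transitive closure)."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    seen, stack = set(), [start]
    while stack:
        for nxt in succ[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def shared_resource_matrix(globs, funcs, edges, closure=False):
    """Rows are entry functions, columns are global variables.  Without closure
    only direct edges count; with closure F reads v if v reaches F and F
    modifies v if F reaches v."""
    def reach(n):
        return reachable(edges, n) if closure else {b for a, b in edges if a == n}
    matrix = {}
    for f in funcs:
        from_f = reach(f)
        for v in globs:
            matrix[(f, v)] = (READ if f in reach(v) else 0) | (MODIFY if v in from_f else 0)
    return matrix


def potential_channels(matrix):
    """A variable modified by one function and read by another is a potential
    storage channel (sender, receiver, variable); separating real channels
    from potential ones remains a manual step, as the slides note."""
    readers = defaultdict(set)
    for (f, v), cell in matrix.items():
        if cell & READ:
            readers[v].add(f)
    return sorted((f, g, v) for (f, v), cell in matrix.items()
                  if cell & MODIFY for g in readers[v] if g != f)


if __name__ == "__main__":
    g, fn, e = scan(SAMPLE_SRC)
    for closure in (False, True):
        m = shared_resource_matrix(g, fn, e, closure)
        print("closure" if closure else "direct", potential_channels(m))
```

On the constructed input, last_error (written by sys_write_file, read by sys_stat_file) is the genuine potential channel. tmp is flagged as well, even though sys_stat_file overwrites it before reading it, and the closure adds further cells because the method is purely attribute based; this over-approximation is why the Conclusion slide calls for application scenarios to separate real channels from potential ones.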

This tool was used to discover some real covert channels that existed in the Linux kernel. Only entry functions to system calls need to be examined. All the .h files should be analyzed before the .c files. An automated tool needs to be developed to create application scenarios that separate real covert channels from potential ones. Conclusion

Virgil D. Gligor (1993). A Guide to Understanding Covert Channel Analysis of Trusted Systems. Technical Report NCSC-TG-030, National Computer Security Center.
Gaoshou Zhai, Yufeng Zhang, Chengyu Liu, Na Yang, MinLi Tian, Hengsheng Yang. Automatic Identification of Covert Channels inside Linux Kernel Based on Source Codes.
Dorothy E. Denning. A Lattice Model of Secure Information Flow. Communications of the ACM 19, 5 (May 1976).
C. R. Tsai, V. D. Gligor, C. S. Chandersekaran. A Formal Method for the Identification of Covert Storage Channels in Source Code. IEEE Transactions on Software Engineering 16, 6 (June 1990).
Richard A. Kemmerer. Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels. ACM Transactions on Computer Systems 1, 3 (August 1983).
Bibliography