Dan Fleck CS 469: Security Engineering


Covert Channels
Dan Fleck, CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas).

Is BLP Secure?
Consider the simple lattice of labels in the diagram (H above L), where H > L. There are no need-to-know categories in this system. If this represents a BLP lattice, then information flow is permitted from L to H, but not vice versa. This captures the metapolicy of this simple system. If we can instantiate this system such that BLP is satisfied, but information flows in violation of the metapolicy, something is clearly wrong.

A Simple BLP System
Consider a simple system that has READ and WRITE operations with the following semantics (L_S is the level of subject S, L_O the level of object O):
READ (S, O): if object O exists and L_S ≥ L_O, then return its current value; otherwise, return a zero.
WRITE (S, O, V): if object O exists and L_S ≤ L_O, change its value to V; otherwise, do nothing.
These operations are pretty clearly acceptable instances of READ and WRITE for a BLP system.

A BLP System (Cont.)
Suppose we want to add two new operations, CREATE and DESTROY, to the system, with the following semantics:
CREATE (S, O): if no object with name O exists anywhere on the system, create a new object O at level L_S; otherwise, do nothing.
DESTROY (S, O): if an object with name O exists and L_S ≤ L_O, destroy it; otherwise, do nothing.
These operations seem to satisfy the BLP rules, but are they “secure” by the standard of the metapolicy? Why or why not?

Covert Channel Example
In this system, a high level subject S_H can signal one bit of information to a low level subject S_L as follows:
To transmit 0, S_H performs Create (S_H, F0); to transmit 1, S_H does nothing.
In either case S_L then performs, in order: Create (S_L, F0); Write (S_L, F0, 1); Read (S_L, F0); Destroy (S_L, F0).
In the first case, S_L sees a value of 0; in the second case, S_L sees a value of 1. Thus, S_H can signal one bit of information to S_L by varying its behavior.
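The four operations and the one-bit channel above, run as a small Python simulation. This is an added example, not part of the lecture; the class and function names, the level encoding LOW = 0 < HIGH = 1, and the bit-to-text packing are my own.

```python
# Two-level BLP system from the slides (L < H) with READ/WRITE/CREATE/DESTROY as defined
# there, plus the one-bit covert channel. Added example; names and level encoding are mine.
from dataclasses import dataclass, field

LOW, HIGH = 0, 1  # label lattice: L < H, no need-to-know categories

@dataclass
class Obj:
    level: int      # L_O, fixed at creation
    value: int = 0

@dataclass
class System:
    objects: dict = field(default_factory=dict)

    def read(self, subj_level, name):
        obj = self.objects.get(name)
        if obj is not None and subj_level >= obj.level:  # no read-up
            return obj.value
        return 0  # "missing" and "not cleared" are indistinguishable to the caller

    def write(self, subj_level, name, value):
        obj = self.objects.get(name)
        if obj is not None and subj_level <= obj.level:  # no write-down
            obj.value = value

    def create(self, subj_level, name):
        if name not in self.objects:  # otherwise silently do nothing
            self.objects[name] = Obj(level=subj_level)  # created at L_S

    def destroy(self, subj_level, name):
        obj = self.objects.get(name)
        if obj is not None and subj_level <= obj.level:
            del self.objects[name]

def send_bit(system, bit, name="F0"):
    """S_H's move: create F0 at level H to signal 0, do nothing to signal 1."""
    if bit == 0:
        system.create(HIGH, name)

def receive_bit(system, name="F0"):
    """S_L's moves, each one BLP-legal: create, write 1, read back, destroy."""
    system.create(LOW, name)      # no-op if S_H already created F0 at H
    system.write(LOW, name, 1)    # write-up is permitted, so this succeeds either way
    bit = system.read(LOW, name)  # read-up is refused: 0 if F0 is at H, else the 1 just written
    system.destroy(LOW, name)     # L_S <= L_O holds either way: slot cleared for the next bit
    return bit

def transmit(bits):
    """Run the channel bit by bit over one shared system; returns what S_L observed."""
    system, received = System(), []
    for b in bits:
        send_bit(system, b)
        received.append(receive_bit(system))
    return received

def transmit_text(text):
    """A string, 8 bits per byte: 'arbitrary amounts of information, given enough time'."""
    out = transmit([int(c) for ch in text.encode() for c in format(ch, "08b")])
    return bytes(int("".join(map(str, out[i:i + 8])), 2) for i in range(0, len(out), 8)).decode()
```

Every individual call obeys the BLP read and write rules; the bit rides on whether S_L's own object F0 could be created at all.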

So What?
Who cares if one bit flows from high to low? It’s enough to show that BLP cannot guarantee that the metapolicy is satisfied. If S_L and S_H can coordinate their activities, S_H can transfer arbitrary amounts of information to S_L, given enough time.
In an access control policy like BLP, objects are the only entities recognized to carry information. For the channel above, the “information” is not in the contents of any object. It’s in the answer to the question: can S_L read an object named O?

Covert Channels
If S_L ever sees varying results depending on varying actions by S_H, that could be used to send a bit of information from S_H to S_L, in violation of the metapolicy. Such a mechanism is called a covert channel.

Lessons
An access control policy constrains the information flow that happens through subjects reading or writing objects. There may be other system features that could be manipulated to convey information. Such channels are called “covert channels.”

Covert Channel
One definition: A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.
Note several features of this definition:
Information flows in violation of the security metapolicy, though not necessarily in violation of the policy.
The flow is between subjects within the system; two human users talking over coffee is not a covert channel.
The flow occurs via system resources (file attributes, flags, clocks, etc.) that were not intended as communication channels.

Covert Channel #1
An attempted access by S_L to a high level resource returns one of two error messages: Resource not found or Access denied. By modulating the status of the resource, S_H can send a bit of information on each access attempt by S_L.
This is called a covert storage channel because S_H is recording information within the system state.

Covert Channel #2
The KVM/370 operating system isolated processes on separate virtual machines. They shared the processor on a time-sliced basis. Processes alternated using the CPU, with each allowed t units of processing time. However, a process could relinquish the CPU early.
Process p could send a bit to process q by either using its total allocation or relinquishing the processor immediately. Process q reads the bit by consulting the system clock to see how much time has elapsed since it was last scheduled.
This is a covert timing channel because the information is recorded in the ordering or duration of events on the system.

Covert Channel #3
Processes p and q are not allowed to communicate, but they share access to a disk drive. The scanning algorithm services requests in order of which cylinder is currently closest to the read head.
Process p accesses either cylinder 140 or cylinder 160. Process q requests accesses on cylinders 139 and 161. Thus, q receives values from 139 and then 161, or from 161 and then 139, depending on p’s most recent read.
Is this a timing or storage channel? Neither? Both?

Covert Channel #4
An implicit channel is one that uses the control flow of a program. For example, consider the following program fragment:
h := h mod 2;
l := 0;
if h = 1 then l := 1 else skip;
The resulting value of l depends on the value of h. There are sophisticated language-based information flow tools that check for these kinds of dependencies in programming languages.
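A minimal static information-flow check of the kind the slide alludes to, run over the fragment above. This is an added example, not from the lecture and not any particular tool: the tiny AST, the names, and the propagation rule (an assigned variable takes the join of its right-hand side's label and the label of the enclosing branch condition) are my own.

```python
# Static information-flow labelling for assignments and if-statements over the two-point
# lattice L < H. Added example: AST, names and the pc-label rule are mine, not the lecture's.
from dataclasses import dataclass
from typing import Tuple, Union

LOW, HIGH = "L", "H"

def join(a, b):
    return HIGH if HIGH in (a, b) else LOW

@dataclass
class Assign:                 # target := expression
    target: str
    uses: Tuple[str, ...]     # variables the expression reads (a constant reads none)

@dataclass
class If:                     # if cond then ... else ...
    cond_uses: Tuple[str, ...]
    then: Tuple["Stmt", ...]
    else_: Tuple["Stmt", ...] = ()   # empty tuple stands for "skip"

Stmt = Union[Assign, If]

def label_of(names, labels):
    result = LOW
    for v in names:
        result = join(result, labels[v])
    return result

def check(stmts, labels, pc=LOW):
    """Return the security label of every variable after running stmts.
    `labels` must list every variable; pc is the label of the control context."""
    labels = dict(labels)
    for s in stmts:
        if isinstance(s, Assign):
            # explicit flow via the expression, implicit flow via pc
            labels[s.target] = join(label_of(s.uses, labels), pc)
        else:
            branch_pc = join(pc, label_of(s.cond_uses, labels))
            then_l = check(s.then, labels, branch_pc)
            else_l = check(s.else_, labels, branch_pc)
            # either branch may have run, so take the join per variable
            labels = {v: join(then_l[v], else_l[v]) for v in labels}
    return labels

def leaks(stmts, labels, public):
    """Public (L) variables that end up carrying H information."""
    return {v for v, lab in check(stmts, labels).items() if v in public and lab == HIGH}

# The slide's fragment:  h := h mod 2;  l := 0;  if h = 1 then l := 1 else skip;
FRAGMENT = (
    Assign("h", ("h",)),
    Assign("l", ()),
    If(("h",), then=(Assign("l", ()),)),
)
# Same shape, but the branch only touches h, so nothing implicit reaches l.
HARMLESS = (Assign("l", ()), If(("h",), then=(Assign("h", ()),)))
INITIAL = {"h": HIGH, "l": LOW}
```

`leaks(FRAGMENT, INITIAL, {"l"})` reports l even though the assignment `l := 1` reads no high variable: the high label arrives through the branch condition, which is exactly the dependency the slide describes.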

Types of Covert Channels
It is possible to distinguish many types of covert channels, depending on the attribute manipulated:
Timing: how much time did a computation take?
Implicit: what control path does the program take?
Termination: does a computation terminate?
Probability: what is the distribution of system events?
Resource exhaustion: is some resource depleted?
Power: how much energy is consumed?
In practice, many researchers distinguish only storage and timing channels.

Using Covert Channels
Another use of covert channels is to send data out of a system, for example to:
Exfiltrate data from an otherwise secure system
Avoid detection of unauthorized access
Perform legitimate network management
Install, spread or control malware on compromised systems
Circumvent filters which may be in place limiting their freedom of speech
Bypass firewalls for unrestricted access to the web
Malware authors use timing to detect analysis sandboxes (and evade detection): http://www.syssec-project.eu/m/page-media/3/disarm-raid11.pdf
Example: a covert channel using the low-order bits of TCP/IP timing, with the goal of hiding that data is being sent at all: http://web.mit.edu/~greenie/Public/asrg.pdf
Ref: http://www.sans.org/reading-room/whitepapers/detection/covert-channels-33413

Lessons
A covert channel is any path for information between subjects, utilizing system resources that were not designed to be used for inter-subject communication. A useful distinction is between storage and timing channels, though the breakdown is not always clear for specific channels.

Covert Channels: Who Cares?
Definition: A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.
It might seem that such channels would be so slow that you wouldn’t really care. That’s not true. Covert channels on real processors operate at thousands of bits per second, with no appreciable impact on system processing.

Covert Channels
The important characteristics of a covert channel are:
Existence: is a channel present or not?
Bandwidth: how much information can be transmitted per second?
Noiseless/noisy: can the information be transmitted without loss or distortion?
It is usually infeasible for realistic systems to eliminate every potential covert channel.

Dealing with Covert Channels
Once a potential covert channel is identified, several responses are possible.
We can eliminate it by modifying the system implementation.
We can reduce the bandwidth by introducing noise into the channel.
We can monitor it for patterns of usage that indicate someone is trying to exploit it. This is intrusion detection.

Using a Covert Storage Channel
For a sender and receiver to use a covert storage channel, what must be true?
Both sender and receiver must have access to some attribute of a shared object.
The sender must be able to modify the attribute.
The receiver must be able to reference (view) that attribute.
A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.

Using a Covert Timing Channel
For a sender and receiver to use a covert timing channel, the following must be true:
Both sender and receiver must have access to some attribute of a shared object.
Both sender and receiver must have access to a time reference (real-time clock, timer, ordering of events).
The sender must be able to control the timing of the receiver’s detection of a change in the attribute.
A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.

Lessons
Important characteristics of any covert channel are: existence, bandwidth, and noisy/noiseless. Dealing with a covert channel may include: eliminating it, restricting the bandwidth, or monitoring it. Certain conditions must hold for a covert channel to exist.

Detecting Covert Channels

Finding Covert Storage Channels
Recall that several conditions must hold for there to be a covert storage channel:
Both sender and receiver must have access to some attribute of a shared object.
The sender must be able to modify the attribute.
The receiver must be able to reference (view) that attribute.
A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist.

Detecting Covert Channels
Richard Kemmerer (UC Santa Barbara) introduced the Shared Resource Matrix Methodology (SRMM). The idea is to build a table describing system commands and their potential effects on shared attributes of objects. An R means the operation References (provides information about) the attribute under some circumstances. An M means the operation Modifies the attribute under some circumstances. Note that this works for storage channels, not for timing channels.
The matrix for our system has one column per operation (READ, WRITE, DESTROY, CREATE) and one row per attribute (File existence, File size, File level); the slide shows it only partly filled in, with an R and an M entered. For example, a READ references File size, and a WRITE modifies it.

A Subtlety of SRMM
Suppose you have the following operation:
CREATE (S, O): if no object with name O exists anywhere on the system, create a new object O at level L_S; otherwise, do nothing.
For the attribute file existence, should you have an R for this operation or not? Consider this: after this operation, you know that the file exists. Why?
That’s not enough. It’s not important that you know something about the attribute; what’s important is that the operation tells you something about the attribute.

Working with the SRMM
If you see an R and an M in the same row, that indicates a potential channel. Why?
SRMM doesn’t identify covert channels, but suggests where to look for them. Any shared resource matrix is for a specific system. Other systems may have different semantics for the operations.
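One way to write the matrix down and mechanically pick out the rows that hold both an R and an M, as an added example. It is not the lecture's or Kemmerer's filled-in table: the cell values are my reading of the READ/WRITE/CREATE/DESTROY semantics given earlier on these slides, and the function names are mine.

```python
# Shared Resource Matrix for the READ/WRITE/CREATE/DESTROY system of these slides.
# Added example: the cell values are my reading of the semantics on the slides
# (R = the operation's visible result depends on the attribute, M = the operation can
# change it). They are not Kemmerer's or the lecture's own filled-in table.
OPERATIONS = ("READ", "WRITE", "DESTROY", "CREATE")

SRM = {
    # READ returns 0 for a missing object but the value of an existing low one -> R.
    # CREATE brings the object into existence, DESTROY removes it -> M.
    # CREATE gets no R here: it does nothing, silently, when the name is taken ("A Subtlety").
    "file existence": {"READ": "R", "WRITE": "", "DESTROY": "M", "CREATE": "M"},
    # READ returns 0 when L_S < L_O but the stored value otherwise -> R;
    # CREATE fixes the level at L_S -> M. This row is the channel of the example slide.
    "file level":     {"READ": "R", "WRITE": "", "DESTROY": "", "CREATE": "M"},
    # The slide's own illustration: a READ references File size, a WRITE modifies it.
    "file size":      {"READ": "R", "WRITE": "M", "DESTROY": "", "CREATE": ""},
}

def potential_channels(srm):
    """Rows holding both an R and an M: SRMM's 'look here' list.
    Returns {attribute: (referencing ops, modifying ops)}; a lead, not a proof."""
    found = {}
    for attr, row in srm.items():
        refs = tuple(op for op in OPERATIONS if "R" in row.get(op, ""))
        mods = tuple(op for op in OPERATIONS if "M" in row.get(op, ""))
        if refs and mods:
            found[attr] = (refs, mods)
    return found

def render(srm):
    """Lay the matrix out in the row/column form the slide uses."""
    width = max(len(a) for a in srm) + 2
    lines = [" " * width + "  ".join(f"{op:>7}" for op in OPERATIONS)]
    for attr, row in srm.items():
        lines.append(f"{attr:<{width}}" + "  ".join(f"{row.get(op, ''):>7}" for op in OPERATIONS))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SRM))
    for attr, (refs, mods) in potential_channels(SRM).items():
        print(f"investigate '{attr}': referenced by {refs}, modified by {mods}")
```

The "file size" row is flagged as well, although with READ refusing read-up no low subject can observe a high WRITE through it; this is the point of the slide: the matrix says where to look, it does not by itself establish a channel.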

Covert Channels and System Analysis
How might you use this methodology?
Use an access control policy like Bell and LaPadula to control standard information flows.
Use a separate technique like Kemmerer’s SRMM to identify covert channels.
Deal with covert channels by closing them, restricting them, or monitoring them.

Lessons
Kemmerer’s Shared Resource Matrix Methodology provides a systematic way to investigate potential covert channels. However, using it effectively requires a lot of knowledge about the semantics and implementation of system operations. Covert channel analysis can be used to close some of the security holes of an access control policy like BLP.