Presentation is loading. Please wait.

Presentation is loading. Please wait.

Memory and Address Protection Covert Channels

Published byHajo Kaufman Modified over 6 years ago

Similar presentations

Presentation on theme: "Memory and Address Protection Covert Channels"— Presentation transcript:

1 Memory and Address Protection Covert Channels
CSCI283 Fall 2005 GWU Draws extensively from Memon’s notes, Brooklyn Poly And Pfleeger text, Chapters 3 and 4

2 CS283/Fall05/GWU/Vora/Various
Memory protection Protecting one program’s memory from another Use boundaries in the memory Fence: fixed and with fence register Relocation Base and Bounds Registers Tagged Architecture Segmentation Paging 11/22/2018 CS283/Fall05/GWU/Vora/Various

3 CS283/Fall05/GWU/Vora/Various
Boundaries OS OS OS OS A Program Space User A Program Space User Program Space User B User Program Space User B Program Space A Data Space User C 11/22/2018 CS283/Fall05/GWU/Vora/Various

4 Problems with boundaries
Only differentiate between two types of access. Any other differentiation requires mentioning in machine language. Only protect contiguous bytes What do you do when you want to protect some of the bytes, from some of the entities, at specific times (e.g. only the first time and not again)? 11/22/2018 CS283/Fall05/GWU/Vora/Various

5 CS283/Fall05/GWU/Vora/Various
Tagged Architecture Not very common Tag each word of machine memory specifying access rights Examples: Hasn’t taken off because requires OS to check the access rights of each byte. Intel I960 used one bit of each word to denote that word as a “capability” (or not). The other bits then represented the access rights to the following memory bytes. 11/22/2018 CS283/Fall05/GWU/Vora/Various

6 CS283/Fall05/GWU/Vora/Various
Segmentation Tag certain segments of a program: Array data Code for a single procedure Collection of local data values used by a module Segment has a name, and the OS creates a segment table with segment name and beginning address in memory Each item within a segment is addressed as <name, offset> where offset is offset from the beginning of the segment Address reference passes through OS Processes have certain types of access to certain segments at certain times 11/22/2018 CS283/Fall05/GWU/Vora/Various

7 Problems with segmentation
One similar to buffer overflow: offset too large. Every accessed address needs to be checked during execution Looking up segment names is slow; translated to numbers. Numbers might be different for different processes: problem Inefficient use of memory because memory broken up into fragments (this can be addressed using fixed-size segments, or pages of contiguous bytes; however this does not allow choosing varuious access rights for various bytes) Hence Paged Segmentation: Program divided into logical units (segments) Each segment divided into fixed-sized pages 11/22/2018 CS283/Fall05/GWU/Vora/Various

8 CS283/Fall05/GWU/Vora/Various
Covert Channels A covert channel is a path of communication that was not designed to be used for communication. Say p is a Trojan horse watching Poorvi write the T/F answers in the test. q is the student who wrote the Trojan horse and has an account on seas. To send message p creates a file named outputs in q’s directory on seas. In this file, the number of spaces between two words reveals a bit of information: 2 spaces is True, one space is False. q can deny everything if accused. Different from traditional crypto in the sense that not only is message encrypted, but an opponent cannot even determine if it is present. 11/22/2018 CS283/Fall05/GWU/Vora/Various

9 CS283/Fall05/GWU/Vora/Various
Storage channel A covert storage channel uses an attribute of the shared resource, like whether a file is locked or not. This attribute can be checked at pre-determined time intervals. The Trojan horse p can create and erase a directory in q’s account, with a pre-determined name at pre-determined intervals. If p does not have such access to the same a/c as q, p can signal 1’s by creating a large file so that q cannot if he tries to as well. Observe p and q need to share a resource and a time cycle. 11/22/2018 CS283/Fall05/GWU/Vora/Various

10 CS283/Fall05/GWU/Vora/Various
Timing channel A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource. It can also be thought of as a shared resource channel where the shared resource is time. Examples: Timing attack on RSA (time of decryption helps factor n). Works on all modular exponentiation, used to break smartcard security. Not strictly covert in the sense that the leaked information is really unintentional. Leak information by using or not using allotted time slice. 11/22/2018 CS283/Fall05/GWU/Vora/Various

11 CS283/Fall05/GWU/Vora/Various
Other covert channels Electromagnetic field attack on smartcards (surrounding emf tells you something about the key used) Watermarking can be another covert channel Difficult to detect covert channels 11/22/2018 CS283/Fall05/GWU/Vora/Various

12 Detection of Covert Channel
To detect covert channels one can examine what resources are being shared – Kemmerer Shared Resource Matrix Methodology. P Q File existence R,M R File lock File label File size Shared Resource Matrix R – means attribute is read M – means attribute is modified. 11/22/2018 CS283/Fall05/GWU/Vora/Various

13 Checking for Covert Channels
The following properties must hold for a storage channel to exist: Both sending and receiving process must have access to the same attribute of a shared object. The sending process must be able to modify the attribute of the shared object. The receiving process must be able to reference that attribute of the shared object. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist. Similar properties for timing channel can be listed 11/22/2018 CS283/Fall05/GWU/Vora/Various

14 Mitigating Covert Channels
Total isolation – declare all resources prior to execution which are then solely allocated to process and released when process terminates. Difficult to achieve in practice. Obscure the amount of resources a process uses. By making usage uniform - For example, fixed time slice allotted whether process uses it or not. By injecting randomness. Both affect efficiency. 11/22/2018 CS283/Fall05/GWU/Vora/Various

15 Information Flow Policies
Information flow policies define the way information moves through the system. Deigned to preserve confidentiality and/or integrity. For example: privacy contracts expressed online in P3P Access controls constrain rights of users but do not fully constrain information flow in a system. Compile time and run-time mechanisms needed for checking information flow. 11/22/2018 CS283/Fall05/GWU/Vora/Various

16 Information Flow – Informal Definition
What do we mean by information flow? Example y := x; What is the information flow here? What does knowledge about y tell about x before and after the statement? y := x / z; What about here? A command sequence c causes a flow of information from x to y if knowledge about x given y before the sequence c is executed decreases after the command sequence is executed. Note: { tmp := x; y := tmp; } has information flowing from x to y but no information is flowing from tmp! Can be formalized with notion of entropy and conditional entropy. 11/22/2018 CS283/Fall05/GWU/Vora/Various

17 Information Flow Examples
x := y + z; if x + y < z then a := b else d := b * c – x; x = f(y1, y2) Write(y, F) Read(y, F) 11/22/2018 CS283/Fall05/GWU/Vora/Various

18 Execution Based Mechanisms
Consider if x == 1 then y := a else y := b; Information flows from x and a or x and b to y. But if a <= y only if some other variable z is 1 then compiler has no way of checking this. Need run time mechanisms. 11/22/2018 CS283/Fall05/GWU/Vora/Various

19 CS283/Fall05/GWU/Vora/Various
Total Isolation Process can be observed and this may leak information. Total isolation – a process that cannot be observed and cannot communicate with other processes cannot leak information. Total isolation is hard to achieve with shared computer systems. 11/22/2018 CS283/Fall05/GWU/Vora/Various

20 CS283/Fall05/GWU/Vora/Various
Isolation One can isolate a process by Present it with an environment that appears to be a computer running only that process or processes to be isolated – virtual machine. An environment is provided in which the process actions are analyzed to determine if they leak information – sandbox. 11/22/2018 CS283/Fall05/GWU/Vora/Various

21 CS283/Fall05/GWU/Vora/Various
Virtual Machines A virtual machine is a program that simulates the hardware of a (possibly abstract) computer system. It runs on a virtual machine monitor that virtualizes the resources of the underlying system and presents to each virtual machine the illusion that it alone is using the hardware. One advantage of virtual machines is that existing operating systems need not be modified. 11/22/2018 CS283/Fall05/GWU/Vora/Various

22 CS283/Fall05/GWU/Vora/Various
Sandboxes A sandbox is an environment in which the actions of a process are restricted according to a security policy. Enforcements may be restricted in two ways: Sandbox can limit executable environment by, for example, adding extra security checking mechanisms to the libraries or kernels. Programs themselves do not need to be modified. Java sandbox for downloaded applets. Modify programs to be executed. For example, add instructions to perform memory access checks. 11/22/2018 CS283/Fall05/GWU/Vora/Various

Download ppt "Memory and Address Protection Covert Channels"

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Memory Management Chapter 7.

Memory Management Chapter 7.
Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
CSIE30300 Computer Architecture Unit 10: Virtual Memory Hsin-Chou Chi [Adapted from material by and

CSIE30300 Computer Architecture Unit 10: Virtual Memory Hsin-Chou Chi [Adapted from material by and
Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?

Memory Management Questions answered in this lecture: How do processes share memory? What is static relocation? What is dynamic relocation? What is segmentation?
CSC 4250 Computer Architectures December 8, 2006 Chapter 5. Memory Hierarchy.

CSC 4250 Computer Architectures December 8, 2006 Chapter 5. Memory Hierarchy.
Memory Management Design & Implementation Segmentation Chapter 4.

Memory Management Design & Implementation Segmentation Chapter 4.
Chapter 101 Virtual Memory Chapter 10 Sections 10.1 - 10.3.1 and 10.4 - 10.6 plus10.8.1 (Skip:10.3.2, 10.7, rest of 10.8)

Chapter 101 Virtual Memory Chapter 10 Sections and plus (Skip:10.3.2, 10.7, rest of 10.8)
Chapter 8.3: Memory Management

Chapter 8.3: Memory Management
Memory Management 2010.

Memory Management 2010.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
MEMORY MANAGEMENT By KUNAL KADAKIA RISHIT SHAH. Memory Memory is a large array of words or bytes, each with its own address. It is a repository of quickly.

MEMORY MANAGEMENT By KUNAL KADAKIA RISHIT SHAH. Memory Memory is a large array of words or bytes, each with its own address. It is a repository of quickly.
Chapter 5: Memory Management Dhamdhere: Operating Systems— A Concept-Based Approach Slide No: 1 Copyright ©2005 Memory Management Chapter 5.

Chapter 5: Memory Management Dhamdhere: Operating Systems— A Concept-Based Approach Slide No: 1 Copyright ©2005 Memory Management Chapter 5.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
SE571 Security in Computing

SE571 Security in Computing
Computer Organization

Computer Organization
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.
CSE431 L22 TLBs.1Irwin, PSU, 2005 CSE 431 Computer Architecture Fall 2005 Lecture 22. Virtual Memory Hardware Support Mary Jane Irwin ( www.cse.psu.edu/~mji.

CSE431 L22 TLBs.1Irwin, PSU, 2005 CSE 431 Computer Architecture Fall 2005 Lecture 22. Virtual Memory Hardware Support Mary Jane Irwin (

Similar presentations

Ads by Google