CSCI283172 Fall 2006 - PowerPoint PPT Presentation

1
Covert Channels
  • CSCI283/172 Fall 2006
  • GWU
  • Draws extensively from Memon's notes, Brooklyn
    Poly
  • And book by Pfleeger, Chapters 3 and 4

2
Covert Channels
  • A covert channel is a path of communication that
    was not designed to be used for communication.
  • Say p is a Trojan horse watching Poorvi write the
    T/F answers in the test. q is the student who
    wrote the Trojan horse and has an account on
    seas. To send a message, p creates a file named
    outputs in q's directory on seas. In this file,
    the number of spaces between two words reveals a
    bit of information: 2 spaces is True, one space
    is False. q can deny everything if accused.
  • Different from traditional crypto in the sense
    that not only is the message encrypted, but an
    opponent cannot even determine whether it is present.

3
Storage channel
  • A covert storage channel uses an attribute of the
    shared resource, like whether a file is locked or
    not. This attribute can be checked at
    pre-determined time intervals.
  • The Trojan horse p can create and erase a
    directory in q's account, with a pre-determined
    name at pre-determined intervals.
  • If p does not have such access to the same account as
    q, p can signal a 1 by creating a large file so
    that q cannot create one if he tries to as well.
  • Observe p and q need to share a resource and a
    time cycle.

4
Timing channel
  • A covert timing channel uses a temporal or
    ordering relationship among accesses to a shared
    resource. It can also be thought of as a shared
    resource channel where the shared resource is
    time.
  • Examples:
  • Timing attack on RSA (the time taken to decrypt helps
    factor n). Works on all modular exponentiation;
    used to break smartcard security. Not strictly
    covert, in the sense that the leaked information
    is unintentional.
  • Leak information by using or not using allotted
    time slice.

5
Other covert channels
  • Electromagnetic field attack on smartcards
    (the surrounding EMF tells you something about the
    key used)
  • Watermarking can be another covert channel
  • Covert channels are difficult to detect

6
Detection of Covert Channel
  • To detect covert channels one can examine what
    resources are being shared: Kemmerer's Shared
    Resource Matrix Methodology.

[Shared Resource Matrix table] R means the attribute
is read, M means the attribute is modified.
7
Checking for Covert Channels
  • The following properties must hold for a storage
    channel to exist:
  • Both the sending and receiving processes must have
    access to the same attribute of a shared object.
  • The sending process must be able to modify the
    attribute of the shared object.
  • The receiving process must be able to reference
    that attribute of the shared object.
  • A mechanism for initiating both processes and
    properly sequencing their respective accesses to
    the shared resource must exist.
  • Similar properties can be listed for a timing
    channel.
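A worked check of these conditions, added here as an example and not part of the lecture: a constructed shared resource matrix in the style of Kemmerer's method, using the slides' file lock, directory and disk-space attributes, searched for attributes that p can modify and q can reference.

```python
"""Kemmerer-style shared resource matrix (SRM) check for storage channels.

Constructed example: rows are attributes of shared resources, columns are
the primitives that touch them; "R" marks a primitive that references
(reads) the attribute, "M" one that modifies it.  The check applies the
first three conditions from the slide; the fourth (a way to start and
sequence the two processes, e.g. a shared clock) is assumed to hold.
"""

SRM = {
    # attribute        primitive -> "R" (reads it) or "M" (modifies it)
    "file_locked":   {"lock_file": "M", "unlock_file": "M", "open_file": "R"},
    "dir_exists":    {"mkdir": "M", "rmdir": "M", "stat_dir": "R"},
    "disk_free":     {"create_big_file": "M", "create_file": "R"},
    "file_contents": {"write_file": "M", "read_file": "R"},
}

# Primitives each process may invoke (constructed): p is the Trojan horse in
# the slides, q the receiver, who has no read access to p's files.
CAN_INVOKE = {
    "p": {"lock_file", "unlock_file", "mkdir", "rmdir",
          "create_big_file", "write_file"},
    "q": {"open_file", "stat_dir", "create_file"},
}


def find_storage_channels(srm, can_invoke, sender, receiver):
    """Return (attribute, modifying primitive, referencing primitive)
    triples: every attribute the sender can modify and the receiver can
    reference is a potential storage channel and needs review."""
    channels = []
    for attribute, ops in srm.items():
        mods = sorted(op for op, kind in ops.items()
                      if kind == "M" and op in can_invoke[sender])
        refs = sorted(op for op, kind in ops.items()
                      if kind == "R" and op in can_invoke[receiver])
        channels.extend((attribute, m, r) for m in mods for r in refs)
    return channels


if __name__ == "__main__":
    for attr, m, r in find_storage_channels(SRM, CAN_INVOKE, "p", "q"):
        print(f"{attr}: p modifies via {m}, q references via {r}")
```

The legitimate data path (file_contents) is not reported because q cannot read p's files; the three attributes that are reported are exactly the ones the slides use as channels.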

8
Mitigating Covert Channels
  • Total isolation: declare all resources prior to
    execution; they are then solely allocated to the
    process and released when the process terminates.
    Difficult to achieve in practice.
  • Obscure the amount of resources a process uses:
  • By making usage uniform, for example a fixed time
    slice allotted whether the process uses it or not.
  • By injecting randomness.
  • Both affect efficiency.

9
Information Flow Policies
  • Information flow policies define the way
    information moves through the system. Designed to
    preserve confidentiality and/or integrity.
  • For example, privacy contracts expressed online
    in P3P.
  • Access controls constrain the rights of users but do
    not fully constrain information flow in a system.
  • Compile-time and run-time mechanisms are needed for
    checking information flow.

10
Information Flow Informal Definition
  • What do we mean by information flow?
  • Example: y := x. What is the information flow
    here? What does knowledge about y tell about x
    before and after the statement?
  • y := x / z. What about here?
  • A command sequence c causes a flow of information
    from x to y if knowledge about x given y before
    the sequence c is executed decreases after the
    command sequence is executed.
  • Note: tmp := x; y := tmp has information
    flowing from x to y but no information is flowing
    from tmp!
  • Can be formalized with notion of entropy and
    conditional entropy.

11
Information Flow Examples
  • x := y + z
  • if x + y < z then
      a := b
    else
      d := b * c + x
  • x := f(y1, y2)
  • Write(y, F)
  • Read(y, F)

12
Confinement Flow Models
  • Each entity, a, is assigned a confinement pair
    confine(a) = (aL, aU) where aL is the lowest
    classification of information allowed to flow out
    of a and aU is the highest classification of
    information allowed to flow into a.
  • Example: confine(x) = (Confidential, Confidential)
  • confine(y) = (Secret, Secret)
  • confine(z) = (Confidential, Top Secret)
  • Possible flows? Secure or allowed flows?
    Transitive?
  • Graph
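An added example (not the lecture's own code) that works the slide's questions through: it derives the allowed-flow rule aL ≤ bU from the definitions above, assumes a linear ordering of the classifications, lists the allowed flows among x, y and z, and finds the chain y → z → x that is allowed step by step even though y → x is not.

```python
"""Confinement flow model from the slide: confine(a) = (aL, aU).

Derived from the slide's definitions (not the lecture's own code):
information leaving a is classified at least aL and information entering b
may be classified at most bU, so a flow a -> b is allowed iff aL <= bU.
The classification order is assumed to be linear.
"""

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # assumed

# The slide's three entities.
CONFINE = {
    "x": ("Confidential", "Confidential"),
    "y": ("Secret", "Secret"),
    "z": ("Confidential", "Top Secret"),
}


def dominates(hi, lo):
    """True if classification hi is at least as high as lo."""
    return LEVELS.index(hi) >= LEVELS.index(lo)


def flow_allowed(confine, a, b):
    """a -> b is allowed iff aL <= bU."""
    a_low, _ = confine[a]
    _, b_up = confine[b]
    return dominates(b_up, a_low)


def allowed_flows(confine):
    return sorted((a, b) for a in confine for b in confine
                  if a != b and flow_allowed(confine, a, b))


def transitivity_gaps(confine):
    """Triples (a, b, c) with a -> b and b -> c allowed but a -> c not:
    the model is not transitive, so a chain of allowed flows can still
    move information where a direct flow is forbidden."""
    return sorted((a, b, c)
                  for a in confine for b in confine for c in confine
                  if len({a, b, c}) == 3
                  and flow_allowed(confine, a, b)
                  and flow_allowed(confine, b, c)
                  and not flow_allowed(confine, a, c))


if __name__ == "__main__":
    print("allowed:", allowed_flows(CONFINE))
    print("indirect leaks:", transitivity_gaps(CONFINE))
```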

13
Compiler-Based Mechanisms
  • Need some language construct to relate variables
    to security classes.
  • Example: x: integer class {A, B} may mean
    that security classes A and B may flow into x.
  • Assignment statements
  • x := y + z
  • For this to be a secure flow, lub{y, z} ≤ x.
  • Draw representative graph

14
Compiler-Based Mechanisms
  • Conditional Statements
  • if x + y < z then
      a := b
    else
      d := b * c + x
  • The requirements for secure flow are:
  • 1. b ≤ a
  • 2. lub{b, c, x} ≤ d
  • 3. lub{x, y, z} ≤ glb{a, d}
  • Draw graph
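The assignment check from the previous slide and the three conditional-statement requirements above, as an added example that is not the lecture's code: classes are modelled as sets of categories (matching the declaration x: integer class {A, B}), so lub is union and glb is intersection; the constructed class declarations make the assignment insecure and the conditional secure.

```python
"""Compile-time information-flow check for the statement forms on the slides.

Added example, not the lecture's code.  Security classes are sets of
categories, matching the declaration "x: integer class {A, B}", so
lub = union, glb = intersection and c1 <= c2 means c1 is a subset of c2.
"""


def lub(*classes):
    return frozenset().union(*classes)


def glb(*classes):
    return frozenset.intersection(*(frozenset(c) for c in classes))


def leq(c1, c2):
    return frozenset(c1) <= frozenset(c2)


def assignment_secure(target, sources, cls):
    """x := y + z is secure iff lub{y, z} <= x (the operator is irrelevant)."""
    return leq(lub(*(cls[s] for s in sources)), cls[target])


def conditional_secure(cond_vars, branches, cls):
    """if <condition over cond_vars> then t1 := ... else t2 := ...:
    every branch assignment must be secure on its own, and the implicit
    flow from the condition requires lub{cond_vars} <= glb{branch targets}."""
    explicit = all(assignment_secure(t, s, cls) for t, s in branches)
    implicit = leq(lub(*(cls[v] for v in cond_vars)),
                   glb(*(cls[t] for t, _ in branches)))
    return explicit and implicit


# Constructed class declarations for the slides' variables.
CLASSES = {
    "x": {"A"}, "y": {"A"}, "z": {"A", "B"},
    "a": {"A", "B", "C"}, "b": {"A"}, "c": {"B"}, "d": {"A", "B", "C"},
}

if __name__ == "__main__":
    # x := y + z  (slide 13): lub{y, z} = {A, B} is not <= x = {A}
    print(assignment_secure("x", ["y", "z"], CLASSES))  # False
    # if x + y < z then a := b else d := b * c + x  (slide 14)
    print(conditional_secure(["x", "y", "z"],
                             [("a", ["b"]), ("d", ["b", "c", "x"])],
                             CLASSES))  # True
```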

15
Execution Based Mechanisms
  • Consider
  • if x = 1 then y := a else y := b
  • Information flows from x and a, or from x and b, to
    y. But if a ≤ y holds only when some other variable z
    is 1, the compiler has no way of checking this.
    Run-time mechanisms are needed.

16
Total Isolation
  • Process can be observed and this may leak
    information.
  • Total isolation: a process that cannot be
    observed and cannot communicate with other
    processes cannot leak information.
  • Total isolation is hard to achieve with shared
    computer systems.

17
Isolation
  • One can isolate a process by:
  • Presenting it with an environment that appears to be
    a computer running only that process or the processes
    to be isolated: a virtual machine.
  • Providing an environment in which the process's
    actions are analyzed to determine if they leak
    information: a sandbox.

18
Virtual Machines
  • A virtual machine is a program that simulates the
    hardware of a (possibly abstract) computer
    system.
  • It runs on a virtual machine monitor that
    virtualizes the resources of the underlying
    system and presents to each virtual machine the
    illusion that it alone is using the hardware.
  • One advantage of virtual machines is that
    existing operating systems need not be modified.

19
Sandboxes
  • A sandbox is an environment in which the actions
    of a process are restricted according to a
    security policy.
  • Enforcement may be done in two ways:
  • The sandbox can limit the execution environment by, for
    example, adding extra security-checking
    mechanisms to the libraries or kernel. Programs
    themselves do not need to be modified, e.g. the Java
    sandbox for downloaded applets.
  • Modify programs to be executed. For example, add
    instructions to perform memory access checks.