Covert channel


In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Butler Lampson, is defined as channels "not intended for information transfer at all, such as the service program's effect on system load," to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC. [1]


Characteristics

A covert channel is so called because it is hidden from the access control mechanisms of secure operating systems since it does not use the legitimate data transfer mechanisms of the computer system (typically, read and write), and therefore cannot be detected or controlled by the security mechanisms that underlie secure operating systems. Covert channels are exceedingly hard to install in real systems, and can often be detected by monitoring system performance. In addition, they suffer from a low signal-to-noise ratio and low data rates (typically, on the order of a few bits per second). They can also be removed manually with a high degree of assurance from secure systems by well established covert channel analysis strategies.

Covert channels are distinct from, and often confused with, legitimate channel exploitations that attack low-assurance pseudo-secure systems using schemes such as steganography or even less sophisticated schemes to disguise prohibited objects inside of legitimate information objects. The legitimate channel misuse by steganography is specifically not a form of covert channel.

Covert channels can tunnel through secure operating systems and require special measures to control. Covert channel analysis is the only proven way to control covert channels. By contrast, secure operating systems can easily prevent misuse of legitimate channels, so distinguishing the two is important. Analysis of legitimate channels for hidden objects is often misrepresented as the only successful countermeasure for legitimate channel misuse. Because this amounts to analysis of large amounts of software, it was shown as early as 1972 to be impractical. [2] Without being informed of this, some are misled to believe an analysis will "manage the risk" of these legitimate channels.

TCSEC criteria

The Trusted Computer Security Evaluation Criteria (TCSEC) was a set of criteria, now deprecated, that had been established by the National Computer Security Center, an agency managed by the United States' National Security Agency.

Lampson's definition of a covert channel was paraphrased in the TCSEC [3] specifically to refer to ways of transferring information from a higher classification compartment to a lower classification. In a shared processing environment, it is difficult to completely insulate one process from the effects another process can have on the operating environment. A covert channel is created by a sender process that modulates some condition (such as free space, availability of some service, wait time to execute) that can be detected by a receiving process.

The TCSEC defines two kinds of covert channels:

The TCSEC, also known as the Orange Book, [4] requires analysis of covert storage channels for a system to be classified as B2, and analysis of covert timing channels is a requirement for class B3.

Timing channels

The use of delays between packets transmitted over computer networks was first explored by Girling [5] for covert communication. This work motivated many other works to establish or detect a covert communication and analyze the fundamental limitations of such scenarios.

Identifying covert channels

Ordinary things, such as the existence of a file or the time used for a computation, have been the medium through which a covert channel communicates. Covert channels are not easy to find because these media are so numerous and frequently used.

Two relatively old techniques remain the standards for locating potential covert channels. One works by analyzing the resources of a system and the other works at the source-code level.

Eliminating covert channels

The possibility of covert channels cannot be eliminated, [2] although it can be significantly reduced by careful design and analysis.

The detection of a covert channel can be made more difficult by using characteristics of the communications medium for the legitimate channel that are never controlled or examined by legitimate users. For example, a file can be opened and closed by a program in a specific, timed pattern that can be detected by another program, and the pattern can be interpreted as a string of bits, forming a covert channel. Since it is unlikely that legitimate users will check for patterns of file opening and closing operations, this type of covert channel can remain undetected for long periods.

A similar case is port knocking. In usual communications the timing of requests is irrelevant and unwatched. Port knocking makes it significant.
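A timed open/close pattern of the kind described above shows up in the gaps between events. The following is an added example, not taken from the article's sources: it quantises inter-event intervals and separates gaps that switch between two values from a single steady period (an ordinary poller) and from irregular activity. The bin width, thresholds and the three seeded sample timelines are constructed assumptions.

```python
import random
from collections import Counter
from itertools import accumulate


def intervals(timestamps):
    """Gaps between consecutive events, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def bin_shares(deltas, bin_width=0.02):
    """Share of intervals in each quantised bin, most common bin first."""
    bins = Counter(round(d / bin_width) for d in deltas)
    return [count / len(deltas) for _, count in bins.most_common()]


def classify(timestamps, threshold=0.8, min_events=30):
    """Return 'modulated', 'periodic', 'irregular' or 'too-few-events'."""
    deltas = intervals(timestamps)
    if len(deltas) < min_events:
        return "too-few-events"
    shares = bin_shares(deltas)
    if shares[0] >= threshold:
        return "periodic"    # one dominant gap: a poller or keepalive
    if sum(shares[:2]) >= threshold:
        return "modulated"   # gaps switch between two values
    return "irregular"       # spread-out gaps, typical of organic activity


def _timeline(gaps):
    """Turn a list of gaps into event timestamps starting at zero."""
    return [0.0] + list(accumulate(gaps))


def _jitter(rng):
    """Small scheduling noise of +/- 3 ms."""
    return rng.uniform(-0.003, 0.003)


# Constructed samples (seeded, so every run sees the same data).
_rng = random.Random(1)
MODULATED = _timeline(
    [(0.30 if i % 3 == 0 else 0.10) + _jitter(_rng) for i in range(120)]
)
PERIODIC = _timeline([0.50 + _jitter(_rng) for _ in range(120)])
ORGANIC = _timeline([_rng.expovariate(5.0) for _ in range(200)])

if __name__ == "__main__":
    for name, sample in (("modulated", MODULATED),
                         ("periodic", PERIODIC),
                         ("organic", ORGANIC)):
        print(name, "->", classify(sample))
```

A "modulated" verdict is a triage signal for an analyst, since some legitimate software also alternates between two delays.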

Data hiding in OSI model

Handel and Sandford presented research in which they study covert channels within the general design of network communication protocols. [6] They employ the OSI model as the basis for their development, characterizing system elements that have the potential to be used for data hiding. The adopted approach has an advantage in that it considers standards, as opposed to specific network environments or architectures.

Their study does not aim to present foolproof steganographic schemes. Rather, they establish basic principles for data hiding in each of the seven OSI layers. Besides suggesting the use of the reserved fields of protocol headers (which are easily detectable) at higher network layers, they also propose the possibility of timing channels involving CSMA/CD manipulation at the physical layer.

Their work identifies covert channel merit such as:

Their covert channel analysis does not consider issues such as interoperability of these data hiding techniques with other network nodes, covert channel capacity estimation, effect of data hiding on the network in terms of complexity and compatibility. Moreover, the generality of the techniques cannot be fully justified in practice since the OSI model does not exist per se in functional systems.

Data hiding in LAN environment by covert channels

Girling first analyzes covert channels in a network environment. His work focuses on local area networks (LANs), in which three obvious covert channels (two storage channels and one timing channel) are identified. This demonstrates real examples of the bandwidth possibilities for simple covert channels in LANs. For a specific LAN environment, the author introduced the notion of a wiretapper who monitors the activities of a specific transmitter on the LAN. The covertly communicating parties are the transmitter and the wiretapper. According to Girling, the covert information can be communicated in any of the following obvious ways:

  1. By observing the addresses approached by the transmitter. If the total number of addresses a sender can approach is 16, then there is a possibility of secret communication having 4 bits for the secret message. The author termed this possibility a covert storage channel, as it depends on what is sent (i.e., which address is approached by the sender).
  2. In the same way, the other obvious covert storage channel would depend on the size of the frame sent by the sender. For the 256 possible sizes, the amount of covert information deciphered from one frame size would be 8 bits. Again, this scenario was termed a covert storage channel.
  3. The third scenario presented uses the presence or absence of messages. For instance, "0" for an odd message time interval, "1" for even.

The scenario transmits covert information through a "when-is-sent" strategy and is therefore termed a covert timing channel. The time to transmit a block of data is calculated as a function of software processing time, network speed, network block sizes and protocol overhead. Assuming blocks of various sizes are transmitted on the LAN, the software overhead is computed on average, and a novel time evaluation used to estimate the bandwidth (capacity) of covert channels is also presented. The work paves the way for future research.

Data hiding in TCP/IP Protocol suite by covert channels

Focusing on the IP and TCP headers of TCP/IP Protocol suite, an article published by Craig Rowland devises proper encoding and decoding techniques by utilizing the IP identification field, the TCP initial sequence number and acknowledge sequence number fields. [7] These techniques are implemented in a simple utility written for Linux systems running version 2.0 kernels.

Rowland provides a proof of concept as well as practical encoding and decoding techniques for exploitation of covert channels using the TCP/IP protocol suite. These techniques are analyzed considering security mechanisms like firewall network address translation.

However, the non-detectability of these covert communication techniques is questionable. For instance, in the case where the sequence number field of the TCP header is manipulated, the encoding scheme is such that every time the same alphabet character is covertly communicated, it is encoded with the same sequence number.

Moreover, the use of the sequence number field as well as the acknowledgment field cannot be made specific to the ASCII coding of the English language alphabet as proposed, since both fields take into account the receipt of data bytes pertaining to specific network packet(s).
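The repeated-sequence-number weakness noted above can be checked from the defender's side. The following is an added example, not code from Rowland's utility or the cited papers: it groups observed SYN segments by source and flags sources whose initial sequence numbers (ISNs) repeat across distinct connections, while ignoring ordinary SYN retransmissions. The sample observations, the addresses and the `min_syns` threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

ISN_SPACE = 2 ** 32  # the TCP sequence number field is 32 bits wide

# Constructed sample: (source, source port, ISN) taken from SYN segments.
# Addresses are documentation ranges; every value here is made up.
OBSERVED_SYNS = [
    # Host whose ISNs come from a small fixed set (one value per symbol).
    ("192.0.2.10", 40001, 0x1A2B3C4D), ("192.0.2.10", 40002, 0x5E6F7081),
    ("192.0.2.10", 40003, 0x92A3B4C5), ("192.0.2.10", 40004, 0x92A3B4C5),
    ("192.0.2.10", 40005, 0xD6E7F809), ("192.0.2.10", 40006, 0x0B1C2D3E),
    ("192.0.2.10", 40007, 0xD6E7F809), ("192.0.2.10", 40008, 0x1A2B3C4D),
    ("192.0.2.10", 40009, 0x92A3B4C5), ("192.0.2.10", 40010, 0x5E6F7081),
    # Ordinary host: every connection has a fresh ISN ...
    ("198.51.100.7", 51000, 0x7C0E19A4), ("198.51.100.7", 51001, 0x03D2F6B1),
    ("198.51.100.7", 51002, 0xE48A5C27), ("198.51.100.7", 51003, 0x59B7106E),
    ("198.51.100.7", 51004, 0xA1F3C8D0), ("198.51.100.7", 51005, 0x2E64B9F5),
    ("198.51.100.7", 51006, 0xC7095A3B), ("198.51.100.7", 51007, 0x6B8D21E9),
    # ... and one retransmitted SYN (same port, same ISN), which is normal.
    ("198.51.100.7", 51003, 0x59B7106E),
]


def analyse(observations, min_syns=8):
    """Report ISN reuse per source as {source: {...}}."""
    # A retransmitted SYN repeats (source, port, ISN): count it only once.
    connections = set(observations)
    per_source = defaultdict(Counter)
    for src, _sport, isn in connections:
        per_source[src][isn & 0xFFFFFFFF] += 1

    report = {}
    for src, counts in per_source.items():
        n = sum(counts.values())
        # Unordered pairs of connections that carried the same ISN.
        pairs = sum(c * (c - 1) // 2 for c in counts.values())
        report[src] = {
            "syns": n,
            "distinct": len(counts),
            "pairs": pairs,
            # Pairs expected if the n ISNs were uniformly random 32-bit values.
            "expected": n * (n - 1) / 2 / ISN_SPACE,
            # Even one repeat is far beyond that expectation, so a single
            # pair is enough once there are enough connections to judge.
            "suspicious": n >= min_syns and pairs > 0,
        }
    return report


def flagged(report):
    """Sources worth a closer look, in sorted order."""
    return sorted(src for src, row in report.items() if row["suspicious"])


if __name__ == "__main__":
    for src, row in sorted(analyse(OBSERVED_SYNS).items()):
        print(src, row)
```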

After Rowland, several authors in academia published more work on covert channels in the TCP/IP protocol suite, including a plethora of countermeasures ranging from statistical approaches to machine learning. [8] [9] [10] [11] The research on network covert channels overlaps with the domain of network steganography, which emerged later.

References

  1. Butler Lampson (1 October 1973). "A note on the confinement problem". Communications of the ACM. 16 (10): 613–615. doi:10.1145/362375.362389. ISSN 0001-0782. Wikidata Q56446421.
  2. Computer Security Technology Planning Study (James P. Anderson, 1972)
  3. NCSC-TG-030, Covert Channel Analysis of Trusted Systems (Light Pink Book), 1993 from the United States Department of Defense (DoD) Rainbow Series publications.
  4. 5200.28-STD, Trusted Computer System Evaluation Criteria (Orange Book), 1985. Archived 2006-10-02 at the Wayback Machine, from the DoD Rainbow Series publications.
  5. Girling, Gray (February 1987). "Covert Channels in LAN's". IEEE Transactions on Software Engineering. SE-13 (2): 292–296. doi:10.1109/tse.1987.233153. S2CID 3042941. ProQuest 195596753.
  6. Hiding data in the OSI network model. Archived 2014-10-18 at the Wayback Machine. Theodore G. Handel and Maxwell T. Sandford II (2005)
  7. Covert Channels in the TCP/IP Protocol Suite. Archived 2012-10-23 at the Wayback Machine. 1996 paper by Craig Rowland on covert channels in the TCP/IP protocol with proof of concept code.
  8. Zander, S.; Armitage, G.; Branch, P. (2007). "A survey of covert channels and countermeasures in computer network protocols". IEEE Communications Surveys and Tutorials. IEEE. 9 (3): 44–57. doi:10.1109/comst.2007.4317620. hdl:1959.3/40808. ISSN 1553-877X. S2CID 15247126.
  9. Information hiding in communication networks: fundamentals, mechanisms, applications, and countermeasures. Mazurczyk, Wojciech; Wendzel, Steffen; Zander, Sebastian; Houmansadr, Amir; Szczypiorski, Krzysztof. Hoboken, N.J.: Wiley. 2016. ISBN 9781118861691. OCLC 940438314.
  10. Wendzel, Steffen; Zander, Sebastian; Fechner, Bernhard; Herdin, Christian (April 2015). "Pattern-Based Survey and Categorization of Network Covert Channel Techniques". ACM Computing Surveys. 47 (3): 50:1–50:26. arXiv:1406.2901. doi:10.1145/2684195. ISSN 0360-0300. S2CID 14654993.
  11. Cabuk, Serdar; Brodley, Carla E.; Shields, Clay (April 2009). "IP Covert Channel Detection". ACM Transactions on Information and System Security. 12 (4): 22:1–22:29. CiteSeerX 10.1.1.320.8776. doi:10.1145/1513601.1513604. ISSN 1094-9224. S2CID 2462010.
