Covert Channels

Using shared resources (channel) to communicate (leak information) in an unexpected way.

It's generally possible to identify unusual means of communicating via elements of the system so that the intent of the [mandatory policy](/brain/20210211230047-mandatory_access_control/) is broken. These means are known as [see page 25, [covert channels](com3501-w01-MAC)]. Covert channels arise because subjects share resources, which can allow one subject (the transmitter) to modulate how another subject (the receiver) observes the system.

Variants

Covert channels are [see page 26, grouped] into:

| Channel | Description |
| --- | --- |
| Storage | Affects the storage of data/attributes on the system, which is then read by the receiver |
| Timing | Modulates the times at which events are transmitted and therefore perceived by the receiver |

Object Existence Channel

A covert storage channel can use the existence of an object to convey information. For example, a low-class subject may try to create a file but fail to do so because a file of the same name exists under a higher class (which the lower-class subject couldn't read).

In this case, even though we can't directly read or inspect the existing file, we know:

  1. It exists.
  2. It exists at a higher class than we have access to.
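The existence channel described above, as an added Python simulation that is not part of these notes or the cited lecture: a toy store enforces no-read-up and no-write-down but keeps a single shared namespace, so the low subject recovers each bit from whether its own create fails. Two mitigations are shown alongside it: counting repeated failed creates in the audit trail as a detection signal, and giving each level its own namespace (polyinstantiation) so the collision, and with it the bit, disappears. The level names, the object name, the audit tuple layout and the detection threshold are all constructed for the example.

```python
# Added illustration of the object-existence channel in a toy multilevel
# store; not code from the notes or the cited lectures. Level names, the
# object name and the audit record format are constructed for the example.

LEVELS = {"low": 0, "high": 1}   # constructed two-point lattice: low < high


class MLSStore:
    """Enforces no-read-up / no-write-down, but uses one global namespace,
    so a failed create reveals that a higher-level object of that name exists."""

    def __init__(self):
        self.objects = {}   # key -> level of the subject that created it
        self.audit = []     # (subject_level, operation, name, outcome)

    def _key(self, name, level):
        return name          # single shared namespace: this is the leak

    def create(self, level, name):
        key = self._key(name, level)
        if key in self.objects:
            self.audit.append((level, "create", name, "exists"))
            raise FileExistsError(name)
        self.objects[key] = level
        self.audit.append((level, "create", name, "ok"))

    def delete(self, level, name):
        key = self._key(name, level)
        if self.objects.get(key) != level:   # no write-down: only own objects
            raise PermissionError(name)
        del self.objects[key]
        self.audit.append((level, "delete", name, "ok"))


class PolyinstantiatedStore(MLSStore):
    """Mitigation: objects are named per level, so a low create never collides
    with a high object and the existence bit is no longer observable."""

    def _key(self, name, level):
        return (name, level)


def send_bit(store, bit, name="signal"):
    """Transmitter (high). Bit 1: keep a high object in place; bit 0: remove it."""
    present = store._key(name, "high") in store.objects
    if bit and not present:
        store.create("high", name)
    elif not bit and present:
        store.delete("high", name)


def receive_bit(store, name="signal"):
    """Receiver (low). Reads 'cannot create' as 1, otherwise cleans up and reads 0."""
    try:
        store.create("low", name)
    except FileExistsError:
        return 1
    store.delete("low", name)
    return 0


def run_channel(store, bits):
    """Push a bit string through the channel and return what the receiver saw."""
    received = []
    for bit in bits:
        send_bit(store, bit)
        received.append(receive_bit(store))
    return received


def flag_existence_probes(audit, threshold=3):
    """Detection: a subject whose creates keep failing with 'exists' on the
    same name is probing the existence channel. Threshold is constructed."""
    counts = {}
    for level, op, name, outcome in audit:
        if op == "create" and outcome == "exists":
            counts[(level, name)] = counts.get((level, name), 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    leaky = MLSStore()
    print("shared namespace :", run_channel(leaky, msg))      # recovers msg
    print("flagged probes   :", flag_existence_probes(leaky.audit))
    print("polyinstantiated :", run_channel(PolyinstantiatedStore(), msg))  # all zeros
```

The receiver never reads the high object; the policy is respected on every call, which is exactly why this kind of channel survives a mandatory access control review that only looks at read and write rules.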

Object Attribute Channel

Another covert channel can be found through object attributes. For [see page 28, example], a subject could continually query the time-last-read field of a file to see how many times some other (perhaps higher-level) subject has read it to date.

The higher-level subject reading the file changes its attributes, even though the file is at a lower level.

Clearance Modification Channel

Another covert channel can be found by [see page 29, changing clearance]: read data at a higher current-clearance into a local store, then change your current-clearance to something lower before writing it back out to a new object.

Note: This can be avoided by clearing the local store after every [see page 30, process-change].

This is also an issue with [see page 32, upgrading] the clearance. By combining upgrading with existence checks, a higher-class subject can signal a binary value to a lower-class user simply by upgrading.

Modulating Time Channel

You can transmit information by modulating the [see page 34, time] at which events occur. For example, we can ask a receiver to read from a specific point in memory and measure how long the read takes to finish in order to infer a 0/1 value.

Note: This approach is rather insidious and hard to detect.

This channel often requires the use of a clock (e.g. the system clock), but there are [see page 36, indirect] means of judging the passage of time, e.g. holding a key down and measuring how long the input takes to be handled relative to the input buffer.

Countermeasures

We can discover a covert channel through a thorough search, but once we've found one, how do we [see page 39, counter-act] its effects? We can:

  • Re-assess the bandwidth of the system (make it harder to transmit more)
  • Re-design parts of the system (control end points, or communication lines)
  • Slug the channel. Intentionally introduce latency to make it harder to signal information through timing.
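The modulating-time channel above and the "slug the channel" countermeasure, as an added Python model that is not from these notes: the transmitter picks a slow or fast path for a shared operation, the receiver times it against a clock and thresholds the duration, and the bandwidth estimate treats the link as a binary symmetric channel (capacity 1 - H(p) bits per symbol, divided by the mean symbol time) so that both the error rate and the added latency show up in one number. Service times, the bit pattern and the jitter/grain parameters are constructed, and the BSC figure is a rough proxy, since the errors after coarse-graining fall only on one symbol.

```python
import math
import random

# Added illustration of a timing channel and of slugging it; not code from
# the notes. Service times, bit pattern and noise parameters are constructed.

FAST, SLOW = 2.0, 10.0              # duration of the shared op for bit 0 / bit 1
THRESHOLD = (FAST + SLOW) / 2.0     # receiver's decision point between them


def transmit(bit):
    """Transmitter: take the slow or fast path so the op's duration encodes the bit."""
    return SLOW if bit else FAST


def slug(elapsed, rng=None, jitter=0.0, grain=1.0):
    """Countermeasure: add random latency and/or expose time only at a coarse grain."""
    if rng is not None and jitter > 0.0:
        elapsed += rng.uniform(0.0, jitter)          # latency noise
    if grain > 1.0:
        elapsed = math.ceil(elapsed / grain) * grain  # fuzzy clock: round up to grain
    return elapsed


def receive(elapsed):
    """Receiver: time the shared op and threshold the measurement."""
    return 1 if elapsed > THRESHOLD else 0


def binary_entropy(p):
    """H(p) in bits; H(0) = H(1) = 0."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def run_channel(bits, rng=None, jitter=0.0, grain=1.0):
    """Push bits through the channel.

    Returns (received bits, crossover rate p, estimated bits per time unit).
    The bandwidth uses the BSC capacity 1 - H(p) as a rough proxy."""
    received, total_time = [], 0.0
    for b in bits:
        elapsed = slug(transmit(b), rng, jitter, grain)
        total_time += elapsed
        received.append(receive(elapsed))
    p = sum(r != b for r, b in zip(received, bits)) / len(bits)
    symbol_time = total_time / len(bits)
    bandwidth = (1.0 - binary_entropy(p)) / symbol_time
    return received, p, bandwidth


if __name__ == "__main__":
    bits = [1, 0] * 8                                   # constructed 16-bit pattern
    for label, kwargs in [
        ("no countermeasure", {}),
        ("jitter up to 20", {"rng": random.Random(7), "jitter": 20.0}),
        ("clock grain 100", {"grain": 100.0}),
    ]:
        got, p, bw = run_channel(bits, **kwargs)
        print(f"{label:18s} p={p:.3f} bandwidth={bw:.4f} bits/unit  {got}")
```

Jitter alone only raises the error rate, so a patient transmitter can repeat or error-correct; coarsening the clock so that both paths report the same duration is what drives the capacity to zero, at the price of every timing measurement on the system becoming that coarse.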

Channels in Distributed Systems

Even with encrypted transmissions, we can covertly signal data to a third-party observer by [see page 38, modulating]:

  • destination addresses
  • message lengths
  • timing of messages
  • access to the medium (eg. Ethernet)