Loading AI tools
Computer security attack From Wikipedia, the free encyclopedia
In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Butler Lampson, is defined as channels "not intended for information transfer at all, such as the service program's effect on system load," to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC.[1]
A covert channel is so called because it is hidden from the access control mechanisms of secure operating systems since it does not use the legitimate data transfer mechanisms of the computer system (typically, read and write), and therefore cannot be detected or controlled by the security mechanisms that underlie secure operating systems. Covert channels are exceedingly hard to install in real systems, and can often be detected by monitoring system performance. In addition, they suffer from a low signal-to-noise ratio and low data rates (typically, on the order of a few bits per second). They can also be removed manually with a high degree of assurance from secure systems by well established covert channel analysis strategies.
Covert channels are distinct from, and often confused with, legitimate channel exploitations that attack low-assurance pseudo-secure systems using schemes such as steganography or even less sophisticated schemes to disguise prohibited objects inside of legitimate information objects. The legitimate channel misuse by steganography is specifically not a form of covert channel.[citation needed]
Covert channels can tunnel through secure operating systems and require special measures to control. Covert channel analysis is the only proven way to control covert channels.[citation needed] By contrast, secure operating systems can easily prevent misuse of legitimate channels, so distinguishing both is important. Analysis of legitimate channels for hidden objects is often misrepresented as the only successful countermeasure for legitimate channel misuse. Because this amounts to analysis of large amounts of software, it was shown as early as 1972 to be impractical.[2] Without being informed of this, some are misled to believe an analysis will "manage the risk" of these legitimate channels.
The Trusted Computer Security Evaluation Criteria (TCSEC) was a set of criteria, now deprecated, that had been established by the National Computer Security Center, an agency managed by the United States' National Security Agency.
Lampson's definition of a covert channel was paraphrased in the TCSEC[3] specifically to refer to ways of transferring information from a higher classification compartment to a lower classification. In a shared processing environment, it is difficult to completely insulate one process from the effects another process can have on the operating environment. A covert channel is created by a sender process that modulates some condition (such as free space, availability of some service, wait time to execute) that can be detected by a receiving process.
The TCSEC defines two kinds of covert channels:
The TCSEC, also known as the Orange Book,[4] requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3.
The use of delays between packets transmitted over computer networks was first explored by Girling[5] for covert communication. This work motivated many other works to establish or detect a covert communication and analyze the fundamental limitations of such scenarios.
Ordinary things, such as existence of a file or time used for a computation, have been the medium through which a covert channel communicates. Covert channels are not easy to find because these media are so numerous and frequently used.
Two relatively old techniques remain the standards for locating potential covert channels. One works by analyzing the resources of a system and other works at the source-code level.
The possibility of covert channels cannot be eliminated,[2] although it can be significantly reduced by careful design and analysis.
The detection of a covert channel can be made more difficult by using characteristics of the communications medium for the legitimate channel that are never controlled or examined by legitimate users. For example, a file can be opened and closed by a program in a specific, timed pattern that can be detected by another program, and the pattern can be interpreted as a string of bits, forming a covert channel. Since it is unlikely that legitimate users will check for patterns of file opening and closing operations, this type of covert channel can remain undetected for long periods.
A similar case is port knocking. In usual communications the timing of requests is irrelevant and unwatched. Port knocking makes it significant.
Handel and Sandford presented research where they study covert channels within the general design of network communication protocols.[6] They employ the OSI model as a basis for their development in which they characterize system elements having potential to be used for data hiding. The adopted approach has advantages over these because standards opposed to specific network environments or architectures are considered.
Their study does not aim to present foolproof steganographic schemes. Rather, they establish basic principles for data hiding in each of seven OSI layers. Besides suggesting the use of the reserved fields of protocols headers (that are easily detectable) at higher network layers, they also propose the possibility of timing channels involving CSMA/CD manipulation at the physical layer.
Their work identifies covert channel merit such as:
Their covert channel analysis does not consider issues such as interoperability of these data hiding techniques with other network nodes, covert channel capacity estimation, effect of data hiding on the network in terms of complexity and compatibility. Moreover, the generality of the techniques cannot be fully justified in practice since the OSI model does not exist per se in functional systems.
As Girling first analyzes covert channels in a network environment. His work focuses on local area networks (LANs) in which three obvious covert channels (two storage channel and one timing channel) are identified. This demonstrates the real examples of bandwidth possibilities for simple covert channels in LANs. For a specific LAN environment, the author introduced the notion of a wiretapper who monitors the activities of a specific transmitter on LAN. The covertly communicating parties are the transmitter and the wiretapper. The covert information according to Girling can be communicated through any of following obvious ways:
The scenario transmits covert information through a "when-is-sent" strategy therefore termed as timing covert channel. The time to transmit a block of data is calculated as function of software processing time, network speed, network block sizes and protocol overhead. Assuming block of various sizes are transmitted on the LAN, software overhead is computed on average and novel time evaluation is used to estimate the bandwidth (capacity) of covert channels are also presented. The work paves the way for future research.
Focusing on the IP and TCP headers of TCP/IP Protocol suite, an article published by Craig Rowland devises proper encoding and decoding techniques by utilizing the IP identification field, the TCP initial sequence number and acknowledge sequence number fields.[7] These techniques are implemented in a simple utility written for Linux systems running version 2.0 kernels.
Rowland provides a proof of concept as well as practical encoding and decoding techniques for exploitation of covert channels using the TCP/IP protocol suite. These techniques are analyzed considering security mechanisms like firewall network address translation.
However, the non-detectability of these covert communication techniques is questionable. For instance, a case where sequence number field of TCP header is manipulated, the encoding scheme is adopted such that every time the same alphabet is covertly communicated, it is encoded with the same sequence number.
Moreover, the usages of sequence number field as well as the acknowledgment field cannot be made specific to the ASCII coding of English language alphabet as proposed, since both fields take into account the receipt of data bytes pertaining to specific network packet(s).
After Rowland, several authors in academia published more work on covert channels in the TCP/IP protocol suite, including a plethora of countermeasures ranging from statistical approaches to machine learning.[8][9][10][11] The research on network covert channels overlaps with the domain of network steganography, which emerged later.
Seamless Wikipedia browsing. On steroids.
Every time you click a link to Wikipedia, Wiktionary or Wikiquote in your browser's search results, it will show the modern Wikiwand interface.
Wikiwand extension is a five stars, simple, with minimum permission required to keep your browsing private, safe and transparent.