may 26 covert channels
play

May 26: Covert Channels Covert channels Composition of policies - PowerPoint PPT Presentation

Oct 12, 2022 •40 likes •370 views

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

  1. May 26: Covert Channels • Covert channels • Composition of policies – Problem – Deterministic Noninterference – Nondeducibility – Generalized Noninterference – Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

  2. Measuring Capacity • Intuitively, difference between unmodulated, modulated channel – Normal uncertainty in channel is 8 bits – Attacker modulates channel to send information, reducing uncertainty to 5 bits – Covert channel capacity is 3 bits • Modulation in effect fixes those bits May 26, 2017 ECS 235B Spring Quarter 2017 Slide #2

  3. Formally • Inputs: – A input from Alice (sender) – V input from everyone else – X output of channel • Capacity measures uncertainty in X given A • In other terms: maximize I ( A ; X ) = H ( X ) – H ( X | A ) with respect to A May 26, 2017 ECS 235B Spring Quarter 2017 Slide #3

  4. Example • If A , V independent, p = p ( A =0), q = p ( V =0): – p ( A =0, V =0) = pq – p ( A =1, V =0) = (1– p ) q – p ( A =0, V =1) = p (1– q ) – p ( A =1, V =1) = (1– p )(1– q ) • So – p ( X =0) = p ( A =0, V =0) + p ( A =1, V =1) = pq + (1– p )(1– q ) – p ( X =1) = p ( A =0, V =1) + p ( A =1, V =0) = (1– p ) q + p (1– q ) May 26, 2017 ECS 235B Spring Quarter 2017 Slide #4

  5. More Example • Also: – p ( X =0| A =0) = q – p ( X =0| A =1) = 1– q – p ( X =1| A =0) = 1– q – p( X =1| A =1) = q • So you can compute: – H ( X ) = –[(1– p ) q + p (1– q )] lg [(1– p ) q + p (1– q )] – H ( X | A ) = – q lg q – (1– q ) lg (1– q ) – I ( A ; X ) = H ( X )– H ( X | A ) May 26, 2017 ECS 235B Spring Quarter 2017 Slide #5

  6. I ( A ; X ) I ( A ; X ) = – [ pq + (1 – p )(1 – q )] lg [ pq + (1 – p )(1 – q )] – [(1 – p ) q + p (1 – q )] lg [(1 – p ) q + p (1 – q )] + q lg q + (1 – q ) lg (1 – q ) • Maximum when p = 0.5; then I ( A ; X ) = 1 + q lg q + (1– q ) lg (1– q ) = 1– H ( V ) • So, if V constant, q = 0, and I ( A ; X ) = 1 • Also, if q = p = 0.5, I ( A ; X ) = 0 May 26, 2017 ECS 235B Spring Quarter 2017 Slide #6

  7. Analyzing Capacity • Assume a noisy channel • Examine covert channel in MLS database that uses replication to ensure availability – 2-phase commit protocol ensures atomicity – Coordinator process manages global execution – Participant processes do everything else May 26, 2017 ECS 235B Spring Quarter 2017 Slide #7

  8. How It Works • Coordinator sends message to each participant asking whether to abort or commit transaction – If any says “abort”, coordinator stops • Coordinator gathers replies – If all say “commit”, sends commit messages back to participants – If any says “abort”, sends abort messages back to participants – Each participant that sent commit waits for reply; on receipt, acts accordingly May 26, 2017 ECS 235B Spring Quarter 2017 Slide #8

  9. Exceptions • Protocol times out, causing party to act as if transaction aborted, when: – Coordinator doesn’t receive reply from participant – Participant who sends a commit doesn’t receive reply from coordinator May 26, 2017 ECS 235B Spring Quarter 2017 Slide #9

  10. Covert Channel Here • Two types of components – One at Low security level, other at High • Low component begins 2-phase commit – Both High , Low components must cooperate in the 2-phase commit protocol • High sends information to Low by selectively aborting transactions – Can send abort messages – Can just not do anything May 26, 2017 ECS 235B Spring Quarter 2017 Slide #10

  11. Note • If transaction always succeeded except when High component sending information, channel not noisy – Capacity would be 1 bit per trial – But channel noisy as transactions may abort for reasons other than the sending of information May 26, 2017 ECS 235B Spring Quarter 2017 Slide #11

  12. Analysis • X random variable: what High user wants to send – Assume abort is 1, commit is 0 – p = p ( X = 0) probability High sends 0 • A random variable: what Low receives – For noiseless channel X = A • n + 2 users – Sender, receiver, n others – q probability of transaction aborting at any of these n users May 26, 2017 ECS 235B Spring Quarter 2017 Slide #12

  13. Basic Probabilities • Probabilities of receiving given sending – p ( A =0 | X =0) = (1– q ) n – p ( A =1 | X =0) = 1 – (1– q ) n – p ( A =0 | X =1) = 0 – p ( A =1 | X =1) = 1 • So probabilities of receiving values: – p ( A =0) = p (1– q ) n – p ( A =1) = 1 – p (1– q ) n May 26, 2017 ECS 235B Spring Quarter 2017 Slide #13

  14. More Probabilities • Given sending, what is receiving? – p ( X =0 | A =0) = 1 – p ( X =1 | A =0) = 0 – p ( X =0 | A =1) = p [1–(1– q ) n ] / [1– p (1– q ) n ] – p ( X =1 | A =1) = (1– p ) / [1– p (1– q ) n ] May 26, 2017 ECS 235B Spring Quarter 2017 Slide #14

  15. Entropies • H ( X ) = – p lg p – (1– p ) lg (1– p ) • H ( X | A ) = – p [1–(1– q ) n ] lg p – p [1–(1– q ) n ] lg [1–(1– q ) n ] + [1– p (1– q ) n ] lg [1– p (1– q ) n ] – (1– p ) lg (1– p ) • I(A;X) = – p (1– q ) n lg p + p [1–(1– q ) n ] lg [1–(1– q ) n ] – [1– p (1– q ) n ] lg [1– p (1– q ) n ] May 26, 2017 ECS 235B Spring Quarter 2017 Slide #15

  16. Capacity • Maximize this with respect to p (probability that High sends 0) – Notation: m = (1– q ) n , M = (1– m ) (1– m ) – Maximum when p = M / ( Mm +1) • Capacity is: I ( A ; X ) = Mm lg p + M (1– m ) lg (1– m ) + lg ( Mm +1) ( Mm +1) May 26, 2017 ECS 235B Spring Quarter 2017 Slide #16

  17. Mitigation of Covert Channels • Problem: these work by varying use of shared resources • One solution – Require processes to say what resources they need before running – Provide access to them in a way that no other process can access them • Cumbersome – Includes running (CPU covert channel) – Resources stay allocated for lifetime of process May 26, 2017 ECS 235B Spring Quarter 2017 Slide #17

  18. Alternate Approach • Obscure amount of resources being used – Receiver cannot distinguish between what the sender is using and what is added • How? Two ways: – Devote uniform resources to each process – Inject randomness into allocation, use of resources May 26, 2017 ECS 235B Spring Quarter 2017 Slide #18

  19. Uniformity • Variation of isolation – Process can’t tell if second process using resource • Example: KVM/370 covert channel via CPU usage – Give each VM a time slice of fixed duration – Do not allow VM to surrender its CPU time • Can no longer send 0 or 1 by modulating CPU usage May 26, 2017 ECS 235B Spring Quarter 2017 Slide #19

  20. Randomness • Make noise dominate channel – Does not close it, but makes it useless • Example: MLS database – Probability of transaction being aborted by user other than sender, receiver approaches 1 • q → 1 – I ( A ; X ) → 0 – How to do this: resolve conflicts by aborting increases q , or have participants abort transactions randomly May 26, 2017 ECS 235B Spring Quarter 2017 Slide #20

  21. Problem: Loss of Efficiency • Fixed allocation, constraining use – Wastes resources • Increasing probability of aborts – Some transactions that will normally commit now fail, requiring more retries • Policy: is the inefficiency preferable to the covert channel? May 26, 2017 ECS 235B Spring Quarter 2017 Slide #21

  22. Example • Goal: limit covert timing channels on VAX/VMM • “ Fuzzy time ” reduces accuracy of system clocks by generating random clock ticks – Random interrupts take any desired distribution – System clock updates only after each timer interrupt – Kernel rounds time to nearest 0.1 sec before giving it to VM • Means it cannot be more accurate than timing of interrupts May 26, 2017 ECS 235B Spring Quarter 2017 Slide #22

  23. Example • I/O operations have random delays • Kernel distinguishes 2 kinds of time: – Event time (when I/O event occurs) – Notification time (when VM told I/O event occurred) • Random delay between these prevents VM from figuring out when event actually occurred) • Delay can be randomly distributed as desired (in security kernel, it ’ s 1–19ms) – Added enough noise to make covert timing channels hard to exploit May 26, 2017 ECS 235B Spring Quarter 2017 Slide #23

  24. Improvement • Modify scheduler to run processes in increasing order of security level – Now we ’ re worried about “ reads up ” , so … • Countermeasures needed only when transition from dominating VM to dominated VM – Add random intervals between quanta for these transitions May 26, 2017 ECS 235B Spring Quarter 2017 Slide #24

  25. The Pump • Tool for controlling communications path between High and Low communications buffer Low High buffer buffer Low process High process May 26, 2017 ECS 235B Spring Quarter 2017 Slide #17-25

  26. Details • Communications buffer of length n – Means it can hold up to n messages • Messages numbered • Pump ACKs each message as it is moved from High ( Low ) buffer to communications buffer • If pump crashes, communications buffer preserves messages – Processes using pump can recover from crash May 26, 2017 ECS 235B Spring Quarter 2017 Slide #26

Recommend

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Chupja Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1

627 views • 38 slides
COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

784 views • 18 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet Austin, TX Lawrence Berkeley National Laboratory Sept, 13, 2016 Table of Contents Introduction Something Important Part 1: Multi-Notice

862 views • 52 slides
Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo Barradas PhD Stage: Planner Advisors: Prof. Lus Rodrigues & Prof. Nuno Santos Research Area: Privacy-Enhancing Technologies Diogo Barradas - EuroSys

395 views • 15 slides
Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard Kramer Technical University of Munich Institute for Communications Engineering ISIT 2020 Covert Communication Covert Communication vs. Secrecy:

269 views • 16 slides
Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The Humble Keylogger Malware Malicious Hardware In-Cable Devices Malicious Keyboards Supply Chain Attacks Malicious BIOS

591 views • 14 slides
PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN KENTON.BORN@GMAIL.COM Black Hat USA 2010 GREATEST CAPTCHA EVER Las Vegas, casino floor Wi-Fi (4/6/10) ROADMAP DNS Refresher Covert Channels DNS Tunnels My

435 views • 42 slides
Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer

Outline Side and covert channels Transient execution CSci 5271 Introduction to Computer Security Transient execution and kernel isolation: Meltdown Day 11: Side Channels and Transient Execution Stephen McCamant Transient execution and kernel

496 views • 4 slides
Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels Ben Adida C. Andrew Neff EVT / WOTE August 11th, 2009 Montreal, Canada Andy uses a voting machine to prepare a ballot. Andy wants to verify that the machine properly

637 views • 32 slides
Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271

Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271

Outline Transient execution covert channels (contd) OS trust and assurance CSci 5271 Introduction to Computer Security Announcements intermission Transient Execution, OS Assurance, and Networks Brief introduction to networking Stephen

554 views • 7 slides

More recommend