
Covert Channels: The Hidden Threat

R. Trimble, W. Oblitey, S. Ezekiel, J. Wolfe
Covert Channels Research Group
IUP Computer Science Department
319 Stright Hall
IUP, Indiana PA 15705
lqkl, oblitey, sezekiel, [email protected]

Information integrity has been a growing concern since information was first written down. Now information is available to whoever knows where to get it. The rise of technology has allowed users without proper clearance to access information that was previously unreachable. As technology advances, so does the number of methods to steal data. Many of these methods can be executed without the system administrator knowing it. These kinds of data compromises, known as covert channels, are a problem system administrators have been trying to stop for years. In this paper we present an overview of covert channels to provide a better understanding that could help security professionals find and prevent these channels from compromising their systems.

KEY WORDS

Covert Channels, Data Integrity, Security, Networks, Systems

1. Introduction

In recent years there have been many threats to the security of networks and systems, including viruses, Trojan horses, and various other exploits. These threats have kept security professionals busy. For these reasons, covert channels were overlooked or deemed less important, a low priority. Covert channels, neither new nor insignificant, have compromised the integrity and confidentiality of many systems. According to a US Department of Defense publication [1], a covert channel is any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy. The word covert literally means hidden [2]. This implies that the system administrator is not aware the channel even exists. The best example of this is the famous prisoners' problem [3]. Alice and Bob were prisoners who needed to communicate with each other. However, the warden reads all messages. So they devised a plan using the length of words as their covert channel: a word with an even number of letters means 1, and a word with an odd number of letters means 0. The warden would see a message that looked harmless, but in fact there is a hidden meaning in it. This leaves the warden with two options: one, let the message be sent to the recipient; two, do not deliver the message. Following this introduction, we briefly give an overview of covert channels, why they are used, the types of channels, and covert channel analysis. Section 3 is our conclusion.

2. Overview of Covert Channels

In this section we describe covert channels, why they are used, the different types, and covert channel analysis.
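A toy model of the prisoners' problem word-length channel described in the introduction, together with the warden's third option from section 2.3 (rewriting words without changing the meaning), as an added example that is not part of the original paper; the vocabulary, synonym table and messages are constructed for the illustration:

```python
"""Toy model of the prisoners' problem [3]: Alice hides one bit in the parity of
each word's length, Bob reads the parities back, and the warden applies the
third option from section 2.3 (rewrite words, keep the meaning).  Vocabulary,
synonym table and messages are constructed for this illustration."""
import random

# Constructed vocabulary Alice draws from, grouped by the parity of the length.
VOCAB = {"0": ["the", "big", "quick", "and", "our"],      # odd length  -> bit 0
         "1": ["send", "food", "cold", "mail", "supper"]}  # even length -> bit 1

# Constructed synonym table for the warden: each replacement keeps the sense of
# the word but has the opposite length parity, so the hidden bit is flipped.
SYNONYMS = {"big": "huge", "quick": "fast", "food": "meals",
            "mail": "letters", "cold": "icy", "send": "forward"}


def word_bit(word: str) -> str:
    """Even number of letters encodes 1, odd encodes 0 (punctuation ignored)."""
    return "1" if len(word.strip(".,!?;:")) % 2 == 0 else "0"


def encode(bits: str, seed: int = 0) -> str:
    """Alice: for every bit choose a word whose length has the matching parity."""
    rng = random.Random(seed)
    return " ".join(rng.choice(VOCAB[b]) for b in bits)


def decode(message: str) -> str:
    """Bob, or the warden once he suspects the channel: read the parities back."""
    return "".join(word_bit(w) for w in message.split())


def paraphrase(message: str) -> str:
    """Warden's third option: swap every known word for its listed synonym."""
    return " ".join(SYNONYMS.get(w, w) for w in message.split())


def bit_errors(sent: str, received: str) -> int:
    """Positions where Bob's decoded bits differ from what Alice intended."""
    return sum(a != b for a, b in zip(sent, received)) + abs(len(sent) - len(received))


if __name__ == "__main__":
    secret = "1001011"
    covert = encode(secret)
    print("Alice writes:", covert, "-> Bob reads", decode(covert),
          "errors:", bit_errors(secret, decode(covert)))
    rewritten = paraphrase(covert)
    print("Warden sends:", rewritten, "-> Bob reads", decode(rewritten),
          "errors:", bit_errors(secret, decode(rewritten)))
```

A warden who always makes the same swaps flips bits predictably, so in practice the rewriting has to be unpredictable to the prisoners for the channel to stay broken.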

2.1 What are Covert Channels

A covert channel exists when a channel is used to transmit data against the design or the system's security policy. This definition is extremely broad for a reason: when dealing with covert channels there is not only a technological factor but a human factor as well. In order for a covert channel to be used, someone or something must be present to transmit the data. This presence is most often a Trojan horse or some other malicious software or script that exists on the system intended to be compromised, without the system administrator's knowledge [4]. This is where the human factor plays a role. The malicious code, if present, had to be put there by someone. That person could have access to the system but want higher access, or they could be an outsider with no access at all. If no malicious code is present, then someone inside is doing the transmitting. In this case, the receiving end needs to know how to decipher the data that is transmitted. A good example is the prisoners' problem [3]: the prisoner Alice needed to send Bob a message, and Bob had to be able to decipher the code, the length of the words.

2.2 Why are Covert Channels Used

Covert channels are used because they are not easily detected [2]. Any system can be attacked and have data stolen, but this brute-force method leaves evidence that an attack occurred [4]. It also identifies what was taken. The next time that attack is used, the system administrators would know it and take measures to prevent the attacker from achieving its goal. Covert channels allow data to be taken without a forceful one-time attack. Information is transmitted over a period of time, making the method useless for quick data retrieval. However, this method allows the attacker to continue to receive up-to-date information and retrieve more data.

2.2 Types of Covert Channels

There are many types of covert channels, such as embedded channels, storage channels, timing channels, steganography, and encryption. The most basic type of covert channel is encryption [2]. Encryption is not considered a good covert channel because it can still be detected: if someone knows where to look, this channel can be detected, just not read. Only someone who has the appropriate key can decode the data; without the key it is very hard to crack the encryption algorithm. This is known as the baby hacker method. Hiding data in a data channel is obvious. A less obvious method is to hide data in a credible data stream, so that the traffic looks non-covert. These types of channels are called subliminal channels. A storage channel [5] occurs when one process directly or indirectly writes an object in a storage location while another process directly or indirectly observes the effect. This object can already exist or be created, and any attribute or data of the object can be manipulated. A timing channel [5], similar to a storage channel, requires the use of time: the time or frequency of the writes and reads is what gives this channel its name. Timing channels do not always require reading and writing; the system's processes can also be monitored. Embedded channels [2] are a relatively easy way to conceal data. This process involves using places that firewalls and other security devices do not look, for example the bits of the TCP header that are not used. Steganography [5] is the process of hiding an object inside another object. This is done by bit manipulation. When done correctly, this process is virtually undetectable by anyone who sees the host file. Because of this, steganography is potentially the best and most dangerous covert channel available.

2.3 Covert Channel Analysis

Covert channel analysis is difficult to perform. A channel is only considered malicious if it is prohibited by the security policy. The best way to perform this analysis is by determining whether a covert channel can occur. In order for one to occur, several conditions must be met [6]: the sender and receiver of the covert channel must be able to communicate across the system or network, and that communication is not allowed under the security policy; something accessible to both sender and receiver is alterable; and the sender and receiver are able to synchronize their operations so that information flow can take place. If these are met, the next step is to determine the best method of transmission, protocol or application. The manipulated version of the transmission must not seriously affect, or be affected by, normal system operations or traffic. If that happens, the traffic would exhibit overtly anomalous characteristics that would be detectable, or packets could be dropped. The signal-to-noise ratio must be acceptable or the data could arrive unreadable. The covert channel must have sufficient permissions to operate on the target system; for example, on a Linux machine the covert channel might need root privileges to send data. Once a potential covert channel is identified, steps can be taken to eliminate or hinder its functionality. Performing a good analysis means accepting not only that a covert channel might exist, but that it does exist. The warden [3], in the prisoners' problem, must now consider the possibility that a covert channel does exist and devise a way to prevent it. This leaves a third option: change the words in the message without changing the meaning of the host message. This will make it very difficult for the prisoners to communicate using their current covert channel.

3. Conclusion

This paper presented an overview of covert channels and the risk they present to the integrity of the system. Covert channels, from encryption to steganography, are a threat to any system. Covert channels can be used on computers in the same network, different networks, or within a single multilevel computer system. Knowledge of covert channels can help system administrators perform a good analysis of their systems to find and prevent such compromises of data.

4. Acknowledgements

The authors would like to thank the IUP Computer Science Department for allowing the creation of the Covert Channels Research Group. Thanks are also due to Department Chairman Mr. James Wolfe, Dr. William Oblitey, and Dr. Soundararajan Ezekiel for their knowledge and great leadership in the research group. Thanks are also given to Michael McFail, Kathleen Reiland, and Eric Pennington for being productive research group members.

References:

[1] U.S. Department of Defense. Trusted Computer System Evaluation Criteria (The Orange Book). Publication DoD 5200.28-STD. Washington: GPO, 1985.

[2] C. J. Smith. Covert shells, 2000.

[3] G. J. Simmons. The Prisoners' Problem and the Subliminal Channel. CRYPTO '83, Advances in Cryptology, August 22-24, 1984, pp. 51-67.

[4] N. Proctor and P. Neumann. Architectural implementations of covert channels. Proceedings of the Fifteenth National Computer Security Conference, Baltimore, Maryland, 1998, p. 29.

[5] M. Owens. A discussion of covert channels and steganography, 2002.

[6] Shiuh-Pyng Shieh. Estimating and Measuring Covert Channel Bandwidth in Multilevel Secure Operating Systems. Journal of Information Science and Engineering, January 1999, pp. 91-106.