
Covert Channels: The Hidden Threat

R. Trimble, W. Oblitey, S. Ezekiel, J. Wolfe


Covert Channels Research Group
IUP Computer Science Department
319 Stright Hall
IUP, Indiana PA 15705
lqkl, oblitey, sezekiel, jlwolfe@iup.edu
ABSTRACT
Information integrity has been a growing concern since information was first written down. Now information is available to whoever knows where to get it. The rise of technology has allowed users without proper clearance access to information that was previously unreachable. As technology advances, the number of methods to steal data advances. Many of these methods can be executed without the system administrator knowing it. These kinds of data compromises, known as covert channels, are a problem system administrators have been trying to stop for years. In this paper we present an overview of covert channels to provide a better understanding that could help security professionals find and prevent these channels from compromising their systems.
KEY WORDS
Covert Channels, Data Integrity, Security, Networks, Systems
1. Introduction
In recent years, there have been many threats to the security of networks and systems, including viruses, Trojan horses, and various other exploits. These threats have kept security professionals busy. For these reasons, covert channels were overlooked or deemed a low priority. Covert channels, neither new nor insignificant, have compromised the integrity and confidentiality of many systems. According to a US Department of Defense publication[1], a covert channel is defined as any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy. The word covert literally means that it is hidden[2]. This implies that the system administrator is not aware the channel even exists. The best example of this is the famous "prisoners' problem"[3]. Alice and Bob were prisoners who needed to communicate with each other. However, the warden reads all messages. So they devised a plan using the length of words as their covert channel. If a word has an even number of letters, it means 1. An odd number of letters means 0. The warden would see a message that looked harmless, but in fact there is a hidden meaning in it. This leaves the warden with two options: one, let the message be sent to the recipient; two, do not deliver the message. Following this introduction, we briefly give an overview of covert channels, why they are used, the types of channels, and covert channel analysis. Section 3 is our conclusion.
2. Overview of Covert Channels
In this section we describe covert channels, why they are used, the different types, and covert channel analysis.
2.1 What are Covert Channels
A covert channel exists when a channel is used to transmit data against the design or the system's security policy. This definition is extremely broad for a reason. When dealing with covert channels there is not only a technological factor but a human factor as well. In order for a covert channel to be used, someone or something must be present to transmit the data. This presence is most often a Trojan horse or some other malicious software or script that exists, without the system administrator's knowledge, on the system intended to be compromised[4]. This is where the human factor plays a role. The malicious code, if present, had to be put there by someone. That person could have access to the system but want higher access, or could be an outsider with no access at all. If no malicious code is present, then someone inside is doing the transmitting. In this case, the receiving end needs to know how to decipher what data is transmitted. A good example is the prisoners' problem[3]. The prisoner, Alice, needed to send Bob a message. Bob had to be able to decipher the code, the length of the words.
2.2 Why are Covert Channels Used
Covert channels are used because they are not easily detected[2]. Any system can be attacked and have data stolen. This brute force method leaves evidence that an attack occurred[4]. It also identifies what was taken. The next time that attack is used, the system administrators would recognize it and take measures to prevent the attacker from achieving their goal. Covert channels allow the taking of data without a forceful one-time attack. Information is transmitted over a period of time, which makes the channel useless for quick data retrieval. However, this method allows the attacker to continue to receive up-to-date information and retrieve more data.
2.2 Types of Covert Channels
There are many types of covert channels, such as embedded channels, storage channels, timing channels, steganography, and encryption. The most basic type of covert channel is encryption[2]. Encryption is not considered a good covert channel because it can still be detected. If someone knows where to look, this channel can be detected, just not read. Only someone who has the appropriate key can decode the method. Without the key it is very hard to crack the encryption algorithm. This is known as the "baby hacker method". It is obvious to hide data in a data channel. A less obvious method is to hide data in a credible data stream. This way the traffic looks non-covert. These types of channels are called subliminal channels. A storage channel[5] occurs when one process directly or indirectly writes an object in a storage location while another process directly or indirectly observes the effect. This object can already exist or be created, and any attribute or data from the object can be manipulated. A timing channel[5], similar to a storage channel, requires the use of time. The time or frequency of the writes and reads is what gives this channel its name. Timing channels do not always require reading and writing. The system's processes can also be monitored. Embedded channels[2] are a relatively easy way to conceal data. This process involves using places where firewalls and other security devices do not look. An example would be in the TCP header field where some bits are not used. Steganography[5] is the process of hiding an object inside another object. This is done by bit manipulation. When done correctly, this process is virtually undetectable by anyone who sees the host file. Because of this, steganography is potentially the best and most dangerous covert channel available.
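The embedded-channel case above (unused TCP header bits) can be checked for on the defender's side. The following is an added example, not code from the paper: it flags non-zero reserved bits and, going one step beyond the text, an urgent pointer sent without the URG flag. The function names and the sample headers are constructed for illustration.

```python
import struct

# Low nibble of header byte 12 is reserved in the TCP header. The ECN nonce
# (RFC 3540) once used the lowest bit, so treat the mask as a policy setting.
RESERVED_MASK = 0x0F
URG = 0x20

def build_header(reserved=0, flags=0x02, urg_ptr=0):
    """Constructed 20-byte TCP header (ports and sequence number are made up)."""
    offset_reserved = (5 << 4) | (reserved & RESERVED_MASK)  # data offset = 5 words
    return struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0,
                       offset_reserved, flags, 65535, 0, urg_ptr)

def unused_field_findings(segment):
    """List header fields that carry data where a conforming stack sends zero."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    (_sport, _dport, _seq, _ack, offset_reserved,
     flags, _window, _checksum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    findings = []
    reserved = offset_reserved & RESERVED_MASK
    if reserved:
        findings.append(f"reserved bits set: 0x{reserved:x}")
    if urg_ptr and not flags & URG:
        findings.append(f"urgent pointer 0x{urg_ptr:04x} without URG flag")
    return findings

if __name__ == "__main__":
    for label, seg in [("clean SYN", build_header()),
                       ("reserved bits", build_header(reserved=0x5)),
                       ("urgent pointer", build_header(urg_ptr=0x4142))]:
        print(label, unused_field_findings(seg))
```
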
2.3 Covert Channel Analysis
Covert channel analysis is difficult to perform. A channel is only considered malicious if it is prohibited by the security policy. The best way to perform this analysis is by determining if a covert channel can occur. In order for one to occur, several conditions must be met[6]. The sender and receiver of the covert channel must be able to communicate across the system or network, and that communication is not allowed under the security policy. Something accessible to both sender and receiver is alterable. The sender and receiver are able to synchronize their operations so that information flow can take place. If these are met, the next step is to determine the best method of transmission, protocol or application. The manipulated version of the transmission must not seriously affect or be affected by normal system operations or the traffic. If that happens, the traffic would exhibit overt anomalous characteristics that would be detectable, or packets could be dropped. The signal-to-noise ratio must be acceptable or the data could arrive unreadable. The covert channel must have sufficient permissions to operate on the target system. For example, on a Linux machine the covert channel might need root privileges to send data. Once a potential covert channel is identified, steps can be taken to eliminate or hinder its functionality. Performing a good analysis means accepting not only that a covert channel might exist, but that it does exist. The warden[3], in the "prisoners' problem," must now consider the possibility that a covert channel does exist and devise a way to prevent it. This leaves a third option: change the words in the message so as not to change the meaning of the host message. This will make it very difficult for the prisoners to communicate using their current covert channel.
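The warden's third option, applied to the word-length parity channel from the introduction, is shown here as an added example that is not part of the original paper. The synonym table, function names and sample messages are constructed; a real normalizer would need a far larger paraphrase source.

```python
import re

WORD = re.compile(r"[A-Za-z]+")

def parity_bits(message):
    """Receiver's rule from the paper: even-length word -> 1, odd-length -> 0."""
    return [1 if len(w) % 2 == 0 else 0 for w in WORD.findall(message)]

# Constructed synonym groups; the first word of each group is the canonical form.
SYNONYM_GROUPS = [("mother", "mom"), ("good", "great"),
                  ("food", "meals"), ("soon", "shortly")]
CANONICAL = {word: group[0] for group in SYNONYM_GROUPS for word in group}

def normalize(message):
    """Warden's third option: rewrite every known word to its canonical synonym,
    so the sender's choice between synonyms no longer reaches the receiver."""
    def swap(match):
        word = match.group(0)
        canonical = CANONICAL.get(word.lower())
        if canonical is None:
            return word                      # not in the table: passes unchanged
        return canonical.capitalize() if word[0].isupper() else canonical
    return WORD.sub(swap, message)

def uncontrolled_words(message):
    """Words outside the table still carry one bit each (residual capacity)."""
    return [w for w in WORD.findall(message) if w.lower() not in CANONICAL]

if __name__ == "__main__":
    # Two constructed messages with the same meaning but different hidden bits.
    for msg in ("Mom sends great meals shortly.", "Mother sends good food soon."):
        cleaned = normalize(msg)
        print(parity_bits(msg), "->", cleaned, parity_bits(cleaned))
    print("residual:", uncontrolled_words("Mom sends great meals shortly."))
```

Both sample messages leave the warden as the same text, so the receiver decodes the same bits whatever the sender encoded; the word the table does not cover shows where capacity remains.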

3. Conclusion
This paper presented an overview of covert channels and the risk they present to the integrity of the system. Covert channels, from encryption to steganography, are a threat to any system. Covert channels can be used on computers in the same network, different networks, or within a single multilevel computer system. Knowledge of covert channels can help system administrators perform a good analysis of their systems to find and prevent such compromises of data.
4. Acknowledgements
The authors would like to thank the IUP Computer Science Department for allowing the creation of the Covert Channels Research Group. Thanks are also due to Department Chairman Mr. James Wolfe, Dr. William Oblitey, and Dr. Soundararajan Ezekiel for their knowledge and great leadership in the research group. Thanks are also given to Michael McFail, Kathleen Reiland, and Eric Pennington for being productive research group members.
References:
[1] U.S. Department of Defense. Trusted Computer System Evaluation The Orange Book. Publication DoD 5200.28-STD. Washington: GPO 1985
[2] C. J. Smith. Covert shells, 2000.
[3] Simmons, Gustavus J. Prisoners' Problem and the Subliminal Channel, CRYPTO83 - Advances in Cryptology, August 22-24. 1984. pp. 51-67.
[4] N. Proctor & P. Neumann, Architectural implementations of covert channels. Proceedings of the Fifteenth National Computer Security Conference Baltimore, Maryland, 1998, 29.
[5] M. Owens. A discussion of covert channels and steganography, 2002.
[6] Shiuh-Pyng Shieh (1999) "Estimating and Measuring Covert Channel Bandwidth in Multilevel Secure Operating Systems" Journal of Information Science and Engineering January 1999, pp. 91-106
