Covert Channels Research Group
IUP Computer Science Department
319 Stright Hall
IUP, Indiana PA 15705
lqkl, oblitey, sezekiel, jlwolfe@iup.edu

ABSTRACT
Information integrity, since information was first written down, has been a growing concern. Information is now available to whoever knows where to get it. The rise of technology has allowed users without proper clearance access to information that was previously unreachable. As technology advances, the number of methods to steal data increases. Many of these methods can be executed without the system administrator knowing it. These kinds of data compromises, known as covert channels, are a problem system administrators have been trying to stop for years. In this paper we present an overview of covert channels to provide a better understanding that could help security professionals find and prevent these channels from compromising their systems.

KEY WORDS
Covert Channels, Data Integrity, Security, Networks, Systems

1. Introduction
In recent years, there have been many threats to the security of networks and systems, including viruses, Trojan horses, and other various exploits. These threats have kept security professionals busy. For these reasons, covert channels were overlooked or deemed not as important, a low priority. Covert channels, not new or insignificant, have compromised the integrity and confidentiality of many systems.

According to a US Department of Defense publication [1], a covert channel is defined as any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy. The word covert literally means that it is hidden [2]. This implies that the system administrator is not aware the channel even exists.

The best example of this is the famous "prisoners' problem" [3]. Alice and Bob were prisoners who needed to communicate with each other. However, the warden reads all messages. So they devised a plan using the length of words as their covert channel.
If a word has an even number of letters then it means 1. An odd number of letters means 0. The warden would see a message that looked harmless, but in fact, there is a hidden meaning in it. This leaves the warden with two options: one, let the message be sent to the recipient; two, do not deliver the message.

Following this introduction, we briefly give the overview of covert channels, why they are used, the types of channels, and covert channel analysis. Section 3 is our conclusion.

2. Overview of Covert Channels
In this section we describe covert channels, why they are used, the different types, and covert channel analysis.

2.1 What are Covert Channels
A covert channel exists when a channel is used to transmit data against the design or the system's security policy. This definition is extremely broad for a reason. When dealing with covert channels there is not only a technological factor but a human factor as well. In order for a covert channel to be used, someone or something must be present to transmit the data. This presence is most often a Trojan horse or some other malicious software or script that exists on the system intended to be compromised without the system administrator's knowledge [4].

This is where the human factor plays a role. The malicious code, if present, had to be put there by someone. That person could have access to the system but just want higher access, or could be an outsider with no access at all. Also, if no malicious code is present, then someone inside is doing the transmitting. In this case, the receiving end needs to know how to decipher what data is transmitted. A good example is the prisoners' problem [3]. The prisoner, Alice, needed to send Bob a message. Bob had to be able to decipher the code, the length of the words.

2.2 Why are Covert Channels Used
Covert channels are used because they are not easily detected [2]. Any system can be attacked and have data stolen. This brute force method leaves evidence that an attack occurred [4].
It also identifies what was taken. The next time that attack is used, the system administrators would know it and take measures to prevent the attacker from achieving its goal. Covert channels allow the taking of data without a forceful one-time attack. Information is transmitted over a period of time, making it useless for quick data retrieval. However, this method allows the attacker to continue to receive up-to-date information and retrieve more data.

2.2 Types of Covert Channels
There are many types of covert channels, such as embedded channels, storage channels, timing channels, steganography, and encryption.

The most basic type of covert channel is encryption [2]. Encryption is not considered a good covert channel because it can still be detected. If someone knows where to look, this channel can be detected, just not read. Only someone who has the appropriate key can decode the method. Without the key it is very hard to crack the encryption algorithm. This is known as the "baby hacker method". It is obvious to hide data in a data channel. A less obvious method is to hide data in a credible data stream. This way the traffic looks non-covert. These types of channels are called subliminal channels.

A storage channel [5] occurs when one process directly or indirectly writes an object in a storage location while another process directly or indirectly observes the effect. This object can already exist or be created, and any attribute or data from the object can be manipulated.

A timing channel [5], similar to a storage channel, requires the use of time. The time or frequency of the writes and reads is what gives this channel its name. Timing channels do not always require reading and writing. The system's processes can also be monitored.

Embedded channels [2] are a relatively easy way to conceal data. This process involves using places firewalls and other security devices do not look. An example would be in the TCP header field where some bits are not used.
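The check a security device can make for the embedded channel just described, as an added example that is not part of the original paper. It assumes the RFC 9293 header layout (four reserved bits after the data offset) and goes slightly beyond the paper's case by also flagging an urgent pointer sent without the URG flag; the function names and sample headers are constructed.

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte

def build_header(flags, reserved=0, urg_ptr=0):
    """Constructed sample input: a 20-byte TCP header without options."""
    off_rsv = (5 << 4) | (reserved & 0x0F)  # data offset 5 words + 4 reserved bits
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0,
                       off_rsv, flags, 65535, 0, urg_ptr)

def audit(hdr):
    """List the unused header fields that carry non-zero data."""
    if len(hdr) < 20:
        return ["truncated header"]
    off_rsv, flags = hdr[12], hdr[13]
    (urg_ptr,) = struct.unpack("!H", hdr[18:20])
    findings = []
    if off_rsv & 0x0F:
        findings.append(f"reserved bits set: {off_rsv & 0x0F:#06b}")
    if urg_ptr and not flags & URG:
        findings.append(f"urgent pointer {urg_ptr:#06x} set without URG")
    return findings

def scrub(hdr):
    """Zero the unused fields, as a normalizing firewall would.
    A real device must also recompute the TCP checksum afterwards."""
    out = bytearray(hdr)
    out[12] &= 0xF0                 # clear the four reserved bits
    if not out[13] & URG:
        out[18:20] = b"\x00\x00"    # urgent pointer is meaningless without URG
    return bytes(out)

if __name__ == "__main__":
    SYN = 0x02
    samples = {
        "clean": build_header(SYN),
        "reserved": build_header(SYN, reserved=0b0101),
        "urgent": build_header(SYN, urg_ptr=0x4869),
    }
    for name, hdr in samples.items():
        print(name, audit(hdr), "-> after scrub:", audit(scrub(hdr)))
```

Flagging tells the analyst the channel may be in use; scrubbing removes its capacity whether or not anyone was using it.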
Steganography [5] is the process of hiding an object inside another object. This is done by bit manipulation. When done correctly, this process is virtually undetectable by anyone who sees the host file. Because of this, steganography is potentially the best and most dangerous covert channel available.

2.3 Covert Channel Analysis
Covert channel analysis is difficult to perform. A channel is only considered malicious if it is prohibited by the security policy. The best way to perform this analysis is by determining if a covert channel can occur. In order to occur, several conditions must be met [6]. The sender and receiver of the covert channel must be able to communicate across the system or network, and that communication is not allowed under the security policy. Something accessible to both sender and receiver is alterable. The sender and receiver are able to synchronize their operations so that information flow can take place.

If these are met, the next step is to determine the best method of transmission, protocol or application. The manipulated version of transmission must not seriously affect or be affected by normal system operations or the traffic. If that happens, the traffic would exhibit overt anomalous characteristics that would be detectable, or packets could be dropped. The signal-to-noise ratio must be acceptable or the data could arrive unreadable. The covert channel must have sufficient permissions to operate on the target system. For example, on a Linux machine, the covert channel might need root privileges to send data.

Once a potential covert channel is identified, steps can be taken to eliminate or hinder its functionality. Performing a good analysis means accepting not only that a covert channel might exist, but that it does exist. The warden [3], in the "prisoners' problem," must now consider the possibility that a covert channel does exist and devise a way to prevent it.
This leaves a third option: change the words in the message so as not to change the meaning of the host message. This will make it very difficult for the prisoners to communicate using their current covert channel.
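The word-length channel from the prisoners' problem and the warden's third option, as an added example that is not part of the original paper. The synonym pairs, the canonical-form thesaurus and the function names are constructed for illustration; the bit convention (even length means 1, odd means 0) is the one given in the introduction.

```python
import re

# Constructed synonym pairs: index 0 has an odd length (bit 0),
# index 1 has an even length (bit 1).
PAIRS = [("Hello", "Dear"), ("Bob", "Robert"), ("bring", "send"),
         ("large", "huge"), ("books", "novels"), ("quickly", "soon")]
WORD = re.compile(r"[A-Za-z]+")

def encode(bits):
    """Sender: for each word slot pick the synonym whose parity matches the bit."""
    if len(bits) != len(PAIRS) or set(bits) - {"0", "1"}:
        raise ValueError("need exactly one 0/1 per word slot")
    return " ".join(pair[int(b)] for pair, b in zip(PAIRS, bits))

def decode(message):
    """Receiver: even-length word -> 1, odd-length word -> 0."""
    return "".join("1" if len(w) % 2 == 0 else "0"
                   for w in WORD.findall(message))

# Warden's thesaurus (constructed): every known word maps to one canonical
# synonym, so the sender no longer controls the length of any covered word.
CANONICAL = {w: pair[0] for pair in PAIRS for w in pair}

def warden_rewrite(message):
    """Third option: reword the message without changing its meaning."""
    return WORD.sub(lambda m: CANONICAL.get(m.group(), m.group()), message)

if __name__ == "__main__":
    sent = encode("101101")
    print(sent, "->", decode(sent))            # channel intact
    passed = warden_rewrite(sent)
    print(passed, "->", decode(passed))        # channel destroyed
```

Because every hidden bit string maps to the same delivered text, the rewritten message carries no covert information on the covered words, while the overt request still reaches Bob.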
3. Conclusion
This paper presented an overview of covert channels and the risk they present to the integrity of the system. Covert channels, from encryption to steganography, are a threat to any system. Covert channels can be used on computers in the same network, different networks, or within a single multilevel computer system. Knowledge of covert channels can help system administrators perform a good analysis of their systems to find and prevent such compromises of data.

4. Acknowledgements
The authors would like to thank the IUP Computer Science Department for allowing the creation of the Covert Channels Research Group. Thanks are also due to Department Chairman Mr. James Wolfe, Dr. William Oblitey, and Dr. Soundararajan Ezekiel for their knowledge and great leadership in the research group. Thanks are also given to Michael McFail, Kathleen Reiland, and Eric Pennington for being productive research group members.

References:
[1] U.S. Department of Defense. Trusted Computer System Evaluation The Orange Book. Publication DoD 5200.28-STD. Washington: GPO 1985
[2] C. J. Smith. Covert shells, 2000.
[3] Simmons, Gustavus J. Prisoners' Problem and the Subliminal Channel, CRYPTO83 - Advances in Cryptology, August 22-24. 1984. pp. 51-67.
[4] N. Proctor & P. Neumann, Architectural implementations of covert channels. Proceedings of the Fifteenth National Computer Security Conference Baltimore, Maryland, 1998, 29.
[5] M. Owens. A discussion of covert channels and steganography, 2002.
[6] Shiuh-Pyng Shieh (1999) "Estimating and Measuring Covert Channel Bandwidth in Multilevel Secure Operating Systems" Journal of Information Science and Engineering January 1999, 091-106