Covert Channel PDF
Contents
Characteristics
TCSEC criteria
Timing Channels
Identifying covert channels
Eliminating covert channels
Data hiding in OSI model
Data hiding in LAN environment by covert channels
Data hiding in TCP/IP Protocol suite by covert channels
See also
References
Further reading
External links
Characteristics
A covert channel is so called because it is hidden from the access control
mechanisms of secure operating systems: it does not use the legitimate data
transfer mechanisms of the computer system (typically, read and write), and
therefore cannot be detected or controlled by the security mechanisms that underlie
secure operating systems. Covert channels are exceedingly hard to install in real
systems, and can often be detected by monitoring system performance. In addition,
they suffer from a low signal-to-noise ratio and low data rates (typically, on the order
of a few bits per second). They can also be removed manually with a high degree of
assurance from secure systems by well-established covert channel analysis
strategies.
Covert channels are distinct from, and often confused with, legitimate channel
exploitations that attack low-assurance pseudo-secure systems using schemes such
as steganography or even less sophisticated schemes to disguise prohibited objects
inside of legitimate information objects. The legitimate channel misuse by
steganography is specifically not a form of covert channel.
Covert channels can tunnel through secure operating systems and require special
measures to control. Covert channel analysis is the only proven way to control covert
channels. By contrast, secure operating systems can easily prevent misuse of
legitimate channels, so distinguishing the two is important. Analysis of legitimate
channels for hidden objects is often misrepresented as the only successful
countermeasure for legitimate channel misuse. Because this amounts to analysis of
large amounts of software, it was shown as early as 1972 to be impractical.[2]
Without being informed of this, some are misled to believe an analysis will "manage
the risk" of these legitimate channels.
TCSEC criteria
The Trusted Computer Security Evaluation Criteria (TCSEC) was a set of criteria,
now deprecated, that had been established by the National Computer Security
Center, an agency managed by the United States' National Security Agency.
The TCSEC, also known as the Orange Book,[4] requires analysis of covert storage
channels for a system to be classified as B2; analysis of covert timing channels is a
requirement for class B3.
Timing Channels
The use of delays between packets transmitted over computer networks was first
explored by Girling[5] for covert communication. This work motivated many other
works to establish or detect a covert communication and analyze the fundamental
limitations of such scenarios.
The detection of a covert channel can be made more difficult by using characteristics
of the communications medium for the legitimate channel that are never controlled
or examined by legitimate users. For example, a file can be opened and closed by a
program in a specific, timed pattern that can be detected by another program, and
the pattern can be interpreted as a string of bits, forming a covert channel. Since it
is unlikely that legitimate users will check for patterns of file opening and closing
operations, this type of covert channel can remain undetected for long periods.
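As an added example (not from the original article or its references), the following Python code scores how regular a flow's inter-packet delays are, one simple statistical check of the kind used to look for timing channels. The function names, the window size, the 0.2 threshold and both sample flows are constructed assumptions.

```python
import random
import statistics

def window_stdevs(delays, w):
    """Population standard deviation of each non-overlapping window of w delays."""
    return [statistics.pstdev(delays[i:i + w])
            for i in range(0, len(delays) - w + 1, w)]

def regularity(delays, w=50):
    """Spread of the pairwise relative differences between window deviations.

    A low score means the delay variance barely changes over time, which is
    unusual for human- or application-driven traffic. Returns None when the
    flow is too short (or too constant) to score.
    """
    s = window_stdevs(delays, w)
    diffs = [abs(a - b) / a
             for i, a in enumerate(s) for b in s[i + 1:] if a > 0]
    return statistics.pstdev(diffs) if len(diffs) > 1 else None

def looks_machine_timed(delays, w=50, threshold=0.2):
    """Flag a flow for review; the threshold is a constructed assumption."""
    score = regularity(delays, w)
    return score is not None and score < threshold

def constructed_samples(seed=7, n=2000, w=50):
    """Build two synthetic inter-arrival series (seconds); not real captures."""
    rng = random.Random(seed)
    # Flow A: delays sit at two fixed levels with slight jitter, the pattern
    # a delay-modulated timing channel leaves behind.
    two_level = [rng.choice((0.05, 0.15)) + rng.gauss(0, 0.005) for _ in range(n)]
    # Flow B: bursty traffic, exponential gaps whose mean shifts every window.
    bursty = []
    for _ in range(n // w):
        mean = rng.choice((0.02, 0.1, 0.5))
        bursty += [rng.expovariate(1 / mean) for _ in range(w)]
    return two_level, bursty

if __name__ == "__main__":
    two_level, bursty = constructed_samples()
    for name, flow in (("two-level", two_level), ("bursty", bursty)):
        print(f"{name:10s} regularity={regularity(flow):.3f} "
              f"flag={looks_machine_timed(flow)}")
```

A single low score is a reason to inspect a flow, not proof of a channel; periodic machine traffic such as keep-alives can also score low.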
Their study does not aim to present foolproof steganographic schemes. Rather, they
establish basic principles for data hiding in each of seven OSI layers. Besides
suggesting the use of the reserved fields of protocol headers (which are easily
detectable) at higher network layers, they also propose the possibility of timing
channels involving CSMA/CD manipulation at the physical layer.
Their covert channel analysis does not consider issues such as the interoperability
of these data hiding techniques with other network nodes, covert channel capacity
estimation, or the effect of data hiding on the network in terms of complexity and
compatibility. Moreover, the generality of the techniques cannot be fully justified in
practice since the OSI model does not exist per se in functional systems.
Moreover, the use of the sequence number field and the acknowledgment field
cannot be made specific to the ASCII coding of the English-language alphabet as
proposed, since both fields take into account the receipt of data bytes pertaining to
specific network packet(s).
After Rowland, several authors in academia published more work on covert channels
in the TCP/IP protocol suite, including a plethora of countermeasures ranging from
statistical approaches to machine learning.[8][9][10][11] The research on network
covert channels overlaps with the domain of network steganography, which emerged
later.
See also
Computer and network surveillance
Side-channel attack – Any attack based on information gained from the
implementation of a computer system
Steganography – Art and science of writing hidden messages
Subliminal channel
References
1. Lampson, B.W., A Note on the Confinement Problem. Communications of the ACM, Oct. 1973. 16(10): p. 613-615. [1] (http://research.microsoft.com/en-us/um/people/blampson/11-Confinement/Acrobat.pdf)
2. Computer Security Technology Planning Study (http://seclab.cs.ucdavis.edu/projects/history/papers/ande72.pdf) (James P. Anderson, 1972)
3. NCSC-TG-030, Covert Channel Analysis of Trusted Systems (Light Pink Book), 1993 (http://www.fas.org/irp/nsa/rainbow/tg030.htm) from the United States Department of Defense (DoD) Rainbow Series publications.
4. 5200.28-STD (http://csrc.ncsl.nist.gov/publications/secpubs/rainbow/std001.txt), Trusted Computer System Evaluation Criteria (Orange Book), 1985 Archived (https://web.archive.org/web/20061002160143/http://csrc.ncsl.nist.gov/publications/secpubs/rainbow/std001.txt) 2006-10-02 at the Wayback Machine from the DoD Rainbow Series publications.
5. GIRLING, GRAY (February 1987). "Covert Channels in LAN's". IEEE Transactions on Software Engineering (2): 292–296. doi:10.1109/tse.1987.233153 (https://doi.org/10.1109%2Ftse.1987.233153). ProQuest 195596753 (https://search.proquest.com/docview/195596753).
6. Hiding data in the OSI network model (http://faculty.kfupm.edu.sa/COE/mimam/Papers/96%20Hiding%20Data%20in%20the%20OSI%20Network%20Model.pdf) Archived (https://web.archive.org/web/20141018041347/http://faculty.kfupm.edu.sa/COE/mimam/Papers/96%20Hiding%20Data%20in%20the%20OSI%20Network%20Model.pdf) 2014-10-18 at the Wayback Machine, Theodore G. Handel and Maxwell T. Sandford II (2005)
7. Covert Channels in the TCP/IP Protocol Suite (http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449) Archived (https://web.archive.org/web/20121023122054/http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449) 2012-10-23 at the Wayback Machine, 1996 Paper by Craig Rowland on covert channels in the TCP/IP protocol with proof of concept code.
8. Zander, S.; Armitage, G.; Branch, P. (2007). "A survey of covert channels and countermeasures in computer network protocols". IEEE Communications Surveys and Tutorials. IEEE. 9 (3): 44–57. doi:10.1109/comst.2007.4317620 (https://doi.org/10.1109%2Fcomst.2007.4317620). hdl:1959.3/40808 (https://hdl.handle.net/1959.3%2F40808). ISSN 1553-877X (https://www.worldcat.org/issn/1553-877X).
9. Information hiding in communication networks : fundamentals, mechanisms, applications, and countermeasures. Mazurczyk, Wojciech., Wendzel, Steffen., Zander, Sebastian., Houmansadr, Amir., Szczypiorski, Krzysztof. Hoboken, N.J.: Wiley. 2016. ISBN 9781118861691. OCLC 940438314 (https://www.worldcat.org/oclc/940438314).
10. Wendzel, Steffen; Zander, Sebastian; Fechner, Bernhard; Herdin, Christian (April 2015). "Pattern-Based Survey and Categorization of Network Covert Channel Techniques". ACM Computing Surveys. 47 (3): 50:1–50:26. arXiv:1406.2901 (https://arxiv.org/abs/1406.2901). doi:10.1145/2684195 (https://doi.org/10.1145%2F2684195). ISSN 0360-0300 (https://www.worldcat.org/issn/0360-0300).
11. Cabuk, Serdar; Brodley, Carla E.; Shields, Clay (April 2009). "IP Covert Channel Detection". ACM Transactions on Information and System Security. 12 (4): 22:1–22:29. CiteSeerX 10.1.1.320.8776 (https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.320.8776). doi:10.1145/1513601.1513604 (https://doi.org/10.1145%2F1513601.1513604). ISSN 1094-9224 (https://www.worldcat.org/issn/1094-9224).
Further reading
Timing Channels (http://www.multicians.org/timing-chn.html) an early exploitation of a timing channel in Multics.
Covert channel tool hides data in IPv6 (http://www.securityfocus.com/news/11406), SecurityFocus, August 11, 2006.
Raggo, Michael; Hosmer, Chet (2012). Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols (http://www.spy-hunter.com). Syngress Publishing. ISBN 978-1597497435.
Lakshmanan, Ravie (2020-05-04). "New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into Speakers" (https://thehackernews.com/2020/05/air-gap-malware-power-speaker.html).
External links
Gray-World (http://gray-world.net/index.shtml) - Open Source Research Team : Tools and Papers
Steath Network Operations Centre (https://archive.is/20110724191036/http://snoc.shacknet.nu/) - Covert Communication Support System