Covert channel
From Wikipedia, the free encyclopedia
In information theory, a covert channel is a parasitic communications channel that draws bandwidth from another channel in order to transmit information without the authorization or knowledge of the latter channel's designer, owner, or operator.
Characteristics
A covert channel is so called because it is hidden within the medium of a legitimate communications channel. Covert channels typically manipulate certain properties of the communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information through the medium without detection by anyone other than the entities operating the covert channel.
All covert channels draw their bandwidth (information-carrying capacity) from a legitimate channel, thus reducing the capacity of the latter; however, the bandwidth drawn from the channel is often unused anyway, so the covert channel may still be well hidden. The concern is rarely the loss of capacity but, more frequently, the creation of an unsecured communications channel that can be used for data exfiltration.
For example, steganography is a form of covert channel in which very small details of images (or other multimedia files) are subtly altered in order to communicate information in a way not immediately obvious to anyone casually examining the images.
- One type of steganography uses the low-order bit of the data for each pixel in an image to carry the information of a covert channel: these bits carry the covert message, while the rest of the bits carry the legitimate image. The very slight change in the image caused by modification of the low-order bit in each pixel is imperceptible in most cases to anyone who isn't already looking for such a change.
- Background audio noise can hide digital-mode signals such as MT63; more complex audio watermarking technologies exist for the protection of mass-marketed audio CDs.
Stealing usable bandwidth
Because any bandwidth used by the covert channel is “stolen” from the legitimate channel, the greater the bandwidth used by the covert channel, the more likely it is that it will be obvious to users of the legitimate channel.
- A steganography system that uses only the low-order bit of every pixel has a low bandwidth (compared to the bandwidth consumed by transmission of the image itself), and is very discreet.
- A steganography system that uses all but the highest-order bit of each pixel has a very high bandwidth and will be instantly obvious to anyone looking at the image used to carry the covert channel.
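As an added example (not code from the article), the following Python program embeds a payload in the k low-order bits of an 8-bit grayscale image, reads it back, and measures both the channel's capacity and the distortion it causes, so the trade-off in the two bullet lists above (low-order bit only: low bandwidth, discreet; nearly all bits: high bandwidth, obvious) can be observed numerically. The 16x8 gradient image and the payloads are constructed here; PSNR is the usual peak signal-to-noise ratio, not a quantity from the article.

```python
import math

# Constructed sample "image": a 16x8 8-bit grayscale gradient (not from the article).
WIDTH, HEIGHT = 16, 8
IMAGE = [(x * 16 + y * 2) % 256 for y in range(HEIGHT) for x in range(WIDTH)]


def bytes_to_bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def bits_to_bytes(bits):
    """Pack a bit sequence (MSB first) back into bytes, dropping any partial byte."""
    out, acc, n = bytearray(), 0, 0
    for bit in bits:
        acc, n = (acc << 1) | bit, n + 1
        if n == 8:
            out.append(acc)
            acc, n = 0, 0
    return bytes(out)


def capacity_bytes(pixels, k):
    """Payload capacity when the k lowest-order bits of every pixel carry the covert message."""
    return len(pixels) * k // 8


def embed(pixels, payload: bytes, k: int):
    """Return a copy of `pixels` whose k low-order bits carry `payload`, k bits per pixel."""
    if len(payload) > capacity_bytes(pixels, k):
        raise ValueError("payload exceeds covert channel capacity")
    bits = list(bytes_to_bits(payload))
    bits += [0] * ((-len(bits)) % k)          # pad to a whole number of k-bit chunks
    mask = (1 << k) - 1
    stego = list(pixels)
    for i in range(0, len(bits), k):
        chunk = 0
        for b in bits[i:i + k]:                # MSB-first within the chunk
            chunk = (chunk << 1) | b
        idx = i // k
        stego[idx] = (stego[idx] & ~mask) | chunk
    return stego


def extract(pixels, nbytes: int, k: int):
    """Read back `nbytes` of payload from the k low-order bits of successive pixels."""
    needed, bits = nbytes * 8, []
    for p in pixels:
        for shift in range(k - 1, -1, -1):     # same MSB-first order as embed()
            bits.append((p >> shift) & 1)
            if len(bits) == needed:
                return bits_to_bytes(bits)
    return bits_to_bytes(bits[:needed])


def distortion(original, stego):
    """Mean absolute per-pixel change and PSNR in dB (larger PSNR = less visible change)."""
    n = len(original)
    mae = sum(abs(a - b) for a, b in zip(original, stego)) / n
    mse = sum((a - b) ** 2 for a, b in zip(original, stego)) / n
    psnr = float("inf") if mse == 0 else 10 * math.log10(255 ** 2 / mse)
    return mae, psnr


def full_channel_demo(k):
    """Fill the k-bit channel to capacity with a constructed payload and report distortion."""
    payload = bytes((i * 37) % 256 for i in range(capacity_bytes(IMAGE, k)))
    stego = embed(IMAGE, payload, k)
    return distortion(IMAGE, stego)


if __name__ == "__main__":
    for k in (1, 3, 7):
        mae, psnr = full_channel_demo(k)
        print(f"k={k}: capacity={capacity_bytes(IMAGE, k)} bytes, "
              f"mean abs change={mae:.2f}, PSNR={psnr:.1f} dB")
```

With k=1 every pixel moves by at most one grey level; with k=7 (all but the highest-order bit) the payload overwrites most of each pixel's value, which is the "instantly obvious" case in the second bullet.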
TCSEC criteria
The Trusted Computer Security Evaluation Criteria (TCSEC) is a set of criteria established by the National Computer Security Center, an agency managed by the United States' National Security Agency.
The term covert channel is defined in the TCSEC [1] specifically to refer to ways of transferring information from a higher classification compartment to a lower classification. The TCSEC defines two kinds of covert channels:
- Storage channels: communicate by modifying a stored object
- Timing channels: transmit information by affecting the relative timing of events
The TCSEC, also known as the Orange Book, [2] requires analysis of covert storage channels for a system to be classified as class B2, and analysis of covert timing channels as a requirement for class B3.
Eliminating covert channels
The possibility of covert channels cannot be completely eliminated, although it can be significantly reduced by careful design and analysis. There will always be some unused portion of the bandwidth of a legitimate communications channel that can be diverted to provide a covert channel.
The detection of a covert channel can be made more difficult by using characteristics of the communications medium for the legitimate channel that are never controlled or examined by legitimate users. For example, a file can be opened and closed by a program in a specific, timed pattern that can be detected by another program, and the pattern can be interpreted as a string of bits, forming a covert channel. Since it is unlikely that legitimate users will check for patterns of file opening and closing operations, this type of covert channel can remain undetected for long periods.
A similar case is port knocking. In ordinary communications the timing of requests is irrelevant and unwatched; port knocking makes it significant.
Data Hiding in OSI Model
Handel and Sanford take a broader perspective and focus on covert channels within the general design of network communication protocols. They employ the OSI (Open System Interconnection) model as the basis for their development, characterizing the system elements that have the potential to be used for data hiding. This approach has the advantage that it considers standards rather than specific network environments or architectures. Foolproof steganographic schemes are not devised.
Rather, basic principles for data hiding in each of seven OSI layers are established. Besides suggesting the use of the reserved fields of protocols headers (that are easily detectable) at higher network layers, Handel and Sanford also propose the possibility of timing channels involving CSMA/CD manipulation at the physical layer.
Their work identifies covert channel merits such as:
- Detectability: the covert channel must be measurable by the intended recipient only.
- Indistinguishability: the covert channel must not be identifiable as such.
- Bandwidth: the number of data-hiding bits per channel use.
The covert channel analysis presented here, however, does not consider issues such as the interoperability of these data hiding techniques with other network nodes, covert channel capacity estimation, or the effect of data hiding on the network in terms of complexity and compatibility. Moreover, the generality of the techniques cannot be fully justified in practice, since the OSI model does not exist per se in functional systems.
Data Hiding in LAN Environment by Covert Channels
Girling first analyzes covert channels in a network environment. His work focuses on local area networks (LANs), in which three obvious covert channels (two storage channels and one timing channel) are identified. This demonstrates real examples of the bandwidth possibilities for simple covert channels in LANs. For a specific LAN environment, the author introduced the notion of a wiretapper who monitors the activities of a specific transmitter on the LAN. The covertly communicating parties are the transmitter and the wiretapper. According to Girling, the covert information can be communicated through any of the following obvious ways:
I. By observing the addresses approached by the transmitter. If the total number of addresses a sender can approach is 16, then there is the possibility of secret communication carrying 4 bits of the secret message per transmission. The author termed this possibility a covert storage channel, as it depends on what is sent (i.e., which address is approached by the sender).
II. In the same way, the other obvious storage covert channel depends on the size of the frame sent by the sender. For 256 possible sizes, the amount of covert information deciphered from one frame size would be 8 bits. Again this scenario was termed a covert storage channel.
III. The third scenario pertains to the time between successive sends, which can be observed by the wiretapper and deciphered, for instance as “0” for an odd time difference and “1” for an even time difference.
This scenario transmits covert information through a “when-is-sent” strategy and is therefore termed a timing covert channel. The time to transmit a block of data is calculated as a function of software processing time, network speed, network block sizes and protocol overhead. Assuming blocks of various sizes are transmitted on the LAN, the software overhead is computed on average, and a novel time evaluation is used to estimate the bandwidth (capacity) of the covert channels. The work paves the way for future research.
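As an added worked example (not Girling's code or figures), the following Python functions carry the capacity reasoning of the three channels above through numerically: bits per channel use as log2 of the number of distinguishable values (16 addresses give 4 bits, 256 frame sizes give 8 bits), block transmission time as processing time plus serialisation of payload and overhead, and covert bandwidth as bits per use divided by the block time averaged over a mix of block sizes. The additive time model, the LAN parameters and the send timestamps are assumptions constructed for illustration; the parity decoding rule is the one stated in scenario III.

```python
import math
from statistics import mean


def storage_channel_bits(distinguishable_values: int) -> float:
    """Bits per channel use when the sender selects one of N observable values
    (Girling's 16 addresses -> 4 bits, 256 frame sizes -> 8 bits)."""
    if distinguishable_values < 2:
        return 0.0
    return math.log2(distinguishable_values)


def block_transmit_time(block_bytes, processing_time_s, network_bps, overhead_bytes):
    """Time to put one block on the LAN: software processing time plus the
    serialisation time of payload and protocol overhead at the network speed.
    The additive model is an assumption made here for illustration."""
    return processing_time_s + (block_bytes + overhead_bytes) * 8 / network_bps


def covert_bandwidth_bps(bits_per_use, block_sizes, processing_time_s, network_bps, overhead_bytes):
    """Covert capacity in bit/s: one channel use per transmitted block, with the
    block time averaged over the mix of block sizes seen on the LAN."""
    avg_time = mean(block_transmit_time(b, processing_time_s, network_bps, overhead_bytes)
                    for b in block_sizes)
    return bits_per_use / avg_time


def timing_channel_decode(send_times_ms):
    """Observer-side decoding of the third channel: the parity of the gap between
    successive sends carries one bit (odd gap -> '0', even gap -> '1')."""
    gaps = [later - earlier for earlier, later in zip(send_times_ms, send_times_ms[1:])]
    return "".join("0" if gap % 2 else "1" for gap in gaps)


if __name__ == "__main__":
    # Constructed LAN parameters (not from the paper): 10 Mbit/s, 26 bytes of
    # protocol overhead per block, 1 ms software time, blocks of 64..1500 bytes.
    sizes = [64, 512, 1024, 1500]
    print("address channel:", storage_channel_bits(16), "bits/use")
    print("frame-size channel:", storage_channel_bits(256), "bits/use")
    print("frame-size channel capacity:",
          round(covert_bandwidth_bps(8, sizes, 0.001, 10_000_000, 26)), "bit/s")
    print("timing channel decode:", timing_channel_decode([0, 3, 8, 9, 11]))
```

The same functions give a quick capacity bound for an analyst asked to estimate how much could leave over such a channel; the result is dominated by the per-block software time rather than the line rate, which is why Girling averages that overhead over realistic block sizes.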
Data Hiding in TCP/IP Protocol suite by Covert channels
A more specific approach is adopted by Rowland. Focusing on the IP and TCP headers of the TCP/IP protocol suite, Rowland devises encoding and decoding techniques that utilize the IP identification field, the TCP initial sequence number and the acknowledgment sequence number fields. These techniques are implemented in a simple utility written for Linux systems running version 2.0 kernels.
Rowland simply provides a proof of concept of the existence as well as the exploitation of covert channels in the TCP/IP protocol suite. This work can thus be regarded as a practical breakthrough in this specific area. The adopted encoding and decoding techniques are more pragmatic than previously proposed work. These techniques are analyzed with respect to security mechanisms such as firewalls and network address translation.
However, the non-detectability of these covert communication techniques is questionable. For instance, in the case where the sequence number field of the TCP header is manipulated, the encoding scheme is such that every time the same character is covertly communicated, it is encoded with the same sequence number.
Moreover, the use of the sequence number field as well as the acknowledgment field cannot be made specific to the ASCII coding of the English alphabet as proposed, since both fields account for the receipt of data bytes belonging to specific network packet(s).
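The weakness just described (the same character always produces the same header value) is what a detector can look for. As an added example, not from Rowland's paper or tool, the Python below groups constructed packet records by flow and computes, per flow, the number of distinct identification-field values, the repeat ratio and the Shannon entropy; a header field that is a deterministic function of a small alphabet collapses to a few distinct values, while an ordinary stack's incrementing or random identification values rarely repeat. The flows, the addresses, the "one message byte in the high byte of the field" encoding and the thresholds are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed packet records (not captured traffic): (flow, IP identification field value).
NORMAL_FLOW = "10.0.0.5->10.0.0.9"
SUSPECT_FLOW = "10.0.0.7->10.0.0.9"

# An ordinary stack incrementing the identification field once per datagram.
NORMAL_IDS = [40000 + i for i in range(40)]
# Assumption for illustration only: a sender placing one message byte per packet
# in the high byte of the identification field, so the same character always
# yields the same value, which is the weakness discussed above.
COVERT_MESSAGE = b"hello, hello, hello!"
SUSPECT_IDS = [byte << 8 for byte in COVERT_MESSAGE]

RECORDS = [(NORMAL_FLOW, i) for i in NORMAL_IDS] + [(SUSPECT_FLOW, i) for i in SUSPECT_IDS]


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def analyse_flow(ids, repeat_threshold=0.25, min_packets=10):
    """Per-flow statistics on the identification field. The indicator flagged here
    is the repeat ratio 1 - distinct/total; flows shorter than `min_packets` are
    not judged, because a handful of packets gives no reliable ratio (assumed limits)."""
    n = len(ids)
    if n == 0:
        raise ValueError("flow has no packets")
    distinct = len(set(ids))
    repeat_ratio = 1 - distinct / n
    return {
        "packets": n,
        "distinct": distinct,
        "repeat_ratio": repeat_ratio,
        "entropy_bits": shannon_entropy(ids),
        "suspicious": n >= min_packets and repeat_ratio > repeat_threshold,
    }


def analyse(records, repeat_threshold=0.25, min_packets=10):
    """Group (flow, id) records by flow and analyse each flow separately."""
    flows = defaultdict(list)
    for flow, ipid in records:
        flows[flow].append(ipid)
    return {flow: analyse_flow(ids, repeat_threshold, min_packets)
            for flow, ids in flows.items()}


if __name__ == "__main__":
    for flow, stats in analyse(RECORDS).items():
        print(flow, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in stats.items()})
```

In practice the same per-flow statistics can be computed from a packet capture's IP identification, TCP sequence and acknowledgment fields; the point is that the repeat ratio exposes the encoding regardless of which character-to-value mapping the sender chose.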
Data hiding in the TCP/IP protocol suite by covert channels has the following important aspects:
- It identifies the existence of covert channels in a network environment.
- It devises satisfactory techniques for the embedding and extraction processes at the source and destination, respectively.
- It does not consider the effect of employing covert communications on the network as a whole.
See also
References
- [1] NCSC-TG-030, Covert Channel Analysis of Trusted Systems (Light Pink Book), from the United States Department of Defense (DoD) Rainbow Series publications.
- [2] 5200.28-STD, Trusted Computer System Evaluation Criteria (Orange Book), from the DoD Rainbow Series publications.
Additional Reading
- Timing Channels, an early exploitation of a timing channel in Multics.
- Covert channel tool hides data in IPv6, SecurityFocus, August 11, 2006.
- Covert Channels in the TCP/IP Suite, 1996 Paper by Craig Rowland on Covert Channels in the TCP/IP protocol with proof of concept code.
External links
- Gray-World - Open Source Research Team : Tools and Papers