
Covert channel

A covert channel is a communication channel that transmits information by a method that was not originally intended for that purpose.

The concept of a covert channel was first introduced in Butler Lampson's paper "A Note on the Confinement Problem" of October 10, 1973, as "(channels) not designed to transmit information at all, such as the impact of a utility program on system loading" [1]. Most often a covert channel is parasitic on the main channel: it reduces the throughput of the main channel. Outsiders usually cannot tell that, in addition to the main data channel, there is an additional one; only the sender and receiver know this. For example, in steganography, hidden messages were encoded inside graphic images or other data in such a way that no change could be noticed by eye, yet the intended recipient could decode the hidden message.


Features

The covert channel gets its name from the fact that it is hidden from the access control mechanisms even of secure operating systems: it does not use legitimate transmission mechanisms such as read and write, and so it cannot be detected or controlled by the hardware security mechanisms on which secure operating systems are built. In real systems a covert channel is hard to set up, and it can often be detected by monitoring system performance; covert channels also suffer from a low signal-to-noise ratio and low data rates (on the order of a few bits per second). They can also be removed from protected systems with a high degree of reliability by applying recognised covert channel analysis strategies.

Covert channels are often confused with the use of legitimate channels to attack pseudo-secure systems with a low degree of trust, using schemes such as steganography or even simpler schemes designed to hide prohibited objects inside objects carrying legitimate information. Such uses of legitimate channels with data-hiding schemes are not covert channels and can be prevented by trusted systems with a high degree of security.

Covert channels can pass through secure operating systems, and special measures are needed to control them. The only proven method of controlling covert channels is so-called covert channel analysis. Secure operating systems, by contrast, can easily prevent the incorrect (or illegal) use of legitimate channels. Analysis of legitimate channels for hidden objects is often wrongly presented as the only effective measure against the illegal use of legitimate channels. Since in practice this means analysing a great deal of software, it was shown as early as 1972 that such measures are ineffective [2]. Unaware of this, many believe that such analysis can address the risks associated with legitimate channels.

TCSEC Standard

TCSEC is a set of standards issued by the US Department of Defense.

Lampson's definition of a covert channel was rephrased in TCSEC [2] to mean a way of transmitting information from a higher security level to a lower one. In a shared computing environment it is difficult to completely isolate one process from the effects that another process may have on the operating environment. A covert channel is created by the sending process, which modulates some state (such as free space, the availability of a certain service, start-up wait time, etc.) that can be detected by the receiving process.

Two types of covert channels are defined in the Criteria:

  • Covert storage channel - processes communicate because one of them can directly or indirectly write information to a certain storage location and the other can read it. Usually this means that processes at different security levels have access to a shared resource (for example, certain disk sectors).
  • Covert timing channel - one process sends information to another by modulating its own use of system resources (for example, processor time) in such a way that this affects the real response time observed by the receiving process.

The Criteria, also known as the Orange Book [3], make covert storage channel analysis a requirement for class B2 systems and covert timing channel analysis a requirement for class B3 systems.

Eliminating covert channels

The possibility of covert channels cannot be eliminated completely, but it can be significantly reduced by careful system design and analysis.

Detecting a covert channel can be made harder by using characteristics of the medium carrying legitimate channels that users never monitor or check. For example, a program can open and close a file in a specific, timed pattern that another process can interpret as a sequence of bits, thereby forming a covert channel. Since legitimate users are unlikely to look for a pattern in file opens and closes, this kind of covert channel may go unnoticed for a long time.

Port knocking is a similar case. Normally the timing of requests carries no information and is not watched, but with port knocking it becomes significant.

Hiding data in the OSI model

Handel and Sanford attempted to take a broader view and to consider covert channels within a general network protocol model. They take the OSI network model as the basis of their reasoning and then characterise the elements of the system that can be used to hide data. This approach has the advantage of working at the level of standards rather than of particular network environments and architectures; however, no reliable steganographic scheme has been developed from it.

However, there are general guidelines for hiding data at each of the seven layers of the OSI model. Besides proposing the use of reserved protocol header fields (which is easily detected), Handel and Sanford also pointed out the possibility of timing channels based on the operation of CSMA/CD at the physical layer.

Their work rates a covert channel according to the following parameters:

  • Detectability: only the intended recipient should be able to measure the covert channel.
  • Indistinguishability: the covert channel must not be identifiable.
  • Bandwidth: the number of bits of hidden data per use of the channel.

A covert channel analysis was also presented, but it does not address problems such as interaction between network nodes using the methods above, estimation of channel capacity, or the effect that data hiding has on the network. In addition, the practical applicability of the methods cannot be fully justified, since the OSI model is not implemented as such in real systems.

Hiding data in a LAN environment

Girling was the first to analyse covert channels in a LAN environment. His work focuses on local area networks (LANs), in which three obvious covert channels are identified: two storage channels and one timing channel. It gives real-world examples of possible bandwidths for simple covert channels in a LAN. For a particular LAN environment the author introduced the notion of an interceptor, which monitors the actions of a specific transmitter on the LAN. The covert parties are the transmitter and the interceptor. According to Girling, hidden information can be transmitted in any of the following ways:

  • By observing the addresses accessed by the transmitter. If the transmitter can access 16 addresses, a secret message of 4 bits can be sent per access. The author classed this as a storage channel, since it depends on the content being sent.
  • Another obvious covert channel relies on the size of the frame sent by the transmitter. With 256 possible frame sizes, decoding one frame size yields 8 bits of secret information. The author also classed this as a storage channel.
  • The third, timing-based method relies on the difference between transmission times. For example, an odd difference means "0" and an even difference means "1". The time required to transfer a data block is computed as a function of the programmed computation speed, the network speed, the network block size and the protocol overhead. Assuming blocks of various sizes are transmitted over the LAN, the average software time is computed and the bandwidth of the covert channels is estimated.
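As an added illustration (not code from the article or from Girling's work), the following Python snippet takes the interceptor's view of a constructed frame log from one transmitter, derives the per-frame upper bound of each of the three channels from the number of distinct addresses and frame sizes observed (16 addresses giving 4 bits, 256 sizes giving 8 bits, gap parity giving 1 bit), converts that into a bandwidth at the observed frame rate, and measures how much of that bound the transmitter actually uses. The log format and values are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed frame log for one LAN transmitter, as Girling's interceptor would
# see it: (time in ms, destination address, frame size in bytes). The values are
# made up for this illustration, not measurements from the paper.
FRAMES = [
    (0, "00:aa:00:00:00:01", 64),
    (10, "00:aa:00:00:00:02", 128),
    (20, "00:aa:00:00:00:03", 192),
    (30, "00:aa:00:00:00:04", 256),
    (40, "00:aa:00:00:00:01", 320),
    (50, "00:aa:00:00:00:02", 384),
    (60, "00:aa:00:00:00:03", 448),
    (70, "00:aa:00:00:00:04", 512),
]

def entropy_bits(values):
    """Shannon entropy of an observed symbol sequence, in bits per symbol:
    how much the transmitter is actually varying a field."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def girling_bounds(frames):
    """Upper bound on bits per frame for each of Girling's three channels, and
    the bandwidth (bits/s) that bound implies at the observed frame rate."""
    addrs = [a for _, a, _ in frames]
    sizes = [s for _, _, s in frames]
    duration_ms = frames[-1][0] - frames[0][0]
    fps = (len(frames) - 1) * 1000 / duration_ms if duration_ms else 0.0
    per_frame = {
        "address": math.log2(len(set(addrs))),  # 16 reachable addresses -> 4 bits
        "size": math.log2(len(set(sizes))),     # 256 frame sizes -> 8 bits
        "timing": 1.0,                          # parity of the inter-frame gap -> 1 bit
    }
    return {name: (bits, bits * fps) for name, bits in per_frame.items()}

def observed_bits(frames):
    """Entropy actually present in the address and size fields; a transmitter
    that drives these fields close to their upper bound deserves a closer look."""
    return {
        "address": entropy_bits([a for _, a, _ in frames]),
        "size": entropy_bits([s for _, _, s in frames]),
    }
```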

Hiding data in the TCP/IP protocol suite

Rowland took a more specific approach. Focusing on the IP and TCP headers of the TCP/IP protocol suite, Rowland derives suitable encoding and decoding methods using the IP identification field and the TCP initial sequence number and acknowledgement number fields. These methods are implemented in a simple application written for Linux systems running the 2.0 kernel.

Rowland simply demonstrates the existence of covert channels in TCP/IP and their use, so his work can be regarded as a practical breakthrough in this area. The encoding and decoding methods he adopts are more pragmatic than those of earlier proposals. The methods are analysed with security mechanisms in mind, such as network address translation by a firewall.

However, the undetectability of these covert transmission methods is questionable. For example, when the TCP header sequence number field is used, the adopted scheme sends one alphabet character covertly at a time, but the same character is always encoded with the same sequence number.

Moreover, the sequence number and acknowledgement number fields cannot simply carry the ASCII encoding of the English alphabet, as proposed, since both fields count the bytes of data received in particular network packets.
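The weakness described above (the same character always maps to the same sequence number) gives a defender a concrete check. As an added example, not code from the article or from Rowland's tool, the following Python snippet parses a constructed SYN log and reports sources that reuse initial sequence numbers across separate connections, something a normal TCP stack practically never does in a short window. The log format, hosts and ISN values are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed SYN log (not a real capture): time, source, destination and the
# TCP initial sequence number. Host 10.0.0.5 reuses a handful of ISN values,
# the symptom of a fixed character-to-ISN mapping described above; 10.0.0.9
# behaves like an ordinary stack that picks a fresh ISN for every connection.
SYN_LOG = """\
0.00 10.0.0.5 10.0.0.1 isn=300000000
0.05 10.0.0.9 10.0.0.1 isn=2897412385
0.10 10.0.0.5 10.0.0.1 isn=540000000
0.15 10.0.0.9 10.0.0.2 isn=1398014721
0.20 10.0.0.5 10.0.0.1 isn=300000000
0.25 10.0.0.9 10.0.0.3 isn=3761003927
0.30 10.0.0.5 10.0.0.1 isn=790000000
0.35 10.0.0.5 10.0.0.1 isn=540000000
0.40 10.0.0.9 10.0.0.1 isn=87432019
"""

def parse_syn_log(text):
    """Parse the log into (time, src, dst, isn) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, isn = line.split()
        records.append((float(t), src, dst, int(isn.split("=", 1)[1])))
    return records

def isn_reuse_report(records):
    """Per source host: SYN count, number of distinct ISNs, and the ISN values
    reused across separate connections. Repeats point to a small fixed alphabet
    being encoded into the field rather than a stack-generated ISN."""
    per_src = defaultdict(list)
    for _, src, _, isn in records:
        per_src[src].append(isn)
    report = {}
    for src, isns in per_src.items():
        counts = Counter(isns)
        report[src] = {
            "syns": len(isns),
            "distinct": len(counts),
            "repeated": sorted(v for v, c in counts.items() if c > 1),
        }
    return report

def flag_sources(records):
    """Sources whose SYNs reused at least one ISN value."""
    return sorted(src for src, r in isn_reuse_report(records).items() if r["repeated"])
```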

The important aspects of hiding data in the TCP/IP protocol suite are the following:

  • Covert channels are identified in a network environment.
  • Satisfactory encoding and decoding methods are obtained for the sender and receiver respectively.
  • The effect of the covert channel on the network as a whole is not taken into account.

Notes

  1. ↑ Lampson, B. W., A Note on the Confinement Problem. Communications of the ACM, Oct. 1973, 16(10): pp. 613-615.
  2. ↑ NCSC-TG-030, Covert Channel Analysis of Trusted Systems (Light Pink Book), from the US Department of Defense Rainbow Series.
  3. ↑ 5200.28-STD, Trusted Computer System Evaluation Criteria (Orange Book), archived October 2, 2006, from the Rainbow Series publications.

See also

  • Steganography
  • Side-channel attack

Links

  • Gray-World - Gray-World Development Team: programs and articles
  • Stealth Network Operations Center - covert communications support system
  • Timing Channels - using a timing channel in Multics.
  • Covert channel tool hides data in IPv6, SecurityFocus, August 11, 2006.
  • Covert Channels in the TCP/IP Suite (link not available), 1996 - Craig Rowland's article on covert channels in TCP/IP.
Source - https://ru.wikipedia.org/w/index.php?title=Hidden_channel&oldid=100297797
