Hidden communications and hidden channels

Lord777
A covert channel is a communication channel that sends information using a method that was not originally intended for this purpose.

Characters in detective and spy novels use hidden channels all the time: the magazine "Ogonyok" held in the left hand, signalling that the operation is cancelled; a flower on the windowsill, warning Professor Pleishner of danger; the number of somersaults performed by a circus acrobat, conveying the number of tanks on the training ground. All of these are examples of hidden channels.

The hidden channel technique rests on the simple fact that any change in the state of an object carries information, and that it can be very difficult to detect a pattern in the changes of state of an object that was never intended for transmitting information. Many channels of this type pay for their high degree of secrecy with a low information transfer rate. For example, the presence or absence of a flower on the windowsill carries one bit of information. The number of somersaults in a circus act is more informative, but you cannot transmit much data this way either.

Now let's look at some examples from information technology practice. Suppose there are two processes: process A, which has a high clearance level, and process B, which has a low clearance level. An attacker can only obtain information from process B. Under mandatory access control, process B is not permitted to read certain data with a high secrecy level. Process A does have access to that data, but, by the same mandatory access rule, it is not allowed to pass data down to the lower level of process B. The question is whether process A has some workaround, one that raises no suspicion, for transferring secret data to process B.

The answer is yes. One such method is to vary the fill level of a buffer while outputting legitimate data. Let process A, performing a legitimate output operation, vary the amount of output data according to some conventional code known to the destination process B, and let process B be able to observe the state of the buffer. Process A, performing seemingly entirely legitimate actions, can then transmit secret data to process B in encoded form. We emphasize that this data has nothing to do with the information being legitimately output. One can draw an analogy with the transmission of information on a modulated sinusoidal carrier, where the information is encoded by varying the amplitude. This is the idea behind the hidden channel.

A hidden channel is a mechanism for transmitting information that was not provided for by the information system's developer. Naturally, data transmission over a hidden channel is not controlled by the usual OS security mechanisms, such as authentication and authorization, which is why the presence of hidden channels is so dangerous. It is no accident that all information system security standards, such as the "Orange Book" and the "Common Criteria", pay great attention to hidden channels and require an analysis of the system for the presence of such channels during certification.

In addition to hidden channels, there are also hidden communications. Hidden communications use legitimate channels to transmit messages, but operate in such a way that these messages are invisible to legitimate users, since they are hidden inside other messages that serve as containers. The most popular example of hidden communications is placing a secret message in the bits of a digital photo, whose appearance after such an operation is practically indistinguishable from the original. Hidden communications are also called a subliminal channel, which literally translates as a subconscious channel, a channel located below the level of perception; there is also a proposal to call such channels secret channels.

A common feature of hidden channels and hidden communications is that they hide not only the content of the message, but also the very fact of communication. How valuable the mere fact of communication can be for intelligence agencies is shown by the PRISM program, whose existence the world learned of from Edward Snowden's leaks. This program collects metadata about electronic communications, i.e. data about who corresponded with whom, where and when. Although the actual content of messages is not among the information collected, metadata alone can help uncover a conspiracy or identify agents. And in personal life, the mere fact that one spouse corresponds with a third person can lead to unexpected consequences.

Hidden communications are the domain of steganography, so this method of transmitting classified information is sometimes called a stego channel. Steganography, like cryptography, has an ancient history, and mankind has come up with quite a few ingenious ways to put secret data into seemingly innocent messages. In information systems it is not always possible to draw a clear line between the technique of hidden channels and hidden communications, as we will see a little further on.

Examples of hidden channels
There are two types of hidden channels: a hidden memory channel (covert storage channel) and a hidden time channel (covert timing channel). In the first case, modulation of memory characteristics, such as addresses, the amount of free memory, etc., is used to secretly transmit information. A process uses a hidden time channel if it varies the timing characteristics of its own execution to encode information; in a multiprogramming system, for example, this may be the fraction of its processor time quantum that it actually uses.

A large number of works on the analysis of hidden channels in operating systems are devoted to systems that implement the mandatory access model. Perhaps this is because the mandatory model places seemingly insurmountable barriers in the way of disseminating confidential information from top to bottom, barriers that are nevertheless overcome by secret channels. Let's look at some examples of hidden channels in an OS with mandatory access control, where a process or user with a higher clearance level (High) tries to illegally transfer confidential information to a process or user with a lower clearance level (Low), bypassing the access control system.

Reading file or directory names. If the Low user on the system is not allowed to read the contents of files with a higher clearance level, but is allowed to read the contents of the directory containing such files, then a hidden channel can be organized very simply. To do this, the High user can, for example:
- give a file a name that carries information;
- simply put a file with a specific name in the directory or delete it, signalling a two-state event (analogous to the flower on the windowsill);
- put a certain number of files in the directory, the count itself being the message;
- come up with many more ways of using such freedom in reading the directory's contents to transfer information to the lower level.

Using the fact that a file is locked. This variant of a hidden channel was described in Butler Lampson's article "A Note on the Confinement Problem", published in 1973 in the journal Communications of the ACM, which first introduced the concept of a hidden channel and also considered several types of such channels and ways to prevent them.

Lampson's example uses an abstract system call open(file) with the following properties. When a process opens a file by calling open(file), the file becomes inaccessible to all other processes: it is locked. All attempts by other processes to open this file fail. The file becomes available again only after the process using it executes the close system call, close(file).

Both High and Low processes can use these system calls. Lampson showed that with three simple procedures built on open(file) and close(file), plus three files of low secrecy level, which the higher-clearance process High may open only for reading and the lower-clearance process Low for reading and writing, it is possible to organize data transfer from High to Low, bypassing the prohibitions of the OS's mandatory access control.

Figure 1 shows a flowchart of the settrue(file) procedure, which repeatedly tries to open the given file. As soon as the file is unlocked and successfully opened, the procedure terminates.

[image001.png]

Figure 1. The settrue(file) procedure.

The setfalse(file) procedure (Figure 2) closes the given file. It is assumed to always succeed.

[image002.png]

Figure 2. The setfalse(file) procedure.

The third procedure, read_value(file) (Figure 3), sets the bit value to true (1) if the file is locked (the attempt to open it failed), and to false (0) otherwise.

[image003.png]

Figure 3. The read_value(file) procedure for reading the file's status.

It is not difficult to show how data can be transferred from the top level to the bottom using the three procedures described and three files: data_value for transmitting the data, and send_clock and receive_clock for synchronizing the transmitting and reading processes. This process is illustrated in Figure 4.

[image004.png]

Figure 4. Data transfer between the Sender (high clearance) and Receiver (low clearance) processes.

The Sender process reads the next bit from the bit(n) array that it wants to transmit to the Receiver process over the hidden channel, and opens the data_value file if the bit is 1 (true) or closes the data_value file if the bit is 0 (false). The Sender then tells the Receiver process that the next bit has been transmitted by setting the send_clock signalling file to the open state (true).

The Receiver process waits until the send_clock file enters the open state, then reads the state of the data_value file with read_value and assigns the corresponding value to its bit2(n) array. After that, it sets its own signalling file receive_clock to the open state (true), notifying the Sender process that the next value of the bit(n) array has been read.

The Sender process waits for the signal that the next bit has been read, sets the send_clock file back to the initial state false, waits for the Receiver process to set its signalling file receive_clock back to the initial state false, and then transmits the next bit of the bit(n) array in the same way.
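The four-phase handshake described above, as an added simulation that is not part of the original post or of Lampson's paper: the three files are stand-in objects whose open() fails while another holder has them, settrue/setfalse/read_value follow Figures 1 to 3, and Sender and Receiver run as two threads. The names LockableFile, wait_until and transfer are assumptions of this example.

```python
import threading
import time

class LockableFile:
    """Constructed stand-in for Lampson's abstract file: open() succeeds only
    while nobody holds the file, close() always releases it."""
    def __init__(self):
        self._mutex = threading.Lock()
        self.locked = False
    def open(self):
        with self._mutex:
            if self.locked:
                return False
            self.locked = True
            return True
    def close(self):
        with self._mutex:
            self.locked = False

def settrue(f):          # Figure 1: retry open(file) until it succeeds (file is then locked)
    while not f.open():
        time.sleep(0)
def setfalse(f):         # Figure 2: close(file), always succeeds
    f.close()
def read_value(f):       # Figure 3: locked -> 1, otherwise 0 (the probe releases the file again)
    if f.open():
        f.close()
        return True and False  # opened fine, so it was not locked
    return True

def wait_until(f, value):  # poll read_value(f) until it reports the wanted state
    while read_value(f) != value:
        time.sleep(0)

def sender(bits, data_value, send_clock, receive_clock):
    for bit in bits:
        setfalse(data_value)                 # encode the bit as the lock state of data_value
        if bit:
            settrue(data_value)
        settrue(send_clock)                  # "next bit is ready"
        wait_until(receive_clock, True)      # Receiver has read it
        setfalse(send_clock)
        wait_until(receive_clock, False)     # Receiver is back in the initial state
    setfalse(data_value)

def receiver(n, out, data_value, send_clock, receive_clock):
    for _ in range(n):
        wait_until(send_clock, True)
        out.append(1 if read_value(data_value) else 0)
        settrue(receive_clock)               # "bit has been read"
        wait_until(send_clock, False)
        setfalse(receive_clock)

def transfer(message: bytes) -> bytes:
    """Run Sender (High) and Receiver (Low) concurrently and return what Low received."""
    bits = [(b >> i) & 1 for b in message for i in range(7, -1, -1)]
    files = [LockableFile() for _ in range(3)]   # data_value, send_clock, receive_clock
    received = []
    t = threading.Thread(target=receiver, args=(len(bits), received, *files))
    t.start(); sender(bits, *files); t.join()
    return bytes(int("".join(map(str, received[i:i + 8])), 2) for i in range(0, len(received), 8))
```

Note that no data is ever written to the three files; the message travels purely in their lock states, which is why ordinary read/write access control does not see it.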

A hidden time channel can be built on the synchronization of accesses to some system resource, such as a TCP or UDP socket. The receiving process observes the busy periods of a particular socket and receives information that way. In other cases, a process can encode information by sending packets to a remote host at particular points in time.

Network tools and protocols provide a lot of scope for creating hidden channels. For example, a TCP SYN packet carries the ISN (Initial Sequence Number), which is assigned an arbitrary value when a TCP connection is requested. It is quite natural to use this field to encode hidden information while legitimate messages are transmitted over the established connection. The same can be said of the client-side port numbers of the TCP and UDP protocols, which are also chosen randomly. Packet size can also carry information, if packets with legitimate content are padded up to the size that corresponds to the code value. In the latter case the channel can be classified either as a hidden channel or as a stego channel, since the ordinary information stream is used as a container for the hidden information.

It is impossible not to say a little more about the classic steganographic channel, which modifies the bits of a digital image. There are a large number of programs, including free ones (for example, EZStego, Xiao Steganography, Steganography Studio), that can do this for various digital image formats: JPEG, TIFF, BMP, PNG and others. Changing the low-order bit of each RGB colour component of a pixel in a 24-bit image does not change the perceived image, and the capacity for information stored inside the photo is quite large. For such a channel to become truly secret, the transfer of photos itself must not arouse suspicion, and sending photos of cats is so popular on social networks that they make a very good container: just do it regularly, building yourself a stable legend as a member of the mi-mi-mi club.

Hidden information can also be embedded in text files. For example, the popular MS Word editor uses "Start of Text" and "End of Text" service marks, and service information that falls outside the text area between the start and end marks is not displayed on screen or in print. Bytes of a hidden message can therefore be embedded in the service information in a way that is invisible to the user. In general, advanced text editors use a large number of service marks, such as the beginning of a new style, an index mark, etc., which can encode a hidden message.

Fight against hidden channels
The most effective way to deal with a hidden channel is to destroy it. This idea is easiest to illustrate with the example of a stego channel that uses digital images. When the format is converted, the hidden bits are most likely lost and the message is automatically destroyed. Therefore any conversion of digital images is an effective way of dealing with this type of hidden channel. The same applies to archiving, and it also applies to text files.
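To make the LSB container described in the previous section and the effect of format conversion concrete, here is an added example (not code from the original post or from any of the tools it names) that embeds a constructed message in the low-order bits of a constructed RGB byte array, checks that no channel moved by more than 1, and then shows that a lossy re-encoding, simulated here by requantising every channel to 6 bits, wipes the message. COVER, embed, extract, max_distortion and reencode are all assumptions of this example.

```python
# Constructed cover: 256 RGB pixels forming a grey gradient, 768 channel bytes in total.
COVER = bytes(v for v in range(256) for _ in range(3))

def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1

def embed(cover: bytes, message: bytes) -> bytes:
    """Replace the low-order bit of each colour channel with the next message bit."""
    if len(message) * 8 > len(cover):
        raise ValueError("message does not fit in the cover")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract(stego: bytes, length: int) -> bytes:
    """Read the low-order bits back and regroup them into `length` bytes."""
    bits = [v & 1 for v in stego[:length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def max_distortion(cover: bytes, stego: bytes) -> int:
    """Largest change to any single channel value caused by the embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def reencode(stego: bytes, depth: int = 6) -> bytes:
    """Stand-in for a format conversion: keep only the top `depth` bits of every
    channel, as a lossy re-encoding or palette reduction would. The low-order
    bits, and with them the hidden message, do not survive."""
    shift = 8 - depth
    return bytes((v >> shift) << shift for v in stego)
```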

A hidden time channel can be destroyed by smoothing the traffic, i.e. by introducing packet delays. This technique, known as shaping, has long been used to reduce packet queues in the buffers of routers and switches.
A hidden channel that uses TCP/UDP port numbers can be destroyed by deliberately rewriting these numbers.
There is also a theoretical approach that identifies potential hidden channels through model analysis. The Hidden Channels review mentions two such models: the dependency model and the resource matrix model.

Some security experts are skeptical about the practical importance of combating hidden channels, holding that the great interest in them is explained only by the requirements of system certification and the natural curiosity of researchers, and that in practice attackers do not use such exotic tools.