MULTICS TECHNICAL BULLETIN 696

To:      Distribution
From:    Keith Loepere
Date:    December 7, 1984
Subject: Covert Channel Analysis

A covert channel (relative to system security) is a mechanism through which information may flow between two processes of different authorizations. Needless to say, such channels are to be avoided.

This MTB discusses covert channels. The discussion includes a description of what covert channels are, where they come from, and how to deal with them. It does not discuss any specific covert channels in Multics; it only describes covert channels in general. This description is being provided as a base of reference for upcoming MCRs that propose to deal with the covert channels in Multics.

Comments on this MTB should be sent to the author: Keith Loepere (Loepere.Multics) or via the B2 forum.

_________________________________________________________________
Multics Project internal working documentation. Not to be reproduced or distributed outside the Multics Project.

OVERT DATA TRANSMISSION CHANNELS

There are many ways that data (information) gets transmitted from one process to another in a computer system. The most obvious way is the direct transmission of data through files (actually their disk or memory equivalent). In this case, one process writes data into a file. Another process then reads this data from the file. This means of data transmission is normally the fastest available, since the movement of data into and out of files runs at full processor speed.

Other means of transmission exist besides the file system. A process may write data to a tape which another process may read. A process may attach a communication line which feeds back into the system, into a different process. And so on. Each of these channels involves identifiable objects that form the communication medium (the files/disk, tapes, communication lines, etc.).
CONTROLLING OVERT DATA TRANSMISSION CHANNELS

In an operating system that wishes to control the flow of data between processes, it is necessary to establish restrictions on the use of these overt channels. It is necessary to require that the "receiver" process in all of the above cases is granted permission to see the data created by the "transmitter". Within a system that contains data of multiple security access classes, this is especially important. The system must ensure that data of one access class is not passed through a transmission channel from a process of one authorization to a process of a lower authorization.

These overt channels involve the usage of some (more or less) physically identifiable storage device (memory/disk/tape/communication lines/etc.). For these physical data transmission paths, the ability to restrict the transmission of data between processes of different authorizations involves basically adding an access class "label" to the data by labeling the physical medium. Files are marked with the access class of the data contained therein. Tapes are known to the system as having a certain access class. A communication line in use by a process is marked with an access class equal to the transmitting process' authorization. Another process whose authorization is less than this access class is not allowed to access the file/tape/communication line/etc.

COVERT DATA TRANSMISSION CHANNELS

A covert channel is a channel that passes information between two processes in a non-obvious way. That is, it does not utilize a system mechanism that is intended for data transmission. The idea is to trick the operating system into passing the desired data. Using covert channels involves finding a piece of information (defined very broadly) within the system that can be written and read by processes and is not "labeled" as to access class.
Storage Covert Channels

A storage covert channel operates by using a piece of storage (again defined broadly) within the system that can be affected (set) by a process and sensed (read) by a different process, independent of the authorizations of the processes involved.

The classic storage covert channel involves the ability of a process to fill some system wide resource (possibly a table). A lower authorization process can determine if this resource is full. For example, a system_high process decides either to fill (use up the last record of) or not to fill a sharable disk pack that contains data not likely to be referenced by other processes, depending on whether a "1" or a "0" bit is to be transmitted. A system_low process can sense whether the disk pack is full or not by trying to request a new record from that disk itself. In this way, a system_high process may transmit one bit at a time to a system_low process.

Another classic example involves the interlocks on a file. Assuming that the system allows certain files to be opened for exclusive use, a process may transmit a bit of data to another process by deciding to open, or not, a file for exclusive use. Another process can sense this exclusivity by attempting to open the file itself.

Timing Covert Channels

A timing covert channel involves transmitting data by utilizing the timing of system operations. The use of such a covert channel involves the ability of a process to perform an operation which causes some operation performed by a different process to take a varying amount of time, depending on whether the sending process is performing its operation or not.

The classic timing covert channel involves the system paging rate. A system_high process either takes a large number of page faults or decides not to do so. A system_low process can sense this change in system paging rate by how long its own page faults take. This channel is very noisy, of course, since all system processes are taking page faults. However, by using this channel during a period of otherwise light system load, and by using fancy encoding methods, a usable, if low, bandwidth can be obtained.

THE SIGNIFICANCE OF COVERT CHANNELS

One might argue that covert channels are not of interest to system security. Overt channels must be removed from the system, since they may be used accidentally. That is, physical transmission paths must be labeled with the access class so that it is not possible to accidentally (or purposefully) leave data where a lower authorization process could read it. Covert channels are not as interesting, since a process must be actively transmitting data, and another process must be running to actively sense the information. It would seem that such an occurrence could not be an accident.

This is precisely the point. It is conceivable that an "untrusted" individual has created a "trojan horse" program. (A "trojan horse" program is an application program that performs some useful function, but within which its author has concealed code designed to steal information from anyone who uses the program and pass it to the program's author.) A user at some high authorization would then run this program. The program's author (at some lower authorization, since most programs, even on secure systems, are probably written by people with comparatively low clearances) would then run a program to sense the transmitted data. A "trojan horse" program could perform its intended function and spend its spare time reading classified files (files to which the higher authorization user has access, since it is the higher authorization user who is running the program) and transmitting the files' contents through covert channels to the program's author. Thus, it is desirable to limit the number and bandwidth of covert channels within the system.
Indeed, limiting these channels is a B2 requirement.

GENERIC CLASSIFICATION OF COVERT CHANNELS

Aside from classifying covert channels as storage or timing channels (which can sometimes be difficult), covert channels may be broken down into other classifications.

First of all, these channels can be broken down by ease of use. If, to use a channel, a very difficult set-up must be used, requiring the establishment of very carefully created objects, especially objects whose required contents the process cannot be sure of, this channel becomes unlikely to be used. For one thing, this set-up becomes easier to spot (and stop). Also, elaborate set-up tends to imply lower bandwidth channels. Covert channels are broken down into groups by ease of use, from unlikely to be usable to certain to be usable.

A second classification for covert channels is by bandwidth. For these purposes, covert channels are broken down into four main groups. The groups are: < 1 bps, 1-10 bps, 10-100 bps, and > 100 bps (old teletype speed). These groups imply an ordering of the covert channels into groups of channels that pass more information (are more of a security violation) and therefore require a greater response on our part to resolve.

GENERAL RESOLUTION OF COVERT CHANNELS

Each of the four groups of channels (sorted bandwidth-wise) has a different requirement for being dealt with, relative to the B2 requirements.

A covert channel that has a bandwidth of > 100 bps must be removed, or made to have a bandwidth that is in a lower classification.

A covert channel that has a bandwidth of 10-100 bps must be removed, made to have a bandwidth that is in a lower classification, or detected by the system, with the system auditing attempted uses of this channel.
A covert channel that has a bandwidth of 1-10 bps must be removed, made to have a bandwidth that is in a lower classification, detected by the system, with the system auditing attempted uses of this channel, or documented as a covert channel in the system security administrator's manual.

A covert channel that has a bandwidth of < 1 bps may be ignored.

Thus, the possible choices for resolving a covert channel, depending on its bandwidth, are:

- remove the channel
- lower the bandwidth of the channel
- audit attempted uses of the channel
- document the existence of the channel
- ignore the channel

Removing Covert Channels

When we say that we have removed a covert channel, we mean that the system mechanism used to transmit information in this way is made to be no longer utilizable in this way. Consider the example of detecting the fullness of a disk pack. If each process using the disk pack is given its own disk space limit, and the sum of all of the assigned disk space limits is not greater than the space limit for the entire pack, then the filling of the assigned area of a pack by one process is not detectable by another process. Thus, this channel can be removed by administrative controls on disk space allocation.

Lowering the Bandwidth of Covert Channels

Some covert channels may be resolved by lowering the bandwidth of the channel. Sometimes this involves making sure that a user cannot utilize the particular system mechanism too often. Often, lowering the bandwidth means making the results of certain system operations less predictable, that is, noisier. If a given covert channel is made to be noisy, transmitting a good signal requires more bits, effectively reducing the bandwidth.

Auditing Attempted Uses of Covert Channels

Auditing attempted uses of a covert channel means exactly that. However, this method of resolution is sometimes not usable.
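What auditing would look like for the disk pack channel can be shown concretely. The following is an added example, not the MTB's or Multics' code. The audit record format and the log entries in SAMPLE_LOG are constructed for illustration (Multics' real audit messages are not in this format), and the detection rule is the one this MTB describes for this channel: a run of failed allocation requests by one user on one pack, an event that is rare in normal use.

```python
"""Spotting attempted use of the disk pack exhaustion channel in an
audit log.  Added example, not MTB 696's or Multics' code.  The record
format and the entries in SAMPLE_LOG are constructed for illustration;
Multics' real audit messages are not in this format.
"""
import re
from collections import defaultdict

# Constructed format: "<date> <time> <event> user=<name> pack=<pack>"
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<event>alloc_ok|alloc_failed)\s+"
    r"user=(?P<user>\S+)\s+pack=(?P<pack>\S+)\s*$"
)

SAMPLE_LOG = """\
1984-12-07 10:00:01 alloc_ok      user=Jones.Eng pack=dska_01
1984-12-07 10:00:02 alloc_failed  user=Smith.Eng pack=dskb_02
1984-12-07 10:00:02 alloc_failed  user=Jones.Eng pack=dska_01
1984-12-07 10:00:03 alloc_failed  user=Smith.Eng pack=dskb_02
1984-12-07 10:00:04 alloc_failed  user=Smith.Eng pack=dskb_02
1984-12-07 10:00:04 alloc_ok      user=Jones.Eng pack=dska_01
1984-12-07 10:00:05 alloc_failed  user=Smith.Eng pack=dskb_02
1984-12-07 10:00:06 alloc_failed  user=Smith.Eng pack=dskb_02
1984-12-07 10:00:07 alloc_failed  user=Smith.Eng pack=dskb_02
1984-12-07 10:00:08 alloc_ok      user=Smith.Eng pack=dska_01
1984-12-07 10:00:09 some unrelated audit record
"""


def parse_record(line):
    """Return the fields of an allocation record, or None for other lines."""
    m = RECORD.match(line)
    return m.groupdict() if m else None


def suspicious_runs(log_text, threshold=5):
    """Map (user, pack) -> longest run of consecutive failed allocation
    requests by that user on that pack, for runs reaching `threshold`.

    Asking for space on a full pack is rare in normal use, and a user who
    finds a pack full does not normally keep asking, so a long run is the
    signature to look for.  A successful allocation on the same pack ends
    the run; records for other users or other packs do not."""
    current = defaultdict(int)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["user"], rec["pack"])
        if rec["event"] == "alloc_failed":
            current[key] += 1
            if current[key] >= threshold:
                flagged[key] = max(flagged.get(key, 0), current[key])
        else:
            current[key] = 0
    return flagged


def report(log_text, threshold=5):
    """Human-readable lines for the security administrator."""
    return [f"{user} failed {n} consecutive allocations on {pack}"
            for (user, pack), n in
            sorted(suspicious_runs(log_text, threshold).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

A rule like this is only workable because the audited event is rare in normal operation and produces few records; the two limits on auditing that the text turns to next are exactly those conditions failing.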
First of all, if the event that signals transmission or reception of data through the channel occurs often, the volume of audit messages may become excessive (to the point of making the system uselessly slow). Also, it is necessary to sense from the audit log real attempted uses of a covert channel. If the event that signals transmission or reception of data through a covert channel occurs in the normal course of system events, it will not be possible to tell a valid occurrence of the event from an occurrence that is part of the utilization of the covert channel.

Consider the example involving filling the disk pack. Attempts to ask for space on a completely full disk pack are rare. Once one finds a pack full, one does not tend to ask for space on it again (at least not right away). Thus, seeing many messages to the effect of "user X couldn't allocate some disk space" in a row within the log would be suspicious. This channel would be a good candidate for resolution by auditing, if its bandwidth were in the right range.

Now consider the page fault based covert channel. Auditing all page faults, or even all cases of a process' taking a lot of page faults, would not work. Page faults occur too often in normal use to be suspicious within an audit log. It would not be possible to sense an attempted use of the covert channel from the log.

Documenting the Existence of Covert Channels

Some covert channels may be simply documented. They are such that we need not do anything explicitly to them. However, a security administrator would like to know of their existence, so that programs could be examined for potential uses of them.

THE COVERT CHANNEL STUDY

For any given system, several of those knowledgeable about the system's internals are sealed in a room and made to examine the various system mechanisms. Each person proposes ideas on how each mechanism may be used for covert channel purposes. The other people present then tell that person how stupid the ideas are. (This process is known as brainstorming.) After the violence subsides, the ideas are added to the potential covert channel list. This continues until a large list of ideas (hypotheses) is generated.

Each hypothesis is further tested (researched), to determine the ease of use of the channel (including whether the channel really exists). An estimated bandwidth is calculated. Further research suggests potential methods to resolve the covert channel.

This analysis was done for Multics. Future MCRs will deal with those covert channels that were discovered to exist and whose resolution requires a change to the system.

METHODS FOR RESOLVING CHANNELS

There are as many methods for resolving, preferably removing, covert channels as there are methods for exploiting covert channels. However, they may be grouped into types of fixes, just as the channels themselves may be grouped according to the generic type of system mechanism that is exploited.

Controlling Resource Exhaustion

By far, the most common type of covert channel involves the ability to exhaust a system-wide resource. One method of removing these channels is to make the resource effectively inexhaustible. The more common method is to not allow a process to exhaust the resource (or its share of that resource) in a way visible to anyone else at a different authorization. That is, the process must be limited so that what that process uses does not affect what is left for other users. This normally requires giving the process its own, preassigned, exclusive share of the resource. Resolving the exhaustion of disk space through quota restrictions is a common example of this method of resolution.

Slowing Down a System Function

If a covert channel involves using a system mechanism in a way that cannot be removed or audited, it may sometimes be slowed down. This is an acceptable solution only if several conditions are met.
1) The cases in which the system mechanism is being slowed must cover the cases in which the mechanism could be used for a covert channel.

2) The cases in which the system mechanism is being slowed must be rare.

3) The mechanism must be slowed in a way so as to not slow down the rest of the system. (That is, it is not acceptable to simply loop to wait for time to go by.)

Reducing the Accuracy of System Responses

Many covert channels involve detecting the occurrence of an operation performed by the higher authorization process by requesting from the system the status of some object or operation. If the status being requested is not used for critical purposes, it may be possible to simply make the status less accurate. For example, if the mechanism involves asking for the color of a certain leaf falling from a tree, it may be better to return "orange" as opposed to differentiating between "burnt amber" and "rust". In this way, fewer bits of information are transmitted through each use of the mechanism.

Restricting the Use of a Mechanism

If the mechanism used for the covert channel is not really needed by normal users, it can simply be restricted for use only by privileged users. This might involve disallowing requesting the system to perform certain operations or disallowing requests to determine the status of certain system-wide operations.

Another method of restricting a mechanism is to restrict the objects that a user may use it upon. Consider the case of filling the disk pack. If the system allowed any given disk pack to be used only for data of the same access class, this covert channel could not be used to transmit data to a process of a different authorization.

Restructuring the Mechanism

Some perfectly reasonable system mechanisms can be used to transmit data. If it is the method of operation of the system mechanism that allows another process to sense that it is operating, a change of the method of operation may remove the covert channel. For example, if, when the system performs a certain operation, it causes many lockings of some system table or resource to occur (that can be sensed), redo the mechanism to restructure the lockings.

Making System Operations More Random

Some covert channels involve the fact that the system always does certain things in the same way or order. In some cases, predictability is undesirable. For example, if the method of disk space allocation is known and predictable, and it is possible to sense the placement of objects on disk, a covert channel can exist. The covert channel would consist of having a lower authorization process request a unit of disk space and ask which unit was received. A higher authorization process would then request, or not, a unit of disk space. The lower authorization process then requests another unit of disk space. If disk space allocation is predictable, then the lower authorization process can sense the possible request of disk space by the higher authorization process depending on whether the second unit of disk space given to the lower authorization process is the "next" unit after the first one given. By making disk space allocation more (literally) random, it becomes harder to use the channel (makes the channel noisier) and reduces the bandwidth.

SUMMARY

Covert channels are a means by which tricky users can violate system security. In our continued quest for B2, any such channels must be dealt with. The changes we will make to Multics to deal with our channels will appear soon in future MCRs.
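The disk pack appears in this MTB twice: as the classic exhaustion channel, removed by the quota controls described under Removing Covert Channels and Controlling Resource Exhaustion, and as the placement channel described under Making System Operations More Random, made noisy by random allocation. The following added example, which is not code from this MTB or from Multics, puts both into one toy allocator so that the effect of each resolution can be observed directly. The pack sizes, quotas and process names are constructed; the receiver's inference rule for the placement channel is the one the text gives, namely whether its second unit is the "next" one after its first.

```python
"""Disk space allocation as a covert channel, and two resolutions.

Added example, not code from MTB 696 or from Multics.  A toy allocator
stands in for a disk pack's pool of records.  It shows:
  * the exhaustion channel: "high" fills the pack (bit 1) or not (bit 0)
    and "low" senses whether its own request fails; per-process quotas
    whose sum fits in the pack remove it, because low's request then
    succeeds no matter what high did;
  * the placement channel: with predictable (lowest-free-first)
    allocation, low can tell whether high allocated between low's two
    requests; random allocation makes that observation noisy.
Sizes, quotas and process names are constructed.
"""
import random


class Pack:
    """A pool of numbered records with optional per-process quotas."""

    def __init__(self, size, quotas=None, rng=None):
        self.free = list(range(size))        # record numbers still free
        self.quotas = quotas                 # {process: max records} or None
        self.used = {}                       # records held per process
        self.rng = rng                       # None => predictable allocation

    def allocate(self, proc):
        """Return a record number, or None if the request cannot be met."""
        if self.quotas is not None:
            # The quota check comes before the shared pool is touched, so a
            # process learns nothing about other processes' usage.
            if self.used.get(proc, 0) >= self.quotas.get(proc, 0):
                return None
        if not self.free:
            return None
        if self.rng is None:
            rec = self.free.pop(0)           # lowest-numbered free record
        else:
            rec = self.free.pop(self.rng.randrange(len(self.free)))
        self.used[proc] = self.used.get(proc, 0) + 1
        return rec


def exhaustion_observation(bit, quotas=None):
    """high sends one bit by filling the pack or not; returns what low
    observes, namely whether its own request failed."""
    pack = Pack(size=8, quotas=quotas)
    if bit:
        while pack.allocate("high") is not None:
            pass                              # fill as far as allowed
    return pack.allocate("low") is None


def placement_observation(bit, rng=None):
    """low allocates, high allocates (bit 1) or not, low allocates again.
    low's rule from the text: infer 1 if its second record is not the
    successor of its first."""
    pack = Pack(size=64, rng=rng)
    first = pack.allocate("low")
    if bit:
        pack.allocate("high")
    second = pack.allocate("low")
    return second != first + 1


def placement_error_rate(trials, seed=1):
    """Fraction of random bits low decodes wrongly under random allocation."""
    rng = random.Random(seed)
    wrong = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        if placement_observation(bit, rng) != bool(bit):
            wrong += 1
    return wrong / trials


if __name__ == "__main__":
    print("exhaustion, no quotas:   bit1 ->", exhaustion_observation(1),
          " bit0 ->", exhaustion_observation(0))
    quotas = {"high": 6, "low": 2}           # 6 + 2 <= 8 records on the pack
    print("exhaustion, with quotas: bit1 ->", exhaustion_observation(1, quotas),
          " bit0 ->", exhaustion_observation(0, quotas))
    print("placement, predictable:  bit1 ->", placement_observation(1),
          " bit0 ->", placement_observation(0))
    print("placement, random: decode error rate", placement_error_rate(2000))
```

With quotas whose sum fits in the pack, low's observation is the same for both bits, which is the definition of removal given above. With random allocation, low's rule is wrong about half the time, so the placement channel is not removed but its effective bandwidth collapses toward zero, which is the lowering-the-bandwidth resolution.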