Covert channel

From Wikipedia, the free encyclopedia

In information theory, a covert channel is a parasitic communications channel that draws bandwidth from another channel in order to transmit information without the authorization or knowledge of the latter channel's designer, owner, or operator.

Contents 1 Characteristics 1.1 Stealing usable bandwidth 1.2 TCSEC criteria 2 Eliminating covert channels 3 See also 4 References 5 Additional Reading 6 External links

[edit] Characteristics

A covert channel is so called because it is hidden within the medium of a legitimate communications channel. Covert channels typically manipulate certain properties of the communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information through the medium without detection by anyone other than the entities operating the covert channel.

All covert channels draw their bandwidth (information-carrying capacity) from a legitimate channel, thus reducing the capacity of the latter; however, the bandwidth drawn from the channel is often unused, anyway, and so the covert channel may still be well hidden.

For example, steganography is a form of covert channel in which very small details of images (or other multimedia files) are subtly altered in order to communicate information in a way not immediately obvious to anyone casually examining the images.

• One type of steganography uses the low-order bit of the data for each pixel in an image to carry the information of a covert channel: these bits carry the covert message, while the rest of the bits carry the legitimate image. The very slight change in the image caused by modification of the low-order bit in each pixel is imperceptible in most cases to anyone who isn't already looking for such a change.
• Background audio noise can hide signals like MT63, but other more complex audio watermarking technologies exist for the protection of mass marketed audio CDs.

[edit] Stealing usable bandwidth

Because any bandwidth used by the covert channel is “stolen” from the legitimate channel, the greater the bandwidth used by the covert channel, the more likely it is that it will be obvious to users of the legitimate channel.

• A steganography system that uses only the low-order bit of every pixel has a low bandwidth (compared to the bandwidth consumed by transmission of the image itself), but is very discreet.
• A steganography system that uses all but the highest-order bit of each pixel has very high bandwidth -- but will be instantly obvious to anyone looking at the image used to carry the covert channel.

[edit] TCSEC criteria

The Trusted Computer Security Evaluation Criteria (TCSEC) is a set of criteria established by the National Computer Security Center, an agency managed by the United States' National Security Agency.

The term covert channel is defined in the TCSEC ^[1] specifically to refer to ways of transferring information from a higher classification compartment to a lower classification. The TCSEC defines two kinds of covert channels:

• Storage channels - Communicate by modifying a stored object
• Timing channels - Transmit information by affecting the relative timing of events

The TCSEC, also known as the Orange Book, ^[2] requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3.

[edit] Eliminating covert channels

The possibility of covert channels cannot be completely eliminated, although it can be significantly reduced by careful design and analysis. There will always be some unused portion of the bandwidth of a legitimate communications channel that can be diverted to provide a covert channel.

The detection of a covert channel can be made more difficult by using characteristics of the communications medium for the legitimate channel that are never controlled or examined by legitimate users. For example, a file can be opened and closed by a program in a specific, timed pattern that can be detected by another program, and the pattern can be interpreted as a string of bits, forming a covert channel. Since it is unlikely that legitimate users will check for patterns of file opening and closing operations, this type of covert channel can remain undetected for long periods.

A similar case is port knocking. In usual communications the timing of requests is irrelevant and unwatched. Port knocking makes it significant.

[edit] See also

• Computer surveillance
• Side channel attack
• Steganography

[edit] References

1. ^ NCSC-TG-030, Covert Channel Analysis of Trusted Systems (Light Pink Book) from the United States Department of Defense (DoD) Rainbow Series publications.
2. ^ 5200.28-STD, Trusted Computer System Evaluation Criteria (Orange Book) from the DoD Rainbow Series publications

[edit] Additional Reading

• Timing Channels an early exploitation of a timing channel in Multics.
• Covert channel tool hides data in IPv6, SecurityFocus, August 11, 2006.
• Covert Channels in the TCP/IP Suite, 1996 Paper by Craig Rowland on Covert Channels in the TCP/IP protocol with proof of concept code.

[edit] External links

• Gray-World - Open Source Research Team : Tools and Papers