Identification of Covert Channels inside Linux Kernel Based on Source Code.

Slide 1: Identification of Covert Channels inside Linux Kernel Based on Source Code

Slide 2: Agenda
- Covert channel definition
- Possible sources of CCA (Covert Channel Analysis)
- Methods of CCA in source code
- Proposed tool to automate CCA on the source code of the Linux kernel
- Conclusion

Slide 3: Several Definitions of Covert Channels
- Definition 1: A communication channel is covert if it is neither designed nor intended to transfer information at all.
- Definition 2: A communication channel is covert if it is based on transmission by storage into variables that describe resource states.
- Definition 3: Covert channels are those that use entities not normally viewed as data objects to transfer information from one subject to another.

Slide 4: Problem with the previous definitions
- They do not make it obvious that a covert channel is irrelevant under a discretionary security policy (a Trojan Horse can leak information through valid system calls anyway).
- They do not acknowledge that a covert channel is the result of a specific mandatory security policy being enforced, together with its implementation.

Slide 5: TCSEC Definition
- A communication channel that allows a process to transfer information in a manner that violates the system's security policy.
- Given a nondiscretionary (e.g., mandatory) security policy model M and its interpretation I(M) in an operating system, any potential communication between two subjects I(S_h) and I(S_i) of I(M) is covert if and only if any communication between the corresponding subjects S_h and S_i of the model M is illegal in M.

Slide 6: TCSEC Definition (cont.)
- The TCSEC is divided into four divisions: D, C, B, and A.
- An important set of TCSEC requirements, which appears in classes B2 to A1, is that of covert channel analysis (CCA).

Slide 7: Objectives of CCA
- Identification of covert channels.
- Determination of each covert channel's maximum attainable bandwidth.
- Handling covert channels using a well-defined policy consistent with the TCSEC objectives.
- Generation of assurance evidence to show that all channels are handled according to the policy in force.

Slide 8: Means of Identifying Covert Channels
- System reference manuals.
- Top-level TCB specification.
- Source code.

Slide 9: Methods of Identification in Source Code
- Syntactic Information Flow Analysis.
- Semantic Information Flow Analysis.
- Shared Resource Matrix Method.
- Covert Flow Tree Method.

Slide 10: Syntactic Information Flow
- An information flow is associated with each statement. Example: for a := b, information flows from b to a if b is not a constant.
- Define flow policies.
- Generate flow formulas for the entire TCB.
- Use a theorem prover.
- Check whether each flagged flow is real or a false illegal flow.

Slide 11: Semantic Information Flow
- Examine all flows visible through a TCB interface and separate the legal ones from the illegal ones.
- Separating real channels from potential ones must still be done manually.
- Separating potential channels from all possible flows is labor intensive compared to the syntactic approach above.

Slide 12: Shared Resource Matrix
- A matrix is created with the user-visible TCB primitives as rows and the read/altered variables that represent attributes of a shared resource as columns.
- Each entry is marked R or M according to whether the primitive reads or modifies the variable.
- Calculate the transitive closure and update the matrix.

Slide 13: Prototype Design

Slide 14: Module of Syntax Analysis
- Traverse and scan all source code files.
- Extract function names and global variables.
- Global variables of simple types and of complex types must be accounted for appropriately.
- Generate a list of segmented tokens of the format.

Slide 15: Module of Constructing the Info Flow Tree
- Further code analysis is based on information flow rules.
- Readability and modifiability of shared variables are analyzed.
- If a variable y modifies a variable x, then y -> x.
- If a variable x is read inside a function Fx, then x -> Fx.

Slide 16: Info Flow Tree (cont.)
- If a variable x is modified from inside a function Fx, then Fx -> x.
- Compound statements (CSx), statements (Sx) and expressions (Ex) are considered separately.
- Null statements, type declaration statements, goto statements, labelled statements and continue/break statements are ignored.

Slide 17: RIFA for Variable Declaration Statements

Slide 18: RIFA for if Statements

Slide 19: RIFA for Function Definitions

Slide 20: Sample Code from Linux kernel 2.4.37.9

    struct mm_struct *mm_alloc(void)
    {
        struct mm_struct *mm;

        mm = allocate_mm();
        if (mm) {
            memset(mm, 0, sizeof(*mm));
            return mm_init(mm);
        }
        return NULL;
    }

Slide 21: Info Flow Tree Creation
- Information flow trees are created using the RIFA defined above.
- There are four types of nodes: functions, statements, expressions and variables.
- The info flow tree is created as a binary tree.

Slide 22: Generate Info Flow Graph and Shared Resource Matrix
- The information flow tree is transformed into a graph such that an information flow exists across each edge.
- The shared resource matrix and its transitive closure are calculated from the preprocessed information.
- The values in the matrix cells are taken as 1, 2, 3 or 0.
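The shared resource matrix of slides 12 and 22, with Kemmerer's transitive-closure step, as an added worked example. This is not the presenters' tool or code; the primitives, variable names and their read/modify sets are a constructed, hypothetical input, and the candidate-channel listing only flags potential channels that would still have to be confirmed manually, as slide 11 notes.

```python
from itertools import product

# Constructed input (hypothetical names, not the slides' kernel data): each
# user-visible TCB primitive with the shared-resource attributes it reads
# (R) and modifies (M).
PRIMITIVES = {
    "create": {"R": {"free_blocks"}, "M": {"free_blocks", "dir_size"}},
    "stat":   {"R": {"dir_size"},    "M": set()},
    "unlink": {"R": {"dir_size"},    "M": {"free_blocks"}},
    "quota":  {"R": {"free_blocks"}, "M": set()},
}

READ = {"R", "r"}  # 'R' direct read, 'r' indirect read added by the closure


def build_matrix(prims):
    """Rows are primitives, columns are shared variables, cells hold marks."""
    variables = set().union(*(a["R"] | a["M"] for a in prims.values()))
    matrix = {p: {v: set() for v in variables} for p in prims}
    for p, access in prims.items():
        for mark in ("R", "M"):
            for v in access[mark]:
                matrix[p][v].add(mark)
    return matrix


def transitive_closure(matrix):
    """If primitive p reads x and modifies y, information in x flows into y,
    so any primitive q that reads y can indirectly read x. Iterate to a
    fixed point; this is the closure step the slides refer to."""
    changed = True
    while changed:
        changed = False
        for p, q in product(matrix, repeat=2):
            for x, y in product(matrix[p], repeat=2):
                if x != y and matrix[p][x] & READ and "M" in matrix[p][y] \
                        and matrix[q][y] & READ and not matrix[q][x] & READ:
                    matrix[q][x].add("r")
                    changed = True
    return matrix


def candidate_channels(matrix):
    """Potential storage channels: (variable, modifier, reader) where one
    primitive modifies the variable and a different one can read it."""
    found = set()
    for v in next(iter(matrix.values())):
        for p, q in product(matrix, repeat=2):
            if p != q and "M" in matrix[p][v] and matrix[q][v] & READ:
                found.add((v, p, q))
    return sorted(found)


if __name__ == "__main__":
    for chan in candidate_channels(transitive_closure(build_matrix(PRIMITIVES))):
        print(chan)
```

With the constructed input, the closure turns the direct reads into indirect ones across both variables (for example, "quota" ends up with an indirect read of dir_size through "unlink" and "create"), which is why the closure step is needed before the potential channels are listed.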

Slide 23: Conclusion
- This tool was used to discover some real covert channels that existed in Linux kernel 2.4.18.
- Only the entry functions of system calls need to be examined.
- All the .h files should be analyzed before the .c files.
- An automated tool still needs to be developed to create application scenarios that identify the real covert channels among the potential ones.

Slide 24: Bibliography
- Virgil D. Gligor. 1993. A Guide to Understanding Covert Channel Analysis of Trusted Systems. Technical Report NCSC-TG-030, National Computer Security Center.
- Gaoshou Zhai, Yufeng Zhang, Chengyu Liu, Na Yang, MinLi Tian, Hengsheng Yang. Automatic Identification of Covert Channels inside Linux Kernel Based on Source Codes.
- Dorothy E. Denning. 1976. A Lattice Model of Secure Information Flow. Communications of the ACM 19, 5 (May 1976), 236-246.
- C. R. Tsai, V. D. Gligor, C. S. Chandersekaran. 1990. A Formal Method for the Identification of Covert Storage Channels in Source Code. IEEE Transactions on Software Engineering 16, 6 (June 1990), 569-580.
- Richard A. Kemmerer. 1983. Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels. ACM Transactions on Computer Systems 1, 3 (August 1983), 256-277.
