The New Covert Channels

Posted by Keith McMillan

April 16, 2008 | Leave a Comment

Back in the days of yore, security professionals used to be interested in things called covert channels. These are ways of communicating information into or out of a secured environment. Admittedly, most people interested in this also dealt with information that had access restrictions on them called things like “Top Secret” and “Special Access Required”. They also had prison sentences attached to disclosing them. Today, there are new covert channels that are far more of a concern.

Covert channels mostly revolved around systems that supported multiple levels of security simultaneously. The classic Bell-LaPadula security model talks about how information could move between various security levels in a multi-level security system. The idea was that you cannot read information from a more secure level, nor write to a lower level one. In such a system, you should not be able to communicate information to those without the rights to read the information. Or that’s the theory, now we get to talk about covert channels.

Covert channels are those that the designers of systems never intended to be used to communicate information, but that are used to circumvent the security model. There are all sorts of traditional covert channels, some more interesting than others. Let’s pick an easy example.

Assume for the moment that I have a Top Secret clearance, and you don’t. I am going to find out whether a ship of supplies is going to leave port today or not, and I want to communicate that information to you. Let’s further assume that there’s a file that we both have agreed to use as a covert channel. At an agreed to time of day, I open the file for read, and you try to open it to write. Because the operating system won’t allow you to get your write lock, you know I’ve opened the file. The fact that I have the lock means that the ship is leaving today. You’ve gained information that I wanted you to have.

Now, admittedly this example of transmission only sends a single bit, but computer systems are built out of dealing with bits. In theory, we could build a transmission channel to send whatever we wanted to in this way.

There are all kinds of weird ways in which we can set up a covert channel. We can try to use shared memory regions, for instance. There’s even been an example of using the speed at which a file can be retrieved as a covert channel. If I cause the disk to seek to a position that’s far away from a reference position (again, typically part of a known file), and you can figure out that it took longer to get to that reference position, you’ve gained information.

Today, though, that sort of covert channel signaling is small potatoes, compared to the new covert channels. The advent of removable and portable storage devices, with huge capacities, makes the job of the security professional even more difficult. Why should I mess around with sending you information by locking a file, when for less than $50, I can carry a USB memory device that is packaged in a pen into the secure facility, and walk out with 1 GB of data. Or, how about one that’s packaged in a wristwatch? Need more capacity? How about DVD-/+R drives and iPods.

When I worked for the defense industry in the late 1980’s, they had guards at the doors who were there to prevent you from walking out the door with this type of information. I can’t imagine how they must be freaking out over trying to deal with this sort of potential information leak. At that time, the NSA would only search your briefcase/bag, and not your person, when you entered a facility. I’ve got to imagine that they’re doing body cavity searches by this point. In one way I hope they are, in another, it’s a discomforting thought.


RSS feed | Trackback URI

Comments »

No comments yet.

Name (required)
E-mail (required - never shown publicly)
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> in your comment.