-
May 20th, 2005, 06:05 AM
#1
Junior Member
Pls explain Covert data channel
Can someone pls explain the concept behind covert storage channel in layman's terms for me?
-
May 20th, 2005, 06:15 AM
#2
Covert Channels
A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism or the mechanism has been successfully compromised. This type of information path is usually not used for communication; thus, the system does not properly protect this path because the developers never envisioned information being passed this way. For an entity to receive information in this manner violates the security policy of the system.
There are two types of covert channels: timing and storage. In a covert timing channel, one process relays information to another by modulating its use of system resources. The modulation of system resources can be accessing the hard drive, using excessive CPU cycles, or head placement on a hard drive track. For example, if one process wrote to the hard drive 30 times within 30 seconds, this could mean something to another process that is programmed to look for this type of activity. The second process watches out for this “signal” and once it receives it, the second process carries out whatever evil activity it is programmed to do. You can think of it as a type of Morse code, but with the use of some type of system resource.
A covert storage channel is when a process writes data to a storage location and another process directly, or indirectly, reads it. The problem occurs when the processes are at different security levels, and therefore not supposed to be sharing sensitive data. Maybe an attacker figures out that two processes with different trust levels can view the pagefile.sys file. Process 1 writes some type of confidential information to the pagefile.sys file, and process 2 reads it. This would go against the information flow of the system and directly negate the security policy.
The most common covert channel in use today is the Loki attack. This attack uses the ICMP protocol for communication purposes. This protocol was not developed to be used in this manner; it is only supposed to send status and error messages. But someone developed a tool (Loki) that will allow an attacker to write data right behind the ICMP header. This allows the attacker to communicate to another system through a covert channel. It is usually very successful because most firewalls are configured to allow ICMP traffic in and out of their environments. This is a covert channel because it is using something for communication purposes that was not developed for this type of communication functionality.
NOTE: An overt channel is a channel of communication that was developed specifically for communication purposes. Processes should be communicating through overt channels, not covert channels.
Source: PDF File
Html Format: http://64.233.187.104/search?q=cache...&hl=en&start=1
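On the monitoring side, data written "right behind the ICMP header" shows up as an echo payload that does not look like what a ping utility sends. The following is an added example, not part of the post above or of any tool it mentions; the two baseline payload patterns and all sample messages are constructed assumptions, and a real sensor would learn baselines from its own network.

```python
import struct

# Assumed baselines (constructed): payloads sent by common ping utilities.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte alphabet pattern
LINUX_TAIL = bytes(range(0x10, 0x38))               # follows a 16-byte timestamp

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Helper that builds sample ICMP echo messages for this example."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def inspect_echo(message: bytes) -> list[str]:
    """Return the reasons an ICMP echo message looks unlike ordinary ping traffic."""
    if len(message) < 8:
        return ["truncated ICMP header"]
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", message[:8])
    if icmp_type not in (0, 8):       # inspect only echo reply (0) and request (8)
        return []
    payload, reasons = message[8:], []
    if inet_checksum(message) != 0:   # a valid message checksums to zero
        reasons.append("bad checksum")
    if code != 0:
        reasons.append("non-zero code on echo message")
    known = payload == WINDOWS_PING or (
        len(payload) == 56 and payload[16:] == LINUX_TAIL)
    if payload and not known:
        reasons.append(f"payload ({len(payload)} bytes) matches no baseline ping pattern")
    return reasons

# Constructed sample messages: two ordinary pings and one carrying free-form data.
SAMPLES = {
    "windows ping": build_echo(1, 1, WINDOWS_PING),
    "linux ping": build_echo(0x1234, 7, bytes(16) + LINUX_TAIL),
    "data after header": build_echo(0x1234, 8, b"constructed non-ping data in echo payload"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {inspect_echo(msg) or 'looks like ordinary ping'}")
```

A firewall rule that simply permits ICMP never looks at these bytes, which is why payload inspection (or comparing each echo reply's payload with its request) is where this channel becomes visible.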
-
May 20th, 2005, 07:05 AM
#3
Junior Member
thanks mate