Chapter 5 Hidden Channel
There may be hidden channels in the operating system, database system, network, and distributed database management system. The operating system is in the bottom of the computer system. Its security is the basis of all security in the system, that is, the security issue of the operating system is The core of all security issues) The research on hidden channels abroad has been quite in-depth and extensive. Domestic due to technical restrictions (mostly developed foreign countries, there is no source code), so in-depth research is more difficult.
It is because there is little unit in China to develop large operating systems and database management systems, but also do not have to detect and prove the safety of their system, do not need to block hidden channels or reduce hidden bandwidth work, because of the source code Detailed description of system design. However, actually as a user of the operating system, especially those with safety responsibility, should also be concerned about the problem of hidden channels, because they should at least have a full understanding of the security of their work platform, choose a secure system to prevent The damage caused by the system security is damaged. What's more, you have to develop your own secure computer system in China, but also face the challenge of hidden channels. Therefore, it is necessary to study the hidden passage.
The concept of hidden passage is formed in the early 1970s. The study of hidden passages in the 1980s has received extensive attention from the computer security community. The DOD "Trusted Computer System Evaluation Guidelines" (TCSEC) incorporates the restrictions and analysis of hidden channels into the security computer system. The standard.
First, the definition of hidden channel
Safety? ? And the safety agency gives a variety of definitions of hidden channels from different angles, but its substantial meaning is the same, listing the most important ways:
B.W.Lampson is given
Definition 1: Hidden channel refers to the channel that violates the attention of the designer and is used to communicate.
TCSec definition
Definition 2: The hidden channel is a communication channel, which makes a process to violate information in violation of the system security policy.
NCSCC (National Computer Security Center) definition
Definition 3: Given a non-autonomous security policy model M and it implements communication between the two main body I (Si) and I (SJ) in the I (M) in one operating system is hidden And when communication between the two main body Si and Sj in the model m is illegal.
These definitions are described:
1. The hidden passage is a channel that can be transmitted, but it is not a channel for the system designer design industry.
2. Since it is not designed to transmit information channels, the system security policy (mainly refers to non-autonomous security policies), without controlling such channels.
3. Since there is no security control, this channel can be utilized to transmit information in a manner that violates security policies.
If a system does not implement forced access control, any two users (as long as they are willing) can be legally transmitted, and do not need to be transmitted secretly by hidden channels, so the system with hidden channels actually takes certain safety. Measures, especially systems for enforce access control. When the information of the user's transmission information is not open, the hidden channel is meaningful.
In short, hidden channel is a communication channel, but it is not a channel for the design of the system designer to communicate, so it can bypass the inspection of the system forced safety mechanism, so that the process can transmit information in violation of the system security policy. Thus a big threat to the safety of computer systems.
Therefore, for a given system to determine the hazard of system security, take some corresponding measures to reduce the harm caused by hidden channels, which is an indispensable manager or developer who has safety responsibility for computer systems. .
In the study of hidden channels, first encounter a problem is the identification of hidden channels, how to search for hidden channels in the system.
1 The identification method of the simplest hidden channel is to analyze the hidden channels of the target operating system than the typical hidden paths of other systems (such as other operating systems). However, this analytical method cannot find all possible hidden channels, and cannot discover the hidden path of the target system. 2 To fully analyze the hidden passage, you must analyze the formal formula and source code of the system. However, the analysis source code has been greatly working, and some automation tools have been developed abroad, and the formal manual or source code has been developed to identify hidden channels. But we can't get it.
Second, the hidden pass
Example 1: The earliest was also found is the most classic hidden passage is the disk shifting channel, which is found in the KVM / 370 system in 1977.
Assuming that there are H and Ls in the system, the security level of the H is higher than the security level. H hidden with Trojan Trojan attempts to disclose information to the pryer L, but according to the strategy of forced access control, the information cannot be accessed by H, so h does not dare to transfer information directly to L, and also worry about the supervision of the audit, so H and L seek to use the system's security vulnerability, use the legal means to leak information on the surface.
L Open a file directory belonging to his own, H. Power with this directory, assume that the disk is from 51 tracks to the 59th track belongs to this directory, H, and L, follow the following agreed:
1. L Request to read the track 55 (after this request is completed, release the CPU);
2. H requests a track 53 (send "
0
"
) Or read track 57 (send "
1
"
(After the request is completed, release the CPU immediately);
3. L At the same time, the track 51 and the track 59 are requested to observe the order of the two requests to complete to determine the information sent by the H. If the access track 51 is completed, then l Confirmed received "
0
"
, Reverse, L confirmed to receive "
1
"
.
The above operation can be transferred between H and Ls. (Of course, I have to take certain synchronization measures)
H read tacho 57,
Then L-read track 59 is completed first
51
(53)
555
57
599
Pass
51
53
555
(57)
599
Pass
H read tacho 53,
Then L-read track 51 is completed first
The reason for this hidden passage is that the system supports different security-level users shared resources (in this case, shared disk space). The direct cause of this hidden passage is
KVM / 370
The read and write optimization strategy - evaporation algorithm (elevator algorithm) adopted. This algorithm guarantees priority
/
Writing the track in front of the movement direction of the magnetic arm.
However, this strategy satisfies a condition that provides a variable that can be used to store information - the moving direction of the magnetic arm (the magnetic arm represents 0, and it represents 1), and the state of this variable can be The high security stage is changed and observed by a low security stage.
Almost all operating systems have disk read and write optimization strategies that control magnetic arms move, which often generate some state variables that can be utilized by hidden channels.
1. Can I generate hidden channels with the status of shared system resources? ?
Example 2. The CPU is a system resource that can be utilized, can be shared by multiple users, and there are H and Ls two processes, H's security level is higher than L, H. Hi contains Trojan S, attempt to pass the information to L. They agree that a range of space points T1, T1, T1, ... (at least two CPU schedules are allowed).
L Request to use the CPU at each point in time, and h at each time point, if you want to send 0, the CPU is not requested; if you want to send 1, request to use the CPU (assuming H's priority than L). So, at each time point, L If you can get the right of the CPU immediately, you can confirm that you receive 0. If you want to wait, you will confirm that the received 1 is received, this hidden passage is called "time S (h) sender
L sender
××
××
××
××
××
××
1
1
0
0
T1
T2
T3
T4
T5
......
......
......
Slice interval time hidden passage ", its process is shown below:
Example 3 Printer coupling hidden channel
The S and R is set to Trojan and the peekeeper, and S is higher than R.
Whenever S is to transmit "0", check if you have been connected to the printer, do not connect the printer, release the join.
Whenever S is to transmit "1", check if you have connected the printer and join the printer.
So, r is trying to join the printer. If he can connect, it will confirm that "0" is received; otherwise, confirm that "1" is received.
Of course, S and R should be processed by appropriate synchronization (such as R to "1", immediately release the printer immediately), can transfer continuous bits between S and R.
The common feature of Example 2 and Example 3 is to transmit information using the system that can be shared in the system but can only be used exclusive system resource. It is pointed out in some definitions:
Defining a four-hidden channel refers to the storage of the status of the description resource in a variable and passing these variables to transmit information.
2. By judging if the object is present, you can also generate hidden channels.
Example 4 Directory Structure Hidden Channel
In the Red Hat Linux system, the system is divided into three categories: reading, writing, executive, directory is also a file. For the catalog, read the user can read the directory list, which means that the user can establish or delete files in this directory, means that the user is allowed to switch from the parent directory of the directory to the directory. It can only be deleted only when the content in a directory is empty.
Suppose there is user H, L, H user security in the system is safe than l, and H users have built a directory D, and L is authorized to write and execute.
L In the program of Trojm Horse Stermus into User H, the Trojan Martial Art of Trojan is disclosed to L, which is as follows:
(1) If the sender S is to pass 0, the directory D is built in the directory D; if you want to pass 1, then delete the directory D1.
(2) Receiver L tries to establish a directory D1. If it is successful, it is confirmed that the received 1 (R must be deleted immediately); if it fails, it will be confirmed to receive 0.
D1
Di
Send "0" and establish D1 failed
Di
Send "0" and establish D1 failed
(3)
After appropriate synchronization, transfer
(1)
Transfer the next bit.
3. Use the system's management mechanism to generate hidden channels
Example 5 Procedures Hidden Track Process Number (PID) is the only symbol of the logo process in the system, in many operating systems (such as
3. Use the system's management mechanism to generate hidden channels
Example 5 processes hidden
The process number (PID) is the unique symbol of the system's flag process. In many operating systems (such as Red Hat Linux), the process number is used to manage the process number, the process number of the new process is the process number of the previous process. Based on the basis, this management mechanism using the system can also generate hidden channels, and the operation procedure is as follows:
1 The receiver creates a child process and ends it immediately, record its process number; 2 sending party
0
"
, Then don't do anything, if you send "
1
"
Built a child process and end it immediately;
3 The receiver builds a child process and ends it immediately, record its process number, if the new process number is different from the previous process number, then confirm that the receipt
0
"
If the new process number is different from the last process number, it is confirmed that ""
1
"
;
4 Do a good job, transfer to 2, transfer the next bit.
The transfer process is shown in the next flow chart.
Receiving and receiving receiving
P1 P2 P3 P4 P5 P6 P7
Transfer information 1 0 1 0
E.g:
Its transmission process is represented by the following flowchart:
Create a child process P1
Hazel intends to send information
Confirm that "0"
No
Create a child process PJ
Compare PI and P1 or
Compare the current PI with the previous PI-1
Create a child process Pi
Confirm that "1" received
Send "0"
Send "1"
Process number 1
Process number 2
Accumulation
Send a party
Accumulation
example
4
,example
5
Reflect the meaning of hidden channels:
Defining a five-hidden channel refers to the use of resource allocation policies and resource management methods. There should be as follows:
1 The existence of hidden channel does not mean that the system is safe, and in a system without enforcing access control, there is no difference between the security level, and any two users can be legally transmitted. Information can be implemented by a clear channel. Therefore, there is a system with hidden channels that actually take a certain security measures.
2 The formation of hidden channels often depends on the side effects of certain resource allocation strategies and resource management methods in the system, but this does not mean that these strategies and methods are wrong. The performance and efficiency of the system are important objectives that system designers must pursue. . The contradiction between safety and efficiency and performance is objectively existing, and the appropriate balance point is to be found, and all security vulnerabilities are blocked without affecting efficiency and performance (at least less influence).
3 Despite the acceptance of the passage, the peer is illegal, but the operation itself is legal.
4 One of the most important causes of hidden channels is shared system resources between users of different security levels, so there is a state variable that can be modified by high security-level users and low security-level users.
Third, the classification of hidden channels
The hidden passage is usually divided into storage hidden channels and time hidden channels.
The storage implicit channel is the two communication process of the hidden channel, and one process is written directly or indirectly, while the other process is directly or indirectly read the result of the memory cell.
Time-hidden channels refers to a process of process to system performance. It can be observed by another process and can be measured using a time baseline, or refers to the channel of information using events.
For example, the disk army hidden channel can be considered as a storage hidden passage because the transmission process modifies the direction of the magnetic arm, and the receiving program can observe the result of its modification.
The printer coupled channel can also be seen as a storage hidden passage, the sending process allows the printer to be "busy" or "idle" state to make the reception process observed.
Directory structural hidden channels can also be considered as a storage hidden channel, a transmission process creation or deleting a directory, and the receiving process can indirectly observe if the directory exists.
The process number hidden channel can also be seen as a storage hidden passage, whether the sending process takes up the current process number, and the receiving process can be indirectly observed.
These examples can be seen as a state variable, the transmission process writes it, and the process is read to observe the result of the former write.
For example, the hidden passage of the CPU used in Example 2 can be regarded as a time hidden passage. Since the transmission process H can be observed by l, and can be measured every other time slice using the clock.
Time-hidden channel emphasizes a real-time clock or a clock timer or other timing baseline that can test time, which enables the receiving process to calculate the relative time between the two successive events, while the storage hidden passage does not require a clock or timer. . Another direct way to eliminate time hidden channel is to revoke the access to the clock, and when there is no time reference reference, the time cannot work. However, this does not completely eliminate the time hidden passage. Even if the reception process cannot directly access the clock, it still has a way to determine the time interval. For example, if a user enters a string at the speed of 10 characters per second, the process can get a time counter in 0.1 seconds, and each time a character will illustrate the past 0.1 seconds. In multiprocessor systems, one process can determine time intervals for another process using a loop number of cyclic programs.
This classification method, foreign and domestic articles have been put forward in foreign countries, and its main opinion is that some hidden channels can be a storage hidden passage or a time hidden channel, so it is recommended to read / read / read / Write and perform measurements at time as the properties of hidden channels. A hobby channel can have both attributes. In fact, from the previous definition four, it can be seen that the storage variable describing the resource status is the composition element of hidden channels, whether the storage hidden channel or the time hidden passage must use the resource status variable to encode information.
On this basis, each proposes some classification methods, such as: China proposes "direct" hidden pass and "process" hidden channel. "Direct" - Influe the information disclosed by the channel, direct manifestation on the output device; "Process" - the recipient of the information is the process.
For example, some people have proposed "Operation Request Refused" and "Operation Request Delay". The former - Receive process is rejected (two states: rejection, execution), the latter - Receive process is delayed (depending on the delay time, the feature of the time hidden channel).
This will not be discussed in detail below. Examples are given below to indicate the characteristics of the storage hidden channel.
For example, for the previous disk army hidden path to achieve a short improvement:
1. L Request to read 55 tracks;
2. H requests reading 51 track (zero 0) or request reading 59 track (pass 1);
3. L Request to read the 52 track and measure its completion time t, if the wait time is less than a certain value (this value is determined in advance), then confirm that it receives 0, otherwise it will be confirmed to receive 1.
51 52 55 59
as the picture shows:
Obviously the magnetic arm moves from 59 tracks to 52 tracks than moving from 51 tracks to 52 tracks.
The above example is still in the direction of the magnetic arm, is made of low-direction, or by high-point low, but it must rely on a clock or a top time based, and this is the time hidden channel The most important feature.
For example, for the aforementioned disk shift, the operation process does not make any modifications, only? ?
For example, modify the directory structure hidden channel as follows:
S (sender)
R (Receiver)
failure
D1
D1
failure
0
1
1
0
......
......
......
T1 T1 ΔT
T2 T2 ΔT
T3 T3 ΔT
T4 T4 ΔT
T5
D1
D1
Then it has become a time hidden channel because the recipient must rely on a clock to measure the result of the event.
The above example illustrates that the general storage hidden passage can be converted to a time hidden passage, can it be transformed into a storage hidden channel? If you can transform each other, we only need to study and analyze a type, simplify our research. From now on, people think that the search, analysis, and restrictions on time hidden channels are more difficult. If the two can transform each other, the research of the time hidden passage can be transformed into the storage hidden passage.
Fourth, the bandwidth of hidden channels
It means that the information is transmitted by hidden channels, and the calculation of hidden channel bandwidth is one of the main contents of hidden channel analysis. Because of the way to deal with hidden belt, the implicit passage is first eliminated, and when the hidden passage cannot be completely eliminated, the bandwidth of the hidden channel must be restricted, because the bandwidth is, the more information leaked within the unit time, the safer security The greater the sexual threat. Generally, the threat of hidden tract is measured by calculating the maximum width of the hidden passage.
According to TESEC's suggestion, the bandwidth of hidden channels reaches 1 bits / sec, it is necessary to pay attention to the bandwidth of 100 bits / sec, and the corresponding processing measures must be taken.
The bandwidth affecting the hidden passage has the following factors:
1 noise
Noise refers to in a multi-user system, in addition to the receipt / send process of hidden channels, there are many other processes running because they compete with all kinds of system resources with receipt / send processes, so they can significantly reduce hidden channels. Efficiency, thus reducing the bandwidth of the hidden passage.
The noise depends on the scheduling policy of multi-user system and the system at that time, so this impact is random and cannot be determined. There is a literature that sometimes these interference processes may reduce 75% of the hidden channel bandwidth (this effect is very different).
Based on this, we may reduce the bandwidth of the hidden channel to a certain security threshold by adding noise between the system.
2 encoding
What method encoding is employed when the transmission information is transmitted during transmission information, often change the bandwidth of the hidden passage.
For example, when the time flows from 0 and the transmission 1, if it is assumed that the time of passing the time is much longer than the time of transmission 0, if 0010 replaces 111, the number of information in information can be reduced. Thereby increasing the transmission rate of information (specific encoding method, to make the closing can be identified, and restore the original information, this is not discussed in detail) to obtain maximum bandwidth.
If the transmission of 0 and the transmission 1 is approaching, the coding technology has no effect on the bandwidth.
When we analyze the maximum bandwidth of hidden channels, we want to analyze the characteristics of the hidden passage to estimate the coding method that the enemy may take to obtain its maximum bandwidth.
3 Many factors in the process of hidden channel implementation
In a system, multiple primitives can be utilized to implement the same hidden channel, but these primitives may be substantially different, which affects the bandwidth.
As another example, every time a bit transmitted in the hidden channel is switched between the transmission process and the receiving process, the length of time spent on the handover is influential to the bandwidth of the hidden belt. If two processes are attempted to convert controls between them, control may be forwarded to other processes waiting for operation in the system, thus causing time delay.
Another example, the synchronization between the sender and the recipient may also cause a delay to reduce bandwidth.
In order to calculate the maximum bandwidth of the hidden passage, we often assume that only two processes are received / sent in the system.
4 Influence of system configuration
Such as:
. The speed of hardware devices in the system (such as hard disk, memory, and CPU)
. The capacity of the device in the system (such as memory size, buffer size, etc.)
5. Prevention and treatment of hidden channels
1 search hidden channel
What is existence in the system, which hidden channels should be clear (more difficult to do this work).
2 eliminate hidden channels
The normal function of hidden channel uses the system, and through legal operations to achieve illegal delivery information, there is a certain difficulty to clear the hidden channel. As mentioned earlier, an important reason for hidden channels is to share system resources between users of different security levels (such as disk, CPU, memory, printer, process number, etc.), which makes high security-level users to use system resources. Low security-level users observed. Therefore, one possible way to eliminate hidden channels is to limit resource sharing between processes, especially between the same entity, but this may bring some resource idle, which greatly reduces the efficiency of use efficiency, and needs to seek Two full and beautiful methods or appropriate compromise
3 limit bandwidth
If you don't completely eliminate hidden channels, you must find ways to limit its bandwidth, limit bandwidth to the permitted range to satisfy security requirements.
The method for limiting the bandwidth is intentionally introduced into the noise, and intends to introduce the work of the external process to interruption / hair process, so that the time is delayed.
4 audit
The audit is an effective means to stop and scare all illegal operations. But for the hidden road that has not been discovered, the audit is no effect, because the primitives and operations of hidden channels are legal, do not violate the safety rules, only after confirming an hidden passage, there may be Targeted audit.
The information that should be recorded: 1 hidden passage; 2 sender and recipient's identity; 3 transmitted information.
