1. Field of the Invention
The present invention relates to the field of system communication auditing, and in particular to overt and covert communication channel traffic auditing and controlling.
2. Background Art
Communication systems, such as a computer network, often provide the capability to send messages between computers, between users, or between systems, to share resources, and to provide remote access to users. Communications systems are subject to various levels of security. For example, there may be a password required to be an active user on the communication system. There may be restrictions on certain types of data transfers between users. There may be different classes of users with different permissions to use the communication system. Messages may be encrypted so that only authorized users can read the messages. The rules and restrictions of a communications system are referred to here as the system's security policy. A problem with current communications systems is an inability to recognize and prevent certain types of misuse of the system that violate the system security policy. Another problem with current communications systems is an inability to quantify system parameters such as data traffic, timing, storage, and other performance indicators.
A communication system can be said to be made up of "overt" and "covert" channels. A channel is a communication path in the communication system. For example, in a computer network, the conducting medium that connects two computers together (e.g. twisted pair, ethernet, token ring network, etc.) is a physical channel. An overt channel is a logical communication path that is intended to be part of the communication system (e.g. the conducting medium). A covert channel is a communication channel that allows the transfer of information in a manner that violates or breaches the system's security policy.
When someone attempts to circumvent or disobey the security policy of a system, it is said that the communications system is under "attack". The person attacking the system is referred to as an intruder, a malevolent user, a hacker, or simply as an unauthorized user. The communication of an attacker is referred to as an illicit communication.
An example of one way that an attacker uses a covert channel for illicit communication is to attempt to use the presence or absence of messages to encode information. Another method is to use the number of messages exchanged to encode information. The attacker could also have the timing of messages, the identity of the sender or receiver, or the size of the message represent information. If it is possible for an attacker to utilize a system to communicate information as described in the above and like examples, it is said that a covert communication channel exists.
By way of background, attacks on a communication system are either active attacks or passive attacks. Active attacks on a communication system may result in unauthorized information release or modification or denial of resources. That is, the attacker actually accesses the network to send false information or to obtain information in violation of the security policy. The security of an overt communication channel can be compromised in an active attack when an intruder taps into a communication system or network and discards or delays all communication packets going in one or both directions. Thus, a node or a group of nodes that are completely cut off from the rest of the system by the intruder has no way of determining when the next packets should be arriving from its correspondent peer entity.
In a passive attack, the intruder simply releases the contents of a message or mounts a traffic analysis attack to infer user behavior or exploit covert channels. That is, as described above, the presence, timing, size, and/or addressees of data transfers represent traffic characteristics that can be used to communicate using a covert channel.
Covert channels in computer systems are generally classified into two categories, storage and timing covert channels. Covert storage channels involve the direct or indirect modification of a storage location by one process (the sender of a covert message) and the direct or indirect reading of that location by another process (the receiver of the covert message). Covert timing channels are exploited when the sender process modulates the use of its own resources in a manner that affects the response time observed by the receiver process. In both cases, for a covert channel to exist, the sender and receiver must share some common computational resource.
A potential system hacker, attacker, or malevolent user may attempt to eavesdrop on the system by establishing a passive monitoring system and gathering information by inference or analyzing the system traffic. For example, by observing either the volume of communication between a source and a destination or the overall communication volume among nodes in the system, an eavesdropper can gain some insight into the behavioral patterns of the system users. Using the insight thus gained, the malevolent user can exploit the system covert channels by collaborating with another malevolent user or a willing accomplice.
Some examples of covert channels can be found in "Transmission Schedules To Prevent Traffic Analysis," 9th Annual Computer Security and Applications Conference, 1993, Orlando, Fla., B. R. Venkatraman and R. E. Newman-Wolfe, incorporated herein by reference.
A typical transmission system and a scheme for using it covertly are illustrated in FIGS. 1, 2 and 3. FIG. 1 shows a slotted time packet transmission system. A slot is the basic time unit during which a given node may send or receive at most one packet. If at most one node of a total of n nodes can transmit per slot, then n(n-1) slots are needed to complete a transmission between all nodes in the system. If all n nodes can transmit in a slot, then at most n slots are needed. In general, therefore, between n and n(n-1) slots are needed, depending on how many nodes may transmit concurrently.
Referring to FIG. 1, a period is a set of successive slots during which one phase of the transmission schedule is carried out. In this model, a period consists of n(n-1) active slots and m idle slots, if n(n-1) slots are needed to complete one phase of a transmission schedule. A cycle is a set of successive periods.
A covert channel due to transmission frequency can exist in a system such as shown in FIG. 1. FIG. 2 shows an example of a covert channel due to transmission frequency. Referring to FIG. 2, if a user on node i communicates with another user on node j more frequently than he does with other nodes in the system, or exchanges packets with the node at a predetermined frequency, then a covert channel could exist. For example, the user at node i and j could encode some information in the frequency of communication between them. Users may seem to be conducting normal and non-covert communication if only overt channels are monitored. However, the users may be exchanging information surreptitiously in unmonitored covert channels by timing the communication.
In FIG. 2, information can be encoded by timing the transmission of packets. In this case, by computing the interarrival times, i.e., the time interval between the previous message and the current message, the intruder and an accomplice can succeed in creating a covert channel.
Even if the average frequency is held constant by equal volume restrictions and each node agrees to send exactly one packet to every other node per period, the position within the period of the packet transmitted to a particular node could still carry information, i.e., by pulse position modulation. The bandwidth of this covert channel could be as large as log(n(n-1)) ≈ 2 log n bits per period (base-2 logarithms).
FIG. 3 is an example of a covert channel using transmission order. In FIG. 3, a node in the system sends a packet to node A followed by a packet to node B to encode "1", and the reverse order (BA) to encode "0". If the intruder and his accomplice(s) can control the transmission order in k nodes, then k! transmission orders are possible. Thus, the bandwidth of this covert channel could be as large as log(k!) ≥ (k/2) log k bits per period. In this case, the intruder and his accomplice have encoded information by transmitting packets in a predetermined order so that they can communicate between themselves and with other nodes in the system.
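The three channels of FIGS. 2 and 3 (interarrival timing, pulse position within a period, and transmission order), written out as encoder/decoder pairs together with the capacity bounds stated above. This is an added example and not part of the patent text; the slot/period model and all names are my assumptions: n nodes, a period of n(n-1) active slots numbered from 0, one packet per ordered pair per period, and a destination alphabet whose order both parties have agreed on.

```python
"""Added example, not part of the patent text: the covert channels of
FIGS. 2 and 3 as encoder/decoder pairs, with the capacity bounds the
text states. Model and names are my assumptions: n nodes, a period of
n*(n-1) active slots numbered from 0, one packet per ordered pair per
period, base-2 logarithms throughout.
"""
from math import factorial, log2


# --- FIG. 2, interarrival timing: the gap to the previous packet is the symbol
def timing_encode(bits, start_slot=0, gap_for_zero=1, gap_for_one=2):
    """Return the slot numbers at which to send so that each gap encodes a bit."""
    times = [start_slot]
    for bit in bits:
        times.append(times[-1] + (gap_for_one if bit else gap_for_zero))
    return times


def timing_decode(times, gap_for_zero=1, gap_for_one=2):
    """Recover the bits from observed send times by computing interarrival gaps."""
    bits = []
    for prev, cur in zip(times, times[1:]):
        gap = cur - prev
        if gap == gap_for_one:
            bits.append(1)
        elif gap == gap_for_zero:
            bits.append(0)
        else:
            raise ValueError(f"gap {gap} is not a valid symbol (noise or lost packet)")
    return bits


# --- Pulse position: WHICH slot of the period the one permitted packet occupies
def ppm_capacity_bits(n):
    """log(n(n-1)) ~ 2 log n bits per period."""
    return log2(n * (n - 1))


def ppm_encode(symbol, n):
    """Slot index (0 .. n(n-1)-1) within the period that carries `symbol`."""
    slots = n * (n - 1)
    if not 0 <= symbol < slots:
        raise ValueError(f"symbol must be in [0, {slots})")
    return symbol


def ppm_decode(slot_index, n):
    """The observed position is the symbol; positions outside the period are rejected."""
    return ppm_encode(slot_index, n)


# --- FIG. 3, transmission order: which of the k! orderings of k destinations
def order_capacity_bits(k):
    """log(k!) >= (k/2) log k bits per period."""
    return log2(factorial(k))


def order_encode(symbol, alphabet):
    """Map symbol in [0, k!) to an ordering of `alphabet` (k destinations) using
    the factorial number system. With alphabet ['B', 'A'], symbol 1 -> ['A', 'B']
    and symbol 0 -> ['B', 'A'], matching FIG. 3 (AB = "1", BA = "0")."""
    pool = list(alphabet)
    k = len(pool)
    if not 0 <= symbol < factorial(k):
        raise ValueError(f"symbol must be in [0, {factorial(k)})")
    order = []
    for remaining in range(k, 0, -1):
        digit, symbol = divmod(symbol, factorial(remaining - 1))
        order.append(pool.pop(digit))
    return order


def order_decode(order, alphabet):
    """Inverse of order_encode: rank the observed ordering against the alphabet."""
    pool = list(alphabet)
    symbol = 0
    for position, dest in enumerate(order):
        digit = pool.index(dest)
        symbol += digit * factorial(len(order) - 1 - position)
        pool.pop(digit)
    return symbol


if __name__ == "__main__":
    # Constructed demonstration: 4 nodes, covert pair sends bits 1,0,1 by timing.
    print(timing_decode(timing_encode([1, 0, 1])))
    print(ppm_capacity_bits(4), order_capacity_bits(4))
    print(order_encode(1, ["B", "A"]), order_decode(["A", "B"], ["B", "A"]))
```

The timing decoder raises on a gap outside the agreed alphabet rather than guessing, which is the noise behaviour a real covert receiver has to tolerate; the order encoder generalises FIG. 3's two-destination case to any k destinations, which is where the log(k!) bound comes from.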
Thus, an intruder may deduce important information from the mere presence of message traffic in a communication system. This information, then, may be used to extract or infer information on the activity or intentions of unsuspecting system members, or to provide a covert channel for communication between an intruder and an accomplice in the system. A secure communication system needs to be designed to prevent traffic analysis, and to prevent subsequent creation or exploitation of network covert channels. Countermeasures need to be implemented to prevent traffic analysis and mask the amount and nature of traffic between origin-destination pairs within the system.
The two basic approaches to communication security are (1) link-oriented security measures, which provide security by protecting message traffic independently on each communication link, and (2) end-to-end security measures, which provide protection for each message from its source to destination.
In a system employing link-oriented measures, encryption is performed independently on each communication link. A link-to-link security mechanism, however, requires that the source, destination, and all intermediate nodes be physically secure. If a single node becomes corrupt and cooperates with a potential attacker, the message traffic passing through that node is exposed in the clear.
End-to-end security mechanisms do not suffer from the problems of link-to-link mechanisms. However, end-to-end security mechanisms cannot mask traffic patterns and thus cannot prevent all traffic analysis.
Covert channels can be eliminated by avoiding resource sharing, but this is often impractical. There are, however, a few mechanisms that can be used to achieve protection beyond simple encryption and to prevent traffic analysis, thereby reducing the bandwidth of covert channels, if not eliminating them. In a "No Idle Slots" scheme, the system is driven at the full capacity allowed by the protocol, so that idle slots are completely eliminated and with them the covert channels that depend on the presence, frequency, or timing of transmissions. The scheme is costly, however: when every slot of a period is used, the volume of true traffic may be only a fraction of the capacity consumed, the remainder being padding.
In a "Capacity Limitation" scheme, the times at which the scheduling policy can respond to variations in the load are restricted to cycle boundaries. Since the cycle length is considerably longer than the period length, the nodes must buffer all packets generated by additional load within the current cycle and dispatch them at the usual rate; the period characteristics cannot change until a new cycle begins. Thus, a user trying to create a covert channel by modulating load sees no effect on the transmitted schedule within a cycle, and since the cycle boundaries are far apart, the bandwidth of the remaining covert channel is considerably reduced and the channel is noisy. The capacity limitation scheme can, however, introduce severe queuing delays and adversely affect Quality of Service (QOS) requirements.
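The two countermeasures above, simulated on the slotted schedule of FIG. 1, as an added example that is not part of the patent text. The model and all names are my assumptions: n nodes, a period holding rates[(i, j)] slots for each ordered pair (exactly one per pair under "No Idle Slots"), a cycle of periods_per_cycle periods, per-pair rates that can change only at a cycle boundary, and DUMMY padding packets that an observer cannot tell from real ones (encrypted, fixed size). The constructed scenario has one node trying to signal by bursting traffic mid-cycle.

```python
"""Added example, not part of the patent text: the "No Idle Slots" and
"Capacity Limitation" schemes on a slotted schedule. Model and names are my
assumptions: n nodes; a period holds rates[(i, j)] slots per ordered pair
(one per pair under No Idle Slots); a cycle is periods_per_cycle periods;
rates change only at a cycle boundary; DUMMY packets are assumed
indistinguishable from real ones on the wire.
"""
from collections import deque

DUMMY = "dummy"


def all_pairs(n):
    return [(i, j) for i in range(n) for j in range(n) if i != j]


def make_queues(n):
    """One FIFO of pending payloads per ordered pair."""
    return {pair: deque() for pair in all_pairs(n)}


def observed_profile(schedule):
    """What a passive observer learns from a period: packets per ordered pair."""
    counts = {}
    for i, j, _payload in schedule:
        counts[(i, j)] = counts.get((i, j), 0) + 1
    return counts


def no_idle_slots_period(n, queues):
    """Every pair sends exactly one packet per period; pad with DUMMY when the
    pair has nothing to send. Returns (schedule, padding_fraction); the
    fraction is the cost the text warns about."""
    schedule, padded = [], 0
    for i, j in all_pairs(n):
        q = queues[(i, j)]
        if q:
            schedule.append((i, j, q.popleft()))
        else:
            schedule.append((i, j, DUMMY))
            padded += 1
    return schedule, padded / (n * (n - 1))


def renegotiate_rates(n, queues, periods_per_cycle, max_rate):
    """Capacity Limitation: the ONLY point at which load may alter the schedule.
    Each pair gets enough slots per period to drain its current backlog over
    the coming cycle, clamped to [1, max_rate]."""
    rates = {}
    for pair in all_pairs(n):
        needed = -(-len(queues[pair]) // periods_per_cycle)  # ceiling division
        rates[pair] = min(max_rate, max(1, needed))
    return rates


def run_cycle(n, queues, rates, periods_per_cycle, arrivals=None):
    """Run one cycle at fixed per-pair rates. `arrivals` maps a period index to
    (pair, payload) items that become ready in that period; they are buffered
    and drained at the fixed rate, never sent early. Returns one observed
    profile per period."""
    arrivals = arrivals or {}
    profiles = []
    for period in range(periods_per_cycle):
        for pair, payload in arrivals.get(period, []):
            queues[pair].append(payload)
        schedule = []
        for i, j in all_pairs(n):
            q = queues[(i, j)]
            for _slot in range(rates[(i, j)]):
                schedule.append((i, j, q.popleft() if q else DUMMY))
        profiles.append(observed_profile(schedule))
    return profiles


if __name__ == "__main__":
    # Constructed scenario: node 0 tries to signal node 1 by bursting 10
    # packets in period 1 of a 4-period cycle on a 3-node system.
    queues = make_queues(3)
    rates = renegotiate_rates(3, queues, 4, max_rate=3)
    burst = {1: [((0, 1), f"covert-{k}") for k in range(10)]}
    profiles = run_cycle(3, queues, rates, 4, burst)
    print("identical profile every period:", all(p == profiles[0] for p in profiles))
    print("backlog carried to next cycle:", len(queues[(0, 1)]))
    print("rate granted at next boundary:", renegotiate_rates(3, queues, 4, 3)[(0, 1)])
```

Within the cycle the burst changes nothing an observer can see; it only changes the rate granted at the next boundary, which is why the residual channel has at most one symbol per cycle and why the queuing delay grows with the cycle length.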