Thursday, August 28, 2008


Covert channels

Because I’ve just written a short section about covert channels for a conference paper, I thought I’d do a related blog post here — I think it might be at least somewhat interesting even to the less-technical readers, and I haven’t had a serious computer technology post for a while.

A covert channel is a communication path (a channel) that’s layered on another communication path so as to send information in a hidden way, usually in a manner in which the main channel isn’t meant to be used. Covert channels are typically used either to steal communication resources or to send forbidden information — such as sending classified information to an uncleared recipient (as spies do).

Some examples will make things clearer. Perhaps some of you will remember hearing about a claim from the 1950s about subliminal advertising, wherein flashing a single frame of “Drink Coca-Cola!” on a movie screen would increase the sales at the concession stand, while being imperceptible to the viewers. The claim turned out to be fraudulent, but it’s an example of the type of thing we’re talking about. In this case, it’s recognizing that if we “steal” a little from the 24 frames per second of a film, we can send “information” that’s not part of the film without reducing the effectiveness of the primary channel (the actual film) to the point that it’ll be noticed and stopped.

In that example, we’re stealing a bit of bandwidth and using it in a similar, but not identical, manner to the main channel: we’re sending video frames, though the main channel is sending related frames that are meant to be viewed in sequence, while the covert channel (the subliminal ads) uses individual, independent frames.

Often, we’ll “misuse” some aspect of the main channel in order to create a covert channel. We’ve probably seen spy stories in which bits of a photograph are altered in order to hide information in them, or where text is altered in some subtle way — certain serifs are turned on or off according to a prearranged code.

Not surprisingly, computers make it easier than ever to exploit covert channels. No one need tediously code microdots onto a photograph, nor splice extra frames into 35mm film; it’s all done digitally. Twiddling the bits of a photo from my trip to Ireland to hide the message, “Meet at 21:30, usual place,” becomes quite easy when it’s all ones and zeroes.

Moreover, digital covert channels can be very hard to find, and even harder to shut down. The classic cases involve manipulating legitimate information in order to convey hidden information at such very low data rates — often on the order of a single bit every few seconds, or even as low as one bit per minute — that it’s nearly impossible to detect, and blocking it in general could cripple the main channel. What follows are some examples.

The Access Control Mechanism

Access control, in computer terms, means that the owner of some computer resource — a web page, for example — controls who can read (or modify, or delete) that resource. Anyone who can change the access controls on a set of web pages can use those access controls as a covert channel.

Suppose you and I arrange that you’ll start checking my blog at midnight tonight, and will re-check it every 30 seconds. And I will make my blog public to indicate a “1” bit, and private to indicate a “0” bit. As you wait to refresh the page, I change the setting or leave it unchanged, appropriately. This way, you retrieve one bit every 30 seconds, and eventually you’ll get a full message. Though it will certainly take some time to transmit much real data, we might know what situation we’re addressing, and we might have a prearranged code to make very few bits necessary.

As an alternative, we can set up a sequence, ahead of time, of certain blog posts. I can enable or disable comments on each of those posts, making each post represent one bit, and I can do that in advance of midnight. When you check in at 12, I can have over 1000 bits of information waiting for you.

The first example can be detected by noticing anomalous activity (it’s pretty unusual to alter a blog’s public/private status many times in a short period), and it can be mitigated by limiting the frequency of changes allowed. That has the consequence of limiting what I can do with my blog, but it’s unlikely to have any real effect on any legitimate use of the access controls.

But the second example is much harder to detect and to mitigate. It might perfectly well be reasonable for me to go back and disable comments in a bunch of old entries. Assuming that I normally have comments enabled, as I prepared my 1000-bit code that’s all I would appear to be doing. Even if an automated monitor flagged the activity, a human checking up on it would probably think everything was fine. And mitigating it by limiting the changes I could make or the number of entries a reader could look at in a short time would seriously affect legitimate use.
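The detection and mitigation described above for the first example (rapid public/private toggling), as an added sketch that is not part of the original post. The audit-event format, the thresholds, and the function names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: (ISO timestamp, blog id, new visibility).
# The event format is an assumption; a real platform logs this differently.
SAMPLE_EVENTS = [
    ("2008-08-28T00:00:00", "blog-a", "public"),
    ("2008-08-28T00:00:30", "blog-a", "private"),
    ("2008-08-28T00:01:30", "blog-a", "public"),
    ("2008-08-28T00:02:00", "blog-a", "private"),
    ("2008-08-28T00:02:30", "blog-a", "public"),
    ("2008-08-28T09:00:00", "blog-b", "private"),
    ("2008-08-29T17:00:00", "blog-b", "public"),
]

def flag_rapid_toggles(events, window=timedelta(minutes=10), max_changes=3):
    """Detection: return {blog: peak count} for blogs whose visibility
    changed more than max_changes times inside any sliding window."""
    recent = defaultdict(deque)   # blog -> timestamps still inside the window
    flagged = {}
    for ts, blog, _state in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent[blog]
        q.append(t)
        while t - q[0] > window:  # drop changes that fell out of the window
            q.popleft()
        if len(q) > max_changes:
            flagged[blog] = max(flagged.get(blog, 0), len(q))
    return flagged

def apply_change_limit(events, min_interval=timedelta(hours=1)):
    """Mitigation: accept a visibility change only if min_interval has
    passed since that blog's last accepted change."""
    last_accepted = {}
    accepted, rejected = [], []
    for ev in sorted(events):
        t, blog = datetime.fromisoformat(ev[0]), ev[1]
        if blog in last_accepted and t - last_accepted[blog] < min_interval:
            rejected.append(ev)   # too soon after the previous change
        else:
            last_accepted[blog] = t
            accepted.append(ev)
    return accepted, rejected

if __name__ == "__main__":
    print("flagged:", flag_rapid_toggles(SAMPLE_EVENTS))
    ok, blocked = apply_change_limit(SAMPLE_EVENTS)
    print(len(ok), "changes accepted,", len(blocked), "rejected")
```

Neither function helps with the second example: a one-time batch of comment settings on old posts produces no rapid repetition for the window to catch.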

The Timing Mechanism

If you and I are sharing a multi-user computer, I can make computer events happen in such a way that the timing of the events, rather than the events themselves, conveys the information. That sort of covert channel is almost impossible to detect in general, and pretty much impossible to block, short of revoking my access to the computer system (after the problem has been detected).

The Innocent Request Mechanism

As I browse the Internet, my web browser requests various web pages. I can easily write a “transmitter” program to mimic a web browser and to request web pages from your server, one after another, and the pattern of pages that I request forms the code. This can actually be quite a high-bandwidth channel, because a request for a particular web page can represent not just a bit, but a character, a word, or even a whole sentence or concept. With a single page request I can tell you whether the enemy is coming by land or by sea, if we’ve arranged that signal beforehand.

There’s no way to stop this one other than completely blocking my ability to send network requests, essentially disconnecting my computer from the network — a severe move, which would only be made if what I was doing was already known. And since this channel appears to be carrying normal web browsing, it’s unlikely that it would ever be detected.


The summary is that covert channels can’t be shut down completely, but a secure system requires a thorough covert-channel analysis. It’s a rare computer system that needs such concern, of course. And, while we used to worry more about this in the past, mostly, it’s pretty easy these days to carry gigabytes of information on a wafer so small that it’d be mistaken for pocket lint.

In other words, these days, the easiest covert channel is simply a well-hidden micro-SD card.

Which is, of course, one reason that DHS’s policy on searching laptops is so silly: the real Bad Guys will just get their information into the country in a way that DHS can’t detect, and the laptop seizures will only cause problems for the rest of us, who’ve done nothing wrong.

1 comment:

Catherine said...

I always find your posts interesting. Frequently I want to send you a hug! Sometimes your information scares me; for instance, "covert channels." I was not aware that they existed.