From 70eb26b9f5301b776e085f337b4a2346fc945efa Mon Sep 17 00:00:00 2001 From: Arthur Grisel-Davy Date: Wed, 28 Feb 2024 11:25:22 -0500 Subject: [PATCH] add pococha project --- pococha/bibliography.bib | 82 ++++++++++++++++++++ pococha/main.typ | 126 ++++++++++++++++++++++++++++++ pococha/template.typ | 164 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 372 insertions(+) create mode 100644 pococha/bibliography.bib create mode 100644 pococha/main.typ create mode 100644 pococha/template.typ diff --git a/pococha/bibliography.bib b/pococha/bibliography.bib new file mode 100644 index 0000000..545d179 --- /dev/null +++ b/pococha/bibliography.bib @@ -0,0 +1,82 @@ +@article{lampson_covertchannel, + author = {Lampson, Butler W.}, + title = {A Note on the Confinement Problem}, + year = {1973}, + issue_date = {Oct. 1973}, + publisher = {Association for Computing Machinery}, + address = {New York, NY, USA}, + volume = {16}, + number = {10}, + issn = {0001-0782}, + url = {https://doi.org/10.1145/362375.362389}, + doi = {10.1145/362375.362389}, + journal = {Commun. ACM}, + month = {oct}, + pages = {613–615}, + numpages = {3}, + keywords = {security, protection, leakage of data, proprietary program, confinement, privacy} +} + +@inproceedings{simmons1984prisoners, + title={The prisoners’ problem and the subliminal channel}, + author={Simmons, Gustavus J}, + booktitle={Advances in Cryptology: Proceedings of Crypto 83}, + pages={51--67}, + year={1984}, + organization={Springer} +} + +@ARTICLE{survey_zander, + author={Zander, Sebastian and Armitage, Grenville and Branch, Philip}, + journal={IEEE Communications Surveys & Tutorials}, + title={A survey of covert channels and countermeasures in computer network protocols}, + year={2007}, + volume={9}, + number={3}, + pages={44-57}, + doi={10.1109/COMST.2007.4317620} +} + +@article{betz2017survey, + title={Survey on covert channels in virtual machines and cloud computing}, + author={Betz, Johann and Westhoff, Dirk and M{\"u}ller, G{\"u}nter}, + journal={Transactions on Emerging Telecommunications Technologies}, + volume={28}, + number={6}, + pages={e3134}, + year={2017}, + publisher={Wiley Online Library} +} + +@INPROCEEDINGS{xled, + author={Guri, Mordechai and Zadov, Boris and Daidakulov, Andrey and Elovici, Yuval}, + booktitle={2018 16th Annual Conference on Privacy, Security and Trust (PST)}, + title={xLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs}, + year={2018}, + volume={}, + number={}, + pages={1-12}, + doi={10.1109/PST.2018.8514196} +} + +@INPROCEEDINGS{bitjabber, + author={Zhan, Zihao and Zhang, Zhenkai and Koutsoukos, Xenofon}, + booktitle={2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)}, + title={BitJabber: The World’s Fastest Electromagnetic Covert Channel}, + year={2020}, + volume={}, + number={}, + pages={35-45}, + doi={10.1109/HOST45689.2020.9300268} +} + +@ARTICLE{intrumentation_survey, + author={Krishnamurthy, Prashanth and Khorrami, Farshad and Karri, Ramesh and Paul-Pena, David and Salehghaffari, Hossein}, + journal={IEEE Transactions on Information Forensics and Security}, + title={Process-Aware Covert Channels Using Physical Instrumentation in Cyber-Physical Systems}, + year={2018}, + volume={13}, + number={11}, + pages={2761-2771}, + doi={10.1109/TIFS.2018.2833063} +} \ No newline at end of file diff --git a/pococha/main.typ b/pococha/main.typ new file mode 100644 index 0000000..1b01d38 --- /dev/null +++ b/pococha/main.typ @@ -0,0 +1,126 @@ +#import "template.typ": * +#show: ieee.with( + title: "Power Covert Channel", + abstract: [ + ], + authors: ( + ( + name: "Arthur Grisel-Davy", + organization: [University of Waterloo], + location: [Waterloo, Canada], + email: "agriseld@uwaterloo.ca" + ), + ( + name: "Sebastian Fischmeister", + organization: [University of Waterloo], + location: [Waterloo, Canada], + email: "sfischme@uwaterloo.ca" + ), + ), + index-terms: ("Covert Channel", "Power Consumption"), + bibliography-file: "bibliography.bib", +) +#text(fill: orange)[ += Introduction + +Some computers process such sensitive information that they are disconnected from the networks. +These computers are called air-gapped systems. +Depending on the level of security required, such systems might only be accessible through human interfaces. +An operator might add new information to the system using a portable storage that they connect to the machine. +Other form of security can inspect the portable storage to verify that no data is exfiltrated by the operator. + +Air-gapped systems are interesting targets for attackers. +The infomration they hold is so valuable that they require extreme measure to protect, at the cost of convenience and speed. +These systems are high-effort high-reward targets, often with very little public information about there design. + +Past researchs and attacks reveals that air-gapped systems are vulnerable to covert-channel attacks. +A covert-channel is a type of attacks that enable the transmission of information between entities that are not supposed to be able to communicate. +Electromagnetic emmissions, optical emmissions, vibrations, radio-frequencies, termal emmissions, are all potential covert channels. +To protect against these, additional shields are installed around sensitive machines to block these covert-channels. + + + +In order to exfiltrate data from an air-gapped system, attackers must use alternate communication mediums called covert channels . +The term covert channel was first introduced by Lampson @lampson_covertchannel covert channel is not originally inteded for information communication. +] + +== Contributions + += Related Work +In 1969, Butler W. Lampson introduced the term _covert channel_ @lampson_covertchannel in the context of confining programs running on the same machine. +The problem is to prevent programms from communicating eventhough they share the same operating system and hardware ressources. +This problem is still relevant today with the groth of cloud computing resulting in more layers of programs sharing ressources. +The problem of isolating programms is not only within the same Operating System (OS) anymore but also between virtual machines sharing hardware @betz2017survey. + +In 1984, Simmons @simmons1984prisoners extend the concept of covert channels outside of a single machine or computer science. +The covert channel --- or subliminal channel --- is now more broadly a way of communicating secret information in full view of an external observer. +To the observer, the activity is normal and do not appear to enable communication. +Simmons also introduces the requirement of authenticating the messages to resist active tampering from the observer. +In this study, we will dismiss the authentication part as it is either not relevant or trivial to implement once the communication is established with cryptographic premitives. + +This broad definition by Simmons allows to imagine a wide variety of covert channels in the computer science domain alone. +One active area of research is to leverage network protocoles to enable covert communication @survey_zander. +By manipulating seemingly innocuous parts of the protocol --- such as unused bits, time-to-live values, or checksums ---, attackers can transmit information to the receiver. +The receiver can decode the message possibly from anywhere on the internet, enabling exfiltration of information outside the local network smuggled within legitimate traffic. + +However, covert channels are not limited to digital mediums. +Simmilarily to side channels, covert channels can leverage physical phenomenon generated by the machine to transmit information. +In this context, the goal is not for the communication to appear legitimate anymore but to remain invisible to an observer. +Covert channels relying on side-channels can leverage optics @xled, electromagnetism @bitjabber or analog emissions of physical instrumentation @intrumentation_survey to transmit covert information to remote receivers. +Each method has its advantages and drawbacks and each is designed for a specific attack scenario. + + + + += Threat Model +For this study, the attacker's primary goal is exfiltrating information from an air-gapped machine without physical interraction. +We suppose that the attacker can deploy a malware on the machine and that this malware is capable of accessing relevant information. +The method by which the attacker deploys the malware is outside the scode of this study. +Once the malware is active, the attacker cannot access the machine physically. +However, the attacker can access the power distribution infrastructure of the machine at various positions. +The attacker can also actively tamper with the power infrastructure. + +The secondary goal of the attacker is to remain stealthy and not raise suspicions. +The longer the side-channel remain active, the more data the attacker can extract. +This is an important goal considering that the exfiltration data rate might be very low compared to common digital communication methods. + += Proposed Solution +The proposed solution leverages the power consumption of the machine to transfer information to the attacker. +The malware gather the information and encodes it as power consumption patterns. +The attacker monitors the power consumption of the machine and reads the patterns to decode the information. + +#text(fill: orange)[ +== Choice of Encoding + +There are two types of expected noise on the line. +First, if a new machine is starting or changime regime, there will be an average shift. +The reader will do its best to follow the level shift but it can produce reading errors on multiple bits in a row. +This is an example of burst errors. +The second type is high noise. +If the maximum influence of the transmitting machine is small relative to the noise amplitude of the line, there could be a lot of bits missread spread out across the message. +In this case, there are two main mechanisme to tune to reduce the influence of the noise. +First, we can take full advantage of the fact that speed is not a priority. +Increasing the symbole length is an effective way of increasing the clarify of the signal by alowing a strong filtering (the DC component stays longer so it takes more filtering to make it disapear). +The second mechanism is a better signal processing at reception. +Median filtering preserv sharp changes and should be adequate for this work. +A smarter form of filtering can be employed (selective median / low-pass filter) but the sharpness of the transition should be preserved. + +=== Data Encoding +For these reasons and because the overhead of error-tolerant encoding is not an issue here, the Reed-Solomon encoding with a many error-correction symbole can be a good candidate. +If not, there is always the option to transmit each bit/chracter/message multiple time and decode using a majority decision (brutal but effective). + +=== Line Encoding +The line encoding is also important to help the receiver keep track of the clock and the levels. +Because we are expecting levels shifts (because other machines are also pulling power from the transmission line), we don't want to consider a reading window that is too large. +The larger the window, the grater the number of missread symboles at each level shift. +We want to keep to window short to adapt rapidly to level shifts. +However, a short window is not robust to series of 1s or 0s. +If multiple symbols is a row are identical, then the reader can get confused about what level the line is at. +To alleviate this issue and keep a short window, the line encoding should guarantee a transition between levels regularily (or even better, at every symboles). +The Manchester encoding is a possible candidate. + += Discussion + +== Alternate usages +Not necessarily for attacks, could be used to enable some sort of communication on legacy devices that don't have network capabilities. +] \ No newline at end of file diff --git a/pococha/template.typ b/pococha/template.typ new file mode 100644 index 0000000..a11bf2c --- /dev/null +++ b/pococha/template.typ @@ -0,0 +1,164 @@ +// This function gets your whole document as its `body` and formats +// it as an article in the style of the IEEE. +#let ieee( + // The paper's title. + title: "Paper Title", + + // An array of authors. For each author you can specify a name, + // department, organization, location, and email. Everything but + // but the name is optional. + authors: (), + + // The paper's abstract. Can be omitted if you don't have one. + abstract: none, + + // A list of index terms to display after the abstract. + index-terms: (), + + // The article's paper size. Also affects the margins. + paper-size: "us-letter", + + // The path to a bibliography file if you want to cite some external + // works. + bibliography-file: none, + + // The paper's content. + body +) = { + // Set document metdata. + set document(title: title, author: authors.map(author => author.name)) + + // Set the body font. + set text(font: "STIX Two Text", size: 10pt) + + // Configure the page. + set page( + paper: paper-size, + // The margins depend on the paper size. + margin: if paper-size == "a4" { + (x: 41.5pt, top: 80.51pt, bottom: 89.51pt) + } else { + ( + x: (50pt / 216mm) * 100%, + top: (55pt / 279mm) * 100%, + bottom: (64pt / 279mm) * 100%, + ) + } + ) + + // Configure equation numbering and spacing. + set math.equation(numbering: "(1)") + show math.equation: set block(spacing: 0.65em) + + // Configure lists. + set enum(indent: 10pt, body-indent: 9pt) + set list(indent: 10pt, body-indent: 9pt) + + // Configure headings. + set heading(numbering: "I.A.1.") + show heading: it => locate(loc => { + // Find out the final number of the heading counter. + let levels = counter(heading).at(loc) + let deepest = if levels != () { + levels.last() + } else { + 1 + } + + set text(10pt, weight: 400) + if it.level == 1 [ + // First-level headings are centered smallcaps. + // We don't want to number of the acknowledgment section. + #let is-ack = it.body in ([Acknowledgment], [Acknowledgement]) + #set align(center) + #set text(if is-ack { 10pt } else { 12pt }) + #show: smallcaps + #v(20pt, weak: true) + #if it.numbering != none and not is-ack { + numbering("I.", deepest) + h(7pt, weak: true) + } + #it.body + #v(13.75pt, weak: true) + ] else if it.level == 2 [ + // Second-level headings are run-ins. + #set par(first-line-indent: 0pt) + #set text(style: "italic") + #v(10pt, weak: true) + #if it.numbering != none { + numbering("A.", deepest) + h(7pt, weak: true) + } + #it.body + #v(10pt, weak: true) + ] else [ + // Third level headings are run-ins too, but different. + #if it.level == 3 { + numbering("1)", deepest) + [ ] + } + _#(it.body):_ + ] + }) + + // Display the paper's title. + v(3pt, weak: true) + align(center, text(18pt, title)) + v(8.35mm, weak: true) + + // Display the authors list. + for i in range(calc.ceil(authors.len() / 3)) { + let end = calc.min((i + 1) * 3, authors.len()) + let is-last = authors.len() == end + let slice = authors.slice(i * 3, end) + grid( + columns: slice.len() * (1fr,), + gutter: 12pt, + ..slice.map(author => align(center, { + text(12pt, author.name) + if "department" in author [ + \ #emph(author.department) + ] + if "organization" in author [ + \ #emph(author.organization) + ] + if "location" in author [ + \ #author.location + ] + if "email" in author [ + \ #link("mailto:" + author.email) + ] + })) + ) + + if not is-last { + v(16pt, weak: true) + } + } + v(40pt, weak: true) + + // Start two column mode and configure paragraph properties. + show: columns.with(2, gutter: 12pt) + set par(justify: true, first-line-indent: 1em) + show par: set block(spacing: 0.65em) + + // Display abstract and index terms. + if abstract != none [ + #set text(weight: 700) + #h(1em) _Abstract_---#abstract + + #if index-terms != () [ + #h(1em)_Index terms_---#index-terms.join(", ") + ] + #v(2pt) + ] + + // Display the paper's contents. + body + + // Display bibliography. + if bibliography-file != none { + show bibliography: set text(8pt) + bibliography(bibliography-file, title: text(10pt)[References], style: "ieee") + } +}