add pococha project
This commit is contained in:
parent
6655896f04
commit
70eb26b9f5
3 changed files with 372 additions and 0 deletions
126
pococha/main.typ
Normal file
@ -0,0 +1,126 @@
#import "template.typ": *
#show: ieee.with(
title: "Power Covert Channel",
abstract: [
],
authors: (
(
name: "Arthur Grisel-Davy",
organization: [University of Waterloo],
location: [Waterloo, Canada],
email: "agriseld@uwaterloo.ca"
),
(
name: "Sebastian Fischmeister",
organization: [University of Waterloo],
location: [Waterloo, Canada],
email: "sfischme@uwaterloo.ca"
),
),
index-terms: ("Covert Channel", "Power Consumption"),
bibliography-file: "bibliography.bib",
)
#text(fill: orange)[
= Introduction

Some computers process such sensitive information that they are disconnected from the networks.
These computers are called air-gapped systems.
Depending on the level of security required, such systems might only be accessible through human interfaces.
An operator might add new information to the system using a portable storage that they connect to the machine.
Other form of security can inspect the portable storage to verify that no data is exfiltrated by the operator.

Air-gapped systems are interesting targets for attackers.
The infomration they hold is so valuable that they require extreme measure to protect, at the cost of convenience and speed.
These systems are high-effort high-reward targets, often with very little public information about there design.

Past researchs and attacks reveals that air-gapped systems are vulnerable to covert-channel attacks.
A covert-channel is a type of attacks that enable the transmission of information between entities that are not supposed to be able to communicate.
Electromagnetic emmissions, optical emmissions, vibrations, radio-frequencies, termal emmissions, are all potential covert channels.
To protect against these, additional shields are installed around sensitive machines to block these covert-channels.



In order to exfiltrate data from an air-gapped system, attackers must use alternate communication mediums called covert channels .
The term covert channel was first introduced by Lampson @lampson_covertchannel covert channel is not originally inteded for information communication.
]

== Contributions

= Related Work
In 1969, Butler W. Lampson introduced the term _covert channel_ @lampson_covertchannel in the context of confining programs running on the same machine.
The problem is to prevent programms from communicating eventhough they share the same operating system and hardware ressources.
This problem is still relevant today with the groth of cloud computing resulting in more layers of programs sharing ressources.
The problem of isolating programms is not only within the same Operating System (OS) anymore but also between virtual machines sharing hardware @betz2017survey.

In 1984, Simmons @simmons1984prisoners extend the concept of covert channels outside of a single machine or computer science.
The covert channel --- or subliminal channel --- is now more broadly a way of communicating secret information in full view of an external observer.
To the observer, the activity is normal and do not appear to enable communication.
Simmons also introduces the requirement of authenticating the messages to resist active tampering from the observer.
In this study, we will dismiss the authentication part as it is either not relevant or trivial to implement once the communication is established with cryptographic premitives.

This broad definition by Simmons allows to imagine a wide variety of covert channels in the computer science domain alone.
One active area of research is to leverage network protocoles to enable covert communication @survey_zander.
By manipulating seemingly innocuous parts of the protocol --- such as unused bits, time-to-live values, or checksums ---, attackers can transmit information to the receiver.
The receiver can decode the message possibly from anywhere on the internet, enabling exfiltration of information outside the local network smuggled within legitimate traffic.

However, covert channels are not limited to digital mediums.
Simmilarily to side channels, covert channels can leverage physical phenomenon generated by the machine to transmit information.
In this context, the goal is not for the communication to appear legitimate anymore but to remain invisible to an observer.
Covert channels relying on side-channels can leverage optics @xled, electromagnetism @bitjabber or analog emissions of physical instrumentation @intrumentation_survey to transmit covert information to remote receivers.
Each method has its advantages and drawbacks and each is designed for a specific attack scenario.




= Threat Model
For this study, the attacker's primary goal is exfiltrating information from an air-gapped machine without physical interraction.
We suppose that the attacker can deploy a malware on the machine and that this malware is capable of accessing relevant information.
The method by which the attacker deploys the malware is outside the scode of this study.
Once the malware is active, the attacker cannot access the machine physically.
However, the attacker can access the power distribution infrastructure of the machine at various positions.
The attacker can also actively tamper with the power infrastructure.

The secondary goal of the attacker is to remain stealthy and not raise suspicions.
The longer the side-channel remain active, the more data the attacker can extract.
This is an important goal considering that the exfiltration data rate might be very low compared to common digital communication methods.

= Proposed Solution
The proposed solution leverages the power consumption of the machine to transfer information to the attacker.
The malware gather the information and encodes it as power consumption patterns.
The attacker monitors the power consumption of the machine and reads the patterns to decode the information.

#text(fill: orange)[
== Choice of Encoding

There are two types of expected noise on the line.
First, if a new machine is starting or changime regime, there will be an average shift.
The reader will do its best to follow the level shift but it can produce reading errors on multiple bits in a row.
This is an example of burst errors.
The second type is high noise.
If the maximum influence of the transmitting machine is small relative to the noise amplitude of the line, there could be a lot of bits missread spread out across the message.
In this case, there are two main mechanisme to tune to reduce the influence of the noise.
First, we can take full advantage of the fact that speed is not a priority.
Increasing the symbole length is an effective way of increasing the clarify of the signal by alowing a strong filtering (the DC component stays longer so it takes more filtering to make it disapear).
The second mechanism is a better signal processing at reception.
Median filtering preserv sharp changes and should be adequate for this work.
A smarter form of filtering can be employed (selective median / low-pass filter) but the sharpness of the transition should be preserved.

=== Data Encoding
For these reasons and because the overhead of error-tolerant encoding is not an issue here, the Reed-Solomon encoding with a many error-correction symbole can be a good candidate.
If not, there is always the option to transmit each bit/chracter/message multiple time and decode using a majority decision (brutal but effective).

=== Line Encoding
The line encoding is also important to help the receiver keep track of the clock and the levels.
Because we are expecting levels shifts (because other machines are also pulling power from the transmission line), we don't want to consider a reading window that is too large.
The larger the window, the grater the number of missread symboles at each level shift.
We want to keep to window short to adapt rapidly to level shifts.
However, a short window is not robust to series of 1s or 0s.
If multiple symbols is a row are identical, then the reader can get confused about what level the line is at.
To alleviate this issue and keep a short window, the line encoding should guarantee a transition between levels regularily (or even better, at every symboles).
The Manchester encoding is a possible candidate.

= Discussion

== Alternate usages
Not necessarily for attacks, could be used to enable some sort of communication on legacy devices that don't have network capabilities.
]
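Review bot: The last sentence of the Introduction is two sentences run together (`The term covert channel was first introduced by Lampson @lampson_covertchannel covert channel is not originally inteded for information communication.`) and loses the defining point, that a covert channel uses a medium not intended for communication; split it, and drop the stray space in `covert channels .` on the line above. The `abstract: [ ]` body and the `== Contributions` section are empty, so the document currently builds with a blank abstract. In `= Threat Model`, `without physical interraction` and `The attacker can also actively tamper with the power infrastructure` read as contradictory: say at which positions on the power distribution the attacker observes and whether tampering means adding a measurement point or injecting load, because that decides whether the `average shift` treated as noise in `Choice of Encoding` comes from other machines or from the attacker, and it is the assumption a defender would check when deciding where to monitor. In `Choice of Encoding`, the reasoning behind longer symbols (`the DC component stays longer so it takes more filtering to make it disapear`) is backwards: a longer symbol moves the signal energy to lower frequencies, so the receiver can apply a longer median window or a lower low-pass cutoff and reject more line noise per decided bit. `The second type is high noise.` should say high-frequency noise if that is what is meant. In `=== Data Encoding`, note that Reed-Solomon corrects per symbol, so the scattered single-bit errors described for the high-noise case each consume a whole correction symbol unless bits are interleaved across codewords; the burst-error case is where it shines. In `=== Line Encoding`, state explicitly why Manchester fits: it is self-clocking and has a transition in every bit period, which is exactly what the short-window argument requires. The citation keys `@lampson_covertchannel`, `@betz2017survey`, `@simmons1984prisoners`, `@survey_zander`, `@xled`, `@bitjabber` and `@intrumentation_survey` must all exist in `bibliography.bib`, which this hunk does not show. Finally, run a spell check before the next revision: `infomration`, `researchs`, `emmissions`, `termal`, `programms`, `eventhough`, `ressources`, `groth`, `premitives`, `protocoles`, `Simmilarily`, `scode`, `changime`, `missread`, `mechanisme`, `symbole`, `alowing`, `disapear`, `preserv`, `chracter`, `grater`, `regularily`, and `clarify` where `clarity` is meant.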