add pococha project

2024-02-28 11:25:22 -05:00 · 2024-02-28 11:25:22 -05:00 · 70eb26b9f5
commit 70eb26b9f5
parent 6655896f04
3 changed files with 372 additions and 0 deletions
--- a/pococha/bibliography.bib
+++ b/pococha/bibliography.bib
@ -0,0 +1,82 @@
@article{lampson_covertchannel,
  author = {Lampson, Butler W.},
  title = {A Note on the Confinement Problem},
  year = {1973},
  issue_date = {Oct. 1973},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  volume = {16},
  number = {10},
  issn = {0001-0782},
  url = {https://doi.org/10.1145/362375.362389},
  doi = {10.1145/362375.362389},
  journal = {Commun. ACM},
  month = {oct},
  pages = {613–615},
  numpages = {3},
  keywords = {security, protection, leakage of data, proprietary program, confinement, privacy}
 }
@inproceedings{simmons1984prisoners,
  title={The prisoners’ problem and the subliminal channel},
  author={Simmons, Gustavus J},
  booktitle={Advances in Cryptology: Proceedings of Crypto 83},
  pages={51--67},
  year={1984},
  organization={Springer}
 }
@ARTICLE{survey_zander,
  author={Zander, Sebastian and Armitage, Grenville and Branch, Philip},
  journal={IEEE Communications Surveys & Tutorials}, 
  title={A survey of covert channels and countermeasures in computer network protocols}, 
  year={2007},
  volume={9},
  number={3},
  pages={44-57},
  doi={10.1109/COMST.2007.4317620}
 }
@article{betz2017survey,
  title={Survey on covert channels in virtual machines and cloud computing},
  author={Betz, Johann and Westhoff, Dirk and M{\"u}ller, G{\"u}nter},
  journal={Transactions on Emerging Telecommunications Technologies},
  volume={28},
  number={6},
  pages={e3134},
  year={2017},
  publisher={Wiley Online Library}
 }
@INPROCEEDINGS{xled,
  author={Guri, Mordechai and Zadov, Boris and Daidakulov, Andrey and Elovici, Yuval},
  booktitle={2018 16th Annual Conference on Privacy, Security and Trust (PST)}, 
  title={xLED: Covert Data Exfiltration from Air-Gapped Networks via Switch and Router LEDs}, 
  year={2018},
  volume={},
  number={},
  pages={1-12},
  doi={10.1109/PST.2018.8514196}
 }
@INPROCEEDINGS{bitjabber,
  author={Zhan, Zihao and Zhang, Zhenkai and Koutsoukos, Xenofon},
  booktitle={2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)}, 
  title={BitJabber: The World’s Fastest Electromagnetic Covert Channel}, 
  year={2020},
  volume={},
  number={},
  pages={35-45},
  doi={10.1109/HOST45689.2020.9300268}
 }
@ARTICLE{intrumentation_survey,
  author={Krishnamurthy, Prashanth and Khorrami, Farshad and Karri, Ramesh and Paul-Pena, David and Salehghaffari, Hossein},
  journal={IEEE Transactions on Information Forensics and Security}, 
  title={Process-Aware Covert Channels Using Physical Instrumentation in Cyber-Physical Systems}, 
  year={2018},
  volume={13},
  number={11},
  pages={2761-2771},
  doi={10.1109/TIFS.2018.2833063}
 }
--- a/pococha/main.typ
+++ b/pococha/main.typ
@ -0,0 +1,126 @@
 #import "template.typ": *
 #show: ieee.with(
  title: "Power Covert Channel",
  abstract: [
  ],
  authors: (
    (
      name: "Arthur Grisel-Davy",
      organization: [University of Waterloo],
      location: [Waterloo, Canada],
      email: "agriseld@uwaterloo.ca"
    ),
    (
      name: "Sebastian Fischmeister",
      organization: [University of Waterloo],
      location: [Waterloo, Canada],
      email: "sfischme@uwaterloo.ca"
    ),
  ),
  index-terms: ("Covert Channel", "Power Consumption"),
  bibliography-file: "bibliography.bib",
 )
 #text(fill: orange)[
 = Introduction
 Some computers process such sensitive information that they are disconnected from the networks.
 These computers are called air-gapped systems.
 Depending on the level of security required, such systems might only be accessible through human interfaces.
 An operator might add new information to the system using a portable storage that they connect to the machine.
 Other form of security can inspect the portable storage to verify that no data is exfiltrated by the operator.
 Air-gapped systems are interesting targets for attackers.
 The infomration they hold is so valuable that they require extreme measure to protect, at the cost of convenience and speed.
 These systems are high-effort high-reward targets, often with very little public information about there design.
 Past researchs and attacks reveals that air-gapped systems are vulnerable to covert-channel attacks.
 A covert-channel is a type of attacks that enable the transmission of information between entities that are not supposed to be able to communicate.
 Electromagnetic emmissions, optical emmissions, vibrations, radio-frequencies, termal emmissions, are all potential covert channels.
 To protect against these, additional shields are installed around sensitive machines to block these covert-channels.
 In order to exfiltrate data from an air-gapped system, attackers must use alternate communication mediums called covert channels .
 The term covert channel was first introduced by Lampson @lampson_covertchannel covert channel is not originally inteded for information communication.
 ]
 == Contributions
 = Related Work
 In 1969, Butler W. Lampson introduced the term _covert channel_ @lampson_covertchannel in the context of confining programs running on the same machine.
 The problem is to prevent programms from communicating eventhough they share the same operating system and hardware ressources.
 This problem is still relevant today with the groth of cloud computing resulting in more layers of programs sharing ressources.
 The problem of isolating programms is not only within the same Operating System (OS) anymore but also between virtual machines sharing hardware @betz2017survey.
 In 1984, Simmons @simmons1984prisoners extend the concept of covert channels outside of a single machine or computer science.
 The covert channel --- or subliminal channel --- is now more broadly a way of communicating secret information in full view of an external observer.
 To the observer, the activity is normal and do not appear to enable communication.
 Simmons also introduces the requirement of authenticating the messages to resist active tampering from the observer.
 In this study, we will dismiss the authentication part as it is either not relevant or trivial to implement once the communication is established with cryptographic premitives.
 This broad definition by Simmons allows to imagine a wide variety of covert channels in the computer science domain alone.
 One active area of research is to leverage network protocoles to enable covert communication @survey_zander.
 By manipulating seemingly innocuous parts of the protocol --- such as unused bits, time-to-live values, or checksums ---, attackers can transmit information to the receiver.
 The receiver can decode the message possibly from anywhere on the internet, enabling exfiltration of information outside the local network smuggled within legitimate traffic.
 However, covert channels are not limited to digital mediums.
 Simmilarily to side channels, covert channels can leverage physical phenomenon generated by the machine to transmit information.
 In this context, the goal is not for the communication to appear legitimate anymore but to remain invisible to an observer.
 Covert channels relying on side-channels can leverage optics @xled, electromagnetism @bitjabber or analog emissions of physical instrumentation @intrumentation_survey to transmit covert information to remote receivers.
 Each method has its advantages and drawbacks and each is designed for a specific attack scenario.
 = Threat Model
 For this study, the attacker's primary goal is exfiltrating information from an air-gapped machine without physical interraction.
 We suppose that the attacker can deploy a malware on the machine and that this malware is capable of accessing relevant information.
 The method by which the attacker deploys the malware is outside the scode of this study.
 Once the malware is active, the attacker cannot access the machine physically.
 However, the attacker can access the power distribution infrastructure of the machine at various positions.
 The attacker can also actively tamper with the power infrastructure.
 The secondary goal of the attacker is to remain stealthy and not raise suspicions.
 The longer the side-channel remain active, the more data the attacker can extract.
 This is an important goal considering that the exfiltration data rate might be very low compared to common digital communication methods.
 = Proposed Solution
 The proposed solution leverages the power consumption of the machine to transfer information to the attacker.
 The malware gather the information and encodes it as power consumption patterns.
 The attacker monitors the power consumption of the machine and reads the patterns to decode the information.
 #text(fill: orange)[
 == Choice of Encoding
 There are two types of expected noise on the line.
 First, if a new machine is starting or changime regime, there will be an average shift.
 The reader will do its best to follow the level shift but it can produce reading errors on multiple bits in a row.
 This is an example of burst errors.
 The second type is high noise.
 If the maximum influence of the transmitting machine is small relative to the noise amplitude of the line, there could be a lot of bits missread spread out across the message.
 In this case, there are two main mechanisme to tune to reduce the influence of the noise.
 First, we can take full advantage of the fact that speed is not a priority.
 Increasing the symbole length is an effective way of increasing the clarify of the signal by alowing a strong filtering (the DC component stays longer so it takes more filtering to make it disapear).
 The second mechanism is a better signal processing at reception.
 Median filtering preserv sharp changes and should be adequate for this work.
 A smarter form of filtering can be employed (selective median / low-pass filter) but the sharpness of the transition should be preserved.
 === Data Encoding
 For these reasons and because the overhead of error-tolerant encoding is not an issue here, the Reed-Solomon encoding with a many error-correction symbole can be a good candidate.
 If not, there is always the option to transmit each bit/chracter/message multiple time and decode using a majority decision (brutal but effective).
 === Line Encoding
 The line encoding is also important to help the receiver keep track of the clock and the levels.
 Because we are expecting levels shifts (because other machines are also pulling power from the transmission line), we don't want to consider a reading window that is too large.
 The larger the window, the grater the number of missread symboles at each level shift.
 We want to keep to window short to adapt rapidly to level shifts.
 However, a short window is not robust to series of 1s or 0s. 
 If multiple symbols is a row are identical, then the reader can get confused about what level the line is at.
 To alleviate this issue and keep a short window, the line encoding should guarantee a transition between levels regularily (or even better, at every symboles).
 The Manchester encoding is a possible candidate.
 = Discussion
 == Alternate usages
 Not necessarily for attacks, could be used to enable some sort of communication on legacy devices that don't have network capabilities.
 ]
--- a/pococha/template.typ
+++ b/pococha/template.typ
@ -0,0 +1,164 @@
 // This function gets your whole document as its `body` and formats
 // it as an article in the style of the IEEE.
 #let ieee(
  // The paper's title.
  title: "Paper Title",
  // An array of authors. For each author you can specify a name,
  // department, organization, location, and email. Everything but
  // but the name is optional.
  authors: (),
  // The paper's abstract. Can be omitted if you don't have one.
  abstract: none,
  // A list of index terms to display after the abstract.
  index-terms: (),
  // The article's paper size. Also affects the margins.
  paper-size: "us-letter",
  // The path to a bibliography file if you want to cite some external
  // works.
  bibliography-file: none,
  // The paper's content.
  body
 ) = {
  // Set document metdata.
  set document(title: title, author: authors.map(author => author.name))
  // Set the body font.
  set text(font: "STIX Two Text", size: 10pt)
  // Configure the page.
  set page(
    paper: paper-size,
    // The margins depend on the paper size.
    margin: if paper-size == "a4" {
      (x: 41.5pt, top: 80.51pt, bottom: 89.51pt)
    } else {
      (
        x: (50pt / 216mm) * 100%,
        top: (55pt / 279mm) * 100%,
        bottom: (64pt / 279mm) * 100%,
      )
    }
  )
  // Configure equation numbering and spacing.
  set math.equation(numbering: "(1)")
  show math.equation: set block(spacing: 0.65em)
  // Configure lists.
  set enum(indent: 10pt, body-indent: 9pt)
  set list(indent: 10pt, body-indent: 9pt)
  // Configure headings.
  set heading(numbering: "I.A.1.")
  show heading: it => locate(loc => {
    // Find out the final number of the heading counter.
    let levels = counter(heading).at(loc)
    let deepest = if levels != () {
      levels.last()
    } else {
      1
    }
    set text(10pt, weight: 400)
    if it.level == 1 [
      // First-level headings are centered smallcaps.
      // We don't want to number of the acknowledgment section.
      #let is-ack = it.body in ([Acknowledgment], [Acknowledgement])
      #set align(center)
      #set text(if is-ack { 10pt } else { 12pt })
      #show: smallcaps
      #v(20pt, weak: true)
      #if it.numbering != none and not is-ack {
        numbering("I.", deepest)
        h(7pt, weak: true)
      }
      #it.body
      #v(13.75pt, weak: true)
    ] else if it.level == 2 [
      // Second-level headings are run-ins.
      #set par(first-line-indent: 0pt)
      #set text(style: "italic")
      #v(10pt, weak: true)
      #if it.numbering != none {
        numbering("A.", deepest)
        h(7pt, weak: true)
      }
      #it.body
      #v(10pt, weak: true)
    ] else [
      // Third level headings are run-ins too, but different.
      #if it.level == 3 {
        numbering("1)", deepest)
        [ ]
      }
      _#(it.body):_
    ]
  })
  // Display the paper's title.
  v(3pt, weak: true)
  align(center, text(18pt, title))
  v(8.35mm, weak: true)
  // Display the authors list.
  for i in range(calc.ceil(authors.len() / 3)) {
    let end = calc.min((i + 1) * 3, authors.len())
    let is-last = authors.len() == end
    let slice = authors.slice(i * 3, end)
    grid(
      columns: slice.len() * (1fr,),
      gutter: 12pt,
      ..slice.map(author => align(center, {
        text(12pt, author.name)
        if "department" in author [
          \ #emph(author.department)
        ]
        if "organization" in author [
          \ #emph(author.organization)
        ]
        if "location" in author [
          \ #author.location
        ]
        if "email" in author [
          \ #link("mailto:" + author.email)
        ]
      }))
    )
    if not is-last {
      v(16pt, weak: true)
    }
  }
  v(40pt, weak: true)
  // Start two column mode and configure paragraph properties.
  show: columns.with(2, gutter: 12pt)
  set par(justify: true, first-line-indent: 1em)
  show par: set block(spacing: 0.65em)
  // Display abstract and index terms.
  if abstract != none [
    #set text(weight: 700)
    #h(1em) _Abstract_---#abstract
    #if index-terms != () [
      #h(1em)_Index terms_---#index-terms.join(", ")
    ]
    #v(2pt)
  ]
  // Display the paper's contents.
  body
  // Display bibliography.
  if bibliography-file != none {
    show bibliography: set text(8pt)
    bibliography(bibliography-file, title: text(10pt)[References], style: "ieee")
  }
 }