#import "template.typ": *
#show: ieee.with(
  title: "Power Covert Channel",
  abstract: [ ],
  authors: (
    (
      name: "Arthur Grisel-Davy",
      organization: [University of Waterloo],
      location: [Waterloo, Canada],
      email: "agriseld@uwaterloo.ca"
    ),
    (
      name: "Sebastian Fischmeister",
      organization: [University of Waterloo],
      location: [Waterloo, Canada],
      email: "sfischme@uwaterloo.ca"
    ),
  ),
  index-terms: ("Covert Channel", "Power Consumption"),
  bibliography-file: "bibliography.bib",
)

#text(fill: orange)[
= Introduction
Some computers process such sensitive information that they are disconnected from all networks. These computers are called air-gapped systems. Depending on the level of security required, such systems might only be accessible through human interfaces: an operator adds new information to the system using a portable storage device that they connect to the machine. Other security measures can inspect the portable storage to verify that no data is exfiltrated by the operator.

Air-gapped systems are interesting targets for attackers. The information they hold is so valuable that it requires extreme measures to protect, at the cost of convenience and speed. These systems are high-effort, high-reward targets, often with very little public information about their design. Past research and attacks reveal that air-gapped systems are vulnerable to covert-channel attacks. A covert channel is a type of attack that enables the transmission of information between entities that are not supposed to be able to communicate. Electromagnetic emissions, optical emissions, vibrations, radio frequencies, and thermal emissions are all potential covert channels. To protect against these, additional shields are installed around sensitive machines to block these covert channels. In order to exfiltrate data from an air-gapped system, attackers must use alternate communication mediums called covert channels.
The term covert channel was first introduced by Lampson @lampson_covertchannel; a covert channel is a channel that is not originally intended for information communication.
]

== Contributions

= Related Work
In 1969, Butler W. Lampson introduced the term _covert channel_ @lampson_covertchannel in the context of confining programs running on the same machine. The problem is to prevent programs from communicating even though they share the same operating system and hardware resources. This problem is still relevant today with the growth of cloud computing, which results in more layers of programs sharing resources. The problem of isolating programs is no longer limited to a single Operating System (OS) but also extends to virtual machines sharing hardware @betz2017survey.

In 1984, Simmons @simmons1984prisoners extended the concept of covert channels beyond a single machine and beyond computer science. The covert channel --- or subliminal channel --- is now more broadly a way of communicating secret information in full view of an external observer. To the observer, the activity is normal and does not appear to enable communication. Simmons also introduces the requirement of authenticating the messages to resist active tampering by the observer. In this study, we dismiss the authentication part, as it is either not relevant or trivial to implement with cryptographic primitives once the communication is established.

This broad definition by Simmons allows one to imagine a wide variety of covert channels in the computer science domain alone. One active area of research leverages network protocols to enable covert communication @survey_zander. By manipulating seemingly innocuous parts of the protocol --- such as unused bits, time-to-live values, or checksums ---, attackers can transmit information to the receiver. The receiver can decode the message from potentially anywhere on the Internet, enabling the exfiltration of information outside the local network, smuggled within legitimate traffic.
However, covert channels are not limited to digital mediums. Similarly to side channels, covert channels can leverage physical phenomena generated by the machine to transmit information. In this context, the goal is no longer for the communication to appear legitimate but to remain invisible to an observer. Covert channels relying on side channels can leverage optics @xled, electromagnetism @bitjabber, or analog emissions of physical instrumentation @intrumentation_survey to transmit covert information to remote receivers. Each method has its advantages and drawbacks, and each is designed for a specific attack scenario.

= Threat Model
For this study, the attacker's primary goal is exfiltrating information from an air-gapped machine without physical interaction. We assume that the attacker can deploy malware on the machine and that this malware is capable of accessing the relevant information. The method by which the attacker deploys the malware is outside the scope of this study. Once the malware is active, the attacker cannot access the machine physically. However, the attacker can access the power distribution infrastructure of the machine at various positions. The attacker can also actively tamper with the power infrastructure.

The secondary goal of the attacker is to remain stealthy and not raise suspicion. The longer the covert channel remains active, the more data the attacker can extract. This is an important goal considering that the exfiltration data rate might be very low compared to common digital communication methods.

= Proposed Solution
The proposed solution leverages the power consumption of the machine to transfer information to the attacker. The malware gathers the information and encodes it as power consumption patterns. The attacker monitors the power consumption of the machine and reads the patterns to decode the information.

#text(fill: orange)[
== Choice of Encoding
There are two types of expected noise on the line.
First, if a new machine is starting or changing regime, there will be an average shift. The reader will do its best to follow the level shift, but it can produce reading errors on multiple bits in a row. This is an example of burst errors. The second type is high noise. If the maximum influence of the transmitting machine is small relative to the noise amplitude of the line, many bits could be misread, spread out across the message.

In this case, there are two main mechanisms to tune to reduce the influence of the noise. First, we can take full advantage of the fact that speed is not a priority. Increasing the symbol length is an effective way of increasing the clarity of the signal by allowing strong filtering (the DC component stays longer, so it takes more filtering to make it disappear). The second mechanism is better signal processing at reception. Median filtering preserves sharp changes and should be adequate for this work. A smarter form of filtering can be employed (selective median / low-pass filter), but the sharpness of the transitions should be preserved.

=== Data Encoding
For these reasons, and because the overhead of error-tolerant encoding is not an issue here, Reed-Solomon encoding with many error-correction symbols can be a good candidate. If not, there is always the option to transmit each bit/character/message multiple times and decode using a majority decision (brutal but effective).

=== Line Encoding
The line encoding is also important to help the receiver keep track of the clock and the levels. Because we are expecting level shifts (because other machines are also pulling power from the transmission line), we don't want to consider a reading window that is too large. The larger the window, the greater the number of misread symbols at each level shift. We want to keep the window short to adapt rapidly to level shifts. However, a short window is not robust to series of 1s or 0s.
If multiple symbols in a row are identical, then the reader can get confused about what level the line is at. To alleviate this issue and keep a short window, the line encoding should guarantee a transition between levels regularly (or even better, at every symbol). The Manchester encoding is a possible candidate.

= Discussion
== Alternate usages
Not necessarily for attacks: this channel could be used to enable some form of communication on legacy devices that don't have network capabilities.
]
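The following is an added example and not part of the paper: a small Python simulation of the receiver design described in the Choice of Encoding, Data Encoding and Line Encoding subsections, joining the three pieces (long symbols with median filtering, repetition with a majority decision as the simpler alternative to Reed-Solomon, and Manchester line coding decoded by comparing the two halves of each symbol). The signal levels, the noise amplitude, the size of the level step, the sample counts and the message are constructed values chosen for the simulation, not measurements; the fixed-threshold receiver included for contrast is an assumption about what a receiver without a relative decision would do.

```python
"""Added example, not part of the paper: an end-to-end simulation of the
receiver design discussed in the encoding section (long symbols, median
filtering, majority decoding, Manchester line code). Signal levels, noise
amplitude and the size of the level step are constructed values."""
import random
import statistics

SAMPLES_PER_SYMBOL = 40   # assumed: long symbols, since speed is not a priority
REPEAT = 3                # assumed: each bit is sent three times, majority decoded


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(sum(bits[i + j] << (7 - j) for j in range(8)) for i in range(0, whole, 8))


def repetition_encode(bits, n=REPEAT):
    # Brutal but effective: every bit is transmitted n times in a row.
    return [bit for bit in bits for _ in range(n)]


def majority_decode(bits, n=REPEAT):
    # Majority decision over each group of n received copies.
    whole = len(bits) - len(bits) % n
    return [1 if 2 * sum(bits[i:i + n]) > n else 0 for i in range(0, whole, n)]


def manchester_encode(bits, spb=SAMPLES_PER_SYMBOL):
    # Manchester line code (IEEE 802.3 convention assumed): a 0 is high-then-low,
    # a 1 is low-then-high, so every symbol contains a level transition.
    half = spb // 2
    samples = []
    for bit in bits:
        first, second = (0.0, 1.0) if bit else (1.0, 0.0)
        samples += [first] * half + [second] * (spb - half)
    return samples


def channel(samples, noise_sd, shift_at, shift_amount, rng):
    # Constructed line model: Gaussian noise plus a permanent level step at
    # sample shift_at, standing in for another machine starting up.
    return [s + (shift_amount if i >= shift_at else 0.0) + rng.gauss(0.0, noise_sd)
            for i, s in enumerate(samples)]


def median_filter(samples, width):
    # Sliding-window median: suppresses noise while keeping edges sharp.
    half = width // 2
    n = len(samples)
    return [statistics.median(samples[max(0, i - half):min(n, i + half + 1)]) for i in range(n)]


def relative_decode(samples, spb=SAMPLES_PER_SYMBOL):
    # Compare the two halves of each symbol: the decision is relative, so an
    # absolute level shift only disturbs the symbol in which the step occurs.
    half = spb // 2
    bits = []
    for i in range(0, len(samples) - spb + 1, spb):
        first = statistics.fmean(samples[i:i + half])
        second = statistics.fmean(samples[i + half:i + spb])
        bits.append(1 if second > first else 0)
    return bits


def absolute_decode(samples, spb=SAMPLES_PER_SYMBOL, threshold=0.5):
    # Naive receiver for contrast: the second half of each symbol against a fixed
    # threshold. Every symbol after a large upward level step is read as high.
    half = spb // 2
    bits = []
    for i in range(0, len(samples) - spb + 1, spb):
        second = statistics.fmean(samples[i + half:i + spb])
        bits.append(1 if second > threshold else 0)
    return bits


def run_demo(message=b"air-gap", noise_sd=0.5, shift_amount=3.0, seed=1):
    rng = random.Random(seed)
    sent_bits = bytes_to_bits(message)
    samples = manchester_encode(repetition_encode(sent_bits))
    shift_at = len(samples) // 2 + 7          # the step lands inside a symbol on purpose
    observed = channel(samples, noise_sd, shift_at, shift_amount, rng)
    filtered = median_filter(observed, width=9)
    relative = majority_decode(relative_decode(filtered))
    absolute = majority_decode(absolute_decode(filtered))
    return {
        "relative": bits_to_bytes(relative),
        "absolute": bits_to_bytes(absolute),
        "relative_errors": sum(a != b for a, b in zip(relative, sent_bits)),
        "absolute_errors": sum(a != b for a, b in zip(absolute, sent_bits)),
    }


if __name__ == "__main__":
    result = run_demo()
    print("relative decision:", result["relative"], "bit errors:", result["relative_errors"])
    print("fixed threshold:  ", result["absolute"], "bit errors:", result["absolute_errors"])
```

Running the file prints both decodings. Because the Manchester decision compares the two halves of one symbol, the level step only disturbs the symbol it lands in, and the repetition code recovers that symbol; the fixed-threshold receiver misreads every symbol after the step, which is the burst-error case described above. A Reed-Solomon codec would replace `repetition_encode` and `majority_decode`; it is left out here so the example needs only the standard library.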