Communication Model and Capacity Limits of Covert Channels Created by Software Activities

It has been shown that the digital and/or analog characteristics of electronic devices while they execute programs can create a side channel that an attacker can exploit to extract sensitive information such as cryptographic keys. When the attacker modifies the software application to exfiltrate sensitive information through such a channel, the channel is called a covert channel. In this paper, we model this covert channel as a communication channel and derive upper and lower bounds on its capacity. Because covert channels are not designed to transmit information, they are exposed not only to errors created by the transmission, but also to errors caused by variation in the execution time of computer activities and/or by insertions from other activities such as interrupts and stalls. Combining all of these effects, we propose to model the covert channel as an insertion channel in which the transmitted sequence is a pulse-amplitude-modulated signal with random pulse positions. Using this model, we derive capacity bounds for the covert channel with random insertions and substitutions due to noise and jitter errors, and we propose a receiver design that can correctly detect the signals created by computer activity. To illustrate the severity of the leakage, we perform experiments with high-clock-speed devices at some distance. Further, the theoretical derivations are compared to empirical results and show good agreement.
