Time Protection: the Missing OS Abstraction

Timing channels enable data leakage that threatens the security of computer systems, from cloud platforms to smartphones and browsers executing untrusted third-party code. Preventing unauthorised information flow is a core duty of the operating system, however, present OSes are unable to prevent timing channels. We argue that OSes must provide time protection in addition to the established memory protection. We examine the requirements of time protection, present a design and its implementation in the seL4 microkernel, and evaluate its efficacy as well as performance overhead on Arm and x86 processors

Employing Entropy in the Detection and Monitoring of Network Covert Channels

The detection of covert channels has quickly become a vital need due to their pervasive nature and the increasing popularity of the Internet. In recent years, new and innovative methods have been proposed to aid in the detection of covert channels. Existing detection schemes are often too specific and are ineffective against new covert channels. In this paper, we expound upon previous work done with timing channels and apply it to detecting covert storage channels. Our approach is based on the assumption that the entropy of covert channels will vary from that of previously observed, legitimate, communications. This change in the entropy of a process provides us with a method for identifying storage channels. Using this assumption we created proof of concept code capable of detecting various covert storage channels. The results of our experiments demonstrate that we can successfully detect existing and unpublished covert storage channels accurately

Camouflaging Timing Channels in Web Traffic

Web traffic accounts for more than half of Internet traffic today. Camouflaging covert timing channels in Web traffic would be advantageous for concealment. In this paper, we investigate the possibility of disguising network covert timing channels as HTTP traffic to avoid detection. Extensive research has shown that Internet traffic, including HTTP traffic, exhibits self-similarity and long range persistence. Existing covert timing channels that mimic i.i.d. legitimate traffic cannot imitate HTTP traffic because these covert traffic patterns are not long range dependent. The goal of this work is to design a covert timing channel that can be camouflaged as HTTP traffic. To this end, we design a covert timing channel whose inter-arrival times are long range dependent and have the same marginal distribution as the interarrival times for new HTTP connection traffic. These inter-arrival times are constructed by combining a Fractional Auto-Regressive Integrated Moving Average (FARIMA) time series and an i.i.d. cryptographically secure random sequence. Experiments are conducted on PlanetLab, and the results are validated against recent real traffic trace data. Our experiments demonstrate that the traffic from this timing channel traffic is statistically indistinguishable from legitimate HTTP traffic and undetectable by all current detection schemes for timing channels

A method of IPD normalization to eliminate IP timing covert channels

Covert channels are used for information transmission in a manner that is not intended for communication and is difficult to detect. We propose a technique to eliminate the information leakage via IP timing covert channels by inter-packet delays normalization in the process of packets’ sending. The advantage of our approach is that the influence of counteraction tool on the communication channel's capacity is negligible. The novelty of the investigation undertaken is that the covert channel is eliminated preliminary, whereas state of the art methods focus on detecting active IP covert channels that may be insecure.This work was supported by the Competitiveness Program of MEPhI