Richard Gay - Interrupt-related Covert Channels from an Attacker's Perspective


Interrupt-related covert channels allow two processes running on a single system to communicate with each other, circumventing the security mechanisms contained in standard operating systems. These channels belong to the class of timing channels and use the CPU as their shared resource. They transmit information by a sender process executing an operation that induces a hardware interrupt, and a receiver process detecting the interrupt. The two ends of the channel therefore do not exploit that sender and receiver share the CPU, but that the receiver and the interrupts triggered by the sender share it. Consequently, this channel is in general not prohibited by time-partitioning the CPU among all processes, as the literature on timing channels suggests.

The topic of this talk is a practical implementation of an exploit that is able to transmit information through such a channel. A patch for the Linux O(1) scheduler has been developed which provides a reasonable environment for the exploit. Based on the exploit implementation, a theoretical model is constructed and used to compute upper bounds for the implemented channel's bandwidth. In addition, practical experiments have been conducted on a standard computer running the modified Linux kernel, in order to also obtain lower bounds for the bandwidth. The implemented exploit contains free parameters whose values are shown to have a significant influence on the performance of the channel. For configuring the exploit tailored to a given target system, a generic framework is constructed that captures the interdependencies between the system, the exploit and the expected resulting bandwidth. An application of the framework to a concrete computer system demonstrates its benefit for an attacker. Since noise is difficult to model precisely and often unknown to an attacker, techniques are presented that reduce its impact on the channel.
