Ding Liping: Covert channel analysis in cloud computing environment

From the Institute of Software Research, Chinese Academy of Sciences, National Engineering Research Center system security and Trusted computing, Ms. Ding Liping for you to share "cloud computing environment covert channel analysis." She described in detail the three aspects of covert channels, security threats and covert channels in cloud computing environments, and their work.

▲ Institute of Software Research, CAS Ding Liping

Covert Channel

The concept of covert channel at operating system level refers to the way that malicious process realizes information leakage through collusion information system sharing resources. Covert channel analysis is a mandatory requirement for vulnerability analysis at home and abroad, which requires you to submit a report of covert channel analysis, build a scene to measure, and propose elimination measures. Specific analytical work: identification, measurement and disposal. Covert channel analysis is an important problem in the field of information security, and it is difficult to study. The reason is based on the mandatory access control research as a basis, the mass code based on the source of the static analysis is more complex, like the core source code good millions of lines, each product has some technical barriers, leading to very little resources.

The analysis of the channel is divided into three blocks: identification, measurement, disposal:

• Identification is a static analysis of the system, analysis of the source code, emphasis on the design and Code analysis, found that all potential covert channels;

• Measurement is an evaluation of channel transmission capability and threat level, and how much bandwidth the transmission capacity of covert channel is, and how much the whole threat to the system, make evaluation;

• Disposal is to include the signal audit, elimination, limitation. The disposition of the channel includes the elimination of measures to destroy the existence of channel conditions, including the reduction of the channel to the system can tolerate, reduce its bandwidth. The channel audit emphasizes the monitoring and recording of the related operation of the latent channel, which is the transmission mechanism of the covert channel.

The covert channel is essentially the channel of information transmission, focus on the study of transmission media, according to the characteristics of shared resources are divided into storage and time types, four-level operating system requirements for storage-type covert channel transmission analysis, five-tier time and storage to be analyzed, which extends storage and time channel two. The discovery of a shared resource as a covert channel in operating system, database or network is the core of the covert transmission mechanism; the choice of transmission medium is the source that can improve the capacity and concealment of the channel.

Another way to improve the transmission accuracy and invisibility of covert channels is to improve the coding mechanism of the channel. Use the letter frequency characteristic, the coding expectation length is larger or the multiplex coding mechanism.

The focus of operating system covert channel is to prevent the problem. For the development of a certain version of the hidden channel to do some analysis, to eliminate it to take some measures, focusing on its identification, scene construction, capacity measurement and so on. This is our list of related studies. Kemmerer that the covert channel is a channel for transferring information from one subject to another by using an item that is not a normal data object, and the shared resource matrix method is designed by the definition. Tsai and others believe that covert channel is illegal communication between two subjects violating the mandatory security policy model. The semantic information flow method is proposed to judge the visibility of kernel variables, so as to find hidden channels and lack of analytical tools. The Chins of our country has extended the idea of semantic information flow, designed a code-level identification method retrospective search method, which introduces "pruning rules" to remove the shared variables that cannot form a covert channel during the identification process. There are fewer people in the database covert channel research, and there is a lot of sharing resources in the database system, so the research in this field is worthwhile. The network covert channel concentrates on the positive research, using the transmission channel to transmit the secret information, for example the data section adds some things to conceal transmits the information to another node. The network covert channel transfers the information leakage threat from the system to the middle of the system, and more research is Purdue University (Purdue University) proposed an IP time covert channel, called IPCTC.

Security threats and covert channels in cloud computing environment

Security threat and covert channel relationship in cloud computing environment. Cloud computing deploys infrastructure, platforms, and applications to the cloud, which poses great challenges to information security, both conceptual and technical, and many experts say cloud computing poses a huge threat.

• Intruder: Cloud computing platform provides a cheap, efficient and stable intrusion platform.

• Users: Worry about the security of deploying applications and services in an uncontrolled environment.

• Service providers: Due to privacy protection and business rules, cloud service providers can not record and monitor the operations performed by customers, resulting in information leakage and other forms of attack difficult to record and find.

At three levels, cloud security is a very big problem and difficult to solve.

Virtualization technology is the core of the cloud computing platform. Virtualization technology provides a large amount of shared resources and becomes the source of hidden information. We use the lifecycle of a virtual machine as an example to analyze the threats to cloud computing. The hidden channel relies on the existence of shared resources, the more the hidden channels the more the shared resources.

A virtual machine has a create, start, run, stop, and destroy lifecycle. There are many threats in the life cycle. It runs the longest period of time, start up has been running, the running phase we think with A1 and A2, A1 represents the virtual machine based on shared child resources hidden channel. For example, due to the CPU load and cache caching of the hidden Channel, in the cloud computing platform, although the VMM for each virtual machine assigned virtual CPU, but the final task is still in order to execute on the physical CPU, by observing the physical CPU load status, It is possible to speculate on the confidential information of other virtual machines on the same physical platform, and the hidden channel based on cache is similar to CPU load channel, and the secret information of the virtual machine is leaked by using the cache delay time.

A2 represents a hidden channel within a virtual machine. For example, the Linux operating system event identification covert channel, the transceiver of the channel to change and observe the state of a particular event conspiracy to pass confidential information. A1 and A2 respectively represent two kinds of information leakage modes both outside and inside the virtual machine.

Start and stop stages, we use A3 and A4 to express.

A3 represents an attack that tampered with the type of boot mirror. A malicious user tampered with a mirrored file that replaces a VM startup, causing the client to be implanted with a malicious program as an intruder in the startup phase of the cloud service. A4 represents a virtual machine attack that tampered with persisted data. When a virtual machine writes customer data to an ongoing device, it leaks customer information to an attacker or causes a deliberate loss of customer data. A3 and A4 can take precautions against the system with security policies.

A5, A6 is the traditional way of attack, A5 means Trojan or virus attack. A6 represents a tampering attack upon return. In the network environment, A5 and A6 represent the Man-in-the-middle attack mode or other network attack mode, hijacking the network session to perform malicious actions.

These three types of security threats cover the full lifecycle of the cloud service. From a low to high level, it can be considered an attack against VMM, VM, and application.

The first two attack modes are a new problem in the field of security research, which utilizes the features of dynamic use and resource sharing of cloud computing platform. With security policy, configuring a private cloud, a shared cloud, and a hybrid cloud can create a relatively secure, flexible and practical platform. However, even if security policies are deployed, covert channels are a key issue in cloud computing as long as resources are shared.

Current work

Ding Liping introduced to: "We do the work based on the Xen virtual machine, this is our improved casvisor, we have a security mechanism in the VMM layer to do the protection, start before the start of the casvisor, and then generate DOM0, In the system can run Windows XP and so on different operating systems, the operating system can be placed in different applications. This is its architecture. ”

Based on XCP covert channel analysis, we do some work, based on shared memory, under this platform, we analyze Xen, in order to complete the communication and collaboration between virtual machine domains, Xen provides two types of shared resources, namely, super stripe and event channel. is the notification mechanism between domain and domain. The event channel mechanism, together with the super call mechanism, completes the control and interaction between VMM and domain using the super calling mechanism.

Hidden channel based on shared memory, in order to realize shared memory between virtual machine Domani, Xen provides authorization table mechanism based on super call and event channel each domain has its own authorization table, DOMA creates a ring data structure and assigns to the virtual domain such as Domb access rights, This constitutes shared memory.

We think that the existing research on the classification of covert channels is basically due to the consideration of engineering time, the analysis method does not reflect the hidden channel in the cloud computing environment characteristics, need to be reclassified, we have three categories of covert channels, CC1, CC2, CC3 three categories. CC1 is a process-level leak, CC1 the operating system, is process-level similar to the traditional operating system. CC2 is a network-level covert channel, the malicious process PK in the virtual machine platform Domu, PX is the other hardware platform virtual machine or stand-alone operating system process. Process PK and PX can only communicate over the network connection, so CC2 communication can be abstracted as a network covert channel. CC3 system-level covert system, sending and receiving both sides of the malicious process on the same hardware platform in different virtual domains, confidential information through the operating system-level transmission, leaked to malicious users. CC3 type Covert channel is a kind of covert channel in cloud computing environment, which is caused by hardware resource sharing, such as channel based on shared memory, cache and CPU load. CC3 channel is critical for cloud computing customers ' data security, and if customers with business competitive relationships are on the same physical platform, CC3 type of information leaks will bring heavy economic costs.

The analysis of the process, we use this method, in the cloud computing environment, covert channels focus on the CC3 type of channel analysis. CC1 and CC2 types of information can be directly based on previous analysis results. To the CC channel analysis through the installation configuration LLVM mutation system, modifies makefile as the file, causes it to invoke LLVM to carry on the mutation, uses compiles the intermediate code to analyze the common aggregation information flow Diagram Construction tool, looks for latent covert channel, the system deployment examines to latent covert channel, Verify that it can be implemented in real-world scenarios. The capacity of the experiment is calculated and the corresponding covert channel disposal measures are designed.

Based on the source code to the information flow diagram identification method is our patent, this is our 17 articles published in this field, recognized at home and abroad, we proposed a cloud computing environment of covert channel analysis method, in the cloud computing top-level meeting was hired, and sent a doctoral student read the paper.

Cloud computing has set off another research boom in today's IT industry, which has brought real benefits to cloud computing. However, cloud security is the bottleneck that restricts cloud computing law. If the security problem can not be solved, cloud computing we think it is difficult to develop, how to isolate user data, ensure the confidentiality of data, integrity and availability, will be the focus of industry research, but also the key to solve cloud security.

Our covert channel analysis is static analysis, not the analysis of the operating system, the analysis of the source code, analysis of the source code to see what the shared variables and resources? The potential channel building scenario is eliminated by analyzing the relationship between the subject and object of the shared resource.

(Responsible editor: The good of the Legacy)