January 27, 1999
3085 ENG II
In attendance:
Matt Bishop (MB), John Hughes (JH), Tuomas Aura (TA)

TOPICS: Techniques used to identify Covert Channels
John Hughes’ Work
Yu/Gligor Paper
Millen Paper
To-Do List  
    1. Techniques used to identify Covert Channels
      1. MB: Since transmit information over covert channel requires low bandwidth, discuss techniques used to deny service
        1. Ex. Machine A sends a File 1 or File 0 ever ten seconds. Machine B looks for File 0 or File 1.
          1. Block mechanism for sharing – all channels
            1. Impractical, don’t want to block network connections
            2. Prevent two people from accessing same directory
        2. Ex. Block CPU – randomize CPU channels – delays person
      2. Covert channels looks for limits of things
        1. Discover relationship between covert channels and denial of service (DOS) attacks.
        2. Any technique used for covert channels applicable to DOS; detecting points where DOS may occur
        3. DOS also used to located covert channels
      3. TA: Directory name – checking methods – create directory
        1. Not reading directory name
        2. Not allowed to create directory with the same name
        3. Hidden directory
      4. Reality vs. Virtual Reality - CPU usage time vs. clock
    2. John Hughes’ Work
      1. Locating limits in TCP protocol.
        1. Went through RFC, saw some limitations
          1. Sequence Numbers: 0-232-1 cycles through in 5 minutes; time out value is 2 minutes
            1. Faster connections can cycles through faster than 2 minutes
          2. Receiving duplicate packets
          3. TCP window, willing to receive packets in sequence range. If window (32 bit) is large, problems with urgent pointer (16 bit). Urgent pointer can point back to the open window; urgent pointer is offset.
            1. TA: Set window size to 232 – 216
          4. Possible to add urgent data, move urgent pointer further down, but urgent pointer should never shrink in size.
      2. Email most interesting high-speed connections to Matt, so he can use them when he talks to Russ Hobby.
    3. Yu/Gligor 1988 Paper – A Formal Specification and Verification Method for the Prevention of Denial of Service
      1. Resource Allocation
        1. Policy
      2. Implementation
      3. Analyze and Prove Fairness (liveness property of the system – no starvation)
      4. Yu/Gligor 1988 paper – specifies policy and implementation, builds formal model and analyzes it.
        1. Formal models – The main problem is that any time you want to prove fairness and have state machines, you must make assumptions:
          1. Process being held will eventually be released.
          2. Agreement between entities, not typically listed in policy
          3. Not easy to find assumptions: Going through assumptions more important than proving fairness
        2. What’s new? Nothing different in DOS.
    4. Millen 1992 Paper – A Resource Allocation Model for Denial of Service
      1. Policy that guarantees fairness
      2. Policy for allocation resources
        1. You always allocate more and more resources then you release all of them after using them
        2. Practical rules for allocating resources – resemble database rules
        3. General Approach
          1. Deadlock Detection
          2. Model system – prove no deadlock
          3. Policy – linear order to resources – never release them until you have them all.
            1. Same allocation rules for CPU and memory processes
            2. MB: OS is really database manager – should work for distributed systems as well.
        4. TA: Classical methods – not specific to security DOS
          1. Policy too restrictive for real systems
      3. Any policy that can prove fairness requires large amounts of resources.
        1. Internet user can exhaust the server
        2. Attacker invest $ amounts to attack. Result is damage in terms of cost, bandwidth, points of connection
        3. Model network as a graph.
          1. Cost of disconnecting node in graph
          2. Damage = Fsystem (Cost of attack)
          3. Evaluate damage
            1. Cut off one node – not a huge loss
            2. How many connections remain
              1. Damage = Number of Pairs that cannot communicate £ Nnodes
              2. Server – Damage = Number of Clients that cannot communicate with server
              3. Client – Damage = Number of Services a Client cannot use
            3. Specify problem more formally
              1. Paper – could come up with way to calculate damage exactly
    5. To-Do List
      1. JH – email list of high speed connections to Matt
      2. JH – look through Security Applications Conference Proceedings for DOS papers
      3. Copies of Yu/Gligor, Millen papers to DOS group
      4. MB – discuss "Extending the Take-Grant Protection System" (Frank, Bishop) at next meeting