Covert channels in modern computer systems : the cases of mobile and cloud
Author(s) - Block
Publication year - 2018
Language(s) - English
Resource type - Dissertations/theses
DOI - 10.17760/d20294146
Subject(s) - covert, covert channel, cloud computing, computer science, computer security, parry, cloud computing security, operating system, artificial intelligence, security information and event management, philosophy, linguistics
Covert channels have existed for centuries, from the time of Histiaeus to the modern day. As with its historical predecessors, the modern covert channel’s life cycle consists of identifying new attack vectors, developing countermeasures and continuing with the next thrust-and-parry cycle. The front line in this conflict now includes mobile devices and cloud computing centers. In this thesis, we investigate the potential of a particular form of covert channel and its performance limits, and explore mitigation techniques and their effectiveness. We emphasize permissionless, resource-compromising channels in which both the attacker and the provider/defender face complexity in creating and mitigating the attacks, respectively. Two channels discussed herein utilize shared resources as the critical communications element, while the third uses external entities to communicate with target devices. Furthermore, one channel leverages the physical structure of a mobile device. A second relies on an external source that freely communicates with a mobile device’s unprotected sensor, while the third, a cloud platform-based attack, targets shared resources whose very existence provides economic benefit to the service provider.

Initially, we describe a privacy attack whereby a seemingly innocuous app receives and exfiltrates location information obtained indirectly from an external source despite user efforts to suspend all location acquisition and supporting services such as GPS, cellular, Wi-Fi, Bluetooth and NFC. Source locations may include stores, malls, railways, airports, hotels, crosswalks and bus stations. A location-resident system encodes a unique ID that references position data and transmits it via magnetic field manipulation. A victim’s local magnetometer, available to any app without permission and functioning as the receiver, detects the encoded pattern in the presence of motion and other environmental noise. The pattern’s payload is transmitted off-board the Android device at a later time when communication services are enabled. We can therefore establish a partial history of device locations despite the user’s effort to prevent tracking, short of powering off the device. We achieve an aggregate location ID accuracy of 86% with a bit error rate of 1.5%.

Next, we form an ultrasonic, permissionless bridge between two co-resident Android™ apps using the speaker as the acoustic source and the accelerometer as the receiver. The MEMS sensors’ resonance behavior is exploited as an alternative to the microphone, which requires a permission. Information is extracted by one app which is granted permission to access sensitive information but is blocked from external access. A second app is allowed external access but is prevented by Android protections from direct access to the sensitive information. This bridge enables sensitive information to flow to an eventual off-board destination, operating unconstrained by the Android system and without alerting the victim. We achieve bit error rates of 10⁻⁴ with channel capacity approaching 40 bits per second when applying performance-boosting techniques such as a MIMO-like dual-channel configuration and an Amplitude Shift Keying modulation scheme. These performance levels are very reasonable for acquiring personally identifiable and other sensitive information.

Finally, we consider an alternative family of channels that exploit cloud co-residency. Here we describe a stealthy channel where a hostile client-server application pair, masquerading as a legitimate hosted site