*Corresponding Author
A Covert Channel Using Core Alternation
Yangwei Li¹, Qingni Shen*¹, Cong Zhang¹, Pengfei Sun¹, Ying Chen¹, Sihan Qing¹,²
¹ School of Software and Microelectronics &
MoE Key Lab of Network and Software Assurance,
Peking University, Beijing, China
² Institute of Software, Chinese Academy of Sciences, Beijing, China
liyangwei@pku.edu.cn; qingnishen@ss.pku.edu.cn; {cong_zhang, sunpengfei, ying.chen}@pku.edu.cn;
qsihan@ss.pku.edu.cn
Abstract—The performance improvement gained by the use
of multi-core processors has led to security problems. In this paper,
we present a new covert channel which we call the
"core-alternative channel". This covert channel could exist in most
operating systems and virtualization platforms with multi-core
processors. We have developed CCCA (Covert Channels using
Core-alternation), a prototype that creates a core-alternative
channel and communicates data secretly. We discuss how to
mitigate and eliminate this channel. We quantitatively evaluate
the threat of the core-alternative channel both between processes
on Linux and between virtual machines on the Xen hypervisor.
We also measure the bandwidth and communication
accuracy of this covert channel.
Keywords-multi core; core-alternative covert channel; CCCA
I. INTRODUCTION
A covert channel is generally referred to as a
communication mechanism that is neither designed nor
intended to transmit information [1]. A more formalized
definition is: Given a nondiscretionary (e.g., mandatory)
security policy model M and its interpretation I(M) in an
operating system, any potential communication between two
subjects I(Sh) and I(Si) of I(M) is covert if and only if any
communication between the corresponding subjects Sh and
Si of the model M is illegal in M [12]. Research in covert
channels can be divided into four categories, namely
explaining them, finding them, measuring them, and
mitigating them [3]. Covert channels have been widely recognized as a
serious threat to not only operating systems but also
virtualized platforms [11].
Multi-core processors bring improvements in
performance but also bring security problems. We present a
covert channel that exists in most systems with multi-core
processors; this covert channel uses spatial information of
cores to transmit information.
We develop CCCA (Covert Channels using
Core-alternation), a covert channel communication prototype. This
system is effective on both Linux and the Xen hypervisor [6]. On
Linux, it enables processes on a single operating system to
communicate with each other using multi-core processors as
the communication medium. On the Xen hypervisor, it enables
processes in different DomU or Dom0 to communicate with
each other.
In an ideal dual-core environment, CCCA can transmit
data at 32.26 bps on Ubuntu 10 and 19.23 bps on the Xen
hypervisor. Experimental results show that it can
communicate at the same bit rates with approximately 26.1%
accuracy, and at 3.70 bps on Ubuntu 10 and 2.22 bps on the Xen
hypervisor with 100% accuracy, when machines are hosting a
moderately loaded Web server.
The next section introduces the related work; Section 3
illustrates the threat scenario; Section 4 presents the
implementation of core-alternative channel, and Section 5
demonstrates the evaluation of CCCA. After that, we
describe our further work in Section 6 and conclude our
paper in Section 7.
II. RELATED WORKS
Covert channels became known to the community due to
Lampson’s prominent work [1]. Research in covert channels
can be divided into four categories, namely explaining them,
finding them, measuring them, and mitigating them [3]. In
1983, Kemmerer proposed one of the most widely used
methods in covert channel identification [2]: the shared
resources and the operations that are used to view and
modify resources are first enumerated, a Shared Resource
Matrix (SRM) is then constructed and each resource is
carefully examined to determine whether it can be used to
transfer information covertly. The non-interference approach
was introduced by Goguen and Meseguer [7]. One user
process is non-interfering with another when the output
observed by the second user process is unchanged if all
inputs from the first user process, from the initial state, are
eliminated as though they had never occurred.
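
The non-interference definition above can be checked mechanically on a small model. The following is an added example, not code from the paper or from CCCA: it assumes a constructed two-core toy scheduler in which a sender H may occupy a core and an observer L asks which core it received, and it searches input sequences up to a bounded length for one where eliminating H's inputs changes what L observes.

```python
from itertools import product

# Constructed toy model (an assumption, not the paper's CCCA prototype):
# two cores, a sender H that may occupy one, an observer L that asks
# which core it was scheduled on.
H_CMDS = ("pin0", "pin1", "release")
L_CMDS = ("where",)
ALPHABET = [("H", c) for c in H_CMDS] + [("L", c) for c in L_CMDS]

def shared_scheduler(h_core, user, cmd):
    """L gets the lowest-numbered core that H is not occupying."""
    if user == "H":
        return ({"pin0": 0, "pin1": 1, "release": None}[cmd], None)
    return (h_core, 1 if h_core == 0 else 0)

def partitioned_scheduler(h_core, user, cmd):
    """H is confined to core 0 and L to core 1, whatever H asks for."""
    if user == "H":
        return (None if cmd == "release" else 0, None)
    return (h_core, 1)

def low_view(step, inputs):
    """Run the machine from the initial state; return the outputs L sees."""
    state, seen = None, []
    for user, cmd in inputs:
        state, out = step(state, user, cmd)
        if user == "L":
            seen.append(out)
    return seen

def purge(inputs):
    """Eliminate every input of the first user (H), as in the definition."""
    return [(u, c) for u, c in inputs if u != "H"]

def find_interference(step, max_len=4):
    """Return a shortest input sequence on which L's view changes when H's
    inputs are purged, or None if none exists up to max_len inputs."""
    for n in range(1, max_len + 1):
        for seq in product(ALPHABET, repeat=n):
            if low_view(step, seq) != low_view(step, purge(seq)):
                return list(seq)
    return None

if __name__ == "__main__":
    print("shared:", find_interference(shared_scheduler))
    print("partitioned:", find_interference(partitioned_scheduler))
```

A returned witness is a concrete interference trace; a result of None only shows non-interference up to the searched length, not for all input sequences.
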
Zhenghong Wang and Ruby B. Lee's modeling [8] made
progress in covert channel modeling. Unlike the
non-interference approaches, their approach was constructive,
allowing the direct examination of system architectures at
different abstraction levels for the presence or absence of the
mechanisms that can be exploited to create covert channels.
They divided covert channels into four types: value-based
spatial channels, transition-based spatial channels, value-based
temporal channels, and transition-based temporal channels.
[8] found a covert channel they called a value-based temporal
channel, which turns out to be the direct temporal coordinate
channel in this paper. [4] claimed that a necessary and
sufficient condition for setting up a covert channel is that (1) the
sender is able to invoke change(s) in the visible space of the
receiver, or (2) the sender is able to change when an object is
updated relative to the observation made by the receiver, but
this condition turned out to be imperfect when the Storage Capsule
system was presented [10].
2012 26th International Conference on Advanced Information Networking and Applications Workshops
978-0-7695-4652-0/12 $26.00 © 2012 IEEE
DOI 10.1109/WAINA.2012.103