sign in sign up
<<
Home , Covert channel

International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 898

An Efficient Approach to Resolve Covert Channels

Muawia A. Elsadig1 and Yahia A. Fadlalla2 (Corresponding author: Muawia A. Elsadig)

College of Computer Science and Technology, Sudan University of Science and Technology1 Khartoum, Sudan Lead Consultant/Researcher, InfoSec Consulting, Hamilton, Ontario, Canada2 (Email: [email protected]) (Received May 8, 2017; revised and accepted Oct. 21, 2017)

Abstract dition, the database user must obtain security clearance that allows them to access a particular data level [16]. In The competitive edge of many companies and public trust other words, any system must ensure that the users ob- in government institutions can often depend on the secu- tain the data which they are authorized for [35]. There- rity of the information held in their systems. Breaches fore, civilian and military government agencies are used of that security, whether deliberate or accidental, can be to building up their relational database systems based on profoundly damaging. Therefore, security is a highly topi- the hierarchical classification levels such as Top Secret, cal issue for both designers and users of computer systems. Secret, Confidential and Unclassified. A system is said to be secure if it supports the policy of The Mandatory Access Control (MAC) is a common a security model in a demonstrable way. Two users, or security access control model that requires users and re- processes operating on their behalf, are communicating sources to be classified and assigned security labels [14], indirectly or covertly in such a system if they are com- In other words, objects and subject are labelled with dif- municating through means that violate the interpretation ferent security levels [13]. MAC is an approach to restrict of the supported security model. Research to eliminate unauthorized users from accessing objects that hold sen- or resolve covert communication channels is limited com- sitive information. It is a B1 level requirement of the Or- pared to the real, rapid, and often dangerous threats these ange Book [9], and interested readers can see more about channels continuously pose. That is due; at large; to their the Orange Book in [23]. When a system ororganizes ingenious, inventive, and numerous scenarios. In order its data into different classification levels and mandates for any two users to establish a , they both with its access control utilizing the MAC model, then must know one another’s identity. This paper proposes the system will be defined as a Multilevel Secure Sys- a design that is based on the fact that it is impossible tem (MLS). The MLS is an implementation of MAC. It is inside a system for any process to recognize any user, for mainly developed for databases and computers that be- whom other processes are invoked, in order to covertly long to highly sensitive government organizations such as communicate with him or her - identities of all users are the U.S. Department of Defense [10]. In Multilevel Se- hidden. Our design is sought to eliminate covert channels cure Database Management Systems, users are cleared at that are known to a system and those that are unknown different clearance levels (i.e. Top-secret, Secret, Con- and waiting to be discovered and potentially utilized il- fidential and Unclassified. While data is given different licitly. The design is sought to eliminate covert channels sensitivity levels (i.e. Top-secret, Secret, Confidential and indifferent to the scenario they employ. Unclassified) [38]. A covert channel scenario exists if la- Keywords: Covert Channels; Channel bandwidth; Cryp- belled data is being transferred to an unauthorized user tography; ; Network Protocols; Security without violating Mandatory Access Controls. The unau- Model; Security Policy thorized user in this case is a user that hasn’t the appro- priate clearance to access this labelled data. Commonly, a covert channel is a method of exploiting a communi- 1 Introduction cation channel by a process in order to pass information without violating the system security policy. It is note- It is well known that a large number of databases contain worthy to mention that any proposal to solve a covert data that needs to be categorized into different security channel problem should take into account the system us- levels to securely manage the access to this data. In ad- ability and usefulness. In other words, a useful covert International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 899 channel solution is a solution that doesn’t diminish the lenge that is posed [6]. Another good contribution in net- usability and performance of the overt channel - a legit- work is done by Wendzel et al. [40]. They imate channel that is supposed to allow labelled data to introduced a unified description that assist in categorizing be accessed by a legitimate user. This paper introduces network hiding methods. This valuable effort provides a a design that is supposed to fully eliminate any potential unified taxonomy of hiding techniques, enables the com- covert channel scenario that is intended to leak labelled parison between them and offers an evaluation framework information to unauthorized parties. to assess hiding methods novelty. The rest of this paper is organized as follows: The It is noteworthy to mention that covert channels are next section gives a general overview of covert channel not always used to threaten information security. Some concepts and their development. Section 3 illustrates the practical uses for covert channels were presented, [11, 12, typical covert channel model, which reflects the general 34, 36] such as use of covert channels by network ad- concept of the covert channel scenario through address- ministrators to distribute secret information among the ing so called prisoners problem. Section 4 sheds some network users, use of covert channels to secure authen- light onto some common fundamental concepts to give a tication processes, etc. As an example of using covert concrete idea that facilitates a full understanding of our channels legitimately, Singh et al. proposed an approach proposed design which is presented in Section 5. Then that uses covert communication to enhance Vehicular Ad- Section 6 outlines the evaluation criteria of the proposed hoc Networks (VANETs) security [34]. VANETs have design. The paper is concluded in Section 7 and subse- become a hot area of research as they pose many se- quently the future work is presented in Section 8. curity challenges [8]. Moreover, any suggested security solution for VANETs has to ensure an acceptable over- head that doesn’t affect their protocols performance [7]. 2 Covert Channel Development Singh’s model exploits a storage covert channel approach to convey secure data while the transmission of unimpor- A covert channel allows people to exchange hidden infor- tant data can be done through the system overt channel. mation in an undetectable way - in a way that doesn’t di- However, this trend, the trend of using covert channels minish legitimate communication procedures, which com- for useful purposes, doesn’t change the fact that covert plicates the detection of such kinds of threats. In addition, channels are ongoing, devolved and a dangerous threat, a covert channel can also be exploited to pass malicious as covert channel techniques are developed according to activities such as Trojans and viruses etc. so traditional the rapid development of computer system and network firewall systems couldn’t recognize them. protocols. It is illogical to attain full elimination of covert chan- nels; however, it is possible to reduce them through an effi- cient and careful system design. Initially, the covert chan- nel was introduced in stand-alone systems and was later 3 Typical Covert Channel Model extended to exploit environments. Ac- cordingly, there are two scenarios in which covert channels This section introduces the typical concept of covert chan- exist: network-based system covert channels and stand- nels, which is illustrated through the common scenario alone system covert channels. In stand-alone covert chan- that is known as the prisoners problem [33]. nels, two processes of different security levels communi- Alice and Bob are prisoners who wish to communicate cate with each other covertly to leak hidden information, to each other, keeping in mind the end goal is to arrange (i.e. a high security level process leaks secret data to their escape. The possible communication channel that another process with low security level). In, contrast, a can be used to speak to each other is under monitoring network covert channel exploits network protocol to carry by so called Wendy (Warden). Wendy is dedicated to covert messages [4]. watch the communication between them. When Wendy Recently, different techniques have been developed catches any suspicious information, Alice and Bob will be that increasingly magnify covert channel threats. These moved into solitary confinement and that results in killing rapidly developed techniques present security experts any hope for them to exchange any piece of information. with a real challenge to fight against this ongoing threat. Therefore, in order to avoid this situation, Alice and Bob Interested readers are referred to [6], for in depth in- should find a secret channel to exchange their messages in formation on the rapid development of covert channels, a manner such that Wendy cannot be able to detect them. in which a lack of covert channel countermeasures is In this case, this channel is known as a covert channel clearly noticed. In the same context, Elsadig et al. in- which allows two communication parties to exchange their troduced a valuable concept, the network covert chan- secret information covertly without being detected by a nel triangle (DSM - Development, Switching and Micro- monitoring system. protocol), which involves three elements that have the When Alice and Bob are establishing their communi- most direct impact in developing network covert chan- cation via networked computers, then the scenario is rep- nel technology. The DSM triangle reflects the impor- resenting another type of covert channel which is know as tance of network covert channels and the security chal- a network covert channel [5]. International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 900

processes to represent users, so the processes request and consume the system resources on behalf of the associated users. In our proposed design, the Extended TCB Theater (ETCB) that is illustrated in Section 5, a user is assumed to have neither stolen nor forged the identity of a legit- imate user that is given to provide authorized access to the TCB system. Commonly, there are three types of authentication Figure 1: Typical covert channel model mechanisms: password-based [1, 15, 20, 25, 27, 39], token- based and biometrics-based [17, 21, 22, 43]. Password- based is the most popular one and it uses something a user knows (i.e. password, personal identity number (PIN) 4 Fundamental Concepts etc.). While token-based uses something a user possesses (i.e. smart cards, physical keys etc.). The last type is This section has introduced fundamental security con- biometrics-based which is known as something a user is cepts that are required to understand our proposed de- and does (i.e. fingerprint matching, iris scanning, voice sign which is illustrated in Section 5. These concepts recognition etc.) [28]. encompass Authentication, Multilevel Security and Cryp- Pham et al. discussed the shortcomings of the afore- tosystems. In addition, this section sheds some light on a mentioned authentication mechanisms and recommended storage covert channel that threatens multilevel security the new mechanism that has emerged recently, which systems. is known as electroencephalography (EEG) [28]. EEG is a type of biometrics and combines the advantages 4.1 Authentication of password-based and biometrics-based authentication mechanisms without their shortcomings. Accordingly, Authentication, authorization and accounting (AAA) is a Pham et al. proposed an authentication system based framework to apply policies, control and manage access to on EEG signals to be used in multilevel security systems. resources and examine the usage of these resources [42]. Authentication is a process of verifying the identity of a 4.2 Multilevel Security subject so as to ensure no subject can gain access to an information resource (object) unless their identity is ver- The development of database systems and their utiliza- ified. The next step after verification is Authorization tion by various people with various interests makes it cru- which determines what a subject accesses after authen- cial to design completely secured database systems [31]. tication. Authorization is classed into two types, Course Commonly, any secure Database Management System Authorization and Fine Authorization. As an example, (DBMS) uses some rules to control access to its data. The having access to a payroll system is a Course Authoriza- setting of these rules is defined as the system security pol- tion while determining which function is allowed to be icy, in which any company enforces its security policy to accessed after getting into a payroll system is a Fine Au- allow only authorized users to access what they are au- thorization. thorized for. The access process encompasses subject and Accountability is concerned with recording what a sub- object. The subject is an active process request to ac- ject does, when it does it and where it does it. cess an object, while the object is a passive entity such These combined processes (authentication, authoriza- as information resources. The rules that control the ac- tion and accounting) are considered vital for effective net- cess process can be abstracted by what is called an access work management and security. Moreover, authentication control matrix. Each element of this matrix represents an is considered the foundation of all security systems [28]. authorized mode of access as illustrated in Figure 2. An effective and successful authentication procedure Each subject is assigned a clearance, and each object is heavily based on the efficiency of the verification pro- a classification [18]. Clearances and classifications are cedure that is being used. The trusted computing base formed into so called access classes. Each access class (TCB) is the mechanism that is used to perform the au- involves two parameters (a hierarchical and a group of thentication procedures as a part of its whole security nonhierarchical categories). Top secret and Secret are ex- mission. It maintains enforcement of the security policy amples of hierarchical components while Navy, Military of a given system. The careful design and implementa- is an example of a group of nonhierarchical categories [9]. tion of a TCB for any system is paramount to its overall MAC, which is mainly based on the Bell-LaPadula security. System users are considered outside the system model [10, 26] allows a labelled object to be transferred boundaries, so the TCB doesn’t deal directly with the sys- to a subject if and only if the object access class is dom- tem users. The TCB is dealing with the processes inside inated by that of the subject. The TCB mechanism is the system that act on behalf of the real system users. closely similar to MAC concepts. It is the set of security Normally, inside a system boundary, the system creates components in which to enforce a system security policy. International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 901

Unclassified security levels and so on as illustrated in Fig- ure 4.

Figure 2: An example of TCB model

Figure 4: User clearance levels

It assigns labels to objects, users and processes. The TCB should be carefully designed and protected to enforce ac- Generally, it is commonly known that any system en- cess controls effectively. forces the two rules: (1) simple security property and (2) Fadlalla asserted that covert channels still exist in star property providing multilevel security [30, 37]. Multi- many systems despite the fact that many effective criteria level Security is expected to help in the decision to access were presented to disallow any attempt at covert commu- a domain with security classifications, a domain where nication between two processes. These criteria include its information has security levels (i.e. Confidential, Se- CTCPEC, TCSEC and the Bell-LaPadula model etc. [9]. cret etc.) [29]. Based on some specific requirements and As mentioned, in Multilevel Secure Database Manage- definitions, the (NSA) has de- ment Systems, users are cleared at different clearance lev- fined various levels of security for computer and network els (i.e. Top-secret, Secret, Confidential and Unclassified. systems. These definitions were stated on the evalua- Data is given different sensitivity levels (i.e. Top-secret, tion criteria: Trusted Computer System Evaluation Cri- Secret, Confidential and Unclassified) [38]. To illustrate teria (TCSEC) and Trusted Network Interpretation of the the concept of a security level classifications approach an Trusted Computer System Evaluation Criteria. Accord- example is given below. ingly, six hierarchical ratings levels are defined: A1, B3, Example 1. Imagine a database system with five user B2, B1, C2 and C1. A1 is the most secure level while C1 classifications as follows: Top Secret, Secret, Confidential is the least secure. The requirements for MLS are pre- and Unclassified. According to these classifications, the sented in Division B, which includes three sub-levels (B3, database would be classified into the same security level B2 and B1). Generally, we summarize that MLS refers classifications as shown in Figure 3. to a system in which at least two classification levels of information or more are processed at the same time, and not all users are cleared for all levels of information [41].

4.3 Covert Channel When dealing with a data object, as one subject writes to and another reads from, in this case the data object is con- sidered an overt channel because this entity (data object) is mainly intended to hold data (i.e. files, buffers etc.). When subjects exchange information through a non-data object entity, then a covert channel exists. That means Figure 3: Database security level classification covert channels use a non-data object (an object that isn’t used to hold data) to send data from one subject to an- other. There are two types of covert channel, storage A user can access the database according to two pa- and timing covert channels [3]. In a storage channel, the rameters (their security level and database security level). unauthorized information is being exchanged through a These classifications are hierarchical in nature. In other non-data object (i.e. one high process writes information words, an unclassified user can only see the unclassi- to a non-data object, and then a low process reads that fied database while the Top-Secret user can see all other information). This scenario is legally accepted because database security levels (Top Secret, Secret, Confidential the two processes can write to or read from a non-data and Unclassified). Confidential can see Confidential and object. However, from a different perspective, the sce- International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 902 nario is violating the system security policy because the encryption key and the decryption key are different. So, information is exchanged between a high process and low the decryption key is kept secret while the encryption key process, which is prohibited. Therefore, it is noteworthy is made public [9]. to say that detection of covert channels is highly difficult since the covert channel doesn’t diminish the system le- gal operations. Timing covert channels occur by means of 5 Extended TCB Theater one process that can modulate signals or secret messages to another process that is not authorized to gain such The extended TCB Theater is a security design that aims information. After modulation of the secret message by to eliminate any potential covert channel that is sup- the sender process, then the intended process (receiver) posed to pass classified information to unauthorized users observes and decodes the secret message [4]. covertly. The design is an extended version of our design, Commonly, most covert channel detection methods TCB Theater presented in [9]. The enhanced version, rely heavily on identifying illegal flow of information in called Extended TCB Theater (ETCBT) is a combina- source code or top-level specifications. As a matter of tion of two approaches, authentication and cryptography. fact, some excluded resources in the interpretation phase This is to ensure that the identity of a user is kept secret of any security model represent fruitful areas for develop- from other users. So, covert processes - that work on be- ing covert channels. These resources include design detail, half of users - would never know each other and this is implementation detail etc. expected to fully eliminate any potential covert channel that intends to leak confidential information to unautho- 4.4 Cryptosystems rized parties. The ETCBT is controlling the request that is made by a subject to access an object; the subject would A cryptographic system has five components: be any process that wishes to utilize object resources. As • A plaintext message. a matter of fact, some processes are legitimate processes that work on behalf of legitimate users, while some pro- • A ciphertext message. cesses can be malicious (i.e. processes infected by Trojan • A key space. horses or by any other means of malicious activity) that • An enciphering transformation: the transformation work on behalf of covert users -legitimate users that com- of a plaintext into ciphertext. municate with each other covertly. Therefore, this design is mainly built to break the connection between covert • A deciphering transformation: the transformation of processes through hiding the true users’ identities. a ciphertext into plaintext.

Commonly, there are two rules that each cryptographic 5.1 ETCBT Assumptions system should adhere to, these rules are: There are three assumptions that our proposed system 1) The two main operations of any cryptographic sys- heavily relies on: tem, enciphering and deciphering transformations, have to work for all keys of the key space. 1) The design assumes that a user can’t be seen on the 2) Any cryptographic system must depend on maintain- ETCBT system after assigning a process to work on ing the security of the keys not on the secrecy of the their behalf. encryption/decryption algorithms. 2) The design assumes that more than two processes are running at the same time. It is commonly ex- pected that most times this assumption is valid, but in case this assumption is not valid, the ETCBT in- troduces a new approach to ensure the validity of this assumption. The ETCBT ensures the presence of this assumption by introducing a confusing pro- cess in the case that only two processes are running at a given time. If two covert processes try to infer Figure 5: Diagram of a cryptographic system [9] that they are the only communicated processes at a given time, the confusing process defeats that.

The Cryptosystems are categorized into two classes: 3) The design assumes that a trusted, secure and direct symmetric cryptosystems and asymmetric cryptosystems. communication path should be attained between a For symmetric cryptosystems, a same key is used for user and the ETCBT system. To ensure the two com- both operations, encryption and decryption, and this key munication parties are authenticated by each other should be kept secret. In asymmetric cryptosystems, the and their exchanged data is secured. International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 903

5.2 ETCBT Components and Descrip- tion The ETCBT system consists of four essential components listed below and illustrated in Figure 6.

1) Theater Office. 2) TCB. 3) Confusing Process Generator. 4) The user.

5.2.1 Theater Office This unit is the same as the “Box Office” unit illustrated in the previous model [5]. A user is required to ob- tain “pass-information” to be able to access the TCB. This pass-information is provided by the Theater Office. When the Theater Office provides the user with the pass- information, it sends encrypted information about the user to the TCB at the same time. The detail of how this unit works is discussed in the next section.

5.2.2 TCB This unit consists of four components: the Database Trusted Guard, the Reference Monitor, the Authentica- Figure 6: ETCBT design diagram tor, and the Secure Data Block. The Secure Data Block has a direct communication channel with the Theater Of- fice, whereas the rest of the components are logically con- change is required by the system security policy. The nected to the Theater Office. Theater Office is responsible for providing the aforemen- tioned privileges. Then the user uses his log on identifier 5.2.3 Confusing Process Generator and encryption key/keys to only communicate with the Theater Office. This unit works only under special conditions, when there When a user needs to access an object, they send their are only two processes running at the same time. When plain login identifier to the Theater Office - unencrypted this condition is met, the Reference Monitor sends a re- identifier. That means the user must be identified by quest to the Confusing Process Generator, and then the the Theater Office. Then the Theater Office does the latter unit generates a confusing process. The Reference following scenarios simultaneously: Monitor receives the confusing process and prompts the Database Trusted Guard to give the confusing process 1) Send encrypted “pass information” to the user, which access to the same object that is being used by the afore- includes a temporary login identifier along with a new mentioned two processes. In this case, the two processes user encryption key to be used to communicate with will be confused about which process has performed the the TCB. last operation on the shared object. Therefore, this breaks 2) Send a “ticket” to the TCB through the Secure Data up any potential covert communication, if we assume that Block unit, which is connected to all other TCB’s the two processes have an intention to leak classified in- components. The ticket is an encrypted packet that formation covertly. consists of the following parts:

5.2.4 The User • The “pass-information” which is encrypted with a shared key between the TCB Authenticator This unit represents a user who wishes to access the TCB. and the Theater Office. In other words, the user who wishes to access an object in a classified database (Multilevel Security System). • Users’ login identifiers and a list of their allowed processes to be executed on the TCB. This in- formation is encrypted with a key. This key is 5.3 How ETCBT Works shared between the Theater Office and the TCB A user is granted an access class, a list of user allowed Reference Monitor. processes to be executed on the TCB, and a permanent • Users’ login identifiers and their access classes login identifier. These are permanent privileges unless a are both encrypted with a key. This key is International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 904

shared between the Theater Office and the TCB efficient design has been proposed by this paper to pre- Trusted Guard. vent any two users with different classes (i.e. Top Secret level and Confidential level) from initiating a covert com- These scenarios ensure separate communication be- munication channel. As a matter of fact, the design is tween the Theater Office and the TCB’s components. not preventing two processes from being communicated This design relies on cryptography to secure the commu- covertly. However, the process that passes a covert mes- nication between its components as described above. So, sage never knows to which user the receiving process be- each component has a logical separate secure path to the longs. So, at the level of processes communication, the other components, which ensures the separation between processes will never identify each other on the level of the the users and the processes are working on their behalf. true users that they are operating on their behalf. This In return, this will successfully prevent any attempts to design is expected to totally overcome the covert chan- establish any covert communication. nel problem in multilevel security systems even if there are only two processes running at the same time. When there are only two active processes, the design introduces 6 Approach Evaluation Criteria a so called “confusing process” to confuse the two active processes and thus prevents them from having a successful Our evaluation is based on implementations of real sce- covert communication. narios that are expected to reflect realistic results which prove our approach’s expectations. Our design is sought With the rapid development of computer networks, to completely stop any two users - usually with different many enterprises build up their local network. Defi- access levels - to benefit from their covert communication. antly, these networked computers store a great amount To initiate a covert channel, two users who are presented of data or information and the users continuously ex- inside the systems by two different processes, have to iden- change information over the network. This phenomenon tify each other. One of the two users is the sender of the has boosted the need for secure communication [24]. In illicit information and the other is the receiver. Our de- this sense, some recent woks have been presented such as sign hides all users’ identities from the TCB. Our design those at [2, 32]. does not prevent; nor does it worry about; illicit signaling between processes, rather, it prevents illicit signaled infor- mation to reach its intended receiver. Hiding users’ identi- An extension of the Bell-Lapadula model to suit local ties prevents any potential covert communication between area networks, called the L-BLP model, has been pro- any two users. Our approach establishes a trusted path posed in [32]. This is where each host is assigned a se- service which ensures users direct and uncompromised curity level, and then according to these levels the mon- secure communication with TCB; the Trusted Guard is itoring device controls all communications between these placed between a process and the database. Each TCB hosts by applying the L-BLP security policy. The L-BLP component is forced to know the least information about defines system topologies and builds up new state transi- users necessary to serve them; and is certainly not aware tion rules to control the flow of information securely. This of their identities. Therefore, our evaluation is dependent represents a multilevel security local area network MSL. on the cryptosystem used; we assume it to be effective The L-BLP model allows a low-level host to send informa- in terms of its efficiency and usability. The evaluation tion to another with a high level and prevent a high-level procedure may consider either symmetric or asymmetric host sending information to a low-level host. However, cryptosystem. Taking into account the development in this scenario isn’t valid for a TCP/IP network, which re- cryptosystem techniques; e.g., Elliptic Curve Cryptogra- quires a Knowledge message (ACK) to ensure packet de- phy (ECC) challenges RSA. ECC attains better security livery. When a packet is sent by a low host to a high one, in case of using a smaller key compared to RSA [19]; con- the low host waits to receive the ACK message, but the sequently; it decreases the processing overhead and that high host is prevented by L-BLP model policy from send- is one important criterion when it comes to evaluating ing any information to the low host. Solving this problem a cryptosystem’s performance. Any suitable supported (by allowing the high host to send an ACK message to programming language may be used to implement our the low one) causes a covert channel scenario as a high design, e.g., C++. while this section demonstrates our host can exploit the ACK message to pass information to approach’s evaluation criteria, the implementation and a low host which is against security rules [24]. Our design evaluation results are left as future work, as indicated is expected to solve this problem as it is mainly based on in Section 8. the separation between a user and the process that oper- ates on their behalf. If a user (a Host in terms of network) acknowledges another user (another Host), this acknowl- 7 Conclusion and Discussion edgment is within the level of the users. Therefore, the processes are not being involved as per our design pol- Based on hiding all user identities from the TCB and thus icy and thus prevent any attempt to handle any covert from the processes that are operating on their behalf, an communication. International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 905

8 Future Work [12] T. S. Fatayer and K. A. A. Timraz, “Mlscpc: Multi- level security using covert channel to achieve pri- Our future work would be focused in verifying our design vacy through cloud computing,” in World Sympo- through a real or simulated environment to give realistic sium on Computer Networks and Information Secu- results. In addition, this design is expected to be ex- rity (WSCNIS’15), pp. 1–6, 2015. tended to suit a network environment as an approach to [13] D. Gollmann, “,” Wiley Interdis- fix network-based covert channels. The network covert ciplinary Reviews: Computational Statistics, vol. 2, channel techniques are dramatically increased, developed no. 5, pp. 544–554, 2010. and pose a real challenge. [14] Y. Huang and X. Ma, “A security model based on database system,” in International Conference References on Electrical and Control Engineering (ICECE’10), pp. 4954–4957, 2010. [1] A. Asimi, Y. Asimi, A. Abdellah, and Y. Sadqi, [15] M. S. Hwang, S. K. Chong, and T. Y. Chen, “Dos- “Strong zero-knowledge authentication based on vir- resistant id-based password authentication scheme tual passwords,” International Journal Network Se- using smart cards,” Journal of Systems and Software, curity, vol. 18, no. 4, pp. 601–616, 2016. vol. 83, no. 1, pp. 163–172, 2010. [2] M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. [16] S. Jajodia and R. Sandhu, “Toward a multilevel se- McKeown, and S. Shenker, “Ethane: Taking control cure relational data model,” ACM SIGMOD Record, of the enterprise,” in ACM SIGCOMM Computer vol. 20, no. 2, pp. 50–59, 1991. Communication Review, vol. 37, pp. 1–12, 2007. [17] O. Kaiwartya, M. Prasad, S. Prakash, D. Samadhiya, [3] P. Dong, H. Qian, Z. Lu, and S. Lan, “A network A. H. Abdullah, and A. O. A. Rahman, “An investi- covert channel based on packet classification,” In- gation on biometric internet security.,” International ternational Journal Network Security, vol. 14, no. 2, Journal Network Security, vol. 19, no. 2, pp. 167–176, pp. 109–116, 2012. 2017. [4] M. A. Elsadig and Y. A. Fadlalla, “Survey on covert [18] N. Kaur, R. Singh, M. Misra, and A. K. Sarje, “Con- storage channel in computer network protocols: De- currency control for multilevel secure databases,” In- tection and mitigation techniques,” in The Interna- ternational Journal Network Security, vol. 9, no. 1, tional Conference on Advances in Information Pro- pp. 70–81, 2009. cessing and Communication Technology (IPCT’16), [19] A. V. N. Krishna, A. H. Narayana, and S. K. Murthy, pp. 79–85, 2016. “A hybrid digital signature scheme on dependable [5] M. A. Elsadig and Y. A. Fadlalla, “Survey on covert and secure data,” International Journal of Elec- storage channel in computer network protocols: De- tronics and Information Engineering, vol. 6, no. 2, tection and mitigation techniques,” International pp. 87–93, 2017. Journal of Advances in Computer Networks and Its [20] C. C. Lee, C. H. Liu, and M. S. Hwang, “Guess- Security, vol. 6, no. 3, pp. 11–17, 2016. ing attacks on strong-password authentication proto- [6] M. A. Elsadig and Y. A. Fadlalla, “Network proto- col,” International Journal Network Security, vol. 15, col covert channels: Countermeasures techniques,” no. 1, pp. 64–67, 2013. in 9th IEEE-GCC Conference and Exhibition (GC- [21] C. T. Li and M. S. Hwang, “An efficient biometrics- CCE’17), pp. 706–714, 2017. based remote user authentication scheme using smart [7] M. A. Elsadig and Y. A. Fadlalla, “Performance anal- cards,” Journal of Network and computer applica- ysis of popular manet protocols,” in 9th IEEE-GCC tions, vol. 33, no. 1, pp. 1–5, 2010. Conference and Exhibition (GCCCE’17), pp. 1085– 1089, 2017. [22] C. T. Li and M. S. Hwang, “An online biometrics- [8] M. A. Elsadig and Y. A. Fadlalla, “Vanets security based secret sharing scheme for multiparty cryp- issues and challenges: A survey,” Indian Journal of tosystem using smart cards,” Network, vol. 3, no. 4, Science and Technology, vol. 9, no. 28, 2016. pp. 5, 2010. [9] Y. Fadlalla, Approaches to Resolving Covert Stor- [23] S. B. Lipner, “The birth and death of the orange age Channels in Multilevel Secure Systems, 1997. book,” IEEE Annals of the History of Computing, ISBN:0-612-23861-X. vol. 37, no. 2, pp. 19–31, 2015. [10] O. S. Faragallah, E. M. El-Rabaie, F. E. A. El-Samie, [24] X. Liu, H. Xue, X. Feng, and Y. Dai, “Design of the A. I. Sallam, and H. S. El-Sayed, Multilevel Security multi-level security network switch system which re- for Relational Databases, pp.304, 2014. stricts covert channel,” in IEEE 3rd International [11] T. S. A. Fatayer, “Generated un-detectability covert Conference on Communication Software and Net- channel algorithm for dynamic secure communica- works (ICCSN’11), pp. 233–237, 2011. tion using encryption and authentication,” in Pales- [25] Y. J. Liu, C. C. Chang, and S. C. Chang, “An effi- tinian International Conference on Information and cient and secure smart card based password authen- Communication Technology (PICICT’17), pp. 6–9, tication scheme,” International Journal of Network May 2017. Security, vol. 19, no. 1, pp. 1-10, 2017. International Journal of Network Security, Vol.20, No.5, PP.898-906, Sept. 2018 (DOI: 10.6633/IJNS.201809 20(5).11) 906

[26] W. Meanrach and S. Chittayasothorn, “A bitempo- [39] C. S. Tsai, C. C. Lee, and M. S. Hwang, “Password ral multilevel secure database system,” in Africon, authentication schemes: Current status and key is- pp. 1–7, 2007. sues,” International Journal Network Security, vol. 3, [27] J. Moon, D. Lee, J. Jung, and D. Won, “Improve- no. 2, pp. 101–115, 2006. ment of efficient and secure smart card based pass- [40] S. Wendzel, W. Mazurczyk, and S. Zander, “Uni- word authentication scheme,” International Journal fied description for network information hiding meth- Network Security, vol. 19, no. 6, pp. 1053–1061, 2017. ods,” Computer Science, vol. 22, no. 11, pp. 1456– [28] T. Pham, W. Ma, D. Tran, P. Nguyen, and D. Phung, 1486, 2016. “Eeg-based user authentication in multilevel security [41] T. C. Williams, Multi-Level Security Network Sys- systems,” in International Conference on Advanced tem, June 27, 2006. US Patent 7,069,437. Data Mining and Applications, pp. 513–523, 2013. [42] C. C. Yang, C. W. Lee, T. Y. Chang, M. S. Hwang, [29] F. S. Prass, L. M. Fontoura, and O. M. D. Santos, “A solution to mobile IP registration for AAA”, Lec- A Framework Based on Security Patterns for Trans- ture Notes in Computer Science, vol. 2524, pp. 329– formations, pp. 319-331. 337, 2003. [30] P. Sapra and S. Kumar, “Development of a con- [43] M. Zhang, B. Yang, W. Zhang, and T. Takagi, currency control technique for multilevel secure “Multibiometric based secure encryption, authenti- databases,” in International Conference on Opti- cation scheme with fuzzy extractor,” International mization, Reliabilty, and Information Technology Journal Network Security, vol. 12, no. 1, pp. 50–57, (ICROIT’14), pp. 111–115, 2014. 2011. [31] P. Sapra, S. Kumar, and R. K. Rathy, “Performance analysis of decomposition techniques in multilevel se- cure relational database systems,” in Proceedings of Biography the Second International Conference on Computa- tional Science, Engineering and Information Tech- Muawia A. Elsadig obtained his MSc degree in Com- nology, pp. 544–549, 2012. puter Network and Bachelor degree in Computer Engi- [32] T. G. Si, Y. X. Zhang, and Y. Q. Dai, “L-blp security neering. His research interests lie in the area of Infor- model in local area network,” Dianzi Xuebao (Acta mation Security, Network Security, Cybersecurity, Wire- Electronica Sinica), vol. 35, no. 5, pp. 1005–1008, less Sensor Networks, Network Protocols, and Informa- 2007. tion Extraction; ranging from theory to design to imple- [33] G. J. Simmons, “The prisoners’ problem and the sub- mentation. Elsadig worked at different accredited inter- liminal channel,” in Advances in Cryptology, pp. 51– national universities and has many publications at recog- 67, 1984. nized international journals and conferences. [34] A. Singh and K. Manchanda, “Establishment of bit Dr. Fadlalla is the lead researcher and scientist at In- selective mode storage covert channel in vanets,” foSec Consulting in Ontario, Canada. He earned B.Sc. in IEEE International Conference on Computational in Computer Science from the State University of New Intelligence and Computing Research (ICCIC’15), York at Utica, N.Y., USA; M.Sc. and Ph.D. in Com- pp. 1–4, 2015. puter Science from the University of New Brunswick at [35] P. D. Stachour and B. Thuraisingham, “Design of Fredericton, New Brunswick, Canada in 1985, 1992, and ldv: A multilevel secure relational database manage- 1996, respectively. Professor Fadlalla taught at the Uni- ment system,” IEEE Transactions on Knowledge and versity of New Brunswick at Fredericton and at the State Data Engineering, vol. 2, no. 2, pp. 190–209, 1990. University of New York at Albany. He is frequently in- [36] Y. Sun, X. Guan, and T. Liu, “A new method for vited nationally and globally to speak on contemporary authentication based on covert channel,” in Proceed- information security issues. He appears and was featured ings of the 8th IFIP International Conference on in Canadian television and newspapers as an information Network and Parallel Computing (NPC’11), pp. 160– and national security expert; likewise, he was featured 165, 2011. in newspapers in France, Morocco, Sudan, and England. [37] M. Thiyagarajan, C. Raveendra, and V. Thiagarasu, Professor Fadlalla is and was an information security con- “Web service authentication and multilevel security,” sultant to different private companies and government Indian Journal of Science and Technology, vol. 8, agencies in Canada. He has extensive publications record no. 15, 2015. in the areas of Computer Security, Information Assur- [38] B. Thuraisingham, “Multilevel secure database man- ance, Cryptography, and Cyber Security. He is a member agement system,” in Encyclopedia of Database Sys- of numerous professional associations and societies world- tems, pp. 1789–1792, 2009. wise.