
Ph.D. Thesis

Covert Channels in Modern Computer Systems: The cases of Mobile and Cloud

Ken Block
College of Computer and Information Science, Northeastern University

Ph.D. Committee:
Guevara Noubir (Advisor, Northeastern University)
Yunsi Fei (Northeastern University)
Engin Kirda (Northeastern University)
Ricardo Rodriguez (External Member, Raytheon)

July 2018

Abstract

Covert channels have existed for centuries, from the time of Histiaeus to the modern day. Like its historical roots, the modern covert channel's life cycle consists of identifying new attack vectors, developing countermeasures, and continuing with the next thrust-and-parry cycle. The front line in this conflict now includes mobile devices and cloud computing centers. In this thesis, we investigate the potential of a particular covert channel form and its performance limits, and we explore mitigation techniques and their effectiveness. We emphasize permissionless, resource-compromising channels in which both the attacker and the provider/defender face complexity in creating and mitigating the attacks, respectively. Two channels discussed herein utilize shared resources as the critical communications element, while the third uses external entities to communicate with target devices. Furthermore, one channel leverages the physical structure of a mobile device. A second relies on an external source that freely communicates with a mobile device's unprotected sensor, while the third, a cloud platform-based attack, targets shared resources whose very existence provides economic benefit to the service provider.

Initially, we describe a privacy attack whereby a seemingly innocuous app receives and exfiltrates location information obtained indirectly from an external source, despite user efforts to suspend all location acquisition and supporting services such as GPS, cellular, Wi-Fi, Bluetooth and NFC. Source locations may include stores, malls, railways, airports, hotels, cross-walks and bus stations.
A location-resident system encodes a unique ID that references position data and transmits it via magnetic field manipulation. A victim's local magnetometer, available to any app without permission and functioning as the receiver, detects the encoded pattern in the presence of motion and other environmental noise. The pattern's payload is transmitted off-board the Android device at a later time, when communication services are enabled. We can therefore establish a partial history of device locations despite the user's effort to prevent tracking, short of powering off the device. We achieve an aggregate location ID accuracy of 86% with a bit error rate of 1.5%.

Next, we form an ultrasonic, permissionless bridge between two co-resident Android™ apps using the speaker as the acoustic source and the accelerometer as the receiver. The resonance behavior of the MEMS sensors is exploited as an alternative to the microphone, which requires a permission. Information is extracted by one app that is granted permission to access sensitive information but is blocked from external access. A second app is allowed external access but is prevented by Android protections from direct access to the sensitive information. This bridge enables sensitive information to flow to an eventual off-board destination, operating unconstrained by the Android system and without alerting the victim. We achieve bit error rates of 10⁻⁴ with channel capacity approaching 40 bits per second when applying performance-boosting techniques such as a MIMO-like dual-channel configuration and an Amplitude Shift Keying modulation scheme. These performance levels are very reasonable for acquiring personally identifiable and other sensitive information.

Finally, we consider an alternative family of channels that exploit cloud co-residency.
Here we describe a stealthy channel where a hostile client-server application pair, masquerading as a legitimate hosted site with valuable content, exploits shared resources on a cloud server. We demonstrated this stealthy timing channel attack achieving worst-case native BERs of 1.87 × 10⁻² and, by applying spreading gain, 5 × 10⁻⁴. This channel, built on out-of-the-box libraries and application configurations, executed continuously for 24 contiguous days in a major university Computer Science department datacenter. It shared the same highly dynamic environment that actively supported over 1000 virtual and physical nodes.

Contents

1 Introduction . . . 1
1.1 Motivation Summary for Thesis . . . 1
1.2 Mobile Device Position Identification Summary . . . 1
1.3 Mobile Device Sensitive Information Extraction Summary . . . 2
1.4 Cloud Platform Attack Summary . . . 3
1.5 Existing Work and Mitigation Attempts Overview . . . 3
1.5.1 Attack Vector Summary . . . 3
1.5.2 Mitigation . . . 4
1.6 Thesis Overview . . . 4
1.7 App Download Behavior and Enticement . . . 5
1.7.1 Age Based Demographics and Behaviors . . . 5
1.7.2 Trust . . . 6
1.7.3 Multi-app Consideration . . . 6
1.7.4 Nationality / Country Considerations . . . 6
1.7.5 Emerging Defense . . . 7
1.7.6 Legal Protections . . . 7
1.7.7 Attack Strategy and Summary . . . 7
2 Permissionless Tracking Using Magnetic Fields . . . 9
2.1 Introduction . . . 9
2.2 Background and Motivation . . . 10
2.3 Threat Model . . . 12
2.3.1 Vulnerability . . . 12
2.3.2 Threat . . . 12
2.3.3 Attack . . . 13
2.3.4 Exploit . . . 13
2.3.5 Trust . . . 14
2.3.6 Data . . . 14
2.4 System Design . . . 14
2.4.1 Magnetometer Based Tracking System Overview . . . 14
2.4.2 Magnetic Flux Determination . . . 15
2.4.3 Challenges and Tradeoffs . . . 17
2.4.4 Design Decisions, Observations and Parametrics . . . 17
2.4.5 Coil and Electronics Design . . . 19
2.5 Code Selection and Payload Design . . . 20
2.6 Signal Processing . . . 21
2.7 Testing and Evaluation Approach . . . 23
2.7.1 Testing Methodology . . . 24
2.7.2 Magnetic Field Characteristics . . . 25
2.8 Testing Results . . . 26
2.8.1 Sampling Rates . . . 26
2.8.2 Processing . . . 27
2.8.3 Stationary Testing . . . 29
2.8.4 Walking Results . . . 29
2.8.5 Contiguous Identical Bit Assessment . . . 32
2.9 Mitigation . . . 33
2.10 Related Work . . . 34
2.11 Conclusion . . . 35
3 Android Ultrasonic Covert Channel . . . 36
3.1 Introduction . . . 36
3.2 Background and Motivation . . . 38
3.3 Threat Model . . . 40
3.3.1 Vulnerability . . . 40
3.3.2 Threat . . . 41
3.3.3 Attack . . . 41
3.3.4 Exploit . . . 41
3.3.5 Trust . . . 42
3.3.6 Data . . . 42
3.4 System Design . . . 42
3.4.1 Challenges . . . 42
3.4.2 Solution Overview . . . 43
3.4.3 Phase I: Channel Identification . . . 44
3.4.4 Phase II: Data Transfer . . . 51
3.4.5 Key Stealth Factors . . . 52
3.4.6 Performance Boosting Design . . . 53
3.5 Testing and Evaluation Approach . . . 54
3.5.1 Test Environments . . . 54
3.5.2 Evaluation Approach . . . 56
3.6 Results . . . 58
3.6.1 Channel Identification Results . . . 58
3.6.2 Error Testing Results . . . 60
3.6.3 Device Family Uniformity . . . 63
3.6.4 Capacity, Throughput and Performance Boosting . . . 64
3.6.5 Capacity . . .
Details: PDF, 126 pages, English.