Design of the multi-level security network switch system which restricts covert channel
Conference: Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on
Authors: Xiong Liu, Haiwei Xue, Xiaoping Feng, Yiqi Dai, Department of Computer Science and Technology, Tsinghua University, Beijing 10084, China
Covert channel
• In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
Multi-level Security Local Area Network system (MSL)
• The low level host can send data packets to the high level host, but the high level host cannot send data packets to the low level host.
• Under this mechanism the TCP/IP SYN/ACK packet cannot be sent back, so the system must allow the SYN/ACK to be sent from the high level host to the low level host.
• The SYN/ACK may become a loophole for a covert channel.
(Figure: low level host and high level host)
System architecture
• Monitor in each host
• Controller
• Filter
System architecture - Monitor
• The system monitors the hosts' actions through the monitors in order to determine each host's security level.
• The user must install the monitor on their computer.
• The monitor communicates with the controller.
System architecture - controller
• Functions:
– Host registering: make sure that all the hosts and switches connected to the network are authorized.
– Flow computing: compute the packet's flow path based on the network's topological structure, ensuring that all data flow paths are compatible with the system's security policy.
(Figure: example topology with hosts at Level 2 and Level 3)
System architecture - controller (cont'd)
– Flow updating: once the flow path has been computed, the controller updates the flow tables of the switches located on the path in order to set it up.
System architecture - filter
• Content check module
– Level 1: Check the data field and the flags field.
– Level 2: Check the unused fields and the optional field.
– Level 3: Check the sequence number and the acknowledgement number.
– Level 4: Check for covert channels which use packet retransmission or packet loss to send information.
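As an added example (not the paper's code), the following Python sketch shows how the filter's level 1 to 3 checks could be applied to the one packet the MSL rule must let through downward, the SYN/ACK from a high level host to a low level host: every header field the high host could choose freely is pinned to the value the protocol forces, so it cannot carry information. The option allow-list and the assumption that the filter recorded the low host's ISN while forwarding its SYN upward are mine; level 4 (retransmission and loss timing) is not shown because it needs per-flow history.

```python
import struct
SYN, ACK = 0x02, 0x10
ALLOWED_OPTION_KINDS = {0, 1, 2}  # EOL, NOP, MSS only (hypothetical allow-list)

def check_options(opts: bytes) -> list[str]:
    """Level 2 helper: walk the TCP option list, flag unknown kinds and bad lengths."""
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # EOL: every remaining byte must be zero padding
            return found + (["non-zero bytes after EOL"] if any(opts[i + 1:]) else [])
        if kind == 1:  # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return found + [f"malformed option kind {kind}"]
        if kind not in ALLOWED_OPTION_KINDS:
            found.append(f"option kind {kind} not allowed high->low")
        i += opts[i + 1]
    return found

def check_synack(segment: bytes, low_host_isn: int) -> list[str]:
    """Return every violation in a high->low segment (TCP header + payload, no IP header).
    low_host_isn is the ISN from the low host's SYN, recorded by the filter on the way up."""
    if len(segment) < 20:
        return ["truncated TCP header"]
    _, _, _, ack, off_res, flags, _, _, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    violations = []
    # Level 1: flags and data field. Only SYN|ACK may travel downward, and with no payload.
    if flags != SYN | ACK:
        violations.append(f"flags 0x{flags:02x} != SYN|ACK")
    if len(segment) > data_offset:
        violations.append(f"{len(segment) - data_offset} payload bytes in SYN/ACK")
    # Level 2: unused fields (reserved bits, urgent pointer) and the option field.
    if off_res & 0x0F:
        violations.append(f"reserved bits 0x{off_res & 0x0F:x} set")
    if urg:
        violations.append(f"urgent pointer {urg} set without URG")
    violations += check_options(segment[20:data_offset])
    # Level 3: the acknowledgement number is dictated by the low host's ISN.
    expected_ack = (low_host_isn + 1) & 0xFFFFFFFF
    if ack != expected_ack:
        violations.append(f"ack {ack} != expected {expected_ack}")
    return violations

def build_segment(flags: int, ack: int, reserved: int = 0, opts: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample input: a TCP segment with the given flags, ack, reserved bits, options, payload."""
    off_res = (((20 + len(opts)) // 4) << 4) | (reserved & 0x0F)  # opts padded to 32-bit boundary
    return struct.pack("!HHIIBBHHH", 80, 40000, 1000, ack, off_res, flags, 65535, 0, 0) + opts + payload
```

A clean SYN/ACK carrying only an MSS option passes with no violations; a segment that smuggles a payload byte, sets reserved bits, or answers with the wrong acknowledgement number is reported field by field, which is what a filter would log before dropping it.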
Experiment
Conclusion
• This paper proposed a design for a multi-level security network switch system which can restrict covert channels.
• The design guarantees the availability and security of information exchange among hosts in a multi-level security network system. The experiment showed that the design works.