Covert timing channels in uncompromised hosts

Posted on: 2010-04-21
Degree: Ph.D
Type: Thesis
University: University of Pennsylvania
Candidate: Shah, Gaurav
Full Text: PDF
GTID: 2448390002487391
Subject: Computer Science
Abstract/Summary:
Covert timing channels have been considered a significant threat in multi-level systems (MLS) because of their capability in aiding information leakage across level boundaries leading to security policy violations. However, their threat in general purpose systems has not been considered in much detail. In fact, under the commonly assumed threat model, covert timing channels are only induced into a system after the host software or OS has been compromised. As a result, much of the effort is focused on protecting against this subversion rather than explicitly addressing the problem of covert timing channels.

In this dissertation, we show that this model takes a rather conservative view of the capabilities of covert timing channels and understates the threat they pose in general purpose systems. We describe how, in addition to hiding information leakage, covert timing channels can act as mechanisms that allow sensitive information captured at one system layer to traverse across various hardware/software boundaries within a system, eventually onto the network. This property allows the covert timing channel mechanism to not be a part of the host OS or software, making their subversion unnecessary. More importantly, it is possible to induce covert network timing channels which do not require an attacker to control the host's network output subsystem (via software or by compromising hardware). This allows covert timing channels to leak sensitive information over a network under conditions that would usually be assumed to be hostile for this purpose. The central thesis of this work is that covert timing channels are a threat to the security of general purpose networked systems. Towards that end, we focus on showing that an attacker, through creative placement of a covert channel source outside the host's usual trusted computing base (TCB), can create covert timing channels which can aid in the exfiltration of sensitive data over a network.
Specifically, we build and analyze two covert network timing channels which can leak secrets over a network without compromising the host OS or its software. Finally, we describe techniques to hide the presence of these superimposed network timing channels from network monitors.
Keywords/Search Tags: Timing channels, Host OS, Threat, General purpose systems