Transcript Covert Channels

Mike Switlick
Overview
What is a covert channel?
Storage / Timing
Requirements
Bunratty attack
Covert_tcp
Questions
What is a covert channel?
• Any communications channel that can be
exploited by a process to transfer
information in a manner that violates the
system security policy.
• Method of communication that is not part of
the actual systems design but can be used to
transfer information to outside sources
Takes advantage of Global
Variables such as:
•Linux kernel used to track disk
reads
•TCP initial number sequence field
used to track TCP/IP
communications
•CPU cycle
•If you can signal or store a bit in
it, it can be used to leak illicit data
Types of Covert Channels
•Storage
-shared resource or system variable
that can be used to transfer info
from a stored data source
(encoded into a global variable)
-altered by a system call
(operating system level)
-programming function method
(executable level)
Storage
-application
(user level)
-storage channel only realized if variable can
be viewed or referenced by another process
(and enclosed data decoded)
-most popular
Example
If a global variable is a file lock
attribute of a file
-lock on signals a 1
-unlocked signals a 0
Using pseudo binary code
Example
Trusted
software
Sender
variable
kernel
receiver
Timing channel
-uses timing or ordering relationships to shared
resources as global variable
-bits and bytes are signaled (not stored) by timed
or ordered processes to a shared resource such
as a CPU
-requires cooperation between sender and receiver
using a clock
Timing
Receiver monitors the amount of time that
the sender runs a process
-if it is run more than 10 sec, it signals a 1
-if less than 10 sec, it signals a 0
Noiseless covert channel
• Sender and receiver are able to
communicate using a channel that is
exclusive to them
Noisy covert channel
• Sender and receiver communicate on a
channel that isn’t exclusive to them.
-harder to use due to other traffic that
creates noise
Covert requirements
• Sender / receiver have potential to
communicate
• Existing global variable accessible by both
• Sender able to alter global variable
• Detectable by receiver
• Able to synchronize operation
Internet protocol exploitation
• Use transport and network layers as covert
channel
• Less noise than file attributes or cpu cycles
• Too many protocol variations to list
• TCP/IP gives preference to preceding
fragment when reassembling data
Bunratty Attack
Application layer covert channel that takes
advantage of Microsoft Messaging API (MAPI)
-features and capabilities built into it in MAPI
client, the Exchange Inbox
-users have access to a message store of Personal
Folders containing Inbox, Outbox that users see
as root
-Personal Folders are one of several not visible
root
Bunratty attack
Secret msgs
MAPISP
Not
Search root
visible
FreeBusy data
Top of persnl
Inbox
Calendar
Outbox
Sent Items
Projects
visible
SecretMessages
-can write software to create secret messages in
hidden folder in root level directory
-modifies routing table so MSG.secret goes to
secret messages folder and doesn’t pass
through inbox first
-can contain commands to gain remote control
of system or read e-mail etc.
-like e-mail except almost invisible to end user
Covert_tcp
• Transport and Network layers
• Uses fields in TCP/IP header as global
variables to transmit ASCII data
• IP packet id field
• TCP initial sequence number field
• TCP acknowledged sequence number field
Covert_tcp
• Fields less likely to be altered by perimeter
devices or software like packet filters
• Not seriously affected by network or system
operations
• Hide content while masquerading as packet
in initial connection request and established
connection
Covert_tcp
• Fields not meant to carry bytes
• Usually keep track of states – only requires
a few bits
• Transfers data 1 ASCII character at a time
per packet
• parses IP ID to obtain value then value is
divided by 256 to obtain ASCII value
Packet one:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S
537657344:537657344(0) win 512 (ttl 64, id 18432)
Decoding… (ttl 64, id 18432/256) gives ASCII 72 (H)
Packet two:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S
537657344:537657344(0) win 512 (ttl 64, id 17664)
Decoding… (ttl 64, id 17664/256) gives ASCII 69 (E)
Packet three:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S
537657344:537657344(0) win 512 (ttl 64, id 19456)
Decoding… (ttl 64, id 19456/256) gives ASCII 76 (L)
Packet four:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S
537657344:537657344(0) win 512 (ttl 64, id 19456)
Decoding… (ttl 64, id 19456/256) gives ASCII 76 (L)
Packet five:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S
537657344:537657344(0) win 512 (ttl 64, id 19456)
Decoding… (ttl 64, id 19456/256) gives ASCII 79(O)
Packet six:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S
537657344:537657344(0) win 512 (ttl 64, id 2560)
Decoding… (ttl 64, id 2560/256) gives ASCII 10 (carriage return)
Questions?