Covert Channels

Paul Seymer

Some (Good) Definitions

Covert Channels:
● (official) Prof. Fleck's Covert Channel Slides 9: “A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication.”
● “A path of illegal information flow using mediums not intended for communication” (a liberal paraphrasing)
● (general) Communication through a medium that violates a global security policy without violating local ones.

Some (Good) Definitions

● Prof. Fleck's Covert Channel Slide 9: “two human users talking over coffee is not a covert channel”
● This is an example of an overt channel: communication channels being used as intended.
  • downloading web content from a public web server
  • using email to submit a class assignment to your TA
  • talking to a relative on the telephone
  • waving to a friend

Some More (Good) Definitions

Covert Channels:
● (general) Communication through a medium that violates a global security policy without violating local ones
● (specific) DoD standards: Orange Book circa early 1980s
● Storage Channel: via a shared storage location
● Timing Channel: via some observed event frequency

Timing Channels

● Sita and Rama want to communicate without anyone else knowing. They both sit on the same computer network.
● Rama knows to watch his local network traffic starting at the top of every hour, for 5 minutes.
● Sita wants to send Rama the following message: “Dogs barking. Can't fly without umbrella”

How could this be accomplished?

Timing Channels

● Sita converts her message into ASCII decimal values:
    D    o    g    s    (space)  b    a r k i n g . C a n ' t f l y ...
    68   111  103  115  32       98   ...
● Sita pings (the ICMP one) Rama's computer 68 times, then 111, then 103, ….
● Rama observes the network, counts the pings, and looks up the values in an ASCII table to recover the text.

Storage Channels

● Sita and Rama want to communicate. This time, Rama is in a foreign country, on a network that blocks the ICMP protocol, so the timing channel won't work.
● Rama is in another time zone, and the two won't be online at the same time.
● Sita must leave Rama the message via some Storage Channel, so he may retrieve it later, when he is online.

How could this be accomplished?

Storage Channels

● Sita runs a web server. Rama has access to the server via HTTP, and can download pages without raising suspicion.
● Sita sticks a reverse proxy in front of the web server that modifies outgoing TCP packets to store custom bit patterns in a reserved (unused) field of the packet header.

[Figure: TCP header layout showing Source Port, Destination Port, Sequence Number, Acknowledgment Number, the reserved bits (0 0 0), Window Size, Checksum and Urgent Pointer]

● As these bits are usually ignored, they will remain when sent

Storage Channels

● Rama connects to the server to download some web page.
● He has a browser plug-in that reads these bits, and reconstructs the message.
● But wait a sec... 3 bits can only hold values 0 through 7? Can this still be used?
● Sita and Rama must mitigate an issue with the channel's bandwidth (capacity), or create a larger channel.
● The two will need to modify how the messages are sent through the channel, as the maximum size of the channel is smaller than the message fragments that need to be sent.
● “D” = 68, which needs a minimum of 7 bits to send.

Channel Capacity

● Shannon-Hartley Theorem
    C = B log2(1 + S/N)
    B: bandwidth
    S/N: Signal (power) to Noise (power) Ratio
    * but let's assume a noiseless channel for now:
● Packets from Web Server: 10 packets / sec
● Sita's storage channel capacity: 3 bits * 10 packets / sec = 30 bits / sec

Some (Bad) Definitions

● The Characteristics section of the “Covert Channels” Wikipedia* page.

Some True or False:
  • Steganography is not a type of Covert Channel? (paragraph 2)
  • Covert channels are hard to create in modern environments? (paragraph 1)
  • Covert channels are easily detectable by “monitoring system performance”?
  • A covert channel is not the same thing as means for “disallowed” communication relayed through an Overt channel? (paragraph 3)
  • “Secure operating systems can easily control legitimate Channels” (paragraph 3)

* http://en.wikipedia.org/wiki/Covert_channel

Some (Bad) Definitions

● The Characteristics section of the “Covert Channels” Wikipedia* page.

Some True or False:
  (false) • Steganography is not a type of Covert Channel? (paragraph 2)
  (false) • Covert channels are hard to create in modern environments? (paragraph 1)
  (false) • Covert channels are easily detectable by “monitoring system performance”?
  (false) • A covert channel is not the same thing as means for “disallowed” communication relayed through an Overt channel? (paragraph 3)
  (false) • “Secure operating systems can easily control legitimate Channels” (paragraph 3)

* http://en.wikipedia.org/wiki/Covert_channel

Steganography

● Greek origin → steganos : “covered” + graphei : “writing”
● Broad definition: Hiding some information inside some thing so that an outside observer cannot distinguish the version of the thing with the hidden information from the version without it.
● Examples:
  • Replacing bits in an image file, with bits from some message
  • Writing on a post card with “disappearing ink” (ink that is only viewable after contact with some chemical)
  • Replacing every 20th frame of a video (like in the Pitt, Norton movie)
● The thing being hidden within is the Cover and provides a Cover Channel. The means through which information is hidden in the Cover provides the Covert Channel.
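The "replacing bits in an image file" example above can be made concrete. The following is an added illustration, not part of the original slides: it hides one message bit in the lowest bit of each pixel and measures how little each pixel changes. The cover pixel list and all function names are constructed for this example.

```python
# Constructed cover: eight 24-bit RGB pixels. 0x789BEC is a colour value that
# appears on the slides; the arrangement here is made up for this example.
COVER = [0x789BEC, 0x789BEC, 0x779BEC, 0x788BEC,
         0x789AEC, 0x689BEC, 0x789BDC, 0x789BEC]

def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def from_bits(bits):
    """List of bits (MSB first) -> bytes; len(bits) must be a multiple of 8."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)

def capacity_bits(cover):
    """One bit per pixel: only the lowest bit of the blue byte is used."""
    return len(cover)

def embed(cover, message):
    """Return a copy of the cover with the message written into the low bits."""
    bits = to_bits(message)
    if len(bits) > capacity_bits(cover):
        raise ValueError("message does not fit in the cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit   # clear the low bit, then set it
    return stego

def extract(stego, n_bytes):
    """Read n_bytes back out of the low bit of each pixel."""
    return from_bits([pixel & 1 for pixel in stego[:n_bytes * 8]])

def bits_changed(cover, stego):
    """Per-pixel Hamming distance between cover and stego image."""
    return [bin(c ^ s).count("1") for c, s in zip(cover, stego)]

STEGO = embed(COVER, b"D")          # "D" = 68 = 01000100
if __name__ == "__main__":
    print([f"{p:06X}" for p in STEGO])
    print(bits_changed(COVER, STEGO), extract(STEGO, 1))
```

Comparing a suspect image against a known-good copy with `bits_changed` is the simplest check available to a defender; without the original cover, the change is at most one bit per pixel.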
Steganography

[Figure: pixels numbered 1 to 8, labelled with the colour values 789BEC, 789BDC, 789BED, 689BEC, 788BEC, 789AEC, 789BEC, 779BEC and F3EDAC]

Steganography

            789BEC:  78 = 01111000   9B = 10011011   EC = 11101100
  Pixel 1   789BED:  78 = 01111000   9B = 10011011   ED = 11101101   1 bit / Pixel
  Pixel 8   689BEC:  68 = 01101000   9B = 10011011   EC = 11101100   1 bit / Pixel
  Pixel 6   F3EDAC:  F3 = 11110011   ED = 11101101   AC = 10101100   9 bit / Pixel

What is the Channel Capacity?

Better Steganography

● “Russian Spies' Use of Steganography Is Just the Beginning” (2010) http://www.technologyreview.com/view/419833/russian-spies-use-of-steganography-is-just-the-beginning/
● “Silent Skype calls can hide secret messages” (2013) http://www.newscientist.com/article/dn23044-silent-skype-calls-can-hide-secret-messages.html#.Undaa_k_tXs
● “4 New Ways to Smuggle Messages Across the Internet” (2013) http://spectrum.ieee.org/telecom/security/4-new-ways-to-smuggle-messages-across-the-internet

Steganography creates a covert channel over an overt channel, by hiding secrets within a cover channel. The difference then becomes a matter of intent. The nature of the message decides if it is a covert channel or an overt one: if the intent of the sender is to communicate covertly, in a way other than the intended use of the channel, it is, by definition, a covert channel.

Not-So-Obvious Covert Channels

“a” could mean:
  • “a”
  • “0”
  • “61”
  • “Attack at dawn”
  • “Get to the embassy asap”

Pre-shared knowledge between sender and receiver dictates the contents of the channel

Book Ciphers

● A means of sending secret messages where a book (remember those?) was used as an index reference for code words. Only the sender and receiver know which book to use.
● A message sender would send a receiver a list of places in the book to look up and find the message word.
● Index Examples:
  • 400, 302, 423
  • Page 6, line 2, character position 6
● “Book” examples
  • A particular edition of an English dictionary
  • A particular translation of a bible.

More Covert Channels

● “DNS as a Covert Channel Within Protected Networks” Seth Bromberger, NESCO http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/DNS_Exfiltration_2011-01-01_v1.1.pdf
● “Embedding Covert Channels into TCP/IP” Steven J. Murdoch and Stephen Lewis, http://www.cl.cam.ac.uk/~sjm217/papers/ih05coverttcp.pdf
● Embedding plain text, over HTTP
  • Leveraging the volume of HTTP traffic, and variation on content
  • How is this Overt? How is this Covert? Will using HTTP change your answers? SSH Tunneling? Is this Covert, or Overt?

Using Covert Channels

● (almost) Everything is “Dual Use”
  • Using magical powers for good
      Protecting free speech and free press
      Protecting other forms of clandestine communication
  • Using magical powers for evil
      Communicating illegal content
      Exfiltrating data out of “secure” environments
      Coordinating Terrorist Attacks
      Controlling Botnets and RATs

Prisoner Problem

● “The Prisoner's Problem and the Subliminal Channel” Gustavus J. Simmons (CRYPTO '83) http://www.iacr.org/cryptodb/data/paper.php?pubkey=1754
● Two prisoners, physically isolated from one another, wish to communicate: They create a covert channel within legitimate looking messages (the cover channel).
● The warden's employees transport the messages only if they appear to be innocent (e.g. an overt channel)

“Journalist” Adversary Model

● A foreign correspondent “Jill” is reporting under a cover identity in a country without a free press, ruled by an oppressive regime.
● Jill wishes to submit an inflammatory news story about the regime to her bosses back home.
● The Regime owns every domestic ISP, and is capable of filtering inbound and outbound Internet traffic based on IP address and TCP/UDP port.
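A filter that looks only at IP address and port never inspects the reserved header bits used in the earlier Storage Channels slides. The following added example, which is not part of the original slides, shows how "D" = 68 splits across 3-bit fragments and how a monitor can flag headers whose reserved bits are set. It assumes the 3 reserved bits sit directly after the 4-bit data offset; the ports, sequence numbers and function names are constructed, and nothing is sent on a network.

```python
import struct

RESERVED_WIDTH = 3       # reserved bits per packet, as on the slide
PACKETS_PER_SEC = 10     # packet rate from the Channel Capacity slide

def tcp_header(seq, reserved=0):
    """Build a constructed 20-byte TCP header; the checksum is left at 0."""
    offset_and_reserved = (5 << 4) | ((reserved & 0b111) << 1)
    return struct.pack("!HHIIBBHHH", 80, 50000, seq, 0,
                       offset_and_reserved, 0x18, 8192, 0, 0)

def reserved_field(header):
    """Return the 3 reserved bits that follow the 4-bit data offset."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return (header[12] >> 1) & 0b111

def fragment(text):
    """Split 7-bit ASCII text into 3-bit fragments, zero-padding the tail."""
    if any(ord(c) > 127 for c in text):
        raise ValueError("only 7-bit ASCII is supported")
    bits = "".join(f"{ord(c):07b}" for c in text)
    bits += "0" * (-len(bits) % RESERVED_WIDTH)
    return [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]

def reassemble(fragments):
    """Join 3-bit fragments and cut the stream back into 7-bit characters."""
    bits = "".join(f"{f:03b}" for f in fragments)
    usable = len(bits) - len(bits) % 7      # drop the padding bits
    return "".join(chr(int(bits[i:i + 7], 2)) for i in range(0, usable, 7))

def audit(headers):
    """Monitor's check: indexes of headers whose reserved bits are not zero."""
    return [i for i, h in enumerate(headers) if reserved_field(h) != 0]

def seconds_to_send(text):
    """Transfer time on the noiseless 30 bits / sec channel from the slides."""
    return len(fragment(text)) / PACKETS_PER_SEC

# Constructed capture: one clean header followed by headers carrying "Dog".
SAMPLE = [tcp_header(1000)] + [
    tcp_header(1001 + i, f) for i, f in enumerate(fragment("Dog"))]

if __name__ == "__main__":
    print(fragment("D"), fragment("Dog"))
    print(audit(SAMPLE), reassemble(reserved_field(h) for h in SAMPLE[1:]))
    print(seconds_to_send("Dog"))
```

A fragment whose value happens to be 0 looks identical to clean traffic, so `audit` can miss individual packets; clearing the reserved bits at a network boundary removes the channel regardless of the values carried.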
