Learn about covert channel designs, detection methods, and examples of passive covert channels and tunneling using NDIS. Discover the importance of covert channels in maintaining secrecy and the risks they pose. Understand storage channels, timing channels, steganography, and ways to detect and prevent covert communication.
Covert Channels
Thomas Arnold
CSCI 5235/Summer 2010
7/12/2010
Outline
• Background
• Covert Channel Designs
• Detection Methods
• Example: Passive Covert Channel
• Example: Tunneling NDIS
What are covert channels?
• You want to communicate with someone without being observed
  • Cryptography/Encryption is not good enough
  • You want to hide the fact that you are communicating at all
• Best way is to hide the communication in innocuous-looking network traffic or data
  • Firewall must let the traffic pass through
Why would you need covert channels?
• Stealing of confidential information
  • Government/corporate espionage, intelligence gathering on criminal/terrorist activity
• Malware
  • Rootkits, keyloggers, botnets, etc.
Covert Channel Techniques
• Storage channels
  • Hide data within unused TCP/IP packet header fields
  • TCP Flags field, TCP ISN, etc.
• Timing channels
  • Modulate system resources in such a way that a receiver can observe and decode it
  • Port knocking, varying packet rates, etc.
• Steganography
  • Hide messages in email, images
Detection/Prevention
• Detection
  • Network traffic analysis
    • Higher bandwidth usage
    • Formatting of HTTP headers
    • Request regularity
• Prevention
  • Block susceptible outbound ports/protocols
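As an added example (not part of the original slides), the "request regularity" check from the detection list can be implemented over a connection log: group outbound requests by source/destination pair and flag pairs whose inter-arrival times barely vary, which is how a fixed-interval beacon stands out from normal browsing. The log format, the sample lines and the thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample outbound-connection log (not from the slides):
# "<epoch seconds> <src> <dst> <bytes sent>". 10.0.0.5 beacons every 60 s.
SAMPLE_LOG = """\
1278979200 10.0.0.5 203.0.113.10 512
1278979260 10.0.0.5 203.0.113.10 514
1278979320 10.0.0.5 203.0.113.10 511
1278979380 10.0.0.5 203.0.113.10 513
1278979440 10.0.0.5 203.0.113.10 512
1278979211 10.0.0.7 198.51.100.20 9000
1278979310 10.0.0.7 198.51.100.20 300
1278979315 10.0.0.7 198.51.100.20 1200
1278979501 10.0.0.7 198.51.100.20 40
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Group events by (src, dst); each flow is a time-sorted list of (ts, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the scan
        ts, src, dst, nbytes = m.groups()
        flows[(src, dst)].append((int(ts), int(nbytes)))
    return {k: sorted(v) for k, v in flows.items()}

def flow_stats(events):
    """Return (coefficient of variation of inter-arrival gaps, total bytes).
    CV near 0 means requests arrive on a fixed schedule; None if too few gaps."""
    ts = [t for t, _ in events]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    total = sum(n for _, n in events)
    if len(gaps) < 2:
        return None, total
    m = mean(gaps)
    return (pstdev(gaps) / m if m else float("inf")), total

def find_regular_flows(text, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs with enough events and suspiciously regular timing."""
    flagged = {}
    for key, events in parse_log(text).items():
        cv, total = flow_stats(events)
        if len(events) >= min_events and cv is not None and cv <= max_cv:
            flagged[key] = {"events": len(events), "cv": round(cv, 3), "bytes": total}
    return flagged
```

The total byte count per flagged pair is carried along so the same pass can also surface the "higher bandwidth usage" indicator from the slide.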
Example: Passive TCP Covert Channels
• Technique uses existing traffic (does not generate its own)
• Requires that the attacker control the network gateway as well
• Uses the TCP ISN field to transmit data
• Compromised gateway filters out the secret TCP ISN to send to the attacker, and forwards the legitimate traffic to the intended destination
• Pros/Cons
  • Blends in with existing traffic, difficult to detect
  • ISN data must not look too conspicuous, and gateway processing can be very complicated to filter out and forward the legitimate traffic
Example: Tunneling using NDIS
• Idea is to tunnel information over existing protocols such as HTTP, DNS, and ICMP
• Pros/Cons with each protocol
  • HTTP good for large data transfer, but more conspicuous
  • DNS not great for data transfer, but good for C&C
  • ICMP is good for C&C but is often blocked
• Author of The Rootkit Arsenal proposes writing your own TCP/IP stack using MS Windows NDIS
Example: Tunneling using NDIS
• Since you already have root privileges, you can implement a kernel-mode NDIS driver
  • Complete control: can act as a NIC and create your own MAC/IP addresses, and format any of the protocol headers as you wish
  • Built-in diagnostic tools such as ipconfig, netstat, etc. (as well as firewalls) can't see it because they use the native TCP/IP stack
• Pros/Cons
  • Extremely difficult to detect, but also hard to implement