
CIT 380: Securing Computer Systems


Presentation Transcript


  1. CIT 380: Securing Computer Systems: Covert Channels

  2. Covert Channels
  • Covert Channels
  • Using Other Protocols
  • Hiding within a Protocol
  • Local Covert Channels
  • Defending against Covert Channels

  3. Covert Channels
  • Covert channel: a path of communication that was not designed for such communication.
  • IDS look for abnormal traffic
    • Use traffic that already exists: ping, DNS, HTTP.
    • Avoid creating abnormal traffic patterns.
  • Use encryption
    • Avoids keyword detection by IDS.
    • Prevents incident response from viewing data.

  4. Using Other Protocols
  • Use non-TCP/UDP protocols
    • Don’t show up on a port scan.
    • Don’t show up in netstat on the machine.
  • Use standard protocols for other purposes
    • DNS
    • HTTP
  • Reverse the direction of traffic
    • Internal machine initiates the covert channel.

  5. Loki
  Tunnel shell using ICMP echo packets.
  • Uses ICMP data for commands/responses.
  • Uses the Blowfish encryption algorithm.
  Loki2 can also tunnel via DNS lookups.
  • Can swap between ICMP and DNS tunneling.
  Other ICMP shells often use echo reply only:
  • icmp_backdoor
  • sneaky-sneaky
  • lyceum

  6. TunnelShell
  • Multi-protocol backdoor with evasion.
    • ICMP: standard ICMP shell.
    • TCP: uses only ACK packets to communicate, bypassing packet filters and showing no port in use on the local machine.
    • UDP: UDP shell without binding a port.
    • IP: IP without using a higher-level protocol.
    • Fragment: uses fragmented IP packets.

  7. WWW Shells
  Simple shells
  • Web program that acts as a shell.
  • ex: CGI Telnet, PHP Shell
  Reverse WWW Shell
  • Web client that checks a server for commands.
  • Uses predefined or random time intervals.
  • Looks like a browser surfing the web.
  HTTP request (shell prompt):
    GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0
  HTTP response (ls command):
    g5mAlfbknz

  8. HTTP Tunnels
  Tunnel any protocol over HTTP
  • Bypass firewalls.
  • Most software supports proxies.
  • Can use SSL for encryption.
  • Malware embeds itself in IE as a BHO, then uses HTTP to phone home with IE’s permissions.
  GoToMyPC
  • Commercial HTTP tunnel.
  • Remote desktop access protocol like VNC.

  9. TCP/IP Headers
  Requirements
  • Headers must not be used by end systems.
  • Headers must not be modified by routers.
  IP Headers
  • IP Identification
  • IP options (may be modified by routers)
  TCP Headers
  • Sequence numbers
  • Bits reserved for future use.
  • TCP options (may be modified by routers)

  10. Covert_TCP
  IP covert channel
  • Inserts one byte into the IPID field of each packet.
  TCP sequence number channel
  • Inserts one byte into sequence numbers.
  • Sends SYN with encoded ISN.
  • Server responds with RST to acknowledge.
  • Each byte transferred requires two packets.

  11. Covert_TCP
  TCP ACK number bounce channel
  • Inserts one byte into the ACK number.
  • Uses 3 hosts: client, server, bounce server.
  Operation
  • Client: SYN w/ encoded ISN, spoofing the IP of the server.
  • Bounce server: SYN/ACK or RST w/ encoded ISN+1 to the spoofed source IP (server).
  • Server: receives the bounced packet, recovers the byte from the ISN.

  12. Nushu
  Passive covert channel.
  • Inserts data into TCP packets from other apps.
  • Alters sequence numbers to contain data.
  • Runs as a Linux kernel module.
  Receiver sniffs data off the network.
  • Receiver IP address not in any packets.
  • Receiver must be at a gateway where it can sniff all of the packets sent by Nushu.

  13. Steganography
  • A covert channel via data files.
  • Share data files openly
    • Use file sharing sites like Flickr.
    • Use sites with photographs like Ebay.
    • Hack another site and replace data files.
  • Both sides must know
    • Steganographic technique.
    • Locations used to dump files.

  14. Local Covert Channels
  Binary coding
  • At each time interval one bit is transferred.
  • If the condition is true, then the bit is 1, otherwise 0.
  CPU Usage
  • Use 100% CPU to signal a 1.
  Disk Usage
  • Create an enormous file to signal a 1.
  File Locking
  • Writer locks the file to transfer a 1.
  • If the reader cannot lock the file, it must be locked, so it’s a 1.

  15. Covering your Tracks
  • Covert backdoors hide data from the network.
  • But process listings will show backdoors.
  • How can you hide the backdoors?
    • Alter process / command names.
    • Use a rootkit to hide processes.
    • Embed the backdoor in a kernel mode rootkit.

  16. Detecting Covert Channels
  Pattern matching
  • Use snort or a similar tool to match patterns in cleartext channels.
  Counting connections
  • If a backdoor creates a TCP connection for each command, an abnormal number of TCP flows exists.
  Timing analysis
  • Analyze packet timing and data size to identify interactive sessions on unexpected ports/protocols.
  Entropy analysis
  • ICMP packets with entropy values of natural language may be a covert channel, while entropy values of random data may indicate an encrypted covert channel.
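As an added illustration of the entropy analysis and connection-counting checks on this slide (example code written for this page, not from the course or from any tool it names), the following Python classifies constructed ICMP echo payloads as standard ping fill, text-like, or random-looking, and flags hosts with an abnormal number of TCP flows; the known fill patterns, the sample data and the thresholds are assumptions.

```python
import math
from collections import Counter

# Assumption: typical echo payloads of common ping tools. Linux ping pads after its
# timestamp with 0x10, 0x11, ...; Windows ping sends "abcdefghijklmnopqrstuvwabcdefghi".
KNOWN_FILLS = (bytes(range(0x10, 0x38)), b"abcdefghijklmnopqrstuvwabcdefghi")

def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte: 0.0 for a constant payload, at most log2(len) for short ones."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_icmp_payload(data: bytes) -> str:
    """Bucket an ICMP echo payload the way slide 16 suggests (thresholds are assumptions)."""
    if not data:
        return "empty"
    if any(data.endswith(fill) for fill in KNOWN_FILLS):
        return "standard-ping"                     # matches a known ping tool: benign
    printable = sum(32 <= b < 127 for b in data) / len(data)
    if printable > 0.9:
        return "text-like"                         # natural language in ICMP data: cleartext channel?
    if shannon_entropy(data) > 0.85 * min(8.0, math.log2(len(data))):
        return "random-looking"                    # near-maximal entropy: encrypted channel?
    return "other"

def flows_per_host(records, threshold):
    """Count TCP flows per source IP; return the sources above threshold ('counting connections')."""
    counts = Counter(src for proto, src, dst, dport in records if proto == "tcp")
    return {src: n for src, n in counts.items() if n > threshold}

# Constructed sample data (not captured traffic).
LINUX_PING = b"\x00" * 8 + bytes(range(0x10, 0x38))         # timestamp stand-in + Linux fill
SHELL_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"   # command output carried in cleartext
CIPHERTEXT = bytes((i * 167 + 13) % 256 for i in range(56))  # deterministic stand-in for ciphertext
FLOWS = ([("tcp", "10.0.0.5", "203.0.113.7", 80)] * 3
         + [("tcp", "10.0.0.9", "198.51.100.2", 443)] * 40   # one TCP flow per command
         + [("udp", "10.0.0.9", "10.0.0.1", 53)] * 5)

if __name__ == "__main__":
    for name, payload in (("linux ping", LINUX_PING), ("shell output", SHELL_OUTPUT), ("ciphertext", CIPHERTEXT)):
        print(f"{name:13s} entropy={shannon_entropy(payload):.2f} -> {classify_icmp_payload(payload)}")
    print("hosts with too many TCP flows:", flows_per_host(FLOWS, 20))
```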

  17. Stopping Covert Channels
  Host-based security
  • Stop attackers from gaining the access needed to install a backdoor.
  Use a stateful firewall
  • Blocks ACK tunneling.
  Use the firewall to limit outgoing data
  • Stop ICMP echo replies.
  • Should your db server be browsing the web?

  18. References
  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
  • Scott Campbell, “Detecting Illicit ICMP Communication Channels,” http://www.nersc.gov/~scottc/papers/ICMP_Backdoor_Detection.html
  • daemon9, “Project Loki,” Phrack, Vol. 7, Issue 49, 1996, http://www.phrack.org/issues.html?issue=49&id=6&mode=txt
  • daemon9, “Loki 2: The Implementation,” Phrack, Vol. 7, Issue 51, 1997, http://www.phrack.org/issues.html?issue=51&id=6&mode=txt
  • Craig H. Rowland, “Covert Channels in the TCP/IP Protocols Suite,” 1996, http://www.firstmonday.org/issues/issue2_5/rowland/
  • Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
  • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
  • J. Christian Smith, “Covert Shells,” 2000, http://www.s0ftpj.org/docs/covert_shells.htm
  • van Hauser, “Placing Backdoors through Firewalls” (reverse www shell), 2000, http://freeworld.thc.org/papers/fw-backd.htm
