UHCL CSCI 5235 - Covert Channels
Covert Channels
Thomas Arnold
CSCI 5235 / Summer 2010
7/12/2010

Outline
• Background
• Covert Channel Designs
• Detection Methods
• Example: Passive Covert Channel
• Example: Tunneling NDIS

What are covert channels?
• You want to communicate with someone without being observed
• Cryptography/encryption is not good enough
  – You want to hide the fact that you are communicating at all
  – The best way is to hide the communication in innocuous-looking network traffic or data
  – The firewall must let the traffic pass through

Why would you need covert channels?
• Stealing confidential information
  – Government/corporate espionage; intelligence gathering on criminal/terrorist activity
• Malware
  – Rootkits, keyloggers, botnets, etc.

Covert Channel Techniques
• Storage channels
  – Hide data within unused TCP/IP packet header fields
    • TCP Flags field, TCP ISN, etc.
• Timing channels
  – Modulate system resources in such a way that a receiver can observe and decode it
  – Port knocking, varying packet rates, etc.
• Steganography
  – Hide messages in email, images

Detection/Prevention
• Detection
  – Network traffic analysis
    • Higher bandwidth usage
    • Formatting of HTTP headers
    • Request regularity
• Prevention
  – Block susceptible outbound ports/protocols

Example: Passive TCP Covert Channels
• The technique uses existing traffic (it does not generate its own)
• Requires that the attacker control the network gateway as well
• Uses the TCP ISN field to transmit data
  – The compromised gateway filters out the secret TCP ISN to send to the attacker, and forwards the legitimate traffic to the intended destination
• Pros/Cons
  – Blends in with existing traffic; difficult to detect
  – ISN data must not look too conspicuous, and gateway processing can be very complicated in order to filter out the secret and forward the legitimate traffic

Example: Passive TCP Covert Channels

Example: Tunneling using NDIS
• The idea is to tunnel information over existing protocols such as HTTP, DNS, and ICMP
• Pros/Cons of each protocol
  – HTTP is good for large data transfer, but more conspicuous
  – DNS is not great for data transfer, but good for C&C
  – ICMP is good for C&C but is often blocked
• The author of The Rootkit Arsenal proposes writing your own TCP/IP stack using MS Windows NDIS

Example: Tunneling using NDIS
• Since you already have root privileges, you can implement a kernel-mode NDIS driver
  – Complete control: it can act as a NIC, create its own MAC/IP addresses, and format any of the protocol headers as you wish
• Built-in diagnostic tools such as ipconfig, netstat, etc. (as well as firewalls) can't see it because they use the native TCP/IP stack
• Pros/Cons
  – Extremely difficult to detect, but also hard to
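The "request regularity" check listed under Detection, as an added example that is not part of the slides: it parses a constructed connection log and flags flows whose inter-arrival gaps are nearly constant, the timing signature of a beacon or timing channel. The log format, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log, one 'time_seconds src dst' line per connection.
# 10.0.0.5 -> 203.0.113.9 fires every ~30 s (beacon-like);
# 10.0.0.7 -> 198.51.100.4 is ordinary, bursty traffic.
SAMPLE_LOG = """\
1000.0 10.0.0.5 203.0.113.9
1030.1 10.0.0.5 203.0.113.9
1059.9 10.0.0.5 203.0.113.9
1090.0 10.0.0.5 203.0.113.9
1120.2 10.0.0.5 203.0.113.9
1150.0 10.0.0.5 203.0.113.9
1003.0 10.0.0.7 198.51.100.4
1004.5 10.0.0.7 198.51.100.4
1040.0 10.0.0.7 198.51.100.4
1041.2 10.0.0.7 198.51.100.4
1130.0 10.0.0.7 198.51.100.4
1131.0 10.0.0.7 198.51.100.4
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Group timestamps by (src, dst) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows[(m.group(2), m.group(3))].append(float(m.group(1)))
    return flows

def regularity(timestamps):
    """Coefficient of variation of inter-arrival gaps (0 = perfectly periodic);
    None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 4 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def find_regular_flows(text, max_cv=0.1, min_events=5):
    """Return {flow: cv} for flows with near-constant request timing."""
    hits = {}
    for flow, ts in parse_log(text).items():
        cv = regularity(ts) if len(ts) >= min_events else None
        if cv is not None and cv <= max_cv:
            hits[flow] = round(cv, 3)
    return hits
```

A low coefficient of variation alone is not proof of a covert channel (scheduled software updates look the same), so such hits are a triage queue for the bandwidth and header checks on the same slide, not a verdict.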