Re: Covert Channels

From: Valdis.Kletnieksat_private
Date: Wed Oct 16 2002 - 21:16:32 PDT


On Wed, 16 Oct 2002 16:14:16 PDT, kam said:

> The problem with your idea is that it will never work for the actual
> exploitation of a system or network. If you plan on using this medium as a
> communication channel, that's one thing, but you will never get a host
> machine to respond to options in these fields.

It's not *intended* to be used as an exploit - by definition, a "covert
channel" is a communications path used to transmit data without being
noticed.  The "classic" covert channel is *two* cooperating processes
at *different* security levels that are not permitted to communicate
directly because they *are* at different levels.  You would then be
able to "tunnel" Top Secret information out to the non-Secret process
by (for example) alternately filling a shared disk and releasing it, or
causing the system paging rate to go up and down, or creating/deleting
a pre-arranged filename, to send a message by Morse code or whatever.
The non-TS process then uses 'df' or 'uptime' or 'ls' or whatever to watch
the freespace/paging rate/files to receive the message.

I remember a number of years ago a telnet-over-DNS covert channel, where
the "inside" process would issue strange DNS requests to send data out,
and a subverted DNS server on the "outside" would send the inbound data in the replies...

And just recently, there was a program to tunnel things over ICMP (remember,
many ICMP messages carry an IP packet header, so that space can be used for data storage).

You could use things like the TCP ISN value to leak close to 4 bytes of
information per 3-packet handshake without your firewall ever twigging to
what's being tunneled right under its nose - I haven't seen actual code
for this one.  You can get yourself another 4 bytes per ACK if you use the
sequence number field to send data rather than actually ACK packets - I'll
bet that most firewalls don't keep *THAT* much state to detect that an
ACK is out-of-bounds.

If you're sufficiently desperate, there's the ICMP Timestamp Request/Reply,
lots of places to hide stuff in IP option headers, etc etc etc...

Even as early as the DOD Orange Book, it was recognized that it's impossible
to eliminate covert channels on a shared-access computer system/network, and
as a result, the requirements are of the form "designed to limit maximum
bandwidth of the covert channel to N bits/second" (where N was on the order
of 150 bits/sec) - this in a day when 1200 baud modems were considered fairly

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
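The post's closing point, that a shared-resource covert channel cannot be eliminated but its bandwidth can be capped, is easiest to see with numbers. The following is an added example written for this archive page, not code from the poster or from any of the tools mentioned. It models the "fill the disk / release it" storage channel as a binary symmetric channel: the high process signals one bit per tick, and a hypothetical reference monitor perturbs the reading the low process gets from 'df' with probability p. The symbol rate (1200 ticks/second) and the monitor mechanism are assumptions chosen for illustration; the 150 bit/s target is the figure from the post.

```python
"""
Covert-channel bandwidth limit as a binary symmetric channel (BSC).

Added example, not from the list post.  Assumptions: the shared resource is
sampled once per tick at `symbol_rate` ticks/second, and the mitigation is a
reference monitor that flips the value seen by the low process with
probability p per tick.  Capacity of a BSC is C = R * (1 - H(p)).
"""
import math
import random
from typing import List, Tuple


def binary_entropy(p: float) -> float:
    """Shannon entropy H(p), in bits, of a binary symbol with P(1) = p."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def bsc_capacity(symbol_rate: float, flip_prob: float) -> float:
    """Capacity in bits/second of a BSC driven at symbol_rate symbols/second
    where each symbol is flipped with probability flip_prob."""
    return symbol_rate * (1.0 - binary_entropy(flip_prob))


def noise_needed(symbol_rate: float, target_bps: float) -> float:
    """Smallest flip probability in [0, 0.5] the monitor must inject so the
    channel capacity is at most target_bps.  Capacity decreases monotonically
    in p on [0, 0.5], so bisection finds it."""
    if target_bps >= symbol_rate:
        return 0.0
    lo, hi = 0.0, 0.5  # capacity(lo) = R > target; capacity(hi) = 0 <= target
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if bsc_capacity(symbol_rate, mid) > target_bps:
            lo = mid  # still too much bandwidth: need more noise
        else:
            hi = mid
    return hi


def to_bits(data: bytes) -> List[int]:
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def run_storage_channel(message: List[int], flip_prob: float,
                        repeat: int, seed: int) -> Tuple[List[int], float]:
    """Toy model of the storage channel under the noisy monitor.

    The high process signals each bit `repeat` times (1 = disk full,
    0 = released); the low process reads 'df' every tick, and the monitor
    flips each reading with probability flip_prob.  The low process majority
    votes over the repeats.  Returns (recovered bits, bit error rate)."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    recovered = []
    for bit in message:
        votes = 0
        for _ in range(repeat):
            seen = bit ^ (1 if rng.random() < flip_prob else 0)
            votes += seen
        recovered.append(1 if votes * 2 > repeat else 0)
    errors = sum(a != b for a, b in zip(message, recovered))
    return recovered, errors / len(message)


if __name__ == "__main__":
    rate = 1200.0                          # ticks/second (assumed)
    p = noise_needed(rate, 150.0)          # cap at the post's ~150 bit/s
    print(f"flip probability to cap {rate:.0f} sym/s at 150 bit/s: {p:.3f}")
    msg = to_bits(b"TS data")              # constructed sample message
    _, raw_err = run_storage_channel(msg, p, 1, seed=7)
    _, rep_err = run_storage_channel(msg, p, 9, seed=7)
    print(f"raw bit error rate {raw_err:.2f}; with 9x repetition {rep_err:.2f} "
          f"(effective rate {rate / 9:.0f} bit/s)")
```

The repetition run is the educational part: once the monitor injects enough noise, the high process can still get its bits through by repeating each one and letting the low side majority-vote, but only by slowing down to roughly the capacity bound. That is exactly the shape of the Orange Book requirement: the channel remains, and what the design controls is its maximum bandwidth.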

    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:16:49 PDT