Vulnerability Development mailing list archives

Re: Covert Channels


From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Oct 2002 00:16:32 -0400

On Wed, 16 Oct 2002 16:14:16 PDT, kam said:

> The problem with your idea is that it will never work for the actual
> exploitation of a system or network. If you plan on using this medium as a
> communication channel, that's one thing, but you will never get a host
> machine to respond to options in these fields.

It's not *intended* to be used as an exploit - by definition, a "covert
channel" is a communications path used to transmit data without being
noticed.  The "classic" covert channel is *two* cooperating processes
at *different* security levels that are not permitted to communicate
directly because they *are* at different levels.  You would then be
able to "tunnel" Top Secret information out to the non-Secret process
by (for example) alternately filling a shared disk and releasing it, or
causing the system paging rate to go up and down, or creating/deleting
a pre-arranged filename, to send a message by Morse code or whatever.
The non-TS process then uses 'df' or 'uptime' or 'ls' or whatever to watch
the freespace/paging rate/files to receive the message.

I remember a number of years ago a telnet-over-DNS covert channel, where
the "inside" process would issue strange DNS requests to send data out,
and a subverted DNS server on the "outside" would send the inbound data in the replies...

And just recently, there was a program to tunnel things over ICMP (remember,
many ICMP carry an IP packet header so that space can be used for data storage).

You could use things like the TCP ISN value to leak close to 4 bytes of
information per 3-packet handshake without your firewall ever twigging to
what's being tunneled right under its nose - I haven't seen actual code
for this one.  You can get yourself another 4 bytes per ACK if you use the
sequence number field to send data rather than actually ACK packets - I'll
bet that most firewalls don't keep *THAT* much state to detect that an
ACK is out-of-bounds.

If you're sufficiently desperate, there's the ICMP Timestamp Request/Reply,
lots of places to hide stuff in IP option headers, etc etc etc...

Even as early as the DOD Orange Book, it was recognized that it's impossible
to eliminate covert channels on a shared-access computer system/network, and
as a result, the requirements are of the form "designed to limit maximum
bandwidth of the covert channel to N bits/second" (where N was on the order
of 150 bits/sec) - this in a day when 1200 baud modems were considered fairly
fast....
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
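As an added illustration, not part of Valdis's post, of the state a firewall would have to keep to notice the out-of-bounds ACK and sequence numbers he describes: a minimal per-connection TCP tracker in Python that records the next expected sequence number for each endpoint and the last ACK each side issued, then flags ACKs that acknowledge bytes the peer never sent and pure ACKs whose sequence number does not match the stream position. The trace, addresses and initial sequence numbers are constructed for the example.

```python
"""
Added example (not code from the original post): a tiny stateful TCP
tracker showing what a firewall must remember, per connection, to notice
the ACK/SEQ-field covert channel the post describes.  The packet trace and
addresses below are constructed for illustration only.
"""
from dataclasses import dataclass, field

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Packet:
    src: str          # "ip:port" of the sender (constructed values)
    dst: str
    flags: str        # any subset of "SAFP"
    seq: int
    ack: int
    payload_len: int = 0


@dataclass
class ConnState:
    next_seq: dict = field(default_factory=dict)  # endpoint -> next seq it should send
    last_ack: dict = field(default_factory=dict)  # endpoint -> last ACK it issued


def _in_window(value, lo, hi):
    """True if lo <= value <= hi in modulo-2^32 arithmetic (handles wrap)."""
    return (value - lo) % SEQ_SPACE <= (hi - lo) % SEQ_SPACE


def track(packets):
    """Walk a trace in capture order; return [(packet_index, reason), ...]."""
    conns = {}
    anomalies = []
    for i, p in enumerate(packets):
        key = frozenset((p.src, p.dst))
        st = conns.setdefault(key, ConnState())
        syn = "S" in p.flags
        if syn and "A" not in p.flags:
            conns[key] = st = ConnState()  # a fresh SYN restarts the tracker

        # ACK field: it may only acknowledge data the peer has actually sent,
        # and it should not fall behind this side's previous ACK.
        if "A" in p.flags:
            peer_next = st.next_seq.get(p.dst)
            if peer_next is None:
                anomalies.append((i, "ACK flag set before the peer sent anything"))
            else:
                lo = st.last_ack.get(p.src, peer_next)
                if _in_window(p.ack, lo, peer_next):
                    st.last_ack[p.src] = p.ack
                else:
                    anomalies.append((i, f"ack {p.ack} outside [{lo}, {peer_next}]"))

        # SEQ field: advance the expected position; a pure ACK that carries an
        # unexpected sequence number is exactly the case the post mentions.
        expected = st.next_seq.get(p.src)
        if syn:
            st.next_seq[p.src] = p.seq + 1  # SYN occupies one sequence number
        elif expected is None:
            anomalies.append((i, "segment before any handshake was seen"))
        elif p.seq == expected:
            st.next_seq[p.src] = p.seq + p.payload_len + ("F" in p.flags)
        elif p.payload_len == 0:
            anomalies.append((i, f"pure ACK carries seq {p.seq}, expected {expected}"))
        # A data segment with seq != expected may be loss or a retransmit in a
        # real capture, so it is deliberately not flagged by this toy tracker.
    return anomalies


A, B = "10.0.0.1:40000", "10.0.0.2:80"  # constructed endpoints
SAMPLE_TRACE = [
    Packet(A, B, "S",  seq=1000, ack=0),
    Packet(B, A, "SA", seq=5000, ack=1001),
    Packet(A, B, "A",  seq=1001, ack=5001),
    Packet(A, B, "AP", seq=1001, ack=5001, payload_len=100),
    Packet(B, A, "A",  seq=5001, ack=1101),
    Packet(B, A, "AP", seq=5001, ack=1101, payload_len=50),
    Packet(A, B, "A",  seq=1101, ack=5051),
    Packet(A, B, "A",  seq=1101, ack=0xDEADBEEF),  # ACK far outside the window
    Packet(A, B, "A",  seq=0x41414141, ack=5051),  # pure ACK with bogus seq
]

if __name__ == "__main__":
    for idx, reason in track(SAMPLE_TRACE):
        print(f"packet {idx}: {reason}")
```

Running it reports only the last two packets of the constructed trace. In live traffic, reordering, loss and retransmission produce benign hits of the same kind, so a check like this is a signal to correlate (for example against repeated anomalies on one connection) rather than proof of tunnelling; the ISN-based variant in the post leaves no such inconsistency to find, which is why the post treats it as the harder case.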
