The presentation will describe the idea of passive covert channels (PCC). By passive covert channels, one means a specific kind of CC, which does not generate its own traffic. A PCC only changes some fields in the packets generated by a legitimate user (or processes) of the compromised host. For example, a PCC can be implemented as a kernel module which will change the Initial Sequence Number (ISN) in all (or only some) outgoing TCP connections. The new ISNs will carry the secret message, which could be, for example, the password sniffed by malicious software running on the compromised machine. A passive covert channel will be very hard to detect, since the packets used for carrying the message are beyond any suspicion. The idea of a PCC seems very simple, but it must be carefully implemented so as to not disturb normal user operations. In the example implementation mentioned above, this means that the kernel module, which changes the ISN numbers for every outgoing SYN packet, must also change the ACK number for incoming packets back to the proper value and in addition not forget about changing later SEQ numbers in the consecutive outgoing packets belonging to the same TCP connection. During the lecture, a quick overview of how packets are handled by the Linux kernel will be presented. The focus will be put on the new NAPI based kernels (>2.4.20 & 2.6). The detailed kernel execution path (network subsystem map) will be shown. This path is traversed when new packets come into the network interface and terminates when they reach the transport layer (as well as the opposite direction) or are forwarded to another host. After this, afew possibilities of how to insert on-the-fly packet changers (like a PCC) will be discussed. The PCC idea will be demonstrated with proof-of-concept code that implements an ISN based TCP passive covert channel in the Linux kernel. The presented software can be very useful when it is combined with information gathering software, like a password sniffer. It also provides a simple protocol, which ensures the integrity of the transmitted messages as well as forcing retransmissions in the case of lost packets. Finally, different approaches to detection will be discussed and will be supported by some live demos as well. The detection part of the presentation will include host based methods and also some ideas about building network based detectors. Host based detection issues will be closely related to the more general problem of detecting a system compromise.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.