COVERT STORAGE CHANNEL MODULE
Xenia Mountrouidou, College of Charleston
Xiangyang Li, Johns Hopkins University Information Security Institute
Outline
- Start reserving your topology
- Learning Goals
- Audience
- Background
- Variations
Reserve Topology
- Go to: https://goo.gl/KTOVfA
- Use the Rspec: http://mountrouidoux.people.cofc.edu/CyberPaths/files/csc_lab_rspec.txt
Learning Goals
- Generate regular traffic based on a distribution
- Generate covert storage channel traffic with TCP flag manipulation
- Analyze the TCP packets
- Detect the presence of covert storage channel traffic in a network using entropy
- Use Wireshark and GENI
Audience
- CS majors
- Some background work is needed
Background
- Linux, SFTP and Wireshark
- Covert Storage Channels
- TCP Flags
- GENI
What are Covert Storage Channels?
A Covert Storage Channel is a communications channel hidden within the medium of a legitimate communications channel. Covert channels manipulate a communications medium in an unexpected or unconventional way, using resources that are not meant for communication, in order to transmit information in an undetectable manner.
How do we use TCP Flags as carriers?
A Covert Storage Channel uses the TCP Flags (TF) header field of a network packet, a six-bit field used to set up a TCP connection for transmitting messages. The two communicating parties exchange messages based on a pre-agreed coding scheme.
Covert Channels
- Covert channels transmit hidden information.
- Covert Timing Channel (CTC): e.g., packet inter-arrival time patterns
- Covert Storage Channel (CSC): e.g., network packet headers
- CSCs use a specific information carrier. Accomplices use a pre-agreed coding.
- Network traffic is complex, which makes it ideal for CSCs.
- CSC applications: command and control, data exfiltration.
(https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/introduction_to_network/tcp_and_packets.html)
November 2016
CSC Examples
[Figure: "Single Packet - TCP Flags as Carrier" showing a valid and an invalid setting of the URG ACK PSH RST SYN FIN bits; "Multi Packet - Sequence Number as Carrier"]
- A single-packet CSC transmits information using the TCP flags field. Of the 64 possible combinations of this 6-bit header field, fewer than half occur in normal traffic. Significant use of invalid combinations can indicate a CSC instance.
- A multi-packet CSC looks at the relationship between packets. In normal traffic the packet sequence number changes in a certain pattern, i.e., incrementing each time within one session. This CSC uses abnormal changes to encode secret information, i.e., a decrease in value or an increase by more than the expected increment.
How Does Cybercrime Exploit Covert Storage Channels?
- Researchers focus on methods for more reliable CSCs, motivated by the privacy and protection of the communicating parties.
- Conspirators seek advanced steganographic tools for the purposes of:
  - Data Exfiltration
  - Command and Control (C&C)
How to Detect CSC?
Anomaly detection through traffic modeling:
- TCP flag usage in regular traffic is relatively stable; the usage in CSC traffic varies considerably.
- A normal profile is the TCP flag frequency distribution of regular traffic.
- The distance of ongoing traffic from the normal profile indicates whether something abnormal is happening:
  - Relative entropy, or Kullback-Leibler divergence, measures the difference from the model distribution Q to the observation distribution P.
  - Mahalanobis distance detects anomalies by comparing one observation x = (x1, x2, ..., xn) to a set of observations (from regular traffic) with mean μ and covariance matrix S. Here x is a specific TCP flag.
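The detection idea on this slide, and the "invalid combinations" observation from the CSC Examples slide, carried through as an added example (this is not code from the module or the lab, and does not reproduce the lab's traffic generator). It builds a normal profile from constructed regular traffic, then scores a window of packets with the Kullback-Leibler divergence of its flag-combination distribution P from the profile Q, with the fraction of combinations never seen in the profile, and with a univariate Mahalanobis distance per flag (x being one specific TCP flag, as the slide says). The flag mix in REGULAR_MIX, the window sizes, the smoothing constant and the two thresholds are assumptions chosen for the example, not values from the module; the channel_window function is only a stand-in that mixes arbitrary six-bit values into regular traffic so the detector has something to score.

```python
"""Added example: scoring TCP flag usage against a normal profile (constructed data)."""
import math
import random
from collections import Counter

# Bit positions of the six flags in the TCP flags field.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
N_COMBOS = 64  # six-bit field -> 64 possible combinations

# Constructed mix of flag combinations for regular traffic (assumed weights, not
# measured values): ACK, PSH|ACK, SYN, SYN|ACK, FIN|ACK and RST.
REGULAR_MIX = [(0x10, 60), (0x18, 25), (0x02, 4), (0x12, 4), (0x11, 5), (0x04, 2)]


def flag_names(value):
    """Names of the flags set in a six-bit flags value, in FLAG_BITS order."""
    return [name for name, bit in FLAG_BITS.items() if value & bit] or ["none"]


def regular_window(rng, n_packets):
    """Constructed window of regular traffic: flag values drawn from REGULAR_MIX."""
    combos, weights = zip(*REGULAR_MIX)
    return rng.choices(combos, weights=weights, k=n_packets)


def channel_window(rng, n_packets, carrier_share=0.3):
    """Constructed stand-in for channel traffic: a share of the packets carry an
    arbitrary six-bit value instead of a regular combination. Test input only."""
    return [rng.randrange(N_COMBOS) if rng.random() < carrier_share else v
            for v in regular_window(rng, n_packets)]


def distribution(flag_values, smoothing=1e-6):
    """Frequency distribution over the 64 combinations. Additive smoothing keeps
    every probability non-zero so the divergence stays finite."""
    counts = Counter(v & 0x3F for v in flag_values)
    total = len(flag_values) + smoothing * N_COMBOS
    return [(counts.get(c, 0) + smoothing) / total for c in range(N_COMBOS)]


def kl_divergence(p, q):
    """D_KL(P || Q) in bits: divergence of the observed distribution P from profile Q."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def unseen_fraction(flag_values, profile_values):
    """Share of packets whose flag combination never occurs in the profile traffic."""
    seen = set(profile_values)
    return sum(1 for v in flag_values if v not in seen) / len(flag_values)


def bit_frequencies(flag_values):
    """Per-flag frequency: fraction of packets in the window with each flag set."""
    n = len(flag_values)
    return {name: sum(1 for v in flag_values if v & bit) / n for name, bit in FLAG_BITS.items()}


def mahalanobis_1d(x, samples):
    """Univariate Mahalanobis distance |x - mu| / s of x to a sample set with
    mean mu and sample standard deviation s."""
    mu = sum(samples) / len(samples)
    var = sum((s - mu) ** 2 for s in samples) / (len(samples) - 1)
    if var == 0:
        return 0.0 if x == mu else math.inf
    return abs(x - mu) / math.sqrt(var)


def analyze(window, profile_values, profile_windows, kl_threshold=0.5, md_threshold=3.0):
    """Score one window against the normal profile; flag it if either measure trips."""
    kl = kl_divergence(distribution(window), distribution(profile_values))
    obs = bit_frequencies(window)
    history = [bit_frequencies(w) for w in profile_windows]
    md = {name: mahalanobis_1d(obs[name], [h[name] for h in history]) for name in FLAG_BITS}
    return {
        "kl_bits": kl,
        "unseen_fraction": unseen_fraction(window, profile_values),
        "mahalanobis": md,
        "flagged": kl > kl_threshold or max(md.values()) > md_threshold,
    }


def demo(seed=1, n_windows=20, window_size=500):
    """Build the profile from regular windows, then score one regular and one channel window."""
    rng = random.Random(seed)
    profile_windows = [regular_window(rng, window_size) for _ in range(n_windows)]
    profile_values = [v for w in profile_windows for v in w]
    regular = analyze(regular_window(rng, window_size), profile_values, profile_windows)
    channel = analyze(channel_window(rng, window_size), profile_values, profile_windows)
    return regular, channel


if __name__ == "__main__":
    for label, result in zip(("regular", "channel"), demo()):
        print(f"{label}: KL={result['kl_bits']:.3f} bits, "
              f"unseen={result['unseen_fraction']:.2%}, flagged={result['flagged']}")
```

The smoothing constant matters: with a very small value, a combination that never occurs in the profile contributes a large term to the divergence as soon as it appears in a window, which is exactly the "invalid combination" signal; a larger value tolerates rare combinations and trades sensitivity for fewer false alarms. In a real deployment the profile windows would come from captured regular traffic (for example, flag values read from a Wireshark or tcpdump capture) rather than from REGULAR_MIX.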
CSC Lab for non-CS Majors
- Draw Topology
- Generate regular traffic
- Use TCP flag manipulation
- Generate covert storage channel traffic
- Detect the presence of covert storage traffic
- Experiments on GENI
GENI: Virtual laboratory for networking and distributed systems research and education
Simulating Covert Storage Channels
- Real machines
- Small Network
- CSC traffic
- Regular traffic
You control all these!
Variations and References
- Usage of a different TCP header field as CSC
- Usage of a Split-Join Network for transmitting CSC traffic
J. Chow, X. Li, and X. Mountrouidou, "Raising flags: Detecting covert storage channels using relative entropy," IEEE International Conference on Intelligence and Security Informatics (IEEE ISI 2017), Beijing, China, July 22-24, 2017.
Questions?
LET'S EXPERIMENT!