Mike Switlick. Overview What is a covert channel? Storage / Timing Requirements Bunratty attack Covert_tcp Questions.

Presentation transcript:

1 Mike Switlick

2 Overview
- What is a covert channel?
- Storage / Timing
- Requirements
- Bunratty attack
- Covert_tcp
- Questions

3 What is a covert channel?
Any communications channel that can be exploited by a process to transfer information in a manner that violates the system security policy.
A method of communication that is not part of the system's actual design but can be used to transfer information to outside sources.

4 Takes advantage of global variables such as:
- the Linux kernel variable used to track disk reads
- the TCP initial sequence number field used to track TCP/IP communications
- CPU cycles
If you can signal or store a bit in it, it can be used to leak illicit data.

5 Types of Covert Channels
Storage
- a shared resource or system variable that can be used to transfer information from a stored data source (encoded into a global variable)
- altered by a system call (operating system level)
- altered by a programming function or method (executable level)

6 Storage
- altered by an application (user level)
- a storage channel is only realized if the variable can be viewed or referenced by another process (and the enclosed data decoded)
- the most popular type

7 Example
If the global variable is the file lock attribute of a file:
- lock on signals a 1
- unlocked signals a 0
This uses a pseudo-binary code.

8 Example
(diagram: sender and receiver communicating through a kernel variable in trusted software)

9 Timing channel
- uses timing or ordering relationships to shared resources as the global variable
- bits and bytes are signaled (not stored) by timed or ordered processes to a shared resource such as a CPU
- requires cooperation between sender and receiver using a clock

10 Timing
The receiver monitors the amount of time that the sender runs a process:
- if it runs for more than 10 sec, it signals a 1
- if less than 10 sec, it signals a 0

11 Noiseless covert channel
Sender and receiver are able to communicate using a channel that is exclusive to them.

12 Noisy covert channel
Sender and receiver communicate on a channel that isn't exclusive to them.
- harder to use because other traffic creates noise
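The timing channel of slides 10 to 12, and the reason noise makes it harder to use, can be made concrete with a small simulation. This is an added example and not material from the presentation: the 10 s threshold is the one the slides give, while the 12 s / 8 s run times, the uniform jitter model and the random seed are assumptions of the example. Nothing actually sleeps; run times are plain numbers, so the noiseless and noisy cases can be compared instantly.

```python
"""Simulation of the timing channel on slides 10-12. The receiver times a
process the sender runs and reads a 1 if it ran longer than 10 s, else 0.
Nothing sleeps: durations are plain numbers, so the simulation is instant
and can compare a noiseless (exclusive) channel with a noisy shared one.
Added example; the 12 s / 8 s run times and the jitter model are assumed."""
import random

THRESHOLD_S = 10.0           # receiver's decision point (slide 10)
ONE_S, ZERO_S = 12.0, 8.0    # sender's run times for 1 and 0 (assumed)


def bits_from_text(text):
    """Expand a string into the bit sequence the sender would signal."""
    return [int(c) for byte in text.encode() for c in format(byte, "08b")]


def sender_durations(bits):
    """Run time the sender chooses for each bit."""
    return [ONE_S if b else ZERO_S for b in bits]


def observe(durations, jitter_s, rng):
    """Receiver's measurements: true run time plus contention from other
    processes, modelled as uniform jitter. jitter_s == 0 is the noiseless
    channel of slide 11; larger values are the noisy channel of slide 12."""
    return [d + rng.uniform(-jitter_s, jitter_s) for d in durations]


def receiver_decode(measured):
    """Threshold rule from slide 10: more than 10 s reads as 1, else 0."""
    return [1 if t > THRESHOLD_S else 0 for t in measured]


def bit_error_rate(bits, jitter_s, seed=1):
    """Fraction of bits the receiver decodes wrongly at a given noise level."""
    rng = random.Random(seed)
    received = receiver_decode(observe(sender_durations(bits), jitter_s, rng))
    wrong = sum(1 for sent, got in zip(bits, received) if sent != got)
    return wrong / len(bits)


if __name__ == "__main__":
    payload = bits_from_text("HELLO")          # 40 bits, about 10 s each
    for jitter in (0.0, 1.0, 5.0):
        print(f"jitter +/-{jitter} s: BER = {bit_error_rate(payload, jitter):.2f}")
```

With jitter below 2 s neither run time can cross the 10 s threshold, so the channel is error-free; at plus or minus 5 s roughly a third of the bits flip, which is the noise slide 12 refers to. Forty bits at about ten seconds each also shows why a channel like this moves only a few bits per minute, and why a monitor that notices a process repeatedly running for suspiciously regular durations is looking at the right signal.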

13 Covert requirements
- sender and receiver have the potential to communicate
- an existing global variable is accessible by both
- the sender is able to alter the global variable
- the alteration is detectable by the receiver
- they are able to synchronize operation

14 Internet protocol exploitation
- use the transport and network layers as the covert channel
- less noise than file attributes or CPU cycles
- too many protocol variations to list
- TCP/IP gives preference to the preceding fragment when reassembling data

15 Bunratty Attack
An application layer covert channel that takes advantage of the Microsoft Messaging API (MAPI)
- uses features and capabilities built into the MAPI client, the Exchange Inbox
- users have access to a message store of Personal Folders containing Inbox, Outbox, etc., which users see as the root
- Personal Folders is one of several root-level folders; the others are not visible

16 Bunratty attack
(diagram: message store tree)
Root (not visible): Secret msgs, MAPISP, Search root, FreeBusy data, Top of Personal Folders
Top of Personal Folders (visible): Inbox, Calendar, Outbox, Sent Items, Projects

17 Secret Messages
- software can be written to create secret messages in a hidden folder in the root-level directory
- it modifies the routing table so that MSG.secret goes to the secret messages folder and doesn't pass through the inbox first
- messages can contain commands to gain remote control of the system, read e-mail, etc.
- like e-mail, except almost invisible to the end user

18 Covert_tcp
Transport and network layers
Uses fields in the TCP/IP header as global variables to transmit ASCII data:
- IP packet ID field
- TCP initial sequence number field
- TCP acknowledged sequence number field

19 Covert_tcp
- these fields are less likely to be altered by perimeter devices or software like packet filters
- not seriously affected by network or system operations
- hides content while masquerading as a packet in an initial connection request or an established connection

20 Covert_tcp
- the fields are not meant to carry bytes
- they usually keep track of states, which only requires a few bits
- transfers data one ASCII character at a time, one character per packet
- the receiver parses the IP ID to obtain its value, then divides the value by 256 to obtain the ASCII value

21 Packet one:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 18432)
Decoding… (ttl 64, id 18432/256) gives ASCII 72 (H)
Packet two:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 17664)
Decoding… (ttl 64, id 17664/256) gives ASCII 69 (E)
Packet three:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 19456)
Decoding… (ttl 64, id 19456/256) gives ASCII 76 (L)

22 Packet four:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 19456)
Decoding… (ttl 64, id 19456/256) gives ASCII 76 (L)
Packet five:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 19456)
Decoding… (ttl 64, id 19456/256) gives ASCII 79 (O)
Packet six:
18:50:13.551117 nextime.getreal.com 7180> vlast.getreal.com.www: S 537657344:537657344(0) win 512 (ttl 64, id 2560)
Decoding… (ttl 64, id 2560/256) gives ASCII 10 (carriage return)
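Slides 20 to 22 describe the covert_tcp receiver rule: the IP ID of each packet, divided by 256, is one ASCII character. The following added example, which is not part of the presentation and not code from the covert_tcp tool, implements that decoding over tcpdump-style lines in the format the slides show and turns it into a detection check: a SYN stream whose IP IDs are all exact multiples of 256 and decode to printable text is flagged. The hostnames, IP IDs and lines are constructed sample data, and the flow grouping and the min_packets threshold are assumptions of the example.

```python
"""Decoder and detection heuristic for the covert_tcp IP ID channel
(slides 20-22). Added example; the input lines are constructed sample
data in the tcpdump format the slides show, not a real capture."""
import re
from collections import defaultdict

# Matches the parts of a tcpdump-style line used here: source, destination,
# TCP flags and the trailing "(ttl N, id N)" annotation the slides show.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>.+?)\s*>\s*(?P<dst>\S+):\s+(?P<flags>\S+)"
    r".*\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<ipid>\d+)\)"
)


def tcpdump_line(src, dst, ipid, flags="S"):
    """Construct a line in the format shown on slides 21-22 (sample data)."""
    return (f"18:50:13.551117 {src} > {dst}: {flags} 537657344:537657344(0) "
            f"win 512 (ttl 64, id {ipid})")


# Placeholder hostnames for three constructed streams: one covert_tcp
# sender, one ordinary client whose stack increments the IP ID, and one
# whose IDs are multiples of 256 but do not decode to text.
COVERT = "client.example.test.7180"
NORMAL = "host-a.example.test.4000"
BINARY = "host-b.example.test.5000"
SERVER = "server.example.test.www"

SAMPLE_LINES = (
    [tcpdump_line(COVERT, SERVER, i) for i in (18432, 17664, 19456, 19456, 20224, 2560)]
    + [tcpdump_line(NORMAL, SERVER, i) for i in (1234, 1235, 1236, 1237)]
    + [tcpdump_line(BINARY, SERVER, i) for i in (256, 512, 768, 1024)]
)


def decode_ipid(ipid):
    """Slide 20's rule: the carried byte is id / 256. Returns None when the
    id is not an exact multiple of 256, which the encoder never produces."""
    return ipid // 256 if ipid % 256 == 0 else None


def parse(lines):
    """Pull (src, dst, flags, ipid) out of each line that matches LINE_RE."""
    rows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rows.append((m["src"], m["dst"], m["flags"], int(m["ipid"])))
    return rows


def find_suspect_flows(lines, min_packets=4):
    """Return {(src, dst): decoded_text} for SYN streams whose IP IDs are all
    multiples of 256 and decode to printable ASCII. A normal stack picks IDs
    incrementally or at random, so min_packets such IDs in a row from one
    source is roughly a 1-in-256**min_packets event."""
    per_flow = defaultdict(list)
    for src, dst, flags, ipid in parse(lines):
        if flags.startswith("S"):
            per_flow[(src, dst)].append(ipid)
    hits = {}
    for flow, ids in per_flow.items():
        if len(ids) < min_packets:
            continue
        values = [decode_ipid(i) for i in ids]
        if any(v is None for v in values):
            continue
        text = "".join(chr(v) for v in values)
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            hits[flow] = text
    return hits


if __name__ == "__main__":
    for (src, dst), text in find_suspect_flows(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: IP IDs decode to {text!r}")
```

The printable-text filter matters in practice: stacks that send an IP ID of 0 on every packet decode to NUL and are not flagged, and a four-packet burst whose IDs happen to be multiples of 256 but decode to control bytes is skipped as well. Raising min_packets lowers the false-positive rate at the cost of missing very short messages, which is the usual trade-off for a heuristic like this.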

23 Questions?

