covert channels
play

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING - PowerPoint PPT Presentation

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1


  1. COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL>

  2. HOUSEKEEPLING ▪ Lab on May 30th seems to be problematic for Delft ▪ Lab on May 31st seems to be problematic for Twente Systems Security – Covert Channels 2 14.05.2018

  3. Prepare to vote 1 Go to sh shakeq.com This presentation has been loaded without the Shakespeak add-in. Want to download the add-in for free? Go to 2 Log in with System http://shakespeak.com/en/free-download/. Voting is anonymous 30.04.2018

  4. For Delft: Will moving the lab from May 30th help you A. Yes, to May 31st B. Yes, to June 1st C. No The question will open when you start your session and slideshow. Close d Internet This text box will be used to describe the different message sending methods. # Votes: 8 TXT TXT The applicable explanations will be inserted after you have started a session.

  5. For Delft: Will moving the lab from May 30th help you A. Yes, to May 31st 25.0% B. Yes, to June 1st 50.0% C. No 25.0% Close d Internet This text box will be used to describe the different message sending methods. TXT TXT The applicable explanations will be inserted after you have started a session.

  6. For Twente: Will movnig the lab from May 31st help you? A. Yes, to May 30st B. Yes, to June 1st C. No The question will open when you start your session and slideshow. Close d # Votes: Internet This text box will be used to describe the different message sending methods. TXT TXT The applicable explanations will be inserted after you have started a session. 29

  7. For Twente: Will movnig the lab from May 31st help you? A. Yes, to May 30st 17.2% B. Yes, to June 1st 27.6% C. No 55.2% Close d Internet This text box will be used to describe the different message sending methods. TXT TXT The applicable explanations will be inserted after you have started a session.

  8. COVERT CHANNEL A channel not intended for information transfer at all Systems Security – Covert Channels 8 14.05.2018

  9. CHANNELS FOR INFORMATION TRANSFER Systems Security – Covert Channels 9 14.05.2018

  10. WHAT WAS PROBABLY NOT INTENDED Systems Security – Covert Channels 10 14.05.2018

  11. TYPES OF COVERT CHANNELS ▪ There is an existing channel you are aware of ▪ Variations in that channel allow you to embed additional information ▪ You are not even aware that this channel exists Systems Security – Covert Channels 11 14.05.2018

  12. COVERT CHANNELS VS. SIDE CHANNELS Covert channels are A side channel is more or „used“ by a (malicious) less the unintentional device or program to leakage of information from transmit information in a a device or program that way that makes them can be observed by an hard to detect. adversary. Systems Security – Covert Channels 12 14.05.2018

  13. TYPICAL COVERT CHANNELS ▪ System state (load, global settings, shared resources) ▪ Network protocols ▪ Protocol features and freedom of choice ▪ Radio protocols ▪ Hidden transmissions in existing radio protocols ▪ Previously unknown transmission features ▪ Light ▪ Sound Systems Security – Covert Channels 13 14.05.2018

  14. EXAMPLE SYSTEM LOAD ▪ Two docker containers running on a local system ▪ Both are isolated from each other ▪ Container 1 spawns a lot of processes ▪ Container 2 sees a high system load ▪ Can be used to communicate secrets across different security domains Systems Security – Covert Channels 14 14.05.2018

  15. NETWORK PROTOCOLS ▪ Many covert channels in the TCP/IP protocol family ▪ IP ▪ Header bits like “don’t fragment” ▪ TCP ▪ Window size and scaling, fragmentation behaviour ▪ HTTP ▪ Order of headers for HTTP request Systems Security – Covert Channels 15 14.05.2018

  16. HTTP EXAMPLE GET / HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: de,en-US;q=0.7,en;q=0.3 Cache-Control: max-age=0 Connection: keep-alive Host: www.spiegel.de Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 GET / HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: de,en-US;q=0.7,en;q=0.3 Connection: keep-alive Cache-Control: max-age=0 Host: www.spiegel.de Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Systems Security – Covert Channels 16 14.05.2018

  17. DETECTION ▪ Usually hard (that‘s almost the definition of a covert channel) ▪ When a reference transmission is available, a direct comparison is sometimes possible Systems Security – Covert Channels 17 14.05.2018

  18. THE TIMING DOMAN ▪ Leave everything as it is, just vary the timing ▪ Works very well for most packet switching based protocols ▪ Often difficult for circuit switching protocols ▪ Can be applied to TDMA based radio procols as well (more about this later on) ▪ Timing in the internet is affected by routers forwarding the traffic ▪ Effectively the transmission is a noisy channel and all methods known from information theory can be applied to compensate for the noise Systems Security – Covert Channels 18 14.05.2018

  19. THE PHYSICAL LAYER A PARADISE FOR COVERT CHANNELS ▪ Pretty much everything here can be applied to radio protocols as well ▪ A cookbook for covert channels: ▪ Use the physical layer protocol of your choice ▪ Usually you find some error correction method in there as well as a checksum ▪ Exchange the checksum with something else of your choice ▪ Normal recovers will drop your packets since the checksum is invalid Systems Security – Covert Channels 19 14.05.2018

  20. WIFI AND OTHER RADIO PROTOCOLS ▪ WiFi ▪ Various kinds of digital modulation ▪ Decoding and some procotol layers usually processed by the baseband ▪ Again a paradise for covert channels Systems Security – Covert Channels 20 14.05.2018

  21. DIGITAL MODULATION 4QAM Systems Security – Covert Channels 21 14.05.2018

  22. 4QAM WITH NOISE Systems Security – Covert Channels 22 14.05.2018

  23. 4QAM WITH NOISE Systems Security – Covert Channels 23 14.05.2018

  24. 4QAM WITH NOISE Systems Security – Covert Channels 24 14.05.2018

  25. 16QAM Source: https://commons.wikimedia.org/wiki/Category:Quantized_QAM Systems Security – Covert Channels 25 14.05.2018

  26. PROBLEM: YOU STILL SEE A TRANSMISSION ▪ Make your transmission indistinguishable from noise ▪ CDMA modulation ▪ Very low transmission power Systems Security – Covert Channels 26 14.05.2018

  27. HOW TO PREVENT SUCH COVERT CHANNELS ▪ Remove all radio transmitters from your system Systems Security – Covert Channels 27 14.05.2018

  28. Which devices in your computer can be used for radio transmissions? Bluetoothmicrop Netcard, honeWiFi GPU soundcard adapterspeakers Internet This text box will be used to describe the different message sending methods. # Messages: 0 TXT TXT The applicable explanations will be inserted after you have started a session.

  29. ALTERNATIVE RADIO TRANSMISSIONS Systems Security – Covert Channels 29 14.05.2018

  30. LIGHT ▪ You can do similar things with light ▪ Very often, you do not find well controllable light transmitters in a PC ▪ But for low data rates, they are sufficient Systems Security – Covert Channels 30 14.05.2018

  31. SOUND ▪ Again, sound is a paradise for covert channels ▪ There are many ways to create sound ▪ And there are many ways to receive sound ▪ Most methods from radio protocols apply to sound as well ▪ We assume we can hear sound, but that is not true Systems Security – Covert Channels 31 14.05.2018

  32. HEARING ▪ Our perception of sound depends on the frequencey and the intensity of the sound as well as other sounds we are hearing at the „same moment“ ▪ Everything with a higher frequency that we can hear is called „ultrasonic“ ▪ Ultrasonic sound is a very nice covert channel Systems Security – Covert Channels 32 14.05.2018

  33. HOW TO CREATE SOUND ▪ Speakers ▪ Frequency range is limited by: ▪ The sample rate of the connected audio device ▪ The frequency response curve of the speaker ▪ Capacitors ▪ (Bad) capacitors connected to high frequency power tend to produce sound ▪ The same sometimes for coils Systems Security – Covert Channels 33 14.05.2018

  34. HOW TO RECEIVE SOUND ▪ Microphone ▪ Again, limited by the response curve and the connected audio hardware ▪ Possibly the accelerometer Systems Security – Covert Channels 34 14.05.2018

  35. RECEIVING SOUND WITH A DIGITAL CAMERA Systems Security – Covert Channels 35 14.05.2018

  36. OTHER THINGS THAT ARE SENSITIVE TO SOUND Systems Security – Covert Channels 36 14.05.2018

  37. A SOUND COVERT CHANNEL FOR SMARTPHONES ▪ Play audible sounds in your application but vary them ▪ Seems to work well ▪ Play very silent sound in the audible range ▪ Seems to be hard on Android ▪ Play sound in the ultrasonic range ▪ Also seems to work well, but take device characteristics into account Systems Security – Covert Channels 37 14.05.2018

  38. RECOMMENDED READING “Inaudible Sound as a Covert Channel in Mobile Devices” by Luke Deshotels, North Carolina State University Systems Security – Covert Channels 38 14.05.2018

  39. SPECDROID Systems Security – Covert Channels 39 14.05.2018

Recommend


More recommend