Covert Channels

1
CIT 380 Securing Computer Systems

• Covert Channels

2
Covert Channels

1. Covert Channels
2. Using Other Protocols
3. Hiding within a Protocol
4. Local Covert Channels
5. Defending against Covert Channels

3
Covert Channels

• Covert channel a path of communication that was
  not designed for such communication.
• IDS look for abnormal traffic
• Use traffic that already exists ping, DNS, HTTP.
• Avoid creating abnormal traffic patterns.
• Use encryption
• Avoids keyword detection by IDS.
• Prevents incident response from viewing data.

4
Using Other Protocols

• Use non-TCP/UDP protocols
• Dont show up on port scan.
• Dont show up on netstat on machine.
• Use standard protocols for other purposes
• DNS
• HTTP
• Reverse the direction of traffic
• Internal machine initiates covert channel.

5
Loki

• Tunnel shell using ICMP echo packets.
• Uses ICMP data for commands/responses.
• Uses Blowfish encryption algorithm.
• Loki2 can also tunnel via DNS lookups.
• Can swap between ICMP and DNS tunneling.
• Other ICMP shells, often use echo reply only
• icmp_backdoor
• sneaky-sneaky
• lyceum

6
TunnelShell

• Multi-protocol backdoor with evasion.
• ICMP standard ICMP shell.
• TCP uses only ACK packets to communicate,
  bypassing packet filters, and showing no port
  used on local machine.
• UDP UDP shell without binding port.
• IP IP without using a higher level protocol.
• Fragment uses fragmented IP packets.

7
WWW Shells

• Simple shells
• Web program that acts as a shell.
• ex CGI Telnet, PHP Shell
• Reverse WWW Shell
• Web client that checks server for commands.
• Use predefined or random time intervals.
• Looks like a browser surfing the web.
• HTTP request (shell prompt)
• GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdg
  xEdb1He7krj HTTP/1.0
• HTTP response (ls command)
• g5mAlfbknz

8
HTTP Tunnels

• Tunnel any protocol over HTTP
• Bypass firewalls.
• Most software supports proxies.
• Can use SSL for encryption.
• Malware embeds self in IE as a BHO, then uses
  HTTP to phone home with IEs permissions.
• GoToMyPC
• Commercial HTTP tunnel.
• Remote desktop access protocol like VNC.

9
TCP/IP Headers

• Requirements
• Headers must not be used by end systems.
• Headers must not be modified by routers.
• IP Headers
• IP Identification
• IP options (may be modified by routers)
• TCP Headers
• Sequence numbers
• Bits reserved for future use.
• TCP options (may be modified by routers)

10
Covert_TCP

• IP covert channel
• Insert one byte into IPID field of each packet.
• TCP sequence number channel
• Inserts one byte into sequence numbers.
• Sends SYN with encoded ISN.
• Server responds with RST to acknowledge.
• Each byte transferred requires two packets.

11
Covert_TCP

• TCP ACK number bounce channel
• Inserts one byte into the ACK number.
• Uses 3 hosts client, server, bounce server
• Operation
• Client SYN w/ encoded ISN, spoofing IP of
  server.
• Bounce server SYN/ACK or RST w/ encoded ISN1 to
  spoofed source IP (server)
• Server receives bounced packet, recovers byte
  from ISN.

12
Nushu

• Passive covert channel.
• Inserts data into TCP packets from other apps.
• Alters sequence numbers to contain data.
• Runs as a Linux kernel module.
• Receiver sniffs data off network.
• Receiver IP address not in any packets.
• Receiver must be at gateway where it can sniff
  all of the packets sent by Nushu.

13
Steganography

• A covert channel via data files.
• Share data files openly
• Use file sharing sites like Flickr.
• Use sites with photographs like Ebay.
• Hack another site and replace data files.
• Both sides must know
• Steganographic technique.
• Locations used to dump files.

14
Local Covert Channels

• Binary coding
• At each time interval one bit is transferred.
• If condition true, then bit is 1, otherwise 0.
• CPU Usage
• Use 100 CPU to signal a 1.
• Disk Usage
• Create enormous file to signal a 1.
• File Locking
• Writer locks file to transfer a 1.
• If reader cannot lock file, it must be locked, so
  its a 1.

15
Covering your Covering Tracks

• Covert backdoors hide data from network.
• But process listings will show backdoors.
• How can you hide the backdoors?
• Alter process / command names.
• Use rootkit to hide processes.
• Embed backdoor in kernel mode rootkit.

16
Detecting Covert Channels

• Pattern matching
• Use snort or similar tool to match patterns in
  cleartext channels.
• Counting connections
• If backdoor creates a TCP connection for each
  command, an abormal of TCP flows exists.
• Timing analysis
• Analyze packet timing and data size to identify
  interactive sessions on unexpected ports/protos.
• Entropy analysis
• ICMP packets with entropy values of natural
  language may be covert channel, while entropy
  values of random data may indicate an encrypted
  covert channel.

17
Stopping Covert Channels

• Host-based security.
• Stop attackers from gaining access to install.
• Use stateful firewall
• Blocks ACK tunneling.
• Use firewall to limit outgoing data
• Stop ICMP echo replies.
• Should your db server be browing the web?

18
References

1. Matt Bishop, Introduction to Computer Security,
   Addison-Wesley, 2005.
2. Scott Campbell, Detecting Illicit ICMP
   Communication Channels, http//www.nersc.gov/sco
   ttc/papers/ICMP_Backdoor_Detection.html
3. daemon9, Project Loki, http//www.phrack.org/iss
   ues.html?issue49id6modetxt, Phrack, Vol 7,
   Issue 49, 1996.
4. daemon9, Loki 2 The Implementation,
   http//www.phrack.org/issues.html?issue51id6mo
   detxt, Vol 7, Issue 51, 1997.
5. Craig H. Rowland, Covert Channels in the TCP/IP
   Protocols Suite, http//www.firstmonday.org/issue
   s/issue2_5/rowland/, 1996.
6. Garfinkel, Simson, Spafford, Gene, and Schartz,
   Alan, Practical UNIX and Internet Security, 3rd
   edition, OReilly Associates, 2003.
7. Ed Skoudis, Counter Hack Reloaded, Prentice Hall,
   2006.
8. J. Christian Smith, Covert Shells,
   http//www.s0ftpj.org/docs/covert_shells.htm,
   2000.
9. van Hauser, Placing Backdoors through Firewalls
   (reverse www shell), http//freeworld.thc.org/pape
   rs/fw-backd.htm, 2000.

19
CIT 380 Securing Computer Systems

• Software Security

20
Topics

1. Why Software?
2. Vulnerability Databases
3. Buffer Overflows
4. Integer Overflows
5. Attack Techniques
6. Metasploit

21
The Problem is Software

• Malicious hackers dont create security holes
  they simply exploit them. Security holes and
  vulnerabilities the real root cause of the
  problem are the result of bad software design
  and implementation.
• John Viega Gary McGraw

22
Why is Software Security poor?

1. Security is seen as something that gets in the
   way of software functionality.
2. Security is difficult to assess and quantify.
3. Security is often not a primary skill or interest
   of software developers.
4. Time spent on security is time not spent on
   adding new and interesting functionality.

23
The Trinity of Trouble

• Complexity
• Continually increasing.
• Windows 3.1 (3mloc) to Windows XP (40mloc)
• Extensibility
• Plugins.
• Mobile code.
• Connectivity
• Network access.
• Wireless networking.

24
Software Complexity

• 5-50 bugs per/kloc8
• 5/kloc rigorous quality assurance testing (QA)
• 50/kloc typical feature testing

System Lines of Code
MS Word 95 2 million
MS Windows 3.1 3 million
Boeing 777 7 million
Space Shuttle 10 million
Netscape 17 million
MS Windows XP 40 million
25
Vulnerabilities

• Vulnerability A defect in software that allows
  security policy to be violated.
• Confidentiality
• Integrity
• Availability
• Ex Allowing users to create self-replicating
  objects on a game server.
• Exploit A program that exercises a vulnerability.

26
Vulnerability Databases

• Collect vulnerability reports.
• Vendors maintain databases with patches for their
  own software.
• Security firms maintain databases of
  vulnerabilities that theyve discovered.
• Well known vulnerability databases
• CERT
• CVE
• NVD
• OSVDB

27
Why Vulnerability Databases?

• Know about vulnerabilities to software that you
  have deployed so you can mitigate them.
• Learn about vulnerability trends. If a JPG
  library bug is discovered, does the same type of
  bug exist in GIF or PNG libraries?
• Learn about security problems to prevent when
  youre programming.

28
CVE Common Vulnerabilities and Exposures

• Problem Different researchers and vendors call
  vulnerabilities by different names.
• Solution CVE, a dictionary that provides
• A common public name for each vulnerability.
• A common standardized description.
• Allows different tools / databases to
  interoperate.

29
CVE-2002-1185

• Name CVE-2002-1185
• Status Entry
• Description Internet Explorer 5.01 through 6.0
  does not properly check certain parameters of a
  PNG file when opening it, which allows remote
  attackers to cause a denial of service (crash) by
  triggering a heap-based buffer overflow using
  invalid length codes during decompression, aka
  "Malformed PNG Image File Failure."
• References
• VULNWATCH20021211 PNG Deflate Heap Corruption
  Vulnerability
• BUGTRAQ20021212 PNG Deflate Heap Corruption
  Vulnerability
• EEYEAD20021211
• MSMS02-066
• XFie-png-bo(10662)
• BID6216
• OVALovalorg.mitre.ovaldef393

30
NVD National Vulnerability DB

• Collects all publicly available government
  vulnerability resources.
• HTML and XML output at http//nvd.nist.gov/
• Uses CVE naming scheme.
• Links to industry and govt reports.
• Provides CVSS severity numbers.
• Links to OVAL repository.

31
Buffer Overflows

• A program accepts too much input and stores it
  in a fixed length buffer thats too small.
• char A8
• short B

A A A A A A A A B B
0 0 0 0 0 0 0 0 0 3
gets(A)
A A A A A A A A B B
o v e r f l o w s 0
32
The Stack

• Stack is LIFO.
• Every function call allocates a stack frame.
• Return address is address where function was
  called from and will return to.

Function Arguments
Return Address
Buffer 1 (Local Variable 1)
Buffer 2 (Local Variable 2)
Writes go up
33
Smashing the Stack

• Program accepts input into local variable 1.
• Attacker sends too much data for buffer,
  overwriting the return address.
• Attacker data contains machine code for shell.
• Return address overwritten with address of
  machine code.
• When function returns, attackers code is
  executed.

Function Arguments
Pointer to machine code.
Machine code exec(/bin/bash)
Buffer 2 (Local Variable 2)
Writes go up
34
NOP Slide

• Attacker includes NOPs in front of executable
  code in case address isnt precise.
• If pointer points at NOPs, execution will
  continue to machine code.
• IDS attempt to detect buffer overflows by looking
  for long strings of NOPs (x90).

Function Arguments
Pointer to machine code.
NOP NOP NOP Machine code exec(/bin/bash)
Buffer 2 (Local Variable 2)
Writes go up
35
Arc Injection (return-into-libc)

• Arc injection transfers control to code that
  already exists in memory.
• Adds a new arc into programs CFG.
• Change return address to existing function.
• libc has functions to start a shell.
• Allows exploit even if stack non-executable.
• Sophisticated arc injection attacks create
  multiple stack frames to run multiple functions
  that are in memory.

36
Integer Overflow

• An integer overflow is when integer operations
  produce a value that exceeds the computers
  maximum integer value, causing the value to wrap
  around to a negative value or zero.

37
32-bit Integer Quiz

1. What two non-zero integers x and y satisfy the
   equation x y 0?
2. What negative integer (-x) has no corresponding
   positive integer (x)?
3. List two integers x and y, such that x y lt 0.

38
Quiz Answers

• 65536 65536 0
• or 256 16777256 0
• or any x y 232
• 2. -2147483648
• 2147483647 1 -2147483648

39
Are Integer Overflows Important?

• Broward County November 2004 election
• Amendment 4 vote was reported as tied.
• Software from ESS Systems reported a large
  negative number of votes.
• Discovery revealed that Amendment 4 had passed by
  a margin of over 60,000 votes.

40
Fuzz Testing

• Black-box input based testing technique.
• Uses random data.
• Easily automated.
• If application crashes or hangs, it fails.
• Results of 1995 study9.
• 15-43 of utilities from commerical UNIX systems
  failed.
• 9 of Linux utilities failed.
• 6 of GNU utilities failed.
• 50 of X-Windows utilities failed.

41
Attack Trees

• Decompose threats into individual, testable
• conditions using attack trees.
• Attack Trees
• Hierarchical decomposition of a threat.
• Root of tree is adversarys goal in the attack.
• Each level below root decomposes the attack into
  finer approaches.
• Child nodes are ORed together by default.
• Special notes may indicate to AND them.

42
Attack TreesGraph Notation

• Goal Read file from password-protected PC.

43
Attack TreesText Notation

• Goal Read message sent from one PC to another.
• 1. Convince sender to reveal message.
• 1.1 Blackmail.
• 1.2 Bribe.
• 2. Read message when entered on senders PC.
• 1.1 Visually monitor PC screen.
• 1.2 Monitor EM radiation from screen.
• 3. Read message when stored on receivers PC.
• 1.1 Get physical access to hard drive.
• 1.2 Infect user with spyware.
• 4. Read message in transit.
• 1.1 Sniff network.
• 1.2 Usurp control of mail server.

44
Metasploit

• Modular exploit system
• Exploit collection over 100 exploits.
• Payloads machine code to run
• Command line and web interfaces.
• Payloads
• Bind shell opens shell backdoor on port.
• Reverse shell send shell back to attacker.
• Windows VNC remote desktop access.
• Create user add new administrative user.

45
Using Metasploit

• Select an exploit
• use exploit_name
• Enter the target
• set RHOST ip_address_of_target
• Select the payload
• set payload payload_name
• set LHOST ip_address_of_your_host
• Run
• exploit

46
Advantages of Metasploit

• Ease of use
• One interface to many exploits.
• Flexibility
• Can choose whatever payload you need.
• Faster development time
• Payloads already written.
• Reliability
• Framework and payloads are well tested.

47
Uses of Metasploit

• Vulnerability verification
• Scanners report possible vulnerabilities.
• Metasploit will give you remote access.
• IDS/IPS testing
• Test IDS/IPS with real exploit code.
• Penetration testing
• Easy to develop custom exploits for pen testing.
• Convincing management
• Remote access is more convincing than a report.

48
References

1. Matt Bishop, Introduction to Computer Security,
   Addison-Wesley, 2005.
2. Simson Garfinkel, Gene Spafford, and Alan
   Schartz, Practical UNIX and Internet Security,
   3rd edition, OReilly Associates, 2003.
3. Mark Graff and Kenneth van Wyk, Secure Coding
   Principles Practices, OReilly, 2003.
4. Greg Hoglund and Gary McGraw, Exploiting
   Software How to Break Code, Addison-Wesley,
   2004.
5. Michael Howard, David LeBlanc, and John Viega, 19
   Deadly Sins of Software Security, McGraw-Hill
   Osborne, 2005.
6. Michael Howard, David LeBlanc, Writing Secure
   Code, 2nd edition, Microsoft Press, 2003.
7. Michael Howard and Steve Lipner, The Security
   Development Lifecycle, Microsoft Press, 2006.
8. Gary McGraw, Software Security, Addison-Wesley,
   2006.
9. John Viega and Gary McGraw, Building Secure
   Software, Addison-Wesley, 2002.
10. David Wheeler, Secure Programming for UNIX and
    Linux HOWTO, http//www.dwheeler.com/secure-progra
    ms/Secure-Programs-HOWTO/index.html, 2003.