Dienstag, 13. Dezember 2011

Summary of my recent Covert Channel Research

As posted a few weeks ago, I continued my research in the area of network covert channels. This posting aims on providing a short summary on the work I've done in the area within the last years.

Covert Channels are hidden communication channels and a part of the Information Hiding research. Lampson defined them as "not intended for information transfer at all" in 1973 in his paper "a note on the confinement problem". I skip the details and the context of multi-level security (MLS), especially the Bell-LaPadula model. However, covert channels can now be used to bypass censorship and thus can support the free expression of opinions but they can also be used by botnets (a good introduction is provided by Zander et al. in this journal article).

My early Work

In 2006, I developed a tool called "vstt" (very strange tunneling tool) capable of using multiple network protocols to transfer data to a destination system and able to accept input via socket or (named) Pipe on Unix-like operating systems. One of the very first steps, after playing around with some Linux/BSD SOCK_RAW codes and by experimenting with the available "tunneling" software from the hacking community, was to develop the idea of protocol hopping (i.e. a protocol switching covert channel). The first program capable to do such a protocol switching was "LOKI2" by daemon9 (phrack magazine, 1997). LOKI2 is based on a manual "/swapt" command that let the user switch between ICMP and UDP. In 2007 (exactly ten years later) I implemented the first "protocol hopping covert channel" in the tool "phcct" (cf. my Hakin9 article about it (in German), or my english Hakin9 article on another covert channel type ("protocol channels", see next section) that contains a small discussion of protocol hopping covert channels, or try Google Scholar). Phcct did not demand on a user's input anymore and switched the protocol automatically as well as on a transparent way.

However, the idea of protocol switching resulted in another, similar idea: the "protocol channel". A protocol channel is a covert channel based on the idea to transfer information not by adding a special content or time information to a network packet but by using a specified network protocol. Thus, the hidden information was represented by the network protocol itself. You can read more about that in my paper on protocol channels. A proof of concept code called "pct" (protocol channel tool) can be found here.

Covert Channels with Internal Control-Protocols

However, let us come back to the protocol hopping covert channels. These covert channels are protocol switching covert channels, as explained in a paper called "low-attention forwarding for mobile network covert channels" [pdf] I wrote together with my Ph.D. advisor. The paper initially put the old basis for the protocol hopping into the scientific context.

The idea is to build a hidden covert channel overlay network and let the peers/proxies of the overlay network communicate using different protocol hopping covert channels. The overlay network's goal is to minimize the raised attention by using protocols and areas within protocol headers that are unlikely to raise attention on a given link. This optimization depends on the context (each network is different) and can be optimized to minimize the overhead or to minimize the amount of transferred data. Also the forwarding between two hops/proxies within the covert overlay network can be optimized by producing as few data packets as possible for forwarding a hidden message and by caching the hidden information for a time t. In that paper we additionally proposed an upgradable covert channel overlay network based on version and capability information exchange using the covert channel's micro protocol.

The exchange of protocol information, state information and other kinds of management information between hidden covert channel peers is done by a covert channel-internal communication protocol, a so-called "micro protocol" as I already invented it in 2008 while I wrote my diploma thesis at the University of Applied Sciences in Kempten on my very early-stage thoughts about both, protocol hopping covert channels and protocol channels. A current summary on my work on micro protocols can be found (in German) in the proceedings of Doktorandenkolleg Ruhr (page 35). However, the previously mentioned paper on low-attention forwarding extends the knowledge of these micro protocols from my old diploma thesis by important ideas (such as combining multiple areas of the TCP/IP network stack and giving different network protocols different "weights"/linking them to different sets regarding to their detectability) and you can find all the details there.

At CMS 2013, we presented an approach to develop low-attention raising micro protocols by providing an systematic engineering approach for covert channel-internal control protocols based on formal grammar.

Additionally, one of my paper of mine covers the problem of traffic normalization (done with the previously mentioned micro protocols) that leads to a two-army-problem within the covert channel overlay network. This problem does not only apply for the kind of overlay network we proposed, but for other approaches (e.g. 'adaptable covert channels' by Yarochkin et al.), too. The work will appear under the title The Problem of Traffic Normalization Within a Covert Channel's Network Environment Learning Phase at the SICHERHEIT'12 conference.

Limitation, Detection, and Prevention of Covert Channels

In 2011, I also finished my Master's thesis (University of Applied Sciences in Augsburg) on the analysis of known means that were developed to limit, prevent or detect network covert channels as well as local covert channels. It is not possible to summarize all the results in this posting but I work on a new german book that will be published in Q3-2012 that includes *all* details of my Master's thesis too. However, some examples and a general introduction (in German) is available as a video of my Datenspuren 2011 talk.

In May 2012, we presented work on the limitation of the previously mentioned protocol switching covert channels that is available via open access (pdf): Steffen Wendzel, Jörg Keller: Design and Implementation of an Active Warden Addressing Protocol Switching Covert Channels, In Proc. 7th International Conference on Internet Monitoring and Protection (ICIMP 2012), Wagner, A. and Dini, P. (Eds.), pp. 1-6, IARIA, Stuttgart, 2012. The limitation system is based on the idea to delay protocol switches based on an Linux netfilter feature. Our paper received a best paper award at the ICIMP 12 conference. There is also an extended journal article of the paper available that discusses the topic in more detail (also available via open access): Preventing Protocol Switching Covert Channels.

In joint work, we could also show that it is feasible to detect protocol channels using a static formula as well as machine learning.

Covert Channels and Side Channels in Building Automation Systems

Last, but not least, we worked on the investigation of covert channels and side channels in building automation systems (BAS) and especially on covert channels in BACnet. An inter-operable BAS middleware was developed to limit covert storage and side storage channels in building automation systems by applying multi-level security (MLS). A paper addressing these hidden channels as well as the protection means was presented under the title Covert and Side Channels in Buildings and the Prototype of a Building-aware Active Warden at the first IEEE International Workshop on Security and Forensics in Communication Systems (SFCS 2012), Ottawa. A second paper on BACnet (see link above) was presented at the 3SL workshop.

Dynamic Routing in Covert Channel Overlay Networks

In joint work, we (especially P. Backs) developed a dynamic routing approach for covert channels in overlay networks for which I contributed the concept of "status updates", i.e., a means to minimize the size of micro protocol headers.

I have currently much more research in the queue and will publish information as soon as it passed the scientific peer-review processes.


2012-02-11: Added a few words about the BAS middleware paper (SFCS'12) and the traffic normalization paper (SICHERHEIT'12).

2012-06-18: Added new paper of the ICIMP 2012 conference.

2012-07-08: Added Protocol Channel Detection paper and link to BAS side/covert channel posting.

2012-01-15: Added our latest papers 3 related papers.

Keine Kommentare:

Kommentar veröffentlichen