Wednesday, June 10, 2009

Covert Channel Possibilities!

The IT network and security community often thinks of covert channels in terms of what has already been detected; Loki and the other ICMP tunnelling variants are the usual examples. However, we should not forget that IP, TCP, UDP, and ICMP headers and payloads all contain fields that can be used to hide data in storage channels.

Header and application payload fields that could carry a covert storage channel include, to name a few: the IP Identification field (16 bits), the TCP Initial Sequence Number (32 bits), the DNS identification field (16 bits), the TCP timestamp option (2 x 32 bits), a portion (or all) of the source IP address, and a TCP or UDP source port (16 bits).

Some of these fields are deliberately (and highly) randomized during certain normal protocol transactions, so an encrypted value placed in them is statistically indistinguishable from the legitimate random values. Thus, if we combine storage of covert data with symmetric-key encryption and a plausibly crafted bogus payload, we get a channel that is highly effective and hard to detect.

When doing protocol and intrusion analysis, we should look carefully at packet timing and at the uni-directional versus bi-directional nature of protocol transactions. You never know when you might be witnessing a covert storage or timing channel at work, and you might never really recover its content.
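As an added example (not code from the original post), the following Python screens a set of packet records for the three indicators discussed above: flows that only ever go one way, an IP Identification field that does not behave like a counter for a host that should use one, and machine-regular packet timing. The sample records are constructed in-line, and the `(time, src, dst, ip_id)` tuple layout is an assumption rather than any capture tool's format.

```python
"""Heuristic screening of packet records for covert storage/timing channel
indicators. Added example, not from the original post; the tuple layout is assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (time_s, src, dst, ipv4_id). 10.0.0.5 -> 10.0.0.9 is
# strictly periodic, carries random-looking IDs and is never answered;
# 10.0.0.7 <-> 10.0.0.8 is ordinary request/response traffic with counter IDs.
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 0x3a7f), (2.0, "10.0.0.5", "10.0.0.9", 0xc412),
    (4.0, "10.0.0.5", "10.0.0.9", 0x18e9), (6.0, "10.0.0.5", "10.0.0.9", 0x9b06),
    (0.3, "10.0.0.7", "10.0.0.8", 0x1001), (0.4, "10.0.0.8", "10.0.0.7", 0x2200),
    (1.9, "10.0.0.7", "10.0.0.8", 0x1002), (2.0, "10.0.0.8", "10.0.0.7", 0x2201),
    (7.1, "10.0.0.7", "10.0.0.8", 0x1003), (7.3, "10.0.0.8", "10.0.0.7", 0x2202),
]

def ip_id_looks_random(ids, step=64):
    """True when consecutive IDs from one sender rarely fall within `step` of
    each other (mod 2^16). Judge against the host's baseline: some stacks
    randomise the field legitimately, so this is an indicator, not proof."""
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return bool(deltas) and sum(d <= step for d in deltas) / len(deltas) < 0.5

def inter_arrival_cv(times):
    """Coefficient of variation of the gaps; near 0 means machine-regular timing."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def screen(packets, min_packets=3):
    """Map (src, dst) -> indicators: one-way, non-sequential IP ID, fixed period."""
    by_dir = defaultdict(list)
    for t, src, dst, ip_id in sorted(packets):
        by_dir[(src, dst)].append((t, ip_id))
    findings = {}
    for (src, dst), pkts in by_dir.items():
        if len(pkts) < min_packets:
            continue
        flags = []
        if (dst, src) not in by_dir:
            flags.append("unidirectional")
        if ip_id_looks_random([i for _, i in pkts]):
            flags.append("non-sequential ip_id")
        cv = inter_arrival_cv([t for t, _ in pkts])
        if cv is not None and cv < 0.1:
            flags.append("periodic timing")
        if flags:
            findings[(src, dst)] = flags
    return findings
```

On the sample, only the 10.0.0.5 -> 10.0.0.9 flow is flagged, with all three indicators; the thresholds are starting points to tune against a baseline of the monitored hosts' normal traffic.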
