COVERT CHANNELS - ERIK TEWS <E.TEWS@UTWENTEL.NL>


SLIDE 1

COVERT CHANNELS

ERIK TEWS <E.TEWS@UTWENTEL.NL>

SLIDE 2

HOUSEKEEPING

▪ Lab on May 30th seems to be problematic for Delft
▪ Lab on May 31st seems to be problematic for Twente

14.05.2018

Systems Security – Covert Channels

SLIDE 3

Prepare to vote

Voting is anonymous

1. Go to shakeq.com
2. Log in with System

30.04.2018

SLIDE 4

For Delft: Will moving the lab from May 30th help you?

A. Yes, to May 31st
B. Yes, to June 1st
C. No

# Votes: 8
Closed

SLIDE 5

For Delft: Will moving the lab from May 30th help you?

A. Yes, to May 31st: 25.0%
B. Yes, to June 1st: 50.0%
C. No: 25.0%

Closed

SLIDE 6

For Twente: Will moving the lab from May 31st help you?

A. Yes, to May 30th
B. Yes, to June 1st
C. No

# Votes: 29
Closed

SLIDE 7

For Twente: Will moving the lab from May 31st help you?

A. Yes, to May 30th: 17.2%
B. Yes, to June 1st: 27.6%
C. No: 55.2%

Closed

SLIDE 8

COVERT CHANNEL

A channel not intended for information transfer at all

SLIDE 9

CHANNELS FOR INFORMATION TRANSFER

SLIDE 10

WHAT WAS PROBABLY NOT INTENDED

SLIDE 11

TYPES OF COVERT CHANNELS

▪ There is an existing channel you are aware of
▪ Variations in that channel allow you to embed additional information
▪ You are not even aware that this channel exists

SLIDE 12

COVERT CHANNELS VS. SIDE CHANNELS

Covert channels are "used" by a (malicious) device or program to transmit information in a way that makes them hard to detect.

A side channel is more or less the unintentional leakage of information from a device or program that can be observed by an adversary.

SLIDE 13

TYPICAL COVERT CHANNELS

▪ System state (load, global settings, shared resources)
▪ Network protocols
  ▪ Protocol features and freedom of choice
▪ Radio protocols
  ▪ Hidden transmissions in existing radio protocols
  ▪ Previously unknown transmission features
▪ Light
▪ Sound

SLIDE 14

EXAMPLE SYSTEM LOAD

▪ Two Docker containers running on a local system
▪ Both are isolated from each other
▪ Container 1 spawns a lot of processes
▪ Container 2 sees a high system load
▪ Can be used to communicate secrets across different security domains

SLIDE 15

NETWORK PROTOCOLS

▪ Many covert channels in the TCP/IP protocol family
▪ IP
  ▪ Header bits like "don't fragment"
▪ TCP
  ▪ Window size and scaling, fragmentation behaviour
▪ HTTP
  ▪ Order of headers for HTTP request

SLIDE 16

HTTP EXAMPLE

    GET / HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: de,en-US;q=0.7,en;q=0.3
    Cache-Control: max-age=0
    Connection: keep-alive
    Host: www.spiegel.de
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0

    GET / HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: de,en-US;q=0.7,en;q=0.3
    Connection: keep-alive
    Cache-Control: max-age=0
    Host: www.spiegel.de
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0

SLIDE 17

DETECTION

▪ Usually hard (that's almost the definition of a covert channel)
▪ When a reference transmission is available, a direct comparison is sometimes possible
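The direct comparison against a reference transmission, applied to the header order from the HTTP example. This is an added example, not part of the original slides; the function names are made up for illustration and the two requests are shortened, constructed copies of the ones on slide 16.

```python
# Constructed input: the two requests from the HTTP EXAMPLE slide, shortened
# to four headers. REFERENCE stands for the unmodified client.
REFERENCE = (
    "GET / HTTP/1.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cache-Control: max-age=0\r\n"
    "Connection: keep-alive\r\n"
    "Host: www.spiegel.de\r\n\r\n"
)
OBSERVED = (
    "GET / HTTP/1.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "Cache-Control: max-age=0\r\n"
    "Host: www.spiegel.de\r\n\r\n"
)


def parse_headers(raw):
    """Return the headers of one raw request as ordered (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def compare_to_reference(reference, observed):
    """Classify how an observed request deviates from the reference."""
    ref, obs = parse_headers(reference), parse_headers(observed)
    if ref == obs:
        return ("identical", [])
    if sorted(ref) != sorted(obs):
        # Headers or values differ: an ordinary content difference
        return ("content-differs", [])
    # Same headers, same values, different order: the order is the only
    # thing that changed, which is the freedom of choice the slide shows.
    moved = [o[0] for r, o in zip(ref, obs) if r != o]
    return ("order-only", moved)


def flag_capture(reference, requests):
    """Indices of captured requests that differ from the reference by order only."""
    return [i for i, raw in enumerate(requests)
            if compare_to_reference(reference, raw)[0] == "order-only"]
```

An "order-only" verdict is a reason to look closer, not proof: it only says the client made a choice the reference client never makes.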

SLIDE 18

THE TIMING DOMAIN

▪ Leave everything as it is, just vary the timing
▪ Works very well for most packet switching based protocols
▪ Often difficult for circuit switching protocols
▪ Can be applied to TDMA based radio protocols as well (more about this later on)
▪ Timing in the internet is affected by routers forwarding the traffic
▪ Effectively the transmission is a noisy channel and all methods known from information theory can be applied to compensate for the noise
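Because router jitter makes every timing measurement noisy, a timing comparison against a reference has to be statistical. The added example below (not part of the original slides) compares the gaps between requests in two captures with a two-sample Kolmogorov-Smirnov test; the gap values are constructed and assume a client that polls every 5 seconds, and the function names are made up for illustration.

```python
import bisect
import math

# Constructed data: seconds between consecutive requests in two captures.
# Both assume a client that polls every 5 seconds, plus network jitter.
REFERENCE_GAPS = [5.02, 4.98, 5.01, 5.03, 4.99, 5.00, 5.04, 4.97,
                  5.02, 5.01, 5.00, 4.99, 5.03, 4.98, 5.01, 5.02]
# In this capture some gaps are stretched by about 0.3 s
OBSERVED_GAPS = [5.31, 5.01, 5.28, 4.99, 5.33, 5.02, 5.30, 4.98,
                 5.00, 5.29, 5.03, 5.32, 5.01, 5.30, 4.99, 5.31]


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: the largest distance
    between the empirical distribution functions of a and b."""
    a, b = sorted(a), sorted(b)
    d = 0.0
    for x in a + b:
        fa = bisect.bisect_right(a, x) / len(a)
        fb = bisect.bisect_right(b, x) / len(b)
        d = max(d, abs(fa - fb))
    return d


def ks_threshold(n, m, alpha=0.05):
    """Large-sample critical value for the two-sample KS test."""
    return math.sqrt(-math.log(alpha / 2) / 2) * math.sqrt((n + m) / (n * m))


def timing_deviates(reference, observed, alpha=0.05):
    """Return (D, threshold, flagged) for observed gaps vs. the reference."""
    d = ks_statistic(reference, observed)
    limit = ks_threshold(len(reference), len(observed), alpha)
    return d, limit, d > limit
```

The threshold shrinks with the number of gaps, so a modulation that is small compared with the jitter only becomes visible in a longer capture.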

SLIDE 19

THE PHYSICAL LAYER

A PARADISE FOR COVERT CHANNELS

▪ Pretty much everything here can be applied to radio protocols as well
▪ A cookbook for covert channels:
  ▪ Use the physical layer protocol of your choice
  ▪ Usually you find some error correction method in there as well as a checksum
  ▪ Exchange the checksum with something else of your choice
  ▪ Normal receivers will drop your packets since the checksum is invalid

SLIDE 20

WIFI AND OTHER RADIO PROTOCOLS

▪ WiFi
▪ Various kinds of digital modulation
▪ Decoding and some protocol layers usually processed by the baseband
▪ Again a paradise for covert channels

SLIDE 21

DIGITAL MODULATION

4QAM

SLIDE 22

4QAM WITH NOISE

SLIDE 23

4QAM WITH NOISE

SLIDE 24

4QAM WITH NOISE

SLIDE 25

16QAM

Source: https://commons.wikimedia.org/wiki/Category:Quantized_QAM

SLIDE 26

PROBLEM: YOU STILL SEE A TRANSMISSION

▪ Make your transmission indistinguishable from noise
▪ CDMA modulation
▪ Very low transmission power

SLIDE 27

HOW TO PREVENT SUCH COVERT CHANNELS

▪ Remove all radio transmitters from your system

SLIDE 28

Which devices in your computer can be used for radio transmissions?

Bluetooth, microphone, WiFi adapter, speakers, Netcard, soundcard, GPU

# Messages: 0

SLIDE 29

ALTERNATIVE RADIO TRANSMISSIONS

SLIDE 30

LIGHT

▪ You can do similar things with light
▪ Very often, you do not find well controllable light transmitters in a PC
▪ But for low data rates, they are sufficient

SLIDE 31

SOUND

▪ Again, sound is a paradise for covert channels
▪ There are many ways to create sound
▪ And there are many ways to receive sound
▪ Most methods from radio protocols apply to sound as well
▪ We assume we can hear sound, but that is not true

SLIDE 32

HEARING

▪ Our perception of sound depends on the frequency and the intensity of the sound as well as other sounds we are hearing at the "same moment"
▪ Everything with a higher frequency than we can hear is called "ultrasonic"
▪ Ultrasonic sound is a very nice covert channel

SLIDE 33

HOW TO CREATE SOUND

▪ Speakers
  ▪ Frequency range is limited by:
    ▪ The sample rate of the connected audio device
    ▪ The frequency response curve of the speaker
▪ Capacitors
  ▪ (Bad) capacitors connected to high frequency power tend to produce sound
  ▪ The same sometimes for coils

SLIDE 34

HOW TO RECEIVE SOUND

▪ Microphone
  ▪ Again, limited by the response curve and the connected audio hardware
▪ Possibly the accelerometer

SLIDE 35

RECEIVING SOUND WITH A DIGITAL CAMERA

SLIDE 36

OTHER THINGS THAT ARE SENSITIVE TO SOUND

SLIDE 37

A SOUND COVERT CHANNEL FOR SMARTPHONES

▪ Play audible sounds in your application but vary them
  ▪ Seems to work well
▪ Play very silent sound in the audible range
  ▪ Seems to be hard on Android
▪ Play sound in the ultrasonic range
  ▪ Also seems to work well, but take device characteristics into account

SLIDE 38

RECOMMENDED READING

"Inaudible Sound as a Covert Channel in Mobile Devices" by Luke Deshotels, North Carolina State University

SLIDE 39

SPECDROID

SLIDE 40

A FEW NOTES ABOUT MOBILE DEVICE SECURITY

▪ Android and iOS both require no special permissions to play sound
▪ There is no visual feedback when non-audible sound is playing
▪ Access to the microphone usually requires special permissions
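Since nothing on screen shows that non-audible sound is playing, one way to notice it is to measure how much of a recording's energy lies above the audible range. This is an added example, not part of the original slides; the 48 kHz sample rate, the 18 to 22 kHz band, the alert threshold and all names are assumptions, and the two recordings are constructed sine tones.

```python
import math

SAMPLE_RATE = 48000        # Hz; frequencies up to 24 kHz can be represented
BAND = (18000, 22000)      # assumed "inaudible" band to watch, in Hz
THRESHOLD = 1e-4           # assumed alert level; tune against real recordings


def goertzel_power(samples, k):
    """Power in DFT bin k of `samples` (Goertzel algorithm)."""
    n = len(samples)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def ultrasonic_fraction(samples, rate=SAMPLE_RATE, band=BAND):
    """Fraction of the recording's energy that lies inside `band`."""
    n = len(samples)
    total = sum(x * x for x in samples) / n          # mean-square energy
    if total == 0:
        return 0.0
    lo, hi = (round(f * n / rate) for f in band)     # band edges as DFT bins
    # Factor 2: a real signal has the same power at the negative frequencies
    in_band = 2 * sum(goertzel_power(samples, k) for k in range(lo, hi + 1))
    return in_band / total


def is_suspicious(samples):
    """True when more than THRESHOLD of the energy is in the watched band."""
    return ultrasonic_fraction(samples) > THRESHOLD


def tone(freq, amplitude, n=960, rate=SAMPLE_RATE):
    """Constructed test signal: a sine wave of n samples."""
    return [amplitude * math.sin(2 * math.pi * freq * i / rate)
            for i in range(n)]


# Constructed recordings: a 1 kHz tone alone, and the same tone with a
# 20 kHz tone at one twentieth of its amplitude mixed in
audible = tone(1000, 1.0)
with_tone = [a + b for a, b in zip(audible, tone(20000, 0.05))]
```

A microphone or audio interface that samples at 44.1 kHz or below cannot represent the upper part of this band at all, so the band has to be chosen to fit the recording hardware.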

SLIDE 41

YOUR ASSIGNMENT

▪ You get an Android app
▪ The app allows you to take notes and displays cute cat pictures from a server
▪ You are supposed to introduce a covert channel that exfiltrates the notes
▪ In the next step, you have to detect it

SLIDE 42

ASSIGNMENT 1

▪ Take the app
▪ Replace the 00 in the app name (the launcher icon) with your team number
▪ Implement a covert channel that exfiltrates the notes taken (it will be a 4-digit PIN number) via network
▪ Submit the app (apk and source code) as well as the modified server and a short explanation in Canvas till May 27th

SLIDE 43

ASSIGNMENT 2

▪ I will run your submissions as well as the original app and record the network traffic
▪ The captures are then published on Canvas
▪ You have to decide which captures contain covert channels and which ones are from the original app
▪ Submit till June 12th

SLIDE 44

ASSIGNMENT 3 (BONUS)

▪ Modify the app so that it will exfiltrate the note via non-audible sound
▪ Submit the app till June 12th
▪ I will then install the app on my phone in flight mode, enter a PIN number, and you have to receive it with your laptop computer or phone
▪ Demos can be done after the Systems Security lab sessions

SLIDE 45

THE APP

▪ Written for Android in Kotlin (similar to Java)
▪ A simple GUI and a preferences dialog
▪ Background thread updates the images from the server every 5 seconds
▪ Simple HTTP GET towards http://server:5000/randomcat is used

SLIDE 46

MAIN NETWORK ACTIVITY

    // Needs java.net.URL, java.net.HttpURLConnection,
    // android.graphics.BitmapFactory and android.util.Log
    try {
        // Get the URL of our randomcat server
        val url = URL(getUrl())
        // Open an HTTP connection to that URL
        val urlConnection = url.openConnection() as HttpURLConnection
        try {
            // Try to decode a bitmap from the server response
            val bitmap = BitmapFactory.decodeStream(urlConnection.inputStream)
            // Update the activity with the new images.
            activity!!.runOnUiThread(UpdateImageRequest(bitmap, activity!!))
        } catch (e: Exception) {
            Log.e("Network", "HTTP request failed for URL: " + url + " or download problem", e)
        } finally {
            urlConnection.disconnect()
        }
    } catch (e: Exception) {
        // Malformed URL, or the connection could not be opened
        Log.e("Network", "Could not open connection", e)
    }

SLIDE 47

THE SERVER

▪ Written in Python using Flask
▪ Comes with an images directory with many cute cat pictures
▪ Can be started with "docker-compose up" on Docker systems

SLIDE 48

THE SERVER

SLIDE 49

SLIDE 50

LIVE DEMO