Covert Data Channels

1
Covert Data Channels

• When Insiders Attack

2
Overview

• Introduction
• Covert Storage Channels
• Covert Timing Channels
• Channel Operation
• Channel Detection
• Discussion

Ping
Ping
Ping
Ping
3
Introduction

• Altering otherwise normal network traffic to
  secretly transmit information

4
Covert Storage Channels

• Data is written to and read from sections of
  network packets not intended for data
  transmission.
• Altering packet payload data is usually
  considered subliminal instead of covert.
• Use space in protocol headers

5
(No Transcript)
6
Covert Timing Channels

• Alter the timing of otherwise legitimate network
  traffic to transmit data
• Two types of timing channels Active and Passive
• IP Covert Timing Channels
• Time-Replay Timing Channels
• JitterBug

7
(No Transcript)
8
Channel Operation

• Efficacy
• Contention noise
• Jitter
• Speed
• US Constitution
• 7620 words, 45703 characters, 14298 zip
• 1 Mbps line, 85 packets per second

Channel Type Data Type Minutes
Timing Text 72
Timing Zip 22
Storage Text 9
Storage Zip 3
9
Channel Detection

• Similarity
• Compressibility
• Entropy

10
(No Transcript)
11
(No Transcript)
12
Discussion

• How could IP spoofing be used with covert
  channels?
• What protocols might be useable even on an
  extremely locked down network?

13
References

• 1 Gianvecchio, S. and Wang, H. 2007. Detecting
  covert timing channels an entropy-based
  approach. In Proceedings of the 14th ACM
  Conference on Computer and Communications
  Security (Alexandria, Virginia, USA, October 28 -
  31, 2007). CCS '07. ACM, New York, NY, pp.
  307-316.
• 2 Cabuk, S., Brodley, C., and Shields, C. 2009.
  IP Covert Channel Detection. ACM Transactions on
  Information System Security, Volume 12, Issue 4
  (Apr. 2009), pp. 1-29.
• 3 Thyer, J. 2008. Covert Data Storage Channel
  Using IP Packet Headers. Global Information
  Assurance Certification, Gold Certification, SANS
  Institute, pp. 1-53.

14
(No Transcript)