Protocol Channels

Covert channel techniques are used by attackers to transfer data in a way prohibited by the security policy. There are two main categories of covert channels: timing channels and storage channels. This paper introduces a new storage channel technique…

Authors: Steffen Wendzel (Kempten University of Applied Science)

Steffen Wendzel∗
Kempten University of Applied Science
2009-07-26

∗ swendzel (at) ploetner-it (dot) de, www.wendzel.de

Abstract

Covert channel techniques are used by attackers to transfer data in a way prohibited by the security policy. There are two main categories of covert channels: timing channels and storage channels. This paper introduces a new storage channel technique called a protocol channel. A protocol channel switches one of at least two protocols to send a bit combination to a destination. The main goal of a protocol channel is that packets containing covert information look equal to all other packets within a network, which makes a protocol channel hard to detect.

Keywords: protocol channel, covert channel, data hiding

Protocol Channels

For attackers, it is usual to transfer different kinds of hidden information through hacked or public networks. The solution for this task can be to use a network covert channel technique, as they have been well known for years. There are currently two different types of covert channels, so-called storage channels (which include hidden information in attributes of transferred network packets) and timing channels (which make use of the timings of sent packets to transfer hidden information) [OWENS02].

A new storage channel technique called a “protocol channel” includes hidden information only in the header part of protocols that specify an embedded protocol (e.g. the field “Ether Type” in Ethernet, the “Protocol” value in PPP, the “Next Header” value in IPv6 or the source/destination port of TCP and UDP). For instance, if a protocol channel would use the two protocols ICMP and ARP, while ICMP means that a 0 bit was transferred and ARP means that a 1 bit was transferred, then the packet combination sent to transfer the bit combination “0011” would be ICMP, ICMP, ARP, ARP. A protocol channel must not contain any other information that identifies the channel.

It is also important that a protocol channel only uses usual protocols of the given network. An algorithm to identify such usual protocols for adaptive covert channels (protocol hopping covert channels) was introduced by [YADALI08]. The higher the number of available protocols for a protocol channel, the higher the amount of information that can be transferred within one packet, since more states are available. Given the above example, two different states are available, which represents 1 bit per packet. If the attacker could use four different protocols, a packet would represent two bits.

Short bit combinations do not allow high covert channel transfer rates but are enough to transfer sniffed passwords or other tiny information. Especially if the attacker uses some compressing algorithm (like converting 7 bit ASCII input to a 6 bit representation of the most important printable characters), the need for a high transfer rate decreases. The proof of concept code “pct” uses a minimalized 5 bit ASCII encoding and a 6th bit as a parity bit.

Problems

Since a protocol channel only contains one or two (usually not more) bits of hidden information per packet, it is not possible to include reliability information (like an ACK flag or a sequence number). If a normal packet that does not belong to the protocol channel would be accepted by the receiver of a protocol channel, the whole channel would become desynchronized. It is not possible to identify packets which do (not) belong to the protocol channel if they use one of the protocols exploited by the protocol channel.

Another problem is the defragmentation as well as the loss of packets. If a packet is getting fragmented, the receiver receives it two times, which means that the bit combination would be used twice and the receiver-side bit combination would be destroyed. The channel would end up desynchronized in this case too. The receiver could check for packets that include the “More Fragments” flag of IPv4 as a solution for this problem. Lost packets create a hole in the bit combination, which results in the same desynchronization problem.

Conclusion

Protocol channels provide attackers a new way to send hidden information through networks. Even if a detection by network security monitoring systems is possible – e.g. because of unusual protocols used by the attacker – a regeneration of the hidden data is as good as impossible since it would need information about the transferred data type, the way the sent protocol combinations are interpreted (e.g. big-endian or little-endian) and a recording of all sent packets to enable a regeneration of a channel's input.

References

[OWENS02] M. Owens: A Discussion of Covert Channels and Steganography, SANS Institute, 2002.

[YADALI08] F. Yarochkin, S.-Y. Dai, C.-H. Lin, Y. Huang, S.-Y. Kuo: Towards Adaptive Covert Communication System, Dep. of Electrical Engineering, National Taiwan University, 2008.
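The desynchronization described under "Problems", as an added simulation that is not code from the paper or from the author's "pct" tool. It works only on lists of protocol labels and uses the ICMP = 0 / ARP = 1 mapping from the paper's example; the 32-symbol alphabet, the even parity sense and all function names are assumptions.

```python
import string

# From the paper's example: an ICMP packet means a 0 bit, an ARP packet a 1 bit.
BIT_TO_PROTO = {"0": "ICMP", "1": "ARP"}
PROTO_TO_BIT = {proto: bit for bit, proto in BIT_TO_PROTO.items()}
# Constructed 32-symbol alphabet (assumption; the real "pct" table is not on the page).
ALPHABET = string.ascii_lowercase + " .,-_!"

def bits_to_protocols(bits):
    """Map a bit string to the protocol sequence that carries it."""
    return [BIT_TO_PROTO[b] for b in bits]

def encode(text):
    """5 data bits plus 1 even-parity bit (parity sense assumed) per character."""
    protos = []
    for ch in text:
        data = format(ALPHABET.index(ch), "05b")
        protos += bits_to_protocols(data + str(data.count("1") % 2))
    return protos

def decode(observed):
    """Return (text, parity_errors) for a list of observed protocol labels."""
    # Protocols outside the channel can be skipped; ICMP/ARP from other hosts cannot.
    bits = "".join(PROTO_TO_BIT[p] for p in observed if p in PROTO_TO_BIT)
    text, errors = "", 0
    for i in range(0, len(bits) - 5, 6):      # only complete 6-bit symbols
        symbol = bits[i:i + 6]
        if symbol.count("1") % 2:             # odd number of ones: parity failed
            text, errors = text + "?", errors + 1
        else:
            text += ALPHABET[int(symbol[:5], 2)]
    return text, errors

def with_stray(protos, index, proto):
    """Model an unrelated packet seen by the receiver at position index."""
    return protos[:index] + [proto] + protos[index:]

def with_loss(protos, index):
    """Model one lost packet."""
    return protos[:index] + protos[index + 1:]

if __name__ == "__main__":
    sent = encode("pass")                     # constructed sample message
    for label, seen in [("clean", sent),
                        ("stray TCP", with_stray(sent, 3, "TCP")),
                        ("stray ICMP", with_stray(sent, 3, "ICMP")),
                        ("one packet lost", with_loss(sent, 3))]:
        print(f"{label:16} -> {decode(seen)}")
```

With this sample the stray ICMP packet yields wrong text without a single parity error, while the lost packet trips parity on two symbols; in both cases every symbol after the disturbance is misaligned and the receiver has no way to resynchronize.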
