Covert Channels in Cybersecurity

Written on December 19, 2019

My thoughts on the covert communications field, my opinion on the CSEC-750 course offered by RIT, and the outcomes of that class project.

UPDATE - Tuesday, Mar 10, 2020
I will present the paper and tool in:
 - Security B-Sides 2020, Rochester, New York. 
 - TECH TALK LIVE 2020, Lancaster, Pennsylvania. 

Before I start, I will mention my background in this field. Three months ago, I had no clue what does a covert channel mean. I thought it’s just a channel that is used for communication and is secure and not noisy. I thought it’s just a way of communication but with a fancy naming. But thankfully, that course changed my perspective. At the beginning of the course, we were required to read at least 13 different papers that implement different kinds of covert channels. I will list the papers below:

  • Covert Channels in the TCP/IP Protocol Suite By Craig H. Rowland.
  • USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB
  • Covert and Side Channels due to Processor Architecture
  • Covert Channels in Multiplayer First PersonShooter Online Games
  • Syntax and Semantics-PreservingApplication-Layer Protocol Steganography
  • 20 Years of Covert Channel Modeling and Analysis
  • A Note on the Confinement Problem
  • A Practical Approach to Identifying Storage and Timing Channels:Twenty Years Later
  • Covert Channels in the HTTP Network Protocol: Channel Characterizationand Detecting Man-in-the-Middle Attacks
  • Webpage Source Based Covert Channel
  • SSDP Covert Channel
  • The Perfect Dead Drop; The Use of Cyberspace for Covert Communications

Every paper gave me many very different ideas and perspectives about the subject. The course is designed in a way where students get introduced to all kinds of implementations. Implementations for channels using sections in protocols like ICMP, IPv4, IPv6, HTTP, Wireless protocols, and RFID. Other implementations make use of features like the cache on processors, keyboard keystrokes sounds, room lights, and other unexpected uses, and all these designs have amazed me.

Interesting Outcomes

It’s hard to summarize all the class dissections and papers I mentioned above, but I will mention the main point I liked about the class. What I found interesting about this new field is that every author offers an introduction to Covert Channels, and they define “Covert Channel” in different ways. Each author has it’s own definition. I noticed that even in the classroom, since “Covert Channels” don’t have a fixed definition, extended dissections result in the class, and the main reason almost every time is that we have different meanings for a Covert Channel. I think that is understandable due to the fact that it’s an unknown and vague field comparing it with other fields like cryptography, I think it has a good promising future, especially in this age where everyone “loves” Cybersecurity.

Covert Channel Using ISN TCP

In the second week, after reading almost five new papers, each student was challenged to reimplement a covert channel based on an old paper. Thus, I found this paper that talks about information stealing through a covert channel via abusing HTTP POST method. (reference) It was a strat forward idea that uses the Initial sequence numbers (ISN) in the Transmission Control Protocol (TCP) packets, particularly the SYN packets. I was only required to sniff for POST requests, get the body, convert it, append it to a list, then send each element in a sequence. To see the code: CC Using ISN TCP

Hidden in Plain Sight

Lastly, we divided into groups, and we were again challenged to implement a brand new idea and write about it, and if we are lucky, present it in a good conference. My group’s idea is creating covert communication channels using Twitter’s API. We struggled to come up with a new idea, and we changed it much time. We thought that an idea with a generic approach like this would be a good start since we don’t want to be restricted by other factors during the implementations. It’s just different covert communication channels that use Twitter’s API. These channels can be used in many use cases. Use cases we thought of, like using it in C2 implementations and targeted malware attacks to exfiltrate specific data. We wrote a paper that discusses our implementation, and this is the link if you are interested in reading it: Hidden in Plain Sight, Presentation slides. We have requested to present in Shmoocon and Security B-Sides Rochester to talk about the project, so let’s hope they like the talk :)

Conclusion

I didn’t expect that changing small details in some unutilized headers in IPv6 can lead to a severe breach that is hard to detect. I didn’t see the importance of this field and have always been saying, “Install a rootkit, and they will never find anything.”, which is totally wrong. Even a customized rootkit with new and unknown behavior, there would be some weak points where it can be detected, unlike covert channels where some incidents say they existed for years without being disclosed.

This class was very diversified and exciting. If you are an RIT student, I recommend taking this class. A lot of reading and a little bit of writing but it worths it. It will change at least some perspectives in your mind about the subject if you didn’t know that much about covert channels.