Covert Channels Demystified

Recently, as a result of the release of the Spectre and Meltdown vulnerabilities/attacks as well as the new X.509-based data exfiltration and bot control method, the term ‘Covert Channel’ has been brought up a lot. While covert channels and their applications in malicious activity and software are not new by any means — with one of the earliest references being a 1993 DOD publication — it has come to my attention that many people, both in the general populace and in the information technology industry, are generally unsure as to what covert channels actually are and how malicious entities use them to exfiltrate data or control botnet clients. While the rudimentary explanations provided in the wake of the Spectre and Meltdown attacks gave a general understanding of the concept of covert channels as just that — covert means of transferring data — I believe a deeper understanding (and a better explanation) is necessary for the public to truly grasp the consequences and difficulties associated with these types of attacks. Furthermore, although in [my] perfect world a technical explanation would suffice, I understand that most people either don’t understand or don’t care about technical topics. As such — much like in my Spectre and Meltdown article — I will be explaining Covert Channel attacks as a concept as well as a few major examples of them through easy-to-understand analogies!

Preface

Firstly, let me preface my explanations by pointing out that throughout this article I will be giving both a technical definition/explanation and an easy-to-understand analogy, so don’t lose hope if you start reading through the technical part and don’t understand something!

What Are Covert Channels?

A covert channel is defined as:

A type of computer attack that allows the communication of information by transferring objects through existing information channels or networks using the structure of existing medium to convey the data in small parts. This makes conveyance through a covert channel virtually undetectable by administrators or users. — Techopedia

Now for the analogy:

Bob and Alice are sitting in math class. Their teacher, Mrs. Admin, is handing out a test which both of them are very nervous about. While both Bob and Alice tried to study for the test, they find math to be extremely difficult and so they resorted to finding a way to cheat on the exam. Obviously, Bob and Alice can’t just openly share answers — Mrs. Admin would catch them! Instead, Bob and Alice devise a plan in which different hand, foot, and pencil positions indicate different numbers and letters. Now, with their system in place, Bob and Alice are able to easily share answers and collaborate on the exam. When Mrs. Admin grades the exam, she gives both Bob and Alice a 100 and has no idea that they actually cheated!

As you can see, Bob and Alice’s covert communications, which to the untrained eye seemed like nothing more than fidgetiness, allowed them to transfer key information that led to their acing the exam!

Covert Channel Attack Examples

Now that we have a general understanding of what Covert Channels are, let’s go through a number of real-world examples and use cases of malicious covert channel attacks.

Spectre and Meltdown

The first, and probably [currently] most recognizable, covert channel attacks that we’ll go over are the Spectre and Meltdown attacks. While I already went over Spectre and Meltdown in a separate article, I only touched on the usage of Covert Channels in these attacks. Here, I’ll explain in more depth.

Here’s the technical explanation:

Both Spectre and Meltdown use a system’s page cache as their covert means of exfiltrating data. The page cache is a system that allows a processor to efficiently retrieve memory. Instead of having to re-map the system and search for data each time it wants to use it, once a processor ‘touches’ a piece of data, that data is put into the cache and can be quickly and easily retrieved for future use. Furthermore, since cached data is readable and considered un-privileged, malware utilizing the Spectre and Meltdown attacks is able to read privileged information ‘accidentally’ (as a result of exploitation) with ease.

OK, that was a lot to take in. Since I already explained these attacks in my Spectre and Meltdown article, I’ll focus on providing explanations and analogies to the key pieces of information required to understand how data is exfiltrated by utilizing the system cache as a covert channel.

First, page caching

As explained above:

The page cache is a system that allows a processor to efficiently retrieve memory. Instead of having to re-map the system each time a piece of data needs to be retrieved, the processor will store information in the cache so that it can be quickly accessed.

Now, for the analogy:

Bob works in a warehouse. Every day, Bob needs to go around and locate certain items for processing and shipment. Whenever a new item is stored in the warehouse Bob has to search around for it until he finally finds it. Once Bob finds each object, he writes down exactly where the object is so that next time he needs to get it he doesn’t have to search the entire warehouse.

In this analogy, Bob’s reference sheet can be seen as the cache — information is put on it for easier future object access.

Next, let’s go over privileged memory/instructions

A technical explanation of privileged memory and instructions is:

Privileged memory and instructions are memory locations and operations that work with the kernel. These operations/memory locations should never be accessed by user-land applications (applications the user can interact with directly).

For this analogy, we’ll continue with Bob and the warehouse:

Normally, Bob is only allowed to access and handle objects on the main floor of the warehouse, as the objects stored in the basement are for special, more secretive, clients and require a special certification to access. While Bob knows what objects are sent down there, he has no access to the basement and no knowledge of where in the basement these special objects are stored.

Now for the Spectre and Meltdown attacks

Seeing as this article is based on Covert Channels and not the details of the Spectre and Meltdown attacks, I won’t go too deep into their explanation. If you want to learn more about these attacks please read my other article.

The Spectre and Meltdown attacks work by tricking your computer into caching privileged memory through miscalculated speculative execution, a lack of privilege checking in out-of-order execution, and the power of the page cache. Once privileged memory is accessed, the processor caches the information and is able to retrieve it from the cache, regardless of whether it’s privileged information or not.

In continuation with Bob’s Warehouse analogy:

One day, Bob noticed a couple of new employees, Sammy Spectre and Matthew Meltdown, started working in the warehouse’s organization department (the department that classifies and stores all the objects the warehouse takes in). On their first day, Sammy and Matthew begin to classify a bunch of objects that are supposed to be secret as general purpose and they end up getting put on the main floor. Although Bob knows what item classifications are and are not supposed to be put on the main floor, it’s not his job to stock the warehouse — he just writes down their location and processes orders. Now that these secret objects are on the main floor, Sammy and Matthew can sell them to buyers at the higher price of secrecy without the burden of processing through the basement. Once orders are put in for these secret objects, Bob looks at his reference sheet, goes to where they’re located, and sends them off.

Summary

Now that we’ve gone through the Spectre and Meltdown attacks, we can easily see how Bob has become a Covert Channel. Once the Spectre and Meltdown exploits touch privileged memory, its contents are put into the cache, where Bob can quickly grab them, process them, and send them out to the malicious buyer.

Social Media as Covert Channels

Often, malicious entities will use social media and other public websites as covert channels. Through these sites bot commands and information can easily and secretly be communicated. Some major websites used as covert channels include Reddit, Twitter, and Facebook.

Let’s take a look at how a social media account could be used as a covert channel. While this example won’t be as technical as the previous Spectre and Meltdown explanation or the following Covert Channels through DNS explanation, web-based covert channels are widely used and understanding them is extremely important for the continued development of anti-malware techniques.

Matthew Malicious is a malware writer who has written a malicious program that he intends to use to perform Distributed Denial of Service attacks (large attacks in which a malicious entity floods a network with requests by using thousands of infected machines). Although Matthew understands that he needs a way to control these bots, he doesn’t want there to be anything linking a client back to a specific command and control server. Instead, Matthew makes a Twitter account that he uses to post bot instructions. These instructions, which can look like normal tweets or gibberish, are read by the bots and commands are translated out of them. Every so often, Matthew posts a command tweet that tells the bots to follow a different Twitter account. Now, Matthew can control his bots without anyone figuring out exactly who’s behind the attack.

In this example, Matthew’s use of Twitter as a covert channel allows him to control his bots without the use of a centralized command and control server. Many pieces of malware might also use social media accounts or other websites to exfiltrate data from machines. While these types of attacks can be caught with some searching, to the untrained eye or weak firewall, the network traffic that malware using these types of covert channels generates will look like normal, everyday social media usage.

Covert Channel through DNS

Now that we’ve gone through system- and web-based covert channels, let’s turn our attention to network-based covert channel attacks. Network-based covert channel attacks come in many forms — from the old ICMP Covert Channel Attack to the more recent X.509 Certificate Covert Channel — however, utilizing DNS as a Covert Channel has been a widely used and popular attack among malware creators.

What is DNS?

Here’s the technical explanation:

The Domain Name System (DNS) helps users to find their way around the Internet. Every computer on the Internet has a unique address — just like a telephone number — which is a rather complicated string of numbers. It is called its “IP address” (IP stands for “Internet Protocol”). IP Addresses are hard to remember. The DNS makes using the Internet easier by allowing a familiar string of letters (the “domain name”) to be used instead of the arcane IP address. So instead of typing 207.151.159.3, you can type www.internic.net. It is a “mnemonic” device that makes addresses easier to remember. — ICANN

Now for the analogy:

Bob needs a plumber. Unfortunately, Bob lives before the internet so he can’t just ‘google’ a plumber, he has to search for a phone number. Bob opens up a phone book and searches through to find the phone number for a plumber. He then puts the phone number into his rolodex along with the plumber’s name and information so that he doesn’t have to search again. Bob realizes that although the phone number is linked directly to the plumber, without the plumber’s name and information, he would never know which card was the right one!

DNS is the same as Bob’s rolodex: while Amazon’s IP address is linked directly to their website, if we didn’t have the domain name (amazon.com) we would never remember how to get there!

How can DNS be used as a Covert Channel?

A technical explanation:

A DNS record stores information relating to the website/server it’s being hosted on. While under normal conditions DNS records will only serve up website information, records can be configured to serve arbitrary text. Furthermore, while network administrators will normally block certain internet services or connections, DNS queries and responses are almost never blocked as DNS queries are necessary for resolving domain names. A malicious DNS record could be set up on a server that a piece of malware can query and the information returned can be processed and used to control the malicious client without the use of a centralized command and control server.

Now for the analogy:

Matthew Malicious wants Bob to use his plumbing service rather than Peter Plumber’s plumbing service. To trick Bob into using his service, Matthew Malicious posts his number in the phone book with an advertisement that looks almost identical to Peter Plumber’s. Bob, in his rush to get the toilet fixed, sees the malicious advertisement and puts Matthew’s information in his rolodex rather than Peter’s. Now, Matthew is Bob’s go-to plumber rather than Peter.
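
A defender's view of the DNS technique explained above, as an added example that is not part of the original article: it scans resolver logs for hosts that repeatedly fetch a record whose arbitrary text keeps changing and looks encoded. The log format, thresholds, addresses and domains are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (format assumed: client, query type, name, answer).
# Addresses and domains are reserved documentation values, not real indicators.
SAMPLE_LOG = """\
192.0.2.10 A www.example.com 198.51.100.7
192.0.2.10 TXT example.com v=spf1 include:_spf.example.com ~all
192.0.2.10 TXT example.com v=spf1 include:_spf.example.com ~all
192.0.2.23 TXT cfg.example.net k9Zt2QmX7vLp4RsB8wYc1NdH
192.0.2.23 TXT cfg.example.net Jf3uW6aTq0ZxE5hMnC7yKb2P
192.0.2.23 TXT cfg.example.net r8VgD1oYs4LeU9iXw3BzA6mT
192.0.2.31 TXT status.example.org serial 1001
192.0.2.31 TXT status.example.org serial 1002
192.0.2.31 TXT status.example.org serial 1003
192.0.2.44 TXT verify.example.org Jf3uW6aTq0ZxE5hMnC7yKb2P
"""

# Well-known legitimate TXT payload prefixes (SPF, DKIM, DMARC).
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")

def shannon_entropy(text):
    """Bits per character; encoded or encrypted payloads score high."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def find_txt_polling(log, min_polls=3, min_entropy=4.0):
    """Return (client, name, polls, mean_entropy) for suspicious TXT polling."""
    answers = defaultdict(list)
    for line in log.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[1].upper() != "TXT":
            continue  # malformed line or not a TXT lookup
        client, _, name, answer = parts
        if answer.startswith(KNOWN_PREFIXES):
            continue  # recognisable mail-authentication record
        answers[(client, name.lower().rstrip("."))].append(answer)

    findings = []
    for (client, name), seen in sorted(answers.items()):
        mean_h = sum(shannon_entropy(a) for a in seen) / len(seen)
        # Repeated lookups whose text keeps changing and looks encoded.
        if len(seen) >= min_polls and len(set(seen)) > 1 and mean_h >= min_entropy:
            findings.append((client, name, len(seen), round(mean_h, 2)))
    return findings

if __name__ == "__main__":
    for finding in find_txt_polling(SAMPLE_LOG):
        print("suspicious TXT polling:", finding)
```

Only the host polling cfg.example.net is reported: the SPF lookups match a known format, the changing "serial" record is too low in entropy, and the single verification-token lookup is not repeated.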

Conclusion

Covert channels are attacks that can utilize well-known, fully functional technologies to send or receive information covertly. These attacks, which span every niche of information technology (Systems, Networks, Websites, etc.), are easy to exploit, difficult to detect, and can have massive impacts on their victims. It is extremely important that the general populace (as well as those within IT) understand these forms of attacks in order to increase vigilance and push the boundary of our ability in terms of defense and mitigation.

I hope that this article gave you a better understanding of Covert Channel attacks, their consequences, and the difficulties associated with them.