Covert Channels In Computer Networks

Bedredin Celina
INSA TC
Oct 21, 2020 · 7 min read

Written by Bedredin Celina and Clément.

In computer networking, covert channels hide a communication or bypass prevention mechanisms, so that equipment listening on the network cannot detect that two devices are communicating at all.

A very good example in real life is communication by blinking. Blinking is not a standard way of communication. However, captured US naval aviator Jeremiah Denton blinked out the “torture” secret message in Morse code while taking part in a propaganda video¹.

Covert channels are very useful for hiding communications, and this can pose serious threats to computer networks: data leaks can be hidden using these channels², firewalls bypassed, and so on.

These hidden channels can carry the real communication while harmless-looking decoy data is sent over the normal channel to appear normal. A simple scenario is a trojan acting as a backdoor: the program keeps up its innocent-looking transmissions and hides the malicious ones in a covert channel.

Different ways of designing a covert channel

There are many ways to operate a covert channel. They can be storage-based, where we use fields or parts of a message that were never intended to carry a message; they can be timing-based, where we use time itself; and beyond these there are more advanced behavioral covert channels that combine both, or span multiple protocols and systems, to achieve the covert communication.

Storage-based covert channels

This involves hiding data in some unexpected portion of the message. In computer networking, the message is encapsulated at each layer of the OSI model: pieces of control information (forming the headers) are added successively, and the cooperation of several protocols ensures that the data reaches the right destination intact. Two normal processes exchanging data over a network would do so using a transport layer protocol such as UDP or TCP.

Headers are important because they hold the information required to establish and maintain the communication. However, some fields are optional, and others matter for sequencing a flow but have no bearing on whether the packets reach the right recipient. Network architecture has been designed so that the information exchanged sits in the payload; authentication, integrity and security are more or less achieved through the headers.

So header fields are not intended to contain the message; they exist to make the protocol work. Nobody expects hidden messages in these sections!

Actually, there are no standards or rules for designing a covert channel. It involves choosing among a multitude of protocols, and all layers of the OSI model are concerned (ICMP packets at the network layer, custom TCP or UDP headers at the transport layer, HTTP cookies at the application layer, and so on).

To better visualize the power of covert channels, let’s take some examples. Using the HTTP protocol, we could hide information inside cookies or the User-Agent, or add custom header fields. The TCP header is also a mine of fields that can store information: destination port, source port, TCP flags, etc.

We could simply use ICMP echo requests and replies: a computer pings a host, but the payload carries the exchanged information. This is an effective covert channel because nobody expects ICMP packets to transport data.

According to [3], DNS tunneling is also a straightforward strategy for exfiltrating data. DNS is the protocol used to translate hostnames to IP addresses, and it can be used as a covert channel to send messages: the hacker requests the resolution of the hostname “secretMessage.malware.com”, and the authoritative DNS server for “malware.com” receives the message “secretMessage”. DNS covert channels are powerful covert communication channels that have been used before (as an example, one attack³ resulted in the theft of 56M credit cards from Home Depot in 2014)⁸. DNS tunneling is hard to detect because there is a lot of DNS traffic, and malicious resolutions are not obvious to spot, so detecting them requires anomaly detection models.
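The detection side of the DNS case above, as an added example (not code from the article, from reference [3], or from their authors): a heuristic that scores each zone by how much the names queried beneath it look like encoded data rather than hostnames. The resolver log lines are constructed for the example, and the choice of "last two labels" as the zone, the thresholds, and the zone name `tunnel.invalid` are all assumptions.

```python
"""Heuristic DNS tunnelling detector over constructed resolver log lines.
A zone is flagged when the leftmost labels queried beneath it are numerous,
distinct, long and high-entropy, which is what one data-carrying label per
query looks like."""
import math
from collections import defaultdict

# Constructed resolver log, "<time> <client> <qtype> <qname>" (not a real log).
# example.org shows ordinary hostnames; tunnel.invalid shows the pattern from
# the text: a different data-carrying label in every query under one zone.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.org
10:00:02 10.0.0.5 A cdn.example.org
10:00:03 10.0.0.7 A mail.example.org
10:00:04 10.0.0.9 A www.example.org
10:00:05 10.0.0.12 TXT 7a3f9c1e2b8d4f60a1c5e9b2d7f3a8c4.tunnel.invalid
10:00:05 10.0.0.12 TXT 9e1b4d7f2a6c3e8b5d0f1a9c4e7b2d6f.tunnel.invalid
10:00:06 10.0.0.12 TXT 4c8e2a6f1b9d3c7e0a5f8b2d6e1c9a3f.tunnel.invalid
10:00:06 10.0.0.12 TXT b2d6f1a9c4e7b2d6f4c8e2a6f1b9d3c7.tunnel.invalid
10:00:07 10.0.0.12 TXT e7b2d6f4c8e2a6f1b9d3c70a5f8b2d6e.tunnel.invalid
"""


def shannon_entropy(s):
    """Bits per character: 0 for a constant string, up to 4 for random hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (data label, zone).
    Assumption: the zone is the last two labels; a production tool would
    consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def zone_stats(log_text):
    """Per-zone statistics over the labels queried beneath that zone."""
    per_zone = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        sub, zone = split_name(fields[3])
        per_zone[zone].append(sub)
    stats = {}
    for zone, subs in per_zone.items():
        stats[zone] = {
            "queries": len(subs),
            "distinct_ratio": len(set(subs)) / len(subs),
            "mean_length": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
    return stats


def flag_tunnel_zones(log_text, min_queries=5, min_length=20,
                      min_entropy=3.0, min_distinct=0.8):
    """Zones whose queried labels look like encoded data (thresholds are
    assumptions; tune them against your own benign traffic)."""
    flagged = []
    for zone, s in zone_stats(log_text).items():
        if (s["queries"] >= min_queries and s["mean_length"] >= min_length
                and s["mean_entropy"] >= min_entropy
                and s["distinct_ratio"] >= min_distinct):
            flagged.append(zone)
    return flagged


if __name__ == "__main__":
    for zone, s in zone_stats(SAMPLE_LOG).items():
        print(zone, s)
    print("flagged:", flag_tunnel_zones(SAMPLE_LOG))
```

The minimum query count matters: a single long, random-looking name (CDN hostnames, DKIM selectors, some anti-spam lookups) is normal, so the heuristic only fires when a zone accumulates many such names, which is exactly the volume a tunnel needs to move data.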

Timing-based covert channels

Time is a parameter too: it was used in Morse code, so why not use it in packet-based networks to create a covert channel?! The packets themselves are not modified; instead, information is hidden by manipulating the delays between two segments. For example, we could build a timing-based channel that transmits bits according to the interval between two packets (i.e. a 1000ms delay for a 0 and a 500ms delay for a 1).

As we have seen, there are really no guidelines for creating a covert channel, and very few implementations are public. Information can be hidden at every level of the OSI model: in IP headers (the TTL, for example), by playing with source ports, TCP sequence numbers or TCP flags, or at the application level by manipulating HTTP headers (data hidden in cookies, for example).

Behavior covert channels

The problem with covert channels is that there is no exhaustive list: as long as we have the imagination to pass information over uncommon channels, we can create new ones. By mixing storage-based and timing-based techniques, complex behavior covert channels can be conceived.

Let’s create and intercept a simple TTL covert channel

To really see a covert channel in action, we created a backdoor program. This backdoor listens for commands sent by the hacker over the covert channel, executes them and replies with the response in plaintext.

The covert channel is in the IP header: it uses the TTL field. One TTL value corresponds to one character, so the bandwidth is one character per packet. Below you can see a demo of this covert channel, in which we recover the name of the backdoored machine by executing “cat /proc/sys/kernel/hostname” on the victim’s machine from the attacker’s machine.

TTL covert channel in the IP header. One character is sent per packet in the TTL field. The attacker manages to transmit commands hidden in the covert channel and execute them on the victim’s machine.

So the attacker is sending the commands via the TTL, and you can see how each character of the command corresponds, in decimal, to the values sent:

Now if we listen to the network with Wireshark we can see the following:

Capturing the TTL covert channel with Wireshark. Notice the variation of the value of TTL for each packet. The TTL corresponds to the value of each transmitted character of the malicious covert command.

And when we look inside the UDP streams we never see the content of the covert channel, only the fake innocent messages and, as if by magic, the response to our command transmitted from the victim to the attacker:

Left: Innocent messages contained in the UDP stream (attacker-> victim)
Right: The response of the executed command in the UDP stream (victim -> attacker)

But in the end it should not be forgotten that the TTL serves a purpose: every router decrements it. So any covert channel that is routed (and whose TTL value therefore changes) must compensate for this, or packets may loop or be discarded. Furthermore, this covert channel can be spotted if the TTL value distribution differs too much from the standard TTL distribution⁶.
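What the Wireshark observation above looks like as detection logic, as an added example (not code from the article or its authors): packets are grouped into flows, and a flow whose TTL wanders by more than a hop or two is flagged, since a given sender on a given path normally presents one initial TTL minus a fixed number of hops. The packet records are constructed for the example; the addresses, ports and the one-hop tolerance are assumptions.

```python
"""Per-flow TTL consistency check over constructed packet summaries.
Normal flows keep a (nearly) constant TTL; a TTL that changes on every
packet is the signature of the channel demonstrated in the article."""
from collections import defaultdict

# Constructed packet summaries (src, dst, proto, sport, dport, ttl), the kind
# of columns an analyst would export from a capture. Not a real trace.
PACKETS = [
    # Benign DNS lookups from one workstation: TTL stays at 64 for the flow.
    ("10.0.0.5", "10.0.0.53", "UDP", 51234, 53, 64),
    ("10.0.0.5", "10.0.0.53", "UDP", 51234, 53, 64),
    ("10.0.0.5", "10.0.0.53", "UDP", 51234, 53, 64),
    # Benign HTTPS session; one packet took a path one hop longer (a route
    # change), which is ordinary and must not be flagged.
    ("10.0.0.5", "198.51.100.80", "TCP", 40211, 443, 63),
    ("10.0.0.5", "198.51.100.80", "TCP", 40211, 443, 63),
    ("10.0.0.5", "198.51.100.80", "TCP", 40211, 443, 62),
    ("10.0.0.5", "198.51.100.80", "TCP", 40211, 443, 63),
    # The covert flow: the TTL changes on every packet and carries ASCII codes.
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 104),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 111),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 115),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 116),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 110),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 97),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 109),
    ("192.0.2.10", "198.51.100.20", "UDP", 40000, 4444, 101),
]


def group_by_flow(packets):
    """Map each 5-tuple flow to the list of TTLs seen on it, in order."""
    flows = defaultdict(list)
    for src, dst, proto, sport, dport, ttl in packets:
        flows[(src, dst, proto, sport, dport)].append(ttl)
    return flows


def analyze_ttls(ttls, tolerance=1):
    """Report how much the TTL moved within one flow. `tolerance` is the
    number of hops of drift accepted as normal (assumption: 1)."""
    span = max(ttls) - min(ttls)
    distinct = len(set(ttls))
    # Triage hint for the analyst: if every TTL is a printable ASCII code,
    # show the text it would spell, as in the article's demo.
    ascii_hint = None
    if all(32 <= t < 127 for t in ttls):
        ascii_hint = "".join(chr(t) for t in ttls)
    return {"span": span, "distinct": distinct,
            "suspicious": span > tolerance, "ascii_hint": ascii_hint}


def find_ttl_channels(packets, tolerance=1):
    """Flows whose TTL drift exceeds the tolerance, with their analysis."""
    flagged = {}
    for flow, ttls in group_by_flow(packets).items():
        result = analyze_ttls(ttls, tolerance)
        if result["suspicious"]:
            flagged[flow] = result
    return flagged


if __name__ == "__main__":
    for flow, result in find_ttl_channels(PACKETS).items():
        print(flow, result)
```

The span check is deliberately per flow rather than global: TTLs of 62 and 64 are both normal across a network, but not within one connection. The distribution check the article cites⁶ is the complementary, coarser test: observed TTLs from real hosts cluster a few hops below the common initial values (64, 128, 255), and a flow sitting far from all of them deserves the same scrutiny.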

Finally, in our demo we do not encrypt our covert channel, so if the channel is detected, everything can be read. Following Kerckhoffs’s principle, there is no “security through obscurity”. If the channel were encrypted, it would be much harder to be sure that it really is a covert channel, and even if it were found, the information would stay secret!

Conclusion : Detecting Covert Channels

If we have a large network, it is complicated to look at everything and pick out the one communication that is covert. Imagine trying to identify two people communicating by blinking in a concert hall! In real life we face the same situation when we want to detect covert channels in a large network (thousands of computers).

A covert channel’s aim is to bypass firewalls or intrusion detection systems; that is why they are crafted with great care, so that attackers can establish an invisible communication. Network intrusion detection systems are limited in the sense that they can only detect covert channels that are already known.

For simple covert channels hidden in IP, TCP or UDP headers, we can check whether a field varies more than it should. For time-based covert channels, we can look for two repeating periods; this is practical for a binary timing covert channel.
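The “two repeating periods” check above, applied to the binary timing channel described earlier (1000ms for a 0, 500ms for a 1), as an added example that is not code from the article or its authors. It clusters inter-packet gaps into two periods with a one-dimensional two-means step, measures how much of the traffic those two periods explain, and, for forensics on a flagged flow, maps the gaps back to bits. Both gap series are constructed for the example, and the 10% jitter tolerance, the 90% explained threshold and the 1.5× separation ratio are assumptions.

```python
"""Detector for a binary timing covert channel over constructed
inter-arrival samples: benign bursty traffic versus a two-period channel."""

# Constructed inter-packet gaps in seconds (not a real capture).
# Benign traffic: gaps spread out with no preferred periods.
BENIGN_GAPS = [0.12, 0.31, 0.05, 0.44, 0.27, 0.09, 0.63, 0.18, 0.02, 0.35,
               0.21, 0.08, 0.51, 0.14, 0.29, 0.07, 0.40, 0.23, 0.16, 0.33]
# Timing channel as in the article: ~1000 ms encodes 0, ~500 ms encodes 1,
# with a little jitter. These 16 gaps encode the ASCII bytes 0x68 0x69.
COVERT_GAPS = [1.01, 0.49, 0.52, 0.98, 0.51, 1.03, 0.99, 1.02,
               0.97, 0.50, 0.48, 1.01, 0.52, 1.00, 0.99, 0.51]


def two_means(values, iterations=50):
    """1-D Lloyd's algorithm with two clusters; returns (low, high) centers."""
    lo, hi = min(values), max(values)
    for _ in range(iterations):
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        new_lo = sum(low) / len(low) if low else lo
        new_hi = sum(high) / len(high) if high else hi
        if (new_lo, new_hi) == (lo, hi):
            break  # converged
        lo, hi = new_lo, new_hi
    return lo, hi


def timing_channel_score(gaps, tolerance=0.10):
    """How well two periods explain the gaps: the fraction of gaps within
    +/-tolerance of either period, and the ratio between the periods."""
    lo, hi = two_means(gaps)
    near = sum(1 for g in gaps
               if abs(g - lo) <= tolerance * lo or abs(g - hi) <= tolerance * hi)
    ratio = hi / lo if lo > 0 else float("inf")
    return {"low": lo, "high": hi, "explained": near / len(gaps), "ratio": ratio}


def looks_like_timing_channel(gaps, min_explained=0.9, min_ratio=1.5, min_samples=8):
    """Flag when almost every gap sits on one of two clearly distinct periods.
    A constant-period heartbeat has ratio ~1 and is not flagged."""
    if len(gaps) < min_samples:
        return False
    s = timing_channel_score(gaps)
    return s["explained"] >= min_explained and s["ratio"] >= min_ratio


def decode_binary_timing(gaps):
    """Forensic helper for a flagged flow: long gap -> '0', short gap -> '1'
    (the article's scheme), then pack complete groups of 8 bits into bytes."""
    lo, hi = two_means(gaps)
    bits = "".join("1" if abs(g - lo) <= abs(g - hi) else "0" for g in gaps)
    chars = [chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8)]
    return bits, "".join(chars)


if __name__ == "__main__":
    for name, gaps in (("benign", BENIGN_GAPS), ("covert", COVERT_GAPS)):
        print(name, timing_channel_score(gaps), looks_like_timing_channel(gaps))
    print(decode_binary_timing(COVERT_GAPS))
```

Real captures add noise the constructed series lacks: retransmissions, keep-alives and application pauses all land outside the two periods, so in practice the score is computed per flow over a sliding window and the explained-fraction threshold is set from the benign traffic of the network being monitored.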

For more complex methods, recent research tends to concentrate on machine learning algorithms, where trained models try to detect anomalies relative to normal traffic. According to [5], “The k-NN model demonstrated the highest precision rate at 98% detection of a given covert channel and with a low false positive rate of 1%”. However, such training has limitations: first, the notion of normal traffic is not easy to define, nor is it easy to obtain enough varied benign traffic data; second, these systems remain dependent on human intervention; finally, covert channels can be simple or complicated, so it is very difficult to block every possible custom covert channel.

In a nutshell: we can communicate with much more than the words in standard payloads. This does happen, and it is not easy to detect or block!

[1] Andersen, P. (2018, July 09). Blinking Eyes Send a Morse Code Message. Retrieved from https://thewonderofscience.com/phenomenon/2018/7/9/blinking-eyes-send-a-morse-code-message

[2] Blasco, J. (2015, May 15). Real world examples of malware using DNS for exfiltration and C&C channels. Retrieved from https://www.youtube.com/watch?v=UVYnVELzJk4&ab_channel=Kaspersky

[3] Nadler, A. (2017, September 21). Introduction to DNS data exfiltration. Retrieved from https://blogs.akamai.com/2017/09/introduction-to-dns-data-exfiltration.html

[4] Brown, E., Yuan, B., Johnson, D., & Lutz, P. (2010, January). Covert channels in the HTTP network protocol: Channel characterization and detecting man-in-the-middle attacks. Retrieved from https://www.researchgate.net/publication/228450721_Covert_channels_in_the_HTTP_network_protocol_Channel_characterization_and_detecting_man-in-the-middle_attacks

[5] Chourib, M. (2019, July). Detecting Selected Network Covert Channels Using Machine Learning. Retrieved from https://hal.archives-ouvertes.fr/hal-02460864/document

[6] Zseby, T., Vázquez, F. I., Bernhardt, V., Frkat, D., & Annessi, R. (2016, February 11). A Network Steganography Lab on Detecting TCP/IP Covert Channels. Retrieved from https://ieeexplore.ieee.org/document/7405338

[7] Wireshark. Retrieved from https://www.wireshark.org/

[8] Johnston, C. (2014, September 19). Home Depot: 56 million credit cards compromised. Retrieved from https://www.theguardian.com/business/2014/sep/19/home-depot-56m-credit-card-numbers-compromised
