
Covert Data Channels: When Insiders Attack
Overview
• Introduction
• Covert Storage Channels
• Covert Timing Channels
• Channel Operation
• Channel Detection
• Discussion
Introduction
• A covert channel alters otherwise normal network traffic to secretly transmit information, so the transfer hides inside traffic the network already expects to see
Covert Storage Channels
• Data is written to and read from fields of network packets that were never intended to carry data
• Altering the packet payload itself is usually classed as a subliminal channel rather than a covert one
• A covert storage channel instead uses spare or loosely checked space in protocol headers, as in the IP header channel of [3]
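The header-field channel above, as an added example that is not part of the slides or of [3]: the sender packs two message bytes per packet into the 16-bit IPv4 Identification field and the receiver reads them back after checking the header checksum. The two-byte length prefix, the zero padding and the addresses are framing choices made here, not a standard, and a real packet would also carry a transport header and payload.

```python
import ipaddress
import struct
from typing import List

# Added example: a covert storage channel in the IPv4 Identification field.
# Framing (2-byte length prefix, zero padding) is an assumption made for this demo.


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header. A header whose
    checksum field is already correct sums to zero, which the receiver uses."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, proto: int = 17,
                      payload_len: int = 0, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the Identification field set to `ident`."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,            # version 4, IHL 5 (no options)
        0,                       # DSCP/ECN
        20 + payload_len,        # total length
        ident & 0xFFFF,          # identification: the covert field
        0,                       # flags / fragment offset
        ttl, proto,
        0,                       # checksum placeholder, filled in below
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encode_in_ip_id(message: bytes, src: str, dst: str) -> List[bytes]:
    """Sender: two message bytes ride in the IP ID of each packet. The first
    packet's ID carries the message length so the receiver knows where to stop."""
    framed = struct.pack("!H", len(message)) + message
    if len(framed) % 2:
        framed += b"\x00"        # pad odd-length messages to a whole field
    return [build_ipv4_header(src, dst, struct.unpack("!H", framed[i:i + 2])[0])
            for i in range(0, len(framed), 2)]


def decode_from_ip_id(packets: List[bytes]) -> bytes:
    """Receiver: verify each header, pull the ID field back out, strip framing."""
    buf = bytearray()
    for hdr in packets:
        if len(hdr) < 20 or ipv4_checksum(hdr[:20]) != 0:
            raise ValueError("corrupt IPv4 header")
        buf += hdr[4:6]          # Identification field, network byte order
    n = struct.unpack("!H", buf[:2])[0]
    if len(buf) - 2 < n:
        raise ValueError("truncated covert message")
    return bytes(buf[2:2 + n])


if __name__ == "__main__":
    pkts = encode_in_ip_id(b"insider data", "10.0.0.5", "203.0.113.9")
    print(len(pkts), "packets; ID fields:", [p[4:6].hex() for p in pkts])
    print(decode_from_ip_id(pkts))
```

Two bytes per packet is the whole budget of this field, which is why the slides' throughput discussion matters: the channel is only as fast as the cover traffic. Note also that ASCII in the ID field is far from the incrementing or random IDs a normal stack emits, so the scheme is easy to spot by anyone who looks at that field.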
Covert Timing Channels
• Alter the timing of otherwise legitimate-looking network traffic to transmit data; the packets themselves carry nothing unusual, only their inter-arrival times do
• Two types of timing channels: active, where the channel's sender generates its own packets and picks when each one goes out, and passive, where the sender only delays packets another application is already sending
• Examples: IP Covert Timing Channels and Time-Replay Timing Channels [2], both active, and JitterBug, a passive channel
Channel Operation
• Efficacy is set by three things: contention noise (other traffic from the same host or link that the receiver cannot tell apart from channel packets), jitter (the network shifting packet timing on the way), and speed (bits carried per packet or per interval)
• Example payload: the US Constitution, 7620 words, 45703 characters, 14298 bytes zipped
• Assumed link: 1 Mbps line carrying 85 packets per second
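The active on/off timing channel and the operating factors above, as an added example that is not part of the slides or of [2]: one bit per interval, a packet in the interval means 1 and silence means 0, with a constructed network model so the effect of jitter and contention noise can be measured offline. The 50 ms interval, the 20 ms delay, the start-marker framing and the noise model are assumptions made here; the transfer-time estimate applies the slides' figures under the assumption of one bit per packet.

```python
import random
from typing import List

# Added example: an on/off IP covert timing channel plus a constructed channel model.
INTERVAL = 0.050   # seconds per bit (assumed)


def bits_from_bytes(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def encode_timing(message: bytes, interval: float = INTERVAL) -> List[float]:
    """Sender: one interval per bit. A packet in the middle of the interval means 1,
    silence means 0. A leading 1 bit is the start marker the receiver syncs on.
    Returns the send times in seconds since the channel started."""
    bits = [1] + bits_from_bytes(message)
    return [(i + 0.5) * interval for i, b in enumerate(bits) if b]


def decode_timing(arrivals: List[float], n_bits: int,
                  interval: float = INTERVAL) -> List[int]:
    """Receiver: treat the first packet as the marker, then map every later packet
    to the nearest interval. Constant delay cancels out; jitter below half an
    interval is tolerated, anything larger lands bits in the wrong slot."""
    bits = [0] * n_bits
    if not arrivals:
        return bits
    t0 = arrivals[0]
    for t in arrivals[1:]:
        idx = round((t - t0) / interval) - 1
        if 0 <= idx < n_bits:
            bits[idx] = 1
    return bits


def apply_network(send_times: List[float], delay: float = 0.020,
                  jitter_sd: float = 0.0, noise_pps: float = 0.0,
                  seed: int = 1) -> List[float]:
    """Constructed network model: constant delay, Gaussian jitter, and contention
    noise as extra packets at `noise_pps` per second that the receiver cannot
    distinguish from the channel's own packets (so they turn 0 intervals into 1s)."""
    rng = random.Random(seed)
    arrivals = [t + delay + rng.gauss(0.0, jitter_sd) for t in send_times]
    if noise_pps > 0 and len(send_times) > 1:
        lo, hi = send_times[0] + delay, send_times[-1] + delay
        arrivals += [rng.uniform(lo, hi) for _ in range(int(noise_pps * (hi - lo)))]
    return sorted(arrivals)


def bit_error_rate(message: bytes, jitter_sd: float = 0.0,
                   noise_pps: float = 0.0, interval: float = INTERVAL) -> float:
    """Fraction of message bits decoded wrongly under the given channel conditions."""
    sent = bits_from_bytes(message)
    arrivals = apply_network(encode_timing(message, interval),
                             jitter_sd=jitter_sd, noise_pps=noise_pps)
    got = decode_timing(arrivals, len(sent), interval)
    return sum(a != b for a, b in zip(sent, got)) / len(sent)


def transfer_seconds(payload_bytes: int, packets_per_second: float,
                     bits_per_packet: float = 1.0) -> float:
    """Time to push a payload through a channel carrying `bits_per_packet` per
    packet when the cover traffic offers `packets_per_second` packets."""
    return payload_bytes * 8 / (packets_per_second * bits_per_packet)


if __name__ == "__main__":
    msg = b"covert channel"
    for sd in (0.0, INTERVAL / 20, INTERVAL):
        print(f"jitter sd={sd * 1000:5.1f} ms  BER={bit_error_rate(msg, jitter_sd=sd):.2f}")
    print(f"contention noise 40 pps  BER={bit_error_rate(msg, noise_pps=40):.2f}")
    print(f"US Constitution zipped (14298 bytes) at 1 bit/packet, 85 pps: "
          f"{transfer_seconds(14298, 85) / 60:.1f} min")
```

With the slides' numbers, 14298 bytes is 114384 bits, which at one bit per packet and 85 packets per second takes about 1346 seconds, a little over 22 minutes. Jitter well under half the interval leaves the message intact, jitter of a full interval destroys it, and contention noise is worse than jitter for this design because any stray packet reads as a 1; a wider interval buys tolerance at the direct cost of speed.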
Channel Detection
• Similarity and compressibility scores: a timing channel keeps reusing a few inter-arrival values, so its timing sequence is more regular and compresses better than normal traffic [2]
• Entropy: bin the inter-arrival times and measure their entropy; a channel's regular timing shows markedly lower entropy than legitimate traffic [1]
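Two of the detection scores above, as an added example that is not part of the slides or of [1] and [2]: the compressibility score of Cabuk et al. and the binned entropy test of Gianvecchio and Wang, run over constructed inter-arrival samples. The traffic generators, the 85 packets per second rate, the 16 bins, the rounding precision and the classification thresholds are assumptions made here; the similarity score from [2] is not reproduced.

```python
import bisect
import math
import random
import zlib
from collections import Counter
from typing import List

# Added example: compressibility and entropy tests over constructed inter-arrival times.


def legit_iats(n: int, rate: float = 85.0, seed: int = 7) -> List[float]:
    """Constructed stand-in for normal traffic: Poisson arrivals, so the gaps are
    exponential with the slides' 85 packets per second as the mean rate."""
    rng = random.Random(seed)
    return [rng.expovariate(rate) for _ in range(n)]


def covert_iats(n: int, interval: float = 0.050, seed: int = 7) -> List[float]:
    """Constructed stand-in for an on/off timing channel: every gap is a whole
    number of bit intervals (1 between adjacent 1 bits, 2 across one 0, ...)
    plus a little sender-side jitter."""
    rng = random.Random(seed)
    return [interval * rng.choice([1, 1, 2, 3]) + rng.gauss(0.0, 0.0002)
            for _ in range(n)]


def compressibility(iats: List[float], decimals: int = 3) -> float:
    """Cabuk et al.: round the gaps, concatenate them as text, compress. The ratio
    is high when the gaps take only a few distinct values, i.e. the timing is regular."""
    text = "".join(f"{x:.{decimals}f}" for x in iats).encode()
    return len(text) / len(zlib.compress(text, 9))


def equiprobable_edges(training: List[float], bins: int = 16) -> List[float]:
    """Gianvecchio and Wang bin by quantiles of legitimate training traffic, so
    legitimate test traffic spreads evenly over the bins. Returns interior edges."""
    s = sorted(training)
    return [s[len(s) * k // bins] for k in range(1, bins)]


def entropy_bits(sample: List[float], edges: List[float]) -> float:
    """First-order Shannon entropy of the binned sample, in bits: near log2(bins)
    for traffic like the training set, far below it for a channel that keeps
    reusing the same few gaps."""
    counts = Counter(bisect.bisect_right(edges, x) for x in sample)
    n = len(sample)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(sample: List[float], edges: List[float],
             kappa_max: float = 9.0, entropy_min: float = 3.0) -> bool:
    """True when the sample looks like a timing channel under either test.
    Thresholds are illustrative; in practice they are fitted to the monitored link."""
    return compressibility(sample) > kappa_max or entropy_bits(sample, edges) < entropy_min


if __name__ == "__main__":
    edges = equiprobable_edges(legit_iats(5000, seed=1))
    for name, sample in (("legit", legit_iats(1000, seed=2)),
                         ("covert", covert_iats(1000))):
        print(f"{name:6s} kappa={compressibility(sample):6.2f}  "
              f"H={entropy_bits(sample, edges):4.2f} bits  "
              f"flagged={classify(sample, edges)}")
```

The equiprobable binning is the important detail: with fixed-width bins an exponential distribution also looks low-entropy, so the bins must be learned from traffic known to be clean. The constructed channel here is deliberately crude; a sender that replays recorded legitimate gaps (the time-replay channel) defeats the first-order entropy test and needs the conditional-entropy variant from [1].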
Discussion
• How could IP spoofing be used with covert channels?
• What protocols might be usable even on an extremely locked down network?
References
[1] Gianvecchio, S. and Wang, H. 2007. Detecting covert timing channels: an entropy-based approach. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS '07), Alexandria, Virginia, USA, October 28-31, 2007. ACM, New York, NY, pp. 307-316.
[2] Cabuk, S., Brodley, C., and Shields, C. 2009. IP covert channel detection. ACM Transactions on Information and System Security, Volume 12, Issue 4 (Apr. 2009), pp. 1-29.
[3] Thyer, J. 2008. Covert Data Storage Channel Using IP Packet Headers. SANS Institute, GIAC Gold Certification paper, pp. 1-53.