An update on Protocol hopping covert channels
At last year's Black Hat USA 2007, the dominant discussion was Joanna Rutkowska and Alex Tereshkin's "New Blue Pill" versus the VT-x rootkit detection techniques of Peter Ferrie, Nate Lawson, and Tom Ptacek. Follow-up material appeared on the Matasano blog, including Side-Channel Detection Attacks Against Unauthorized Hypervisors, and some confusion on Rich Mogull's part led to You Can Detect Hypervised Rootkits Even if You're Virtualized. Joanna's rebuttal to the Matasano bloggage, Virtualization Detection vs. Blue Pill Detection, is on her blog.
But what about covert channels on the network?
Surely, Ptacek and Rutkowska are both more than familiar with the issues at that layer: Ptacek co-authored Insertion, Evasion, and Denial of Service (with Tim Newsham), and Rutkowska wrote NUSHU, a passive covert channel engine for Linux 2.4 kernels that hides data in the TCP initial sequence numbers of connections the host is already making.
Many claim that network covert channels can be made undetectable; others argue that, as with system rootkits, certain techniques will always make covert activity visible to prying eyes.
Last November, Richard Bejtlich analyzed the Protocol Hopping Covert Channel Tool (phcct), written by Steffen Wendzel. Using Wireshark, tcpdump, Argus, and tcpflow, Richard demonstrated how phcct's traffic can be positively identified.
Richard did agree with one commenter that if phcct properly encrypted its traffic, that analysis would have been inconclusive. So why was the proof-of-concept crippled?
A more recent comment on Richard's PHCC post comes from the author of the tool himself, Steffen Wendzel. He writes:
Nevertheless I still think PHCCs are very hard to detect using encryption (I don't plan to add encryption to this explicitly called "simple" proof-of-concept code) and an improved micro protocol message ID field (see the updated part of the paper). I also think that collecting _all_ data in a network is too huge an amount of data that probably nobody will take care of (which company will pay the forensics that will investigate the garbage data?). But you're right: the detection of the PHCC implemented by phcct is easy, but it wasn't the target to do something different in this proof-of-concept code.
Thanks to Richard's post and corrections, Steffen updated his paper on Protocol Hopping Covert Channels, but noted that he doesn't have time to correct the tool itself. In this case, having the correct information documented matters more than having a more reliable exploit tool. Some would argue that "there's no point in rubbing salt into an open wound" (one of my favorite quotes on the issue of anti-forensics).
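The flow-level side of Richard's tool list (Argus) is worth making concrete, because it bears on the encryption question above: a hopper that encrypts its payloads defeats tcpflow-style content inspection, but the session metadata still shows one client hitting one server on several service ports in rapid alternation with small, uniform sessions. The Python below is an added example written for this post, not code from phcct, Wendzel's paper, or Bejtlich's analysis; the flow records are constructed by hand in an Argus-like shape, and the pair-scoring heuristic and the names Flow, PairStats, pair_stats and suspicious_pairs are this editor's own.

```python
"""Flow-metadata heuristic for a protocol-hopping covert channel.

Added example for this post; not phcct or Bejtlich's analysis. The flow
records are constructed, and the scoring rule is the editor's own heuristic.
It deliberately ignores payload bytes, so it behaves the same whether or not
the channel encrypts its contents.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional session summary, roughly what Argus emits."""
    t: float      # start time in seconds
    src: str      # client address
    dst: str      # server address
    dport: int    # server port, i.e. the application protocol in use
    pkts: int     # packets in both directions
    nbytes: int   # bytes in both directions


@dataclass(frozen=True)
class PairStats:
    ports_in_window: int   # most distinct server ports seen inside one window
    hops: int              # consecutive sessions that changed server port
    sessions: int          # total sessions between the pair
    mean_bytes: float


# Constructed sample (not captured traffic).
# 10.0.0.5 is a normal web client.  10.0.0.7 talks to the same server on
# 80, 110 and 25 in rotation with small, uniform sessions: the shape a
# hopper leaves behind even if its payloads are encrypted.  10.0.0.9 uses
# two services too, but a minute apart and with bulk transfers.
FLOWS = [
    Flow(0.0,  "10.0.0.5", "192.0.2.10",  80,  42, 38011),
    Flow(1.2,  "10.0.0.5", "192.0.2.10",  80,  30, 21000),
    Flow(0.1,  "10.0.0.7", "192.0.2.10",  80,   6,   410),
    Flow(0.4,  "10.0.0.7", "192.0.2.10", 110,   6,   398),
    Flow(0.7,  "10.0.0.7", "192.0.2.10",  25,   6,   415),
    Flow(1.0,  "10.0.0.7", "192.0.2.10",  80,   6,   402),
    Flow(1.3,  "10.0.0.7", "192.0.2.10", 110,   6,   405),
    Flow(1.6,  "10.0.0.7", "192.0.2.10",  25,   6,   399),
    Flow(0.0,  "10.0.0.9", "192.0.2.20", 110, 120, 90000),
    Flow(60.0, "10.0.0.9", "192.0.2.20",  80,  80, 65000),
]


def pair_stats(flows, window=5.0):
    """Summarise each (client, server) pair's session sequence."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    stats = {}
    for pair, sessions in by_pair.items():
        sessions.sort(key=lambda f: f.t)
        # Largest number of distinct server ports used inside any window
        # that starts at one of the pair's sessions.
        best = 0
        for i, start in enumerate(sessions):
            ports = {s.dport for s in sessions[i:] if s.t - start.t <= window}
            best = max(best, len(ports))
        hops = sum(1 for a, b in zip(sessions, sessions[1:]) if a.dport != b.dport)
        mean_bytes = sum(s.nbytes for s in sessions) / len(sessions)
        stats[pair] = PairStats(best, hops, len(sessions), mean_bytes)
    return stats


def suspicious_pairs(flows, window=5.0, min_ports=3, min_hop_ratio=0.5):
    """Pairs that reach min_ports distinct services inside `window` seconds
    and change service between at least min_hop_ratio of consecutive sessions."""
    flagged = []
    for pair, s in pair_stats(flows, window).items():
        if s.sessions < 2:
            continue
        if s.ports_in_window >= min_ports and s.hops / (s.sessions - 1) >= min_hop_ratio:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst in suspicious_pairs(FLOWS):
        s = pair_stats(FLOWS)[(src, dst)]
        print(f"{src} -> {dst}: {s.ports_in_window} services in window, "
              f"{s.hops}/{s.sessions - 1} hops, mean {s.mean_bytes:.0f} bytes/session")
```

On the constructed data only the 10.0.0.7 pair is flagged; the mail-plus-web client is not, because its two services are a minute apart. The thresholds are the weak point: widen the window to a couple of minutes and drop min_ports to 2 and the legitimate client gets flagged too, while a hopper that paces its sessions out or sticks to one protocol for a while slides under the window. That is why this kind of metadata heuristic complements, rather than replaces, the content-level tells (the micro protocol message ID field) that Richard used on the unencrypted tool.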