21C3 Schedule Release 1.1.7

21st Chaos Communication Congress
Lectures and workshops

Joanna Rutkowska
Day 2
Location Saal 1
Start Time 13:00 h
Duration 02:00
ID 176
Type Lecture
Track Hacking
Language english

Passive covert channels in the Linux kernel

Implementation and detection of kernel based backdoors and covert channels in Linux kernels

The presentation will describe the idea of passive covert channels (PCC). By passive covert channels, one means a specific kind of CC, which does not generate its own traffic. A PCC only changes some fields in the packets generated by a legitimate user (or processes) of the compromised host. For example, a PCC can be implemented as a kernel module which will change the Initial Sequence Number (ISN) in all (or only some) outgoing TCP connections. The new ISNs will carry the secret message, which could be, for example, the password sniffed by malicious software running on the compromised machine.

A passive covert channel will be very hard to detect, since the packets used for carrying the message are beyond any suspicion. The idea of a PCC seems very simple, but it must be carefully implemented so as to not disturb normal user operations. In the example implementation mentioned above, this means that the kernel module, which changes the ISN numbers for every outgoing SYN packet, must also change the ACK number for incoming packets back to the proper value and in addition not forget about changing later SEQ numbers in the consecutive outgoing packets belonging to the same TCP connection.

During the lecture, a quick overview of how packets are handled by the Linux kernel will be presented. The focus will be on the new NAPI based kernels (>2.4.20 & 2.6). The detailed kernel execution path (network subsystem map) will be shown. This path is traversed when new packets come into the network interface and terminates when they reach the transport layer (as well as the opposite direction) or are forwarded to another host. After this, a few possibilities of how to insert on-the-fly packet changers (like a PCC) will be discussed.

The PCC idea will be demonstrated with proof-of-concept code that implements an ISN based TCP passive covert channel in the Linux kernel. The presented software can be very useful when it is combined with information gathering software, like a password sniffer. It also provides a simple protocol, which ensures the integrity of the transmitted messages as well as forcing retransmissions in the case of lost packets.

Finally, different approaches to detection will be discussed and will be supported by some live demos as well. The detection part of the presentation will include host based methods and also some ideas about building network based detectors. Host based detection issues will be closely related to the more general problem of detecting a system compromise.