computer lab assignment

master level response due 3/22/13

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

© UMUC 2012 Page 1 of 35

Contents
Topic 1: Analogy (page 2)
  Analogy: Military Espionage (page 2)
Topic 2: Module Introduction (page 4)
Topic 3: Covert Channels (page 5)
  Covert Channels and Multilevel Security (page 5)
  Types of Covert Channels (page 7)
Topic 4: Covert Channel Characteristics (page 11)
  Transmission Cycle (page 11)
  Noise (page 12)
  Activity: Deducing Message Content (page 14)
  Channel Capacity (page 19)
Topic 5: Covert Channel Application (page 21)
  ICMP Covert Channel (page 21)
  IP Covert Channel (page 22)
  TCP Covert Channel (page 24)
  Application Covert Channel (page 28)
  Try This! (page 31)
Topic 6: Summary (page 33)
Glossary (page 34)

Topic 1: Analogy

Analogy: Military Espionage

Covert Channels and Data Leakage
CSEC 640 – Module 6

Analogy: Military Espionage
Both government and private organizations employ measures to guard against data
theft, but attackers still manage to subvert communication channels in those
organizations. How can classified information be leaked from inside an organization
without being detected by firewalls or intrusion detection systems (IDSs)? How is an illicit
communication channel that facilitates data leakage established between two entities?

To understand how such covert communication channels are built, imagine two enemy
spies, a general and a soldier, who are not allowed to share confidential information with
each other but do so by creating a simple code that cannot be detected by observers.

The Who

Step 1
The general and the soldier are spies working for an enemy camp. The general has
access to confidential information that he is not allowed to share with the soldier.

Step 2
The military cybersecurity specialist monitors any communication between the general
and soldier to make sure that no classified information is passed from one to the other.

The Plot
The general wants to transmit a secret key for a military network device to the soldier.
The key is 101011010001. The general and the soldier agree on a code consisting of
two gestures, each of which signifies 0 or 1.

The Signal

Step 1
To transmit 1, the general brushes his hair. To the military cybersecurity specialist, the
general brushing his hair is a normal gesture. However, the soldier who is aware of the
code knows that the general is transmitting 1.

Step 2
To transmit 0, the general touches his glasses. To the military cybersecurity specialist,
the general touching his glasses is an ordinary action, but when the soldier sees the
general making that motion, he knows that the general is transmitting 0.

Step 3
Using a series of these two gestures, the general is able to transmit the secret key,
101011010001, to the soldier.

Analysis

The analogy of the general and the soldier demonstrates that it is possible to build covert
channels of communication and avoid detection by using existing innocent gestures.
Similarly, security policies of protected networks can be bypassed to build covert
channels using systems resources and processes.

Topic 2: Module Introduction

A covert channel transmits information between two entities in a network using system
resources—such as Internet Protocol (IP) header fields or device status bits—that are
not intended for communication. To leak information, the sender accesses sensitive
information and covertly passes the information to the receiver by manipulating these
system resources.

This module covers the classification of covert channels and the important characteristics of
covert communication. It also discusses how a covert channel can be implemented using the
Internet Control Message Protocol (ICMP), the Transmission Control Protocol over IP (TCP/IP),
and the Hypertext Transfer Protocol (HTTP).

Topic 3: Covert Channels

Covert Channels and Multilevel Security

A covert channel is an unintended communication path through which two entities in the
system transmit information.

Covert channels pose threats to organizations or applications in which the main security
concern is to prevent illicit information flow or data leakage.

To counter the threat posed by covert channels, many organizations use multilevel
security (MLS) systems that allow data at different sensitivity levels to be simultaneously
stored and processed in a system.

What Is MLS?
The purpose of MLS is to avoid the unauthorized disclosure of information at a higher
security level to users assigned a lower security clearance.

Who Uses MLS?
Organizations such as military services, government agencies, and related defense
industries, which are privy to classified information, are the most interested in unearthing
covert channels.

How Is MLS Used?
The different types of data are labeled with security levels such as unclassified,
classified, secret, and top secret. Users can access data according to the security
clearance levels assigned to them.

Two communication entities on two ends of a covert channel can be considered an
information sender and an information receiver.

In an MLS environment, a communication entity at a higher security level, referred to as
High, acts as the information sender. An entity at a lower security level, referred to as
Low, acts as the information receiver.

How Covert Channels Work

Trojan Horse
A typical scenario in an MLS system is that High has access to confidential information,
and it tries to leak the information to Low through a covert channel. For example, a
Trojan horse in an infected system tries to send confidential information to an outside
adversary.

Covert Channel
The Trojan horse sends confidential information through the covert channel.

Information Receiver
Low receives the confidential information from the covert channel.

Topic 3: Covert Channels

Types of Covert Channels

There are two kinds of covert channels: covert storage channels and covert timing
channels.

Covert Storage Channel
A covert storage channel implicitly discloses information through the manipulation of one
or more resources in a storage location. Take the example of an organization that has
implemented a security policy specifying that High cannot communicate with Low in an
MLS system. In other words, Low cannot read the contents of the files owned by High.

However, the MLS system allows both to share a directory. High can take advantage of
this feature to transmit confidential information to Low.

Step 1

To transmit a bit 1, High creates a file called 1.txt in the shared directory.

Step 2

Low tries to create a file with the same name, 1.txt, in the shared directory.

Step 3

If the operating system displays an error message such as “the same file exists,” Low can
deduce that High created the file and therefore intended to transmit bit 1.

Step 4

If no error message appears, Low can deduce that High did not create the file and therefore
intended to transmit bit 0.

Covert Timing Channel
A covert timing channel is an illicit communication path that a sender uses to signal
information to the receiver. This communication violates an existing security policy by
using system resources in such a way that this manipulation affects the response time
observed by the receiver.

Take the example of an organization in which three entities exist in a network
environment: High, Low, and the firewall on the High side. The TCP/IP packets are
exchanged between High and Low through the firewall. The goal of the firewall is to
prevent a leak of confidential information by making sure that High cannot send any
TCP/IP packet with payload to Low.

The security policy of the organization mandates:
1. TCP/IP packets with payload cannot be sent from High to Low. The only exception to
the rule is that High can send an acknowledgment (SYN-ACK) to Low.
2. Any packets can flow from Low to High.

The images here show how a covert timing channel can be established while the above
security policy is being enforced by the firewall.

Step 1

The security policy ensures that High can send an acknowledgment (SYN-ACK) only
when a SYN packet sent by Low reaches High. The SYN-ACK packet carries no
application payload. To leak confidential information to Low, High adds a delay before
transmitting the SYN-ACK packet.

Step 2

To transmit 1, High waits for some time and sends the SYN-ACK packet to Low.

Step 3

Low observes the delay in receiving the SYN-ACK packet from High and interprets that 1
has been transmitted.

Step 4

When Low observes no delay, it knows that 0 has been transmitted.
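The delay scheme above leaves a two-cluster latency pattern that a monitor on the Low side can look for. The following Python example is added here and is not part of the course material; it assumes a monitor that records the time between each SYN it sends and the matching SYN-ACK, and the latency samples in it are constructed.

```python
"""Detect a SYN-ACK delay timing channel from observed response latencies.

Added example (not part of the UMUC course material).  A High that signals
1 by delaying its SYN-ACK and 0 by answering at once produces two tight
latency clusters separated by a wide gap; honest hosts produce one cluster
with jitter.  That separation is the artifact a defender can test for.
"""
from statistics import mean, pstdev

# Constructed latency samples in milliseconds (hypothetical values).
HONEST_LATENCIES_MS = [9.8, 10.4, 11.1, 9.5, 10.0, 10.9, 9.7, 10.2, 10.6, 9.9, 10.3, 10.1]
SIGNALLING_LATENCIES_MS = [210.3, 10.1, 209.7, 10.4, 211.0, 210.2,
                           9.9, 210.5, 10.0, 9.8, 10.3, 209.9]


def split_by_gap(latencies, min_gap_ms=50.0):
    """Sort the samples and split them at the largest gap if that gap is at
    least min_gap_ms.  Returns (low_cluster, high_cluster); the high cluster
    is empty when no such gap exists."""
    ordered = sorted(latencies)
    best_gap, best_idx = 0.0, None
    for i in range(1, len(ordered)):
        gap = ordered[i] - ordered[i - 1]
        if gap > best_gap:
            best_gap, best_idx = gap, i
    if best_idx is None or best_gap < min_gap_ms:
        return ordered, []
    return ordered[:best_idx], ordered[best_idx:]


def timing_channel_score(latencies, min_gap_ms=50.0):
    """Describe whether a latency series looks like a two-symbol timing
    channel: two tight clusters, a wide gap between them, and both clusters
    used often enough to carry data rather than one being a stray outlier."""
    low, high = split_by_gap(latencies, min_gap_ms)
    if not high:
        return {"suspicious": False, "reason": "single latency cluster"}
    gap = min(high) - max(low)
    spread = max(pstdev(low) if len(low) > 1 else 0.0,
                 pstdev(high) if len(high) > 1 else 0.0)
    minority = min(len(low), len(high)) / len(latencies)
    suspicious = gap > 10 * spread and minority >= 0.25
    return {
        "suspicious": suspicious,
        "low_cluster_mean_ms": round(mean(low), 1),
        "high_cluster_mean_ms": round(mean(high), 1),
        "gap_ms": round(gap, 1),
        "minority_fraction": round(minority, 2),
        "reason": ("two well-separated latency clusters used repeatedly"
                   if suspicious else "clusters not distinct enough"),
    }


def decode_delay_bits(latencies, min_gap_ms=50.0):
    """Reconstruct the bit sequence under the module's scheme (delayed
    SYN-ACK = 1, prompt SYN-ACK = 0), which is what an analyst does after the
    channel has been flagged.  Returns None when there is no delay cluster."""
    low, high = split_by_gap(latencies, min_gap_ms)
    if not high:
        return None
    threshold = (max(low) + min(high)) / 2
    return "".join("1" if t > threshold else "0" for t in latencies)
```

The constructed signalling series decodes to the key from the opening analogy, 101011010001.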

Topic 4: Covert Channel Characteristics

Transmission Cycle

The main characteristics of a covert channel include the transmission cycle, noise, and
capacity.

The transmission cycle of a covert channel includes the sender-receiver synchronization
(S-R) period, transmission period, and feedback period.

Reference: Son, J., & Alves-Foss, J. (2006). Covert timing channel analysis of rate monotonic real-time
scheduling algorithm in MLS systems. In Proceedings of the IEEE Workshop on Information Assurance.

S-R Period
During the S-R period, a sender needs to notify a receiver that it is ready to transmit a
new symbol. For example, High may send a special packet to indicate that it is ready to
start the transmission.

However, no S-R period may be needed if a sender and a receiver have some previous
agreement that a new symbol will be transmitted after a predetermined interval of time.
For example, in the case of the general and the soldier, the two could have a prior
agreement that the general will start sending information to the soldier at 2 p.m.

Transmission Period
In the transmission period, the channel of communication is open and the symbols are
transmitted. For example, the general makes a gesture to transmit 1 or 0, and the soldier
observes his behavior.

Feedback Period
The feedback period is essential to ensure the continuous flow of reliable
communication. During this period, the soldier acknowledges that he has understood the
message sent by the general by making another gesture. The feedback period, however,
can be omitted if the agreement says that a symbol is sent every minute.

After the general receives the acknowledgment, he is ready to send the next symbol.

Topic 4: Covert Channel Characteristics

Noise

The communication channel, including a covert channel, is typically noisy in a real-world
application. In a noisy channel, messages sent by High to Low are mixed with messages
sent by other legitimate entities sharing the same resource.

An information sender cannot reliably transmit a symbol to a receiver through a noisy
channel. For instance, bit 1 can be converted to bit 0 during transmission because of
noise.

Therefore, attackers such as Trojan horses try to build less noisy covert channels to
reliably transfer data to external adversaries.

Reference: Son, J., & Alves-Foss, J. (2006). Covert timing channel analysis of rate monotonic real-time
scheduling algorithm in MLS systems. In Proceedings of the IEEE Workshop on Information Assurance.

Noiseless Channel

High uses a set of available input symbols—X1 and X2—to transmit data through the
covert channel. Low observes a set of output symbols—Y1 and Y2—that are
transformed from the set of input symbols through the covert channel. In a noiseless
channel, Low can easily decode the message sent by High because only High and Low
use the channel.

Noisy Channel

Noise can alter and affect the output observed by Low during the transmission of a
symbol. The behavior of a noisy channel may be nondeterministic in the sense that the
output observed by the receiver is no longer a function of the input symbol transmitted.

For example, in the diagram above, when the receiver observes the output symbol Y1, it
cannot reliably deduce which value, X1 or X2, was the input symbol transmitted by the
sender. A noisy channel therefore reduces the reliability of leaked data, which works in
favor of system security.

Topic 4: Covert Channel Characteristics

Activity: Deducing Message Content

Introduction
Consider the protected network of a company that has been compromised by a Trojan
horse hiding in a computer. The intention of the Trojan horse, High, is to send a
message to an outside adversary, Low, if it is able to obtain classified information.

High can transmit a set of input symbols—X1, X2, X3, X4—to Low. Low can receive a
set of output symbols—Y1, Y2, Y3, Y4—from High. These output symbols are
transformed from the set of input symbols through the covert channel.

In order to show that there is no covert flow between High and Low, it should be
demonstrated that Low is not able to deduce with certainty anything about the activities
of High.

Reference: Son, J., & Alves-Foss, J. (2006). Covert timing channel analysis of rate monotonic real-time
scheduling algorithm in MLS systems. In Proceedings of the IEEE Workshop on Information Assurance.

Workspace

Question 1: In the noisy channel shown in the image, which of the symbols transmitted
by High can be reliably deduced by Low? Note that “reliably deduced” means that Low
does not have to make any guess or inference about which input symbol has been sent
or not sent when it receives an output symbol.

Options:
a. X1
b. X2
c. X3
d. X4
e. All of the above
f. None of the above

Correct answer: Option f
Feedback:

Low cannot reliably deduce which input symbol has been transmitted by High. For
example, when Low receives Y1, it cannot deduce exactly which symbol has been
transmitted by High since any one of the input symbols—X1, X2, X3, and X4—could be
a cause of Y1. This reasoning applies to all output symbols: Y1, Y2, Y3, and Y4.

This type of noisy channel, from which no information can be deduced, is called a
nondeducible channel.

Question 2: Upon receiving an output symbol, which of the symbols transmitted by High
can be reliably deduced by Low? Note that “reliably deduced” means that Low does not
have to make any guess or inference about which input symbol has been sent or not
sent when it receives an output symbol.

Options:
a. X1
b. X2
c. X3
d. X4
e. All of the above
f. None of the above

Correct answer: Option c

Feedback:
Upon receiving Y3, Low can deduce that X3 has been transmitted by High. Upon
receiving Y1, Y2, or Y4, the receiver cannot deduce which symbol has been transmitted
by High, since X1, X2, X3, and X4 are all possible input symbols. However, upon
receiving Y3, the receiver can pinpoint that X3 has been transmitted by High.

This also means High can transfer information through this noisy channel. This type of
noisy channel is called a positive-deducible channel.

Question 3: Upon receiving an output symbol, which of the symbols transmitted by High
can have its identity reliably deduced by Low? Note that “reliably deduced” means that
Low does not have to make any guess or inference about which input symbol has been
sent or not sent when it receives an output symbol.

Options:
a. X1
b. X2
c. X3
d. X4
e. All of the above
f. None of the above

Correct answer: Option a

Feedback:
Upon receiving Y3, Low can reliably deduce that High has transmitted either X2, X3, or
X4. Equivalently, this means that High has not transmitted X1. Thus, Low, upon
receiving Y3, can reliably deduce that X1 has not been transmitted by High. Therefore,
this type of a channel is called a negative-deducible channel.

Question 4: Upon receiving the output symbol Y4, which of the symbols transmitted by
High can be reliably deduced by Low? Note that “reliably deduced” means that Low does
not have to make any guess or inference about which input symbol has been sent or not
sent when it receives an output symbol.

Options:
a. X1 or X4
b. X2 or X3
c. X3 or X4
d. All of the above
e. None of the above

Correct answer: Option a

Feedback:
What Low can deduce from this channel is somewhat limited. For instance, upon
receiving Y4, Low can reliably deduce that either X1 or X4 has been transmitted. As
shown in the diagram, there are two arrows originating from X1 and X4 and ending at
Y4.

Review
An analysis of noisy channels reveals that if the channel between the Trojan horse and
the adversary is nondeducible, then the adversary cannot reliably deduce the intention of
the Trojan horse. On the other hand, if the channel is positive-deducible, the adversary
can easily deduce the intention of the Trojan horse.

In this example, the Trojan horse and the outside adversaries can adopt strategies to
transmit data.

The normal mode of operation for the Trojan horse is to transmit either X1, X2, or X4.
When the Trojan horse is able to access some classified data and needs to signal the
adversary, it immediately changes its mode of operation and continues sending X3.

Meanwhile, the adversary ignores other symbols and waits until it observes Y3. Upon
observing Y3, it collects the classified information.

Further Challenges
What possible strategy can the Trojan horse use to transmit the information to the
adversary using a negative-deducible channel?

Topic 4: Covert Channel Characteristics

Channel Capacity

How can the vulnerability of a covert channel be measured? Is there any security metric
that can capture the severity of the vulnerability? Security researchers commonly use
Shannon’s information theory to quantify the amount of information transferred from the
information sender to the information receiver. The quantity of transmitted information is
called channel capacity.

Channel capacity can be defined as the maximum rate of reliable and accurate
information transmission through the channel.

The unit of channel capacity is bits/channel usage. For instance, 4 bits/channel usage
means that senders can transmit four bits through a channel every time they use the
channel.

From an information theory viewpoint, this also means that the sender can select one
symbol from 16 (= 2^4) different available input symbols and transmit the symbol to the
receiver.

The formula for Shannon’s channel capacity is:
C = log2(n) (bits/channel), where C is the channel capacity and n is the number of symbols
available. Note that the base of the logarithm is 2.

Try This

Question 1: A sender transmits a symbol from two different character sets, x1 and x2, to
a receiver through a channel without any error. What is the capacity of such a channel?

Options:
a. C = 6 bits/channel
b. C = 2 bits/channel
c. C = 5 bits/channel
d. C = 1 bit/channel

Log Table

x     log2 x
1     0.000000
2     1.000000
3     1.584963
4     2.000000
5     2.321928
6     2.584963
7     2.807355
8     3.000000
9     3.169925
10    3.321928
16    4.000000
32    5.000000
64    6.000000
128   7.000000
256   8.000000
512   9.000000
1024  10.000000

Correct answer: Option d

Feedback:
Because the sender has two input symbols to choose from, n = 2. If we use the channel
capacity formula with n = 2, C = log2(2) = 1 bit/channel. This answer is intuitively
obvious if we assume that x1 = 0 and x2 = 1: the sender can transmit only 0 or 1.

Question 2: A sender accurately transmits a symbol from four different character sets—
X1, X2, X3, X4—to a receiver through a channel. What is the capacity of the channel?

Options:
a. C = 3 bits/channel
b. C = 2 bits/channel
c. C = 6 bits/channel
d. C = 7 bits/channel

Correct answer: Option b

Feedback:
The correct answer is C = log2(4) = 2 bits/channel. The sender has four input symbols to
choose from; therefore, n = 4. If we use the channel capacity formula given above with
n = 4, C = log2(n) = log2(4) = 2 bits/channel.
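The deducibility questions in the activity above and the capacity formula C = log2(n) can both be checked mechanically. The Python example below is added here and is not part of the course material; it represents a channel as a mapping from each input symbol to the output symbols it can produce (the arrows of the module's diagrams), and the four channel definitions are constructed to match the feedback for Questions 1 to 4 because the diagrams themselves are not reproduced on this page.

```python
"""Classify a noisy covert channel by what the receiver can deduce, and
compute the noiseless capacity C = log2(n).

Added example (not part of the UMUC course material).  Each channel maps an
input symbol High can send to the set of output symbols Low may observe.
The channels are constructed from the activity's feedback text.
"""
import math

INPUTS = ("X1", "X2", "X3", "X4")

# Question 1: every input can produce every output (nondeducible).
CHANNEL_Q1 = {x: {"Y1", "Y2", "Y3", "Y4"} for x in INPUTS}

# Question 2: Y3 can only be caused by X3; the other outputs come from any input.
CHANNEL_Q2 = {
    "X1": {"Y1", "Y2", "Y4"},
    "X2": {"Y1", "Y2", "Y4"},
    "X3": {"Y1", "Y2", "Y3", "Y4"},
    "X4": {"Y1", "Y2", "Y4"},
}

# Question 3: Y3 comes from X2, X3 or X4, never from X1.
CHANNEL_Q3 = {
    "X1": {"Y1", "Y2", "Y4"},
    "X2": {"Y1", "Y2", "Y3", "Y4"},
    "X3": {"Y1", "Y2", "Y3", "Y4"},
    "X4": {"Y1", "Y2", "Y3", "Y4"},
}

# Question 4: Y4 comes only from X1 or X4.
CHANNEL_Q4 = {
    "X1": {"Y1", "Y2", "Y3", "Y4"},
    "X2": {"Y1", "Y2", "Y3"},
    "X3": {"Y1", "Y2", "Y3"},
    "X4": {"Y1", "Y2", "Y3", "Y4"},
}


def candidates(channel, output):
    """Input symbols that could have produced `output` (arrows ending at it)."""
    return frozenset(x for x, outs in channel.items() if output in outs)


def excluded(channel, output):
    """Input symbols Low can rule out after observing `output`."""
    return frozenset(channel) - candidates(channel, output)


def classify(channel):
    """nondeducible: no output narrows the set of possible inputs at all;
    positive-deducible: some output identifies exactly one input;
    negative-deducible: some output rules inputs out but none pins one down."""
    outputs = set().union(*channel.values())
    preimages = [candidates(channel, y) for y in outputs]
    if all(len(p) == len(channel) for p in preimages):
        return "nondeducible"
    if any(len(p) == 1 for p in preimages):
        return "positive-deducible"
    return "negative-deducible"


def noiseless_capacity_bits(n_symbols):
    """Capacity of a noiseless channel with n symbols, in bits per channel
    usage: C = log2(n)."""
    return math.log2(n_symbols)


def symbols_for_capacity(bits):
    """Inverse of the formula: how many input symbols a C-bit channel needs."""
    return 2 ** bits
```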

Topic 5: Covert Channel Application

ICMP Covert Channel

How are covert channels established in real-life applications? Protocols at several Open
Systems Interconnection (OSI) layers, such as ICMP, TCP/IP, and application-layer
protocols, can be exploited to establish a covert channel. Such a channel can bypass
packet filters, firewalls, and network sniffers.

The data field in an ICMP echo request or reply message is intended to record router
information or store timing records to calculate round-trip time. However, a covert
channel can be established by using the data field in an ICMP packet to carry
confidential data to an adversary.

Some operating systems and firewalls do not inspect the data field of an ICMP packet.
An ICMP packet can bypass packet filters or firewalls undetected. This data-carrying
capability of ICMP can be used to establish a covert channel. The length of the data field
is normally 24 or 56 bytes long. However, the protocol allows the data field to be much
longer, yielding a high channel capacity compared to that of a TCP/IP-based covert
channel.
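Because ordinary ping traffic carries predictable filler in the data field, a defender can check echo messages against that expectation. The following Python example is added here and is not part of the course material; it assumes the raw ICMP message (8-byte header plus data) is available to the monitor, that Windows ping fills the data field with a fixed alphabet string and Unix ping with incrementing bytes after a timestamp prefix, and the sample messages are constructed.

```python
"""Inspect the ICMP echo data field for size and for content that is not
ping filler.

Added example (not part of the UMUC course material).  Sample messages are
constructed; the filler patterns are the ones Windows and iputils ping emit.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Data-field lengths the module calls normal (24 or 56 bytes) plus Windows' 32.
COMMON_DATA_LENGTHS = {24, 32, 56}
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte Windows ping filler


def build_echo(data, ident=0x1234, seq=1, icmp_type=ICMP_ECHO_REQUEST):
    """Assemble an ICMP echo message; the checksum stays zero because the
    checks below never depend on it."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data


def parse_icmp(message):
    """Return (type, code, identifier, sequence, data) from a raw ICMP message."""
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return icmp_type, code, ident, seq, message[8:]


def looks_like_ping_filler(data, timestamp_prefix=16):
    """True for a known ping filler: the Windows alphabet string, or the
    Unix (iputils-style) pattern in which data byte i simply equals i after
    the timestamp prefix.  That prefix is 8 or 16 bytes depending on the
    ping build, so the check starts at 16 to accept both."""
    if data == WINDOWS_PATTERN:
        return True
    if len(data) <= timestamp_prefix:
        return False
    return all(data[i] == i % 256 for i in range(timestamp_prefix, len(data)))


def assess_echo(message, max_data_len=56):
    """Return ("ok" | "suspicious", reason) for one ICMP message.  Echo
    requests and replies are held to a size policy and to the expectation
    that their data field is filler rather than content."""
    icmp_type, _code, _ident, _seq, data = parse_icmp(message)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "ok", "not an echo message"
    reasons = []
    if len(data) > max_data_len:
        reasons.append(f"oversized data field ({len(data)} bytes)")
    elif len(data) not in COMMON_DATA_LENGTHS:
        reasons.append(f"unusual data length ({len(data)} bytes)")
    if not looks_like_ping_filler(data):
        reasons.append("data field is not a recognised ping filler")
    if reasons:
        return "suspicious", "; ".join(reasons)
    return "ok", "standard ping payload"


# Constructed sample messages.
UNIX_PING = build_echo(b"\x00" * 16 + bytes(range(16, 56)))       # 56 bytes of filler
WINDOWS_PING = build_echo(WINDOWS_PATTERN)                        # 32 bytes of filler
COVERT_PING = build_echo(bytes((i * 37 + 11) % 256 for i in range(56)))  # 56 bytes of content
OVERSIZED_PING = build_echo(b"\x00" * 16 + bytes(i % 256 for i in range(16, 1400)))
```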

Topic 5: Covert Channel Application

IP Covert Channel

Many fields in an IP header that are optional (not used in active connections) can be
used to covertly transfer data. However, the fields that are modified by some network
devices, such as routers, are not appropriate for hiding and transferring data covertly.

One of the most appropriate choices for hiding data is the 16-bit identification (ID) field.
The ID field carries a unique identification number used to match the fragments of a
packet during reassembly. The 16-bit ID field can be filled with a multiple of the ASCII
value of the character to be encoded and transmitted.

Example of How Data Can Be Sent Using the IP Header

Step 1

Assume that a sender, High, wants to transmit P, which has an ASCII value of 80.

Step 2

The value 20480, which is the product of 80 and 256, is put in the ID field of the IP
header instead of 80, since the value 80 is too small for a 16-bit field and may look
suspicious to firewalls or network filters.

Step 3

High sends a SYN packet with the ID value of 20480 to Low.

Step 4

Low scans the SYN packet and derives the value of P by dividing 20480 by 256, without
engaging in a three-way TCP/IP handshake. In this way, a covert channel is established.

Reference: Rowland, C. H. (1997). Covert channels in the TCP/IP protocol suite. Peer-Reviewed Journal on
the Internet, 2(5).

Topic 5: Covert Channel Application

TCP Covert Channel

The TCP header offers more possibilities for covert communication channels than the IP
header. For example, TCP fields such as the sequence number, acknowledgment
number, source port, flags, and the TCP timestamp option can be used to establish a
covert channel.

There are two types of covert channels that exploit TCP fields to transfer data illicitly.

Sequence Number Field
Here is an example of how the sequence number field of TCP can be used to establish a
covert channel.

1. The client is a Trojan horse and the server is an outside adversary. The client who
wants to initiate a reliable TCP connection with a server selects an initial sequence
number (ISN). Note that the client is an information sender and the server is an
information receiver.

2. Now assume the client wants to send a character P, which has an ASCII value of 80,
to the server. The client encodes P by inserting 5242880, the product of 80 and
65536, in the sequence field. The value 65536 is chosen to make the ISN large and
realistic.

3. In the first step in a three-way handshake, the client sends the SYN packet with the
ISN to the server. The ISN serves as a medium for transmitting covert data.

4. The server receives the SYN packet and decodes P by dividing the value of the ISN
(5242880) by 65536. To send more characters, the client needs to transmit more
SYN packets with the encoded ISNs. The server just receives the SYN packets and
never engages in the three-way handshake process.

Reference: Rowland, C. H. (1997). Covert channels in the TCP/IP protocol suite. Peer-Reviewed Journal on
the Internet, 2(5).
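Both the IP ID scheme and the ISN scheme above leave header fields that are exact multiples of 256 or 65536 with a printable ASCII quotient, which a monitor can test for. The Python example below is added here and is not part of the course material or of Rowland's tool; it assumes the monitor already has decoded header fields, and the SYN records in it are constructed. A single matching value proves little, since a random 16-bit ID is a multiple of 256 with probability 1/256, so the detector scores runs of SYNs per source rather than individual packets.

```python
"""Flag IP ID and TCP ISN values that fit the "ASCII value times a constant"
encoding (ID = ASCII * 256, ISN = ASCII * 65536) across a run of SYNs.

Added example (not part of the UMUC course material).  Packet records are
constructed: 10.0.0.5 spells "PASS" in its IP ID fields, 10.0.0.7 does the
same in its ISNs, and 10.0.0.9 is benign (incrementing IDs, random ISNs).
"""
from collections import defaultdict

# Constructed SYN records: (source address, ip_id, tcp_isn).
SYN_RECORDS = [
    ("10.0.0.5", 80 * 256, 0x1F3A9C41),
    ("10.0.0.5", 65 * 256, 0x7B21E0D9),
    ("10.0.0.5", 83 * 256, 0x0C9D5A22),
    ("10.0.0.5", 83 * 256, 0x5E70B113),
    ("10.0.0.7", 0x3A7F, 80 * 65536),
    ("10.0.0.7", 0x9C02, 65 * 65536),
    ("10.0.0.7", 0x11E4, 83 * 65536),
    ("10.0.0.7", 0xC3B0, 83 * 65536),
    ("10.0.0.9", 0x4F10, 0x2B8D1C77),
    ("10.0.0.9", 0x4F11, 0x6A02F5E8),
    ("10.0.0.9", 0x4F12, 0x1D94C0A3),
    ("10.0.0.9", 0x4F13, 0x73E1B2F0),
]


def encoded_char(value, multiplier):
    """Return the printable ASCII character that `value` encodes as
    ASCII * multiplier, or None when the value does not fit that pattern.
    For the ISN case this is exactly 'low 16 bits are zero', which a
    randomised ISN rarely has."""
    if value % multiplier != 0:
        return None
    code = value // multiplier
    return chr(code) if 0x20 <= code <= 0x7E else None


def score_flows(records, min_run=3):
    """Group SYNs by source and report sources where at least `min_run`
    consecutive packets carry an ASCII-encoded IP ID or ISN.
    Returns {source: {"field": ..., "run": n, "decoded": text}}."""
    by_source = defaultdict(list)
    for src, ip_id, isn in records:
        by_source[src].append((ip_id, isn))
    findings = {}
    for src, packets in by_source.items():
        for field, idx, mult in (("ip_id", 0, 256), ("tcp_isn", 1, 65536)):
            chars = [encoded_char(p[idx], mult) for p in packets]
            best_run, run, text, best_text = 0, 0, "", ""
            for ch in chars:
                if ch is None:
                    run, text = 0, ""      # the run is broken by a non-matching value
                    continue
                run += 1
                text += ch
                if run > best_run:
                    best_run, best_text = run, text
            if best_run >= min_run:
                findings[src] = {"field": field, "run": best_run, "decoded": best_text}
    return findings
```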

Acknowledgment Number Field

Step 1

The ACK bounce method is used to establish a covert channel using the
acknowledgment field of the TCP protocol. For example, an information sender, High,
wants to send data to an information receiver, Low. High can use a third party, a bounce
server, to send the data without detection.

Step 2

High encodes the data stream into the ISN.

Step 3

High spoofs the source IP address of the intended receiver and sends the SYN packet to
the bounce server.

Step 4

The bounce server responds to High with the acknowledgment number that is one
greater than the ISN the sender chooses.

Step 5

In the final step, Low decodes the data sent by High.

Topic 5: Covert Channel Application

Application Covert Channel

Introduction
The application layer offers many opportunities for creating a covert channel. Covert
data can reside either in the application protocol header or in the application payload
field.

The HTTP protocol gives an attacker much more freedom to create a covert channel
than the TCP/IP protocol suite does. Attackers can pass messages by using the CRLF
field of the HTTP protocol and by reordering the HTTP fields.

Reference: Dyatlov, A., & Castro, S. (2003). Exploitation of Data Streams Authorized by a Network Access
Control System for Arbitrary Data Transfers: Tunneling and Covert Channels Over the HTTP Protocol.
Retrieved from http://www.gray-world.net/projects/papers/covert_paper.txt

CRLF Field
In the HTTP header, carriage return and line feed (CRLF) represents a sequence of
characters, CR and LF. These two special characters are used as the end-of-line (EOL)
marker for many Internet protocols, including HTTP. A parser of a Web server or client
browser splits the headers based on where the CRLF is found.

HTTP treats any run of consecutive linear white space characters, that is, a folding [CRLF]
followed by [Space] or [Tab] characters, as a single space character.

Here is an example of what a typical HTTP header looks like when a Web browser
sends an HTTP request to a Web server. An attacker can encode information using
these nonprintable characters and modify the header.

Modify HTTP Header
The attacker uses [Space] and [Tab] to represent 0 and 1. Thus, 0101 is encoded in the
second line of the HTTP header. Typically, when a firewall scans an HTTP packet and
inspects its header, it ignores any white space.

When the Web server receives the packet, it parses the white space from the header
and decodes it to 0101. Thus, information is covertly transferred from the attacker to the
Web server.

Reference: Dyatlov, A., & Castro, S. (2003). Exploitation of Data Streams Authorized by a Network Access
Control System for Arbitrary Data Transfers: Tunneling and Covert Channels Over the HTTP Protocol.
Retrieved from http://www.gray-world.net/projects/papers/covert_paper.txt

Reordering of HTTP Header Field
An attacker can covertly transmit data to an outside adversary by modifying the order of
HTTP header fields. Here is an example of how HTTP header fields can be reordered.

Both the HTTP headers are legitimate and the GET / HTTP/1.1 line cannot be reordered.

Reference: Dyatlov, A., & Castro, S. (2003). Exploitation of Data Streams Authorized by a Network Access
Control System for Arbitrary Data Transfers: Tunneling and Covert Channels Over the HTTP Protocol.
Retrieved from http://www.gray-world.net/projects/papers/covert_paper.txt
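A proxy or IDS that sees the raw request bytes can detect the white-space encoding and, by normalising headers, remove both the white-space channel and the field-order channel described in the two sections above. The Python example below is added here and is not part of the course material or of the Dyatlov and Castro paper; the requests it inspects are constructed, with the [Space] and [Tab] run after Host: spelling 0101 under the module's encoding.

```python
"""Detect linear-white-space encoding in HTTP request headers and
canonicalise the headers so neither white space nor field order can carry data.

Added example (not part of the UMUC course material).  Requests are
constructed.  HTTP/1.1 linear white space (LWS) is an optional folding CRLF
followed by one or more SP/HT characters; a normal client emits exactly one
space after the colon and nothing else.
"""
import re

CRLF = "\r\n"

# Constructed covert request: " \t \t" after "Host:" is 0101 (Space = 0, Tab = 1).
COVERT_REQUEST = (
    "GET / HTTP/1.1" + CRLF
    + "Host: \t \tserver.example" + CRLF
    + "User-Agent: ExampleBrowser/1.0" + CRLF
    + "Accept: */*" + CRLF
    + CRLF
)

# The same request as an ordinary client would send it, in a different field order.
CLEAN_REQUEST = (
    "GET / HTTP/1.1" + CRLF
    + "Accept: */*" + CRLF
    + "Host: server.example" + CRLF
    + "User-Agent: ExampleBrowser/1.0" + CRLF
    + CRLF
)

LWS_RE = re.compile(r"(?:\r\n)?[ \t]+")


def header_lines(raw):
    """Split the head of a request at CRLF into (request line, header lines),
    re-attaching folded continuation lines (starting with SP or HT) to the
    header they belong to so the fold stays visible to LWS_RE."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    merged = [lines[0]]
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and len(merged) > 1:
            merged[-1] += CRLF + line
        else:
            merged.append(line)
    return merged[0], merged[1:]


def whitespace_findings(raw):
    """Return [(header name, suspicious LWS runs)] for header lines whose
    linear white space contains a tab, a fold, or more than one character."""
    _, lines = header_lines(raw)
    findings = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        runs = [m.group(0) for m in LWS_RE.finditer(value)]
        odd = [r for r in runs if "\t" in r or len(r) > 1]
        if odd:
            findings.append((name.strip(), odd))
    return findings


def whitespace_bits(run):
    """Bits a run carries under the module's Space = 0 / Tab = 1 encoding,
    the analyst's view once a finding exists (fold characters are skipped)."""
    return "".join("1" if c == "\t" else "0" for c in run if c in " \t")


def canonicalise(raw):
    """Rewrite the request so every LWS run becomes one space, folds vanish,
    and headers are emitted in a fixed order (sorted by name).  A normalising
    proxy that does this strips the white-space and field-order channels."""
    request_line, lines = header_lines(raw)
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.append((name.strip(), LWS_RE.sub(" ", value).strip()))
    headers.sort(key=lambda h: h[0].lower())
    return CRLF.join([request_line] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF
```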

Topic 5: Covert Channel Application

Try This!

Question: Which of the following HTTP headers can be used to create a 2-bit covert
channel?

Options:
a. Option A

b. Option B

c. Option C

Correct answer: Option c

Feedback for Option a:
Not quite.
To find the number of input symbols needed to create a 2-bit covert channel, we can use
the channel capacity formula: C = log2(n)

Because C = 2, n is 4. This means that four input symbols are required to create a 2-bit
covert channel.

Only one symbol, either 0 or 1, can be generated from this HTTP header. Therefore,
only a half-bit covert channel can be constructed using this header.

Feedback for Option b:
Not quite.
To get the number of input symbols required to create a 2-bit covert channel, we can use
the channel capacity formula: C = log2(n)

Because C = 2, n is 4. This means that four input symbols are required to create a 2-bit
covert channel.

Two symbols, 0 and 1, can be generated from this HTTP header. Therefore, only a 1-bit
covert channel can be constructed using this header.


The following diagram shows one example of how the HTTP header is used to represent
two different input symbols to create a 1-bit covert channel.

Feedback for Option c:
That’s correct.
To get the number of input symbols required to create a 2-bit covert channel, we can use
the channel capacity formula: C = log2(n)

Because C = 2, n is 4. This means that four input symbols are required to create a 2-bit
covert channel. The following diagram shows one example of how the HTTP header is
used to represent four different input symbols to create a 2-bit covert channel.


Topic 6: Summary

We have come to the end of Module 6. The key concepts covered in this module are
listed below.

• A covert channel transmits information between two entities in a network using
system resources that are not intended for communication.

• In a multilevel security (MLS) environment, a communication entity at a higher
security level, referred to as High, acts as the information sender, and an entity at
a lower security level, referred to as Low, acts as the information receiver.

• Covert storage channels implicitly disclose information through the manipulation
of one or more objects. A covert timing channel manipulates system resources to
modify the response time observed by the receiver.

• The transmission cycle of a covert channel comprises the sender-receiver (S-R)
period, the transmission period, and the feedback period.

• Channel capacity can be defined as the maximum rate of reliable and accurate
information transmission through the channel. The formula for Shannon’s
channel capacity is C = log2(n) (bits/channel), where n is the number of symbols
available.

• Protocols at several Open Systems Interconnection (OSI) layers, such as the
Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP),
Internet Protocol (IP), and the application layer, can be exploited to establish a
covert channel.

• Attackers can pass messages using the carriage return and line feed (CRLF)
field of the HTTP protocol and by reordering the HTTP header fields.


Glossary

Channel Capacity: Channel capacity can be defined as the maximum rate of reliable
and accurate information transmission through the channel.

CRLF: CRLF represents a sequence of two characters, carriage return and line feed.
CRLF is used as an end-of-line (EOL) marker in the HTTP protocol.

Feedback Period: During the feedback period, the receiver of a message
acknowledges the receipt of the message with a signal to the sender.

Firewall: A firewall is the hardware or software that prevents unauthorized users
from accessing a computer or a network.

Hypertext Transfer Protocol: Hypertext Transfer Protocol (HTTP) transmits Web
pages to clients.

Internet Control Message Protocol: The Internet Control Message Protocol (ICMP)
integrates with the Internet Protocol (IP). It reports error, control, and
informational messages between a host and a gateway.

Internet Protocol: An Internet Protocol (IP) address is a numeric label that
identifies each device within a computer network that communicates over the
Internet.

MLS Systems: Multilevel security (MLS) systems allow data at different sensitivity
levels to be simultaneously stored and processed in a system.

Parsing: Parsing is the process in which an interpreter or compiler checks the
code for correct syntax and then builds a data structure.

Shannon’s Information Theory: Shannon’s information theory mathematically deals
with the fundamental limits of representation and transmission of information.

Security Policy: A security policy states in writing how a company plans to
protect its physical and information technology assets.

S-R Period: During the sender-receiver (S-R) period, a sender notifies a receiver
that it is ready to transmit a new symbol.

TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is the
communication protocol suite for the Internet.

Transmission Period: During the transmission period, the channel of communication
between a sender and receiver is open to transmit symbols.


Trojan Horse: A Trojan horse is a program in which malicious or harmful code is
hidden inside apparently harmless programming or data in such a way that the
Trojan horse can get control and do its damage.

CONNECTING TO THE CYBERLAB VIRTUAL ENVIRONMENT

Note: A connection to the VPN must be established before following the instructions contained in this document.

Macintosh users are to complete the instructions in Part 1B before completing the instructions in Part 2.

Windows users should follow the instructions in Part 2.

PART 1B

These steps assume that a successful connection has been made to the VPN.

Type https://citrix.vcl.local

A. Click “I Understand the Risks” and then click “Add Exception”.

B. Verify that the “Permanently store this exception” box is checked. Click on “Confirm Security Exception”.

C. Type in your username and password.

D. Click “Download” to download the Citrix web client.

E. Enter the local administrator credentials and click “Install Software”.

After successful installation, the screen below should appear.

F. Click on the appropriate CSEC 600 level course icon.

G. You should be redirected to the Virtual Computing Lab.

Continue from Part 2.

NOTE: You must connect to the VPN before performing these next steps.

PART 2: Connecting to the Virtual Computing Lab

1. Type https://csvcl.vcl.local/cloud/org/csec640 in your web browser. Click “Continue to this website (not recommended)”.

2. Type your username and password and click on Login.

3. Click Add vApp from Catalog.

4. Select CSEC640_Lab01 (or CSEC640_Lab02, depending on the lab exercise you are doing). Click Next.

5. Add your username to the Name field to uniquely identify your virtual image and click Finish.

6. Wait several minutes for the system to create all three virtual images. Once they are created, the status message will change from Creating to Stopped.

7. Click the green button to start the virtual images.

8. Once started, the status message will change from Starting to Running. Double-click the leftmost virtual machine, as it is the VM you will log on to.

9. If prompted, click OK at the message prompting you to install the VMRC installation file.

10. Download the VMRC installation file to your desktop, close all browsers, and double-click the file to start the installation.

11. Complete the installation of the VMRC client, reopen your browser, and continue accessing your running virtual machine.

12. Allow any pop-ups if prompted.

13. If presented with an invalid certificate, check “Always trust the host with this certificate”.

14. The Windows XP VM appears. Click on the Send Ctrl+Alt+Del icon at the top right corner of the screen. You can identify it by moving your mouse pointer over the icons.

Note: If your VM displays a black screen for an extended period, you can stop and then start the VM by clicking the red stop button, waiting several seconds, and then clicking the green start button.

15. Click OK at the warning message.

16. The VM desktop should be presented. Type a username of student1 with a password of Csec640 to log on.

CONNECTING TO THE CYBERLAB VPN

Part 1: Connect to the Cyberlab VPN

1. Open your web browser.

2. Type https://vpn.csvcl.net in the address bar.

3. Click on “Continue to this website (not recommended)”.

4. Select the appropriate heading under the Group section. Select OOB-anyconnect if you are a student. Type your username and your password and click Login.

5. Click on Start AnyConnect to install the Cisco AnyConnect VPN Client.

6. Click Allow.

Note: Go to Part 1A if the Web-based installation is unsuccessful and you do not see the screen above.

7. Click Yes to proceed and connect to the VPN.

8. This indicates the VPN connection is established. Close the browser window.

You can connect to the VPN subsequently by clicking on Start -> All Programs -> Cisco AnyConnect VPN Client.

PART 1A: Alternative Manual Installation

1. Click on the Start AnyConnect link.

2. Click Download.

3. Click on the underlined Windows 7/Vista 64/XP link.

4. Click the drop-down arrow and select Save as.

5. Select Desktop and click Save to save the AnyConnect install file to your desktop.

6. Double-click on the Cisco AnyConnect installation file on your Desktop.

7. Click Run.

8. Click Next.

9. Accept the terms in the License Agreement and click Next.

10. Wait as the installation process runs.

11. Click Finish.

12. You can access the Cisco VPN at any other time by clicking Start -> All Programs -> Cisco AnyConnect.

13. Type in your assigned username and password to log on.

14. The logon screen will disappear when you successfully connect to the VPN.

15. To verify a successful connection to the VPN, open a web browser and type https://csvcl.vcl.local/cloud/org/csec640; you should see the screen below or a logon screen.

16. Go to the CyberlabVMaccess640 document and continue with those instructions to access the virtual environment.

CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

Lab Exercise #2: Working with Snort & Wireshark for Intrusion Detection

Abstract:

This lab is intended to provide experience with the Snort and Wireshark programs.

Snort is a simple and powerful network monitoring agent. We will provide you with a packet trace and you will write snort rules to identify specific packet types.

I. Tools required for this lab:

· Access to the UMUC VM machine with Snort and Wireshark installed.

· The packet trace, “snort.out”, available from the UMUC VM site.

II. Pre-lab Background:

Below is suggested background reading to help you complete the questions:

· Wireshark homepage: http://www.wireshark.org/
Specifically, the FAQ and the Documentation links:
· http://www.wireshark.org/faq.html
· http://www.wireshark.org/docs/

· Snort homepage: http://www.snort.org

· Snort FAQ: http://www.snort.org/snort/faq/

· Snort Overview: https://www.procyonlabs.com/snort_manual/2.9/node2.html
(If the above link is broken, then Google-search the following document: Snort User Manual 2.9.0 by the Snort Project, published in Dec 2010.)

· How to Write Snort Rules and Keep Your Sanity: http://biblio.l0t3k.net/ids/en/snort-users-manual/chap2.html

· Modifying and writing custom Snort IDS rules: http://searchsecurity.techtarget.com/tip/Modifying-and-writing-custom-Snort-IDS-rules

The “modifying and writing” Snort rules document above is an especially helpful reference for writing the Snort rules needed for this lab.

Step 1. Read the step-by-step instructions in CyberlabVPNAccess640 to access the VPN.

Step 2. Read the step-by-step instructions in CyberlabVMAccess640 to connect to the VM.

III. Lab Exercises: Snort

3.1 Please complete the following exercises. You are required to submit a lab write-up containing answers to the questions asked for each task.

Snort is similar to tcpdump, but has cleaner output and a more versatile rule language. Just like tcpdump, snort will listen to a particular interface, or read a packet trace from a file.

You will be using a previously captured trace file (snort.out). Security administrators are commonly asked to look at a packet trace to analyze a recent attack. In this lab, we are going to examine this trace file within Wireshark and learn how to use Snort to read traces and to write new Snort rules. The trace doesn’t contain a particular attack in progress, but instead several distinct types of questionable packets.

Start Wireshark on your virtual machine from the start menu.

Next, click on the “Open” option under the “Files” header in the middle of the screen, and select “c:\snort\bin\snort.out” in the open dialog.

Wireshark will display the packets in the trace file listed in rows in three panes. The top pane contains an overview of the trace file. The middle pane shows details for the selected row, with sections that expand or collapse for physical layer, data-link layer, network layer, and transport layer content. The pane at the bottom of the screen displays the raw data as a column of hexadecimal side by side with a column of the same data in ASCII format.

From the top pane we can easily identify IP address and protocol information. From the middle pane we can “drill down” into the line that is selected in the top pane, to examine various flags within protocol headers, checksums, etc. In the bottom pane we can see the raw contents of the packet selected in the top pane, and whatever we have selected in the middle pane is highlighted in the bottom pane.

Let’s take a closer look at the bottom pane. Some suspicious material contains non-alphanumeric ASCII characters or binary content. In such cases it is helpful to view the corresponding hexadecimal representation of the contents.

Note in the above example (which is taken from a different trace file) that on the right of the pane we see various ASCII characters. A “.” in the right-hand column stands for either an ASCII period or a non-printable (binary) byte, while the alphanumeric characters and other punctuation symbols in that column represent the raw data as ASCII characters. The values to the left represent the same data in hexadecimal. Here in this trace, “00 C0 9F 34 9E AC” represents the destination MAC address in the frame. The hexadecimal column on the left shows that the first four bytes are “00 c0 9f 34”; the byte “34” is part of the destination MAC address. At the end of the fourth row we see, on the right, the characters “SMB2”. The fourth row, as represented in hexadecimal, is “fa 94 aa f1 00 00 00 00 00 86 ff 53 4d 42 32 00”. Note that the ASCII value for “S” is represented in hex as 53, so “53 4d 42 32” is the hexadecimal representation of “SMB2”. If we wanted to identify these packet contents in a Snort rule, we could look for the binary content “fa 94 aa f1”, which is the first four bytes of the fourth row in hexadecimal, and we could also look for the ASCII content “SMB2”, which is found towards the end of the fourth row.

Scroll through the “c:\snort\bin\snort.out” trace file by using the scroll-bar in the top-pane that has the colored rows of network traffic. Select a line in the top pane. Click in the middle pane and select information in the middle pane. Notice the pane at the bottom of the screen. The highlighted contents correspond to what was selected in the middle pane.

Now let’s see how we can use this information in Snort.

For snort, we will be using the command-line. The last page of this document contains a DOS cheat sheet, which you may find helpful during this lab. Open up the command-line console from the start menu in your Cloud VM. Press “Start” then “Run…”, and then type “cmd.exe” in the entry box and click “ok.”

To enter the snort directory, type the following at the command prompt:

cd c:\snort\bin

You can always get a list of command line options by typing “snort --help”. A good set of command line arguments to pass Snort in this lab is:

snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log

Reading the help file, include in your lab write-up what each of those flags should do.

The intention of Snort is to alert the administrator when any rule matches an incoming packet. Administrators can keep a large list of rules in a file, much like a firewall rule set.

All the rules are generally about one line in length and follow the same format. Here’s an example:

log tcp any any -> 128.119.245.66 23 (msg:"telnet to www machine!"; sid:999;)

This rule tells snort to record (“log”) all packets destined to the telnet port on 128.119.245.66 and to include a user readable string. The sid is the Snort rule ID (a.k.a. Signature ID). You can use any sid number (sid:xxx) you wish to use for this exercise.

In general, all rules are of this form:

action protocol address port direction address port (rule option)

In our example, the action was “log”. We could simply write to a common alert file with the command “alert”. The difference between log and alert is that each IP address gets its own log file for later analysis, while all alerts are stored in one common file.

The protocol field can be “tcp”, “udp”, or “icmp”. “Any” is not allowed. Addresses can be specified in CIDR notation, and ports can be given as ranges and with the “!” (negation) operator. The example below (stolen from the documentation!) logs all packets to a range of machines that are not on ports 6000-6010.

log tcp any any -> 192.168.1.0/24 !6000:6010

The direction operator is “->”, “<-”, or “<>” (the last for bidirectional traffic between two addresses). The rule options specify tasks to be performed if the addresses and protocols match.

For example, here’s a snort rule to catch all ICMP echo messages:

alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)

You should be in the “c:\snort\bin” directory. Open up “c:\snort\bin\csec640.rules” in the editor by entering the following in the command prompt (assuming that you are in the c:\snort\bin directory):

edit csec640.rules

Enter the rule listed above, which alerts on icmp type 8 packets. Save and then Exit the editor by using your mouse to click the File menu and Save, then click the File menu and Exit, or with your keyboard press “Alt-F” “s” followed by “Alt-F” “x”.

Now run snort so that it uses this rule file.

snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log

To take a look at the results which were written to c:\snort\bin\log\alert.ids, type the following command (assuming that you are in c:\snort\bin directory):

edit log\alert.ids

In your write up include the output of this command.

Note that within a Snort rule, several options can be listed inside the parentheses. Each option must end with a semicolon, even if there is only one option. Other useful options include “content”, “flags”, and “ipoption”. More are listed in the “writing snort rules” document.
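An added example, not Snort's own code, that models how the rule header form given above (action protocol address port direction address port) and the itype and content options decide a match: it uses the two rules quoted in this section, a content rule built from the hex/ASCII row in the Wireshark walkthrough, and constructed packets rather than snort.out. Function names such as content_bytes and fired are this example's own, and options are split on ';' only, which is enough for the rules shown.

```python
import ipaddress

def content_bytes(spec):
    """Snort content syntax: text inside '|' pairs is hex, the rest literal ASCII."""
    out = b""
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("ascii")
    return out

def _addr_ok(spec, addr):
    """'any', a host or a CIDR block; a leading '!' negates the test."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def _port_ok(spec, port):
    """'any', one port or a range such as 6000:6010; a leading '!' negates."""
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = spec == "any" or port == int(spec)
    return hit != neg

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (key:val; ...)' into a dict."""
    head, _, opts = text.strip().partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = []
    for opt in opts.rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": options}

def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and optional payload/itype.
    '->' tests the header one way; '<>' accepts either direction."""
    if rule["proto"] != pkt["proto"]:
        return False
    def one_way(a, ap, b, bp):
        return (_addr_ok(rule["src"], a) and _port_ok(rule["sport"], ap)
                and _addr_ok(rule["dst"], b) and _port_ok(rule["dport"], bp))
    fwd = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not (fwd or rev):
        return False
    for key, val in rule["opts"]:  # every option must hold (logical AND)
        if key == "itype" and pkt.get("itype") != int(val):
            return False
        if key == "content" and content_bytes(val) not in pkt.get("payload", b""):
            return False
    return True

def fired(rules, packets):
    """Return (label, packet index) pairs, one per match, like lines in alert.ids."""
    hits = []
    for rule in map(parse_rule, rules):
        label = dict(rule["opts"]).get("msg", rule["action"] + " " + rule["dst"])
        hits += [(label, i) for i, p in enumerate(packets) if matches(rule, p)]
    return hits

# The two rules quoted in the lab plus one content rule built from the SMB2 hex row.
RULES = [
    'alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)',
    "log tcp any any -> 192.168.1.0/24 !6000:6010",
    'alert tcp any any -> any 445 (msg:"SMB2 header"; content:"|fa 94 aa f1|"; content:"SMB2"; sid:1000001;)',
]

# Constructed packets (not taken from snort.out); ICMP has no ports, so 0 is recorded.
SMB2_ROW = bytes.fromhex("fa 94 aa f1 00 00 00 00 00 86 ff 53 4d 42 32 00")
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.5", "sport": 0, "dst": "192.168.10.2", "dport": 0, "itype": 8},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.77", "dport": 6005},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.77", "dport": 80},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "192.168.1.9", "dport": 445, "payload": SMB2_ROW},
]

if __name__ == "__main__":
    print(fired(RULES, PACKETS))
```

Note that the header-only log rule also fires on the SMB2 packet, which is the kind of over-general match the lab warns against when it asks for rules that identify one signature each.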

3.2 Complete and submit Questions 1-4 to the instructor.

Question 1 [10 %]

What does each of the flags in this snort command line do?

snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log

Question 2 [60%: 10% for each of 6 Snort rules]

There are several distinct packet signatures in the packet trace file. In the trace file, there are 30 packets total. Your task is to create 6 new Snort rules that will uniquely identify the 6 different packet signatures. One Snort rule is already shown as an example (i.e., alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)). Since you were already provided with the example Snort rule, you need to “comment out” the example rule in the csec640.rules file by putting a “#” at the beginning of the line, in front of the word “alert”.

Look through the packet trace to identify the other rules. Look for more general signatures where you can; however, be careful not to write signatures that are too general (e.g., no three “any”s in a single rule). Part of the intent of the lab is to learn how to write effective rules. It is easy to write a rule that matches all IP datagrams regardless of content, but this would be a very ineffective rule at detecting anomalous or malicious activity.

Include in your write-up the 6 additional rules you have created as well as the c:\snort\bin\log\alert.ids output (you may screen-capture the alert output and include it in the report). The alert output file is appended to each time Snort produces output, so you want to erase the alert file by typing

del C:\snort\bin\log\alert.ids

before each Snort run while experimenting with different rules. Be sure to include a descriptive message (“msg” and “sid:xxx”) with each alert. In addition, briefly explain each rule you write.

The report should include the following information:

Rule #1:

· Snort alert rule you’ve created.

· Explain how rule #1 works.

· Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #1.

Rule #2:

· Snort alert rule you’ve created.

· Explain how rule #2 works.

· Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #2.

Repeat for Rule #3 through Rule #6.

Please test each rule individually and comment out any previous rules that you have successfully tested. This lets you test each rule on its own, which makes troubleshooting easier.

The rules you write may be instructive, but not the most useful for a real system.

3.3 Gimmiv.A Analysis

Read the analysis at the below links:

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

Question 3 [20%]

The ThreatExpert link above describes Gimmiv.A as:

“….it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network.”

Describe “in your own words” your interpretation of the above quote. Focus on the behavior and explain how the code could impact a network. Explain in a few paragraphs what techniques you may use to detect the above threat caused by Gimmiv.a. You will likely have to do research to explain this sufficiently. What snort rule(s) should you use to prevent (or detect) the above threat?

Question 4 [10%]

You learned about covert channels in Week 6. Do you think an IDS like Snort can easily detect a covert channel? For example, can you write an effective set of Snort rules to prevent any information leak through a covert channel? Explain your answer in detail.

Note: When you save the lab report, label it as: Firstname_LastName_Lab2.xxx (xxx is a file extension (e.g., doc, docx, or PDF)).

DOS CHEAT SHEET

Command line                        Explanation
.                                   current directory
..                                  parent directory (up one directory)
../                                 parent directory (up one directory)
*                                   zero or more of any characters
?                                   any one character
dir directory_to_view               list directory_to_view
cd directory_to_go_to               change to directory_to_go_to
copy source_file dest_file          copy source_file to dest_file
ren old_name new_name               rename file from old_name to new_name
move dir1\file1 dir2\file2          move dir1\file1 to dir2\file2
edit /R file1                       view file1 (read only)
edit file1                          edit file1
del                                 delete one or more files

Examples:

dir                                 list current directory
dir .                               list current directory
dir ..                              list parent directory
dir *rules                          list current directory where name ends with “rules”
dir log                             list current directory where name = “log”
cd                                  change to default user directory
cd ..                               change to parent directory
cd c:\snort\bin                     change to the bin directory in c:\snort
copy csec.rules csec.rules.orig     make backup copy in current directory
ren alert alert1                    rename “alert” file to “alert1” in same directory
move log\alert log2\alert1          move “alert” file in “log” directory to “alert1” in “log2” directory
edit /R csec.rules                  view the file “csec.rules” from the current directory read-only
edit csec.rules                     open the file “csec.rules” from the current directory for editing
edit /R log\alert*                  view file starting with “alert” in the log directory
