My current project: Sifr's Obfuscator

[skritch]

This afternoon, I made a major breakthrough in a project I've been working on since November: I found and eliminated a major bug in my code that's been bugging me for two months.

To explain the project, I'll provide a little background.

The background
At Black Hat 2003 (a computer security conference), Simple Nomad presented a program he whipped together called nCovert. nCovert can run in client or server mode. If you give the client an input file, it can send the contents of that input file to a remote machine running the code in server mode.

That's boring.

What's interesting about nCovert is that the data it sends is entirely embedded in the TCP sequence field of the TCP packet header.

That's mildly amusing.

Amusing, but somewhat trivial, from a security perspective, for the following reasons:

1) The data's sent from a single source IP, to a specific destination IP, which must be the receiving host (unless that host is on a non-switched network -- a rarity these days). That means it's easy to identify the traffic stream if you're looking for it.

2) The datastream is TCP-based, which means it's stateful. It's trivial to kill a TCP session from a firewall.

3) The datastream has a "fingerprint"; that is, it's fairly easy to pick out the packets hiding the data from other traffic. I.e., the hidden data is fairly obvious.


Simple Nomad and I talked about these and other issues at the end of his presentation, and it got me to thinking about how something like this could work, and work well.


The Project
So, while sitting at Arecibo National Observatory in November, at 3am, listening to the galaxy whiz past, I started working on what I call Sifr's Obfuscator, or SOB for short.

SOB fixes all the problems with nCovert, and adds several unique twists. It performs the same basic function -- it hides a data stream -- but it does so in a much more sophisticated manner.

First, SOB uses UDP, not TCP, so there is no stateful connection to monitor and stop.

Second, SOB sends every packet from a separate source IP; there is no single source IP to block. The packets seem to come from everywhere.

Third, SOB can send the traffic to a broadcast IP. Technically, this could be done with nCovert as well, but TCP packets sent to a broadcast IP are extremely odd, and easy to spot as anomalous. UDP packets sent to broadcast addresses are common.

Fourth, SOB intentionally generates a random number of "noise" packets in between each packet containing hidden data. These noise packets are indistinguishable from the packets containing the data, and thus it's impossible for an outside observer to know which packets contain data, and which don't.

Fifth, SOB uses an IP header field (IP_ID) to hide the data, rather than a TCP header. This is less likely to be monitored by firewalls and IDSes.

Sixth, SOB implements what amounts to packet sequencing in the UDP protocol (this is necessary to obtain the data from a series of packets that come from random source IPs).

There are some other niceties built into SOB, such as a general purpose packet sniffer, the ability to specify a source and/or destination port to facilitate passing the data through firewalls (e.g., using port 53), and so forth.

This is purely a proof-of-concept (written in C) to demonstrate various weaknesses in current security methods, and to further the field of research into covert channel communications on the Internet. I'll be submitting it to be presented at Black Hat 2004 shortly, at which point the code will be released.

Just thought people here might be interested in the things that I do to entertain myself in my free time.

 

[FLECOM]

why cant i get a job like yours? get me a job damnit...

as for your concept, i find it very interesting... realisticly UDP is normally ignored by most stuff...

but if my memory serves me correctly (which it usually does not) UDP dosent check that the packet arrived does it?

if so you would need some sort of way of checking that the entire stream arrived...

or maybe im just thinking of TFTP... dunno... meh


but what i find more interesting is that you are embedding the data in the headers? so then what data (if any) does the packet itself contain?

obviously the "proof of concept" concept is that with an application like this and maybe some decent encryption thrown in before the process you could in theory send a completely secure transmission through the internet becuase it would essentially be ignored by everything... firewalls, proxies etc...

that and with multiple sources and seemingly unrelated packets it would be nearly impossible to regenerate the stream without knowing exactly what order they go in...

especially if you add "noise" as you mentioned... the real issue would be the client communicating securely to the server with the hash or whatever descriptor the server needs in order to reconstruct the data stream and know what packets are "noise"

hence the software or the way it forms the streams/etc would need to be secure as you wouldent want it to be reverse-engineered...

i really love this stuff, i have spent many a night looking online at how many of histories best cryptography/stegonography (both of which im sure i mispelled ) mehtods, its amazing how effective many of them could be when you think about how you could convert them into digital forms

i think this has been my longest post ever

gonna re-read your post also... but definately keep us posted

 

[skritch]

Originally posted by FLECOM
why cant i get a job like yours? get me a job damnit...

Heh. We're not hiring; not for a while, anyway.

as for your concept, i find it very interesting... realisticly UDP is normally ignored by most stuff...

but if my memory serves me correctly (which it usually does not) UDP dosent check that the packet arrived does it?

if so you would need some sort of way of checking that the entire stream arrived...

You're right, there's no way to know whether a UDP packet arrived. That's one of the tradeoffs in using UDP vs. TCP. However, in this instance the improved security is worth the reduced reliability. The data can always be sent more than once to fill in any gaps. Alternately, I could incorporate a Gray Code into the datastream for checksumming purposes. This'd facilitate gap-filling on resends.

but what i find more interesting is that you are embedding the data in the headers? so then what data (if any) does the packet itself contain?

Very good question. I thought about this for a while, and decided the most devious method would be a UDP datagram payload of average, but randomly-varying length, full of random data. This means that the datagram payloads can't be used to distinguish the SOB traffic from other traffic, because their length is not significantly different from any other UDP traffic, and the contents contain no regular or repeating data that could be used to fingerprint the SOB packets.

obviously the "proof of concept" concept is that with an application like this and maybe some decent encryption thrown in before the process you could in theory send a completely secure transmission through the internet becuase it would essentially be ignored by everything... firewalls, proxies etc...

that and with multiple sources and seemingly unrelated packets it would be nearly impossible to regenerate the stream without knowing exactly what order they go in...

especially if you add "noise" as you mentioned... the real issue would be the client communicating securely to the server with the hash or whatever descriptor the server needs in order to reconstruct the data stream and know what packets are "noise"

hence the software or the way it forms the streams/etc would need to be secure as you wouldent want it to be reverse-engineered...

Exactly. In fact, a bit I didn't mention is that the receiving side must know the source IP of the first packet, and the initial offset for the sequencing data I embed in the UDP payload. That information can be communicated out-of-band, via phone or email, to the receiving party. Thus, the datastream itself contains no information signalling the start of the datastream. This is akin to a "one time pad" encryption scheme, where the keys are agreed upon ahead of time and distributed separately from the cyphertext.

i really love this stuff, i have spent many a night looking online at how many of histories best cryptography/stegonography (both of which im sure i mispelled ) mehtods, its amazing how effective many of them could be when you think about how you could convert them into digital forms

i think this has been my longest post ever

gonna re-read your post also... but definately keep us posted

Will do. I do much the same thing. You might also want to check out many of the books by Martin Gardner, particularly his Turing Omnibus books. Tons of short essays on various computational approaches to problems (such as Gray Code) that stimulate thought along these lines.

 

[FLECOM]

Originally posted by skritch
Heh. We're not hiring; not for a while, anyway.

damn!

Originally posted by skritch
You're right, there's no way to know whether a UDP packet arrived. That's one of the tradeoffs in using UDP vs. TCP. However, in this instance the improved security is worth the reduced reliability. The data can always be sent more than once to fill in any gaps. Alternately, I could incorporate a Gray Code into the datastream for checksumming purposes. This'd facilitate gap-filling on resends.

true... i think some sort of check system would be nessicary, becuase even if you were to send out each packet multiple times, this increases your broadcast time... which is never a good thing

Originally posted by skritch
Very good question. I thought about this for a while, and decided the most devious method would be a UDP datagram payload of average, but randomly-varying length, full of random data. This means that the datagram payloads can't be used to distinguish the SOB traffic from other traffic, because their length is not significantly different from any other UDP traffic, and the contents contain no regular or repeating data that could be used to fingerprint the SOB packets.

makes sence... only concern is you would have to make it random enough to be undetectable... but not so random that its suspicious... i dont know if that makes any sence... its 3:45am

Originally posted by skritch
Exactly. In fact, a bit I didn't mention is that the receiving side must know the source IP of the first packet, and the initial offset for the sequencing data I embed in the UDP payload. That information can be communicated out-of-band, via phone or email, to the receiving party. Thus, the datastream itself contains no information signalling the start of the datastream. This is akin to a "one time pad" encryption scheme, where the keys are agreed upon ahead of time and distributed separately from the cyphertext.

ok definately a possibility... but then this would not be an automated process... which i guess is kinda of a good thing... but if somone figures out how to make is basically automated it would make one crazy trojan/virus... or worse... an app like this really could be extremely dangerous.. you might want to watch out some dudes in black suits

Originally posted by skritch
Will do. I do much the same thing. You might also want to check out many of the books by Martin Gardner, particularly his Turing Omnibus books. Tons of short essays on various computational approaches to problems (such as Gray Code) that stimulate thought along these lines.

i will look into it... cant wait for the next chapter in SOB hehe

 

[skritch]

Originally posted by FLECOM
ok definately a possibility... but then this would not be an automated process... which i guess is kinda of a good thing... but if somone figures out how to make is basically automated it would make one crazy trojan/virus... or worse... an app like this really could be extremely dangerous.. you might want to watch out some dudes in black suits

Heh. It'd be fairly simple to automate. For example, if it were embedded in a Trojan, you could have an email sent to the infected host a week before you want the traffic to be received. The email could be from the initial source IP (or, more trickily, could be, say, the address of the third hop as reflected by the Received: headers), and the body could simply be a literary quote with a numerical reference. The Trojan could find the email, get the IP and initial offset, and away it goes.

There're any number of other ways to automate it as well.


As for the MiB, that's why I'm going to present it at Black Hat: many of the people who go to that conference *are* the MiB. There's usually a large contingent from various 3-letter agencies, both publicly and secretly.

 

[FLECOM]

Originally posted by skritch
As for the MiB, that's why I'm going to present it at Black Hat: many of the people who go to that conference *are* the MiB. There's usually a large contingent from various 3-letter agencies, both publicly and secretly.

hehe, when you get picked up by one of the three letters, dont forget about the little guys that need work

 

[skritch]

Well, the code's now fully-functional, and I've started to write the paper and presentation for Black Hat 2004 (the call for papers goes out in a few weeks).

I've also notified Simple Nomad of sob's existence and the fact that his nCovert tool inspired it (and also that sob contains a bit of nCovert code).

With luck, it'll get accepted, and I'll have a free trip to Vegas in August.

 

[FLECOM]

Originally posted by skritch
Well, the code's now fully-functional, and I've started to write the paper and presentation for Black Hat 2004 (the call for papers goes out in a few weeks).

I've also notified Simple Nomad of sob's existence and the fact that his nCovert tool inspired it (and also that sob contains a bit of nCovert code).

With luck, it'll get accepted, and I'll have a free trip to Vegas in August.

hey take me with you

for... um... contributing to... umm... something

good luck

 

[resident_freq]

Skrich, first I want to say that you are one of the smartest people I see post around here on some subjects. The way this works is devious, malicious, and damn cool. I look at this from the standpoint of someone with training and experience in RF communications, and with those eyes I look at it and say 'now thats a good idea'. I've got to go to work, so I'll post some ideas when I get there on some things that might help disguise your traffic and/or help with data integrity. Maybe you've thought of them, maybe you haven't, but keep up the good work, Dr. Skritch.

 

[skritch]

Originally posted by resident_freq
I've got to go to work, so I'll post some ideas when I get there on some things that might help disguise your traffic and/or help with data integrity. Maybe you've thought of them, maybe you haven't, but keep up the good work, Dr. Skritch.

Part of the concept came from the frequency-hopping paradigm we're seeing more and more in wireless communications.

I look forward to hearing your ideas! By the way, I'm not a doctor; I left grad school before defending my dissertation. No job market and a thesis that proves the founder of your field faked the data in his seminal works are recipes for a short, unhappy career.

 

[FLECOM]

mmm sounds likfe fun on that one

ironicly i use a FH wireless network here at home... security by obscurity? hehe...

since nobody has 802.11 FH hardware anymore (since its painfully slow ~700kbps) i never worry about my wireless network

its a BayNetworks 650 Wireless Access Point and a BayNetworks 650 Wirless PC Card

 

[Schmoman]

senior unix system admin eh? i bet you're the janitor.

 

[skritch]

Originally posted by Schmoman
senior unix system admin eh? i bet you're the janitor.

I'm sorry; did someone defecate in your eggs this morning?

I guess I shouldn't mention I'm THE senior unix sysadmin there, then, either.

Your jealousy doesn't wear well on you.

But, since you doubt me, here: http://www.seti.org/ao_11_03/index.php?id=34

That's one of the Arecibo Diary entries I wrote while at Arecibo in November. Notice the title next to my name. Now notice the website it's on.

 

[FLECOM]

Originally posted by skritch
Arecibo

goldeneye was a good movie

 

[Snugglebear]

We need to turn that thing into a death ray. It's just not as cool sitting there all passive. Either that or stick a pringles can up at the top and try sending an 802.11 signal to the ISS.

 

[skritch]

Originally posted by Snugglebear
We need to turn that thing into a death ray. It's just not as cool sitting there all passive. Either that or stick a pringles can up at the top and try sending an 802.11 signal to the ISS.

Well, it does have an enormous Klystron mounted in the Gregorian that's the world's most powerful radar transmitter.

Given the safety precautions necessary when it's turned on, it's safe to say it's already got a death ray.

I've got a picture of me next to it, somewhere (one of our staff was director of Arecibo for about 20 years, and he gave me a full walking tour of the suspended platform in the winter of 2002.)

Its hard to judge the scale of the Gregorian and the platform when you look at it in pictures. The dish is over 300m across, and the Gregorian itself is about the height of a 6-story building. (The Gregorian is that ball-shaped thing dangling beneath the platform, on the azimuth arm).

 

[ipconfig /all]

Originally posted by skritch
But, since you doubt me, here: http://www.seti.org/ao_11_03/index.php?id=34

That's one of the Arecibo Diary entries I wrote while at Arecibo in November. Notice the title next to my name. Now notice the website it's on.

That's too funny. You just post a link to a web site article and claim that it's you.

I'm not flaming you but it is pretty funny.

I'm the President & CEO of Cisco Systems. But, since you will probably doubt me, here: http://newsroom.cisco.com/dlls/tln/exec_team/chambers/
Notice the title next to my name. Now notice the website it's on. You will see that I am clearly the CEO of Cisco.

See how easy that is.

 

[skritch]

Originally posted by ipconfig /all
That's too funny. You just post a link to a web site article and claim that it's you.

I'm not flaming you but it is pretty funny.

I'm the President & CEO of Cisco Systems. But, since you will probably doubt me, here: http://newsroom.cisco.com/dlls/tln/exec_team/chambers/
Notice the title next to my name. Now notice the website it's on. You will see that I am clearly the CEO of Cisco.

See how easy that is.

Anyone with half a brain can verify that's my real name. I do not go out of my way to conceal it. In this very post, there are at least three methods for verifying my actual name.

 

[ipconfig /all]

Originally posted by skritch
Anyone with half a brain can verify that's my real name. I do not go out of my way to conceal it. In this very post, there are at least three methods for verifying my actual name.

I must have 40% of a brain or you're over embellishing just a bit. I think it's a combination of both.

 

[skritch]

Originally posted by ipconfig /all
I must have 40% of a brain or you're over embellishing just a bit. I think it's a combination of both.

I'll give you hints for each:

1) domain registrar
2) website content
3) Web browser status bar and AIM.

I refuse to justify myself to you further. If you don't want to believe I hold the title I do at the organization for which I work, I have no obligation to prove it to you.

 

[ipconfig /all]

Originally posted by skritch
I refuse to justify myself to you further. If you don't want to believe I hold the title I do at the organization for which I work, I have no obligation to prove it to you.

I just thought it was funny that you point to a web site to prove your identity to a person (who is probably not going to use any of the three methods for verifying your ID) because the guy called you a janitor.

You don't need to prove your identity here. It's all in the quality of your posts. In several of your posts here, you seem to feel the need to point out who you are, where you work and how old you are; you get very offended when anybody qestions your credentials. WHY?

A man of your age and education should know how to relax, roll with the punches and have confidence in yourself.

 

[PHUNBALL]

Originally posted by ipconfig /all
I just thought it was funny that you point to a web site to prove your identity to a person (who is probably not going to use any of the three methods for verifying your ID) because the guy called you a janitor.

You don't need to prove your identity here. It's all in the quality of your posts. In several of your posts here, you seem to feel the need to point out who you are, where you work and how old you are; you get very offended when anybody qestions your credentials. WHY?

A man of your age and education should know how to relax, roll with the punches and have confidence in yourself.

I AGREE and also don't see the point of the defensive posture that arises every time this happens. Why do you care so much that people know who you are and what you do for a living? You are not the first, last, or only Unix Admin to walk this Earth...

 

[skritch]

Ah, I see. This is where all the people who've lost arguments to me crawl out of the woodwork and take potshots.

Go right ahead. It'll fall on deaf ears, lads.

 

[Schmoman]

Originally posted by skritch
Ah, I see. This is where all the people who've lost arguments to me crawl out of the woodwork and take potshots.

Go right ahead. It'll fall on deaf ears, lads.

Hello again SETI janitor. How goes your pursuit in search for extra-terresterial lifeforms on the bottom of the bathroom floor? People who display their merit online in the form of Sr. whatever probably don't get the stuff out of life that they really want...

Admit it, either the radiation from your transmitters got to you, or you're probably a one time shot who thinks he's bigtime.

 

[versello]

Originally posted by Schmoman
Hello again SETI janitor. How goes your pursuit in search for extra-terresterial lifeforms on the bottom of the bathroom floor? People who display their merit online in the form of Sr. whatever probably don't get the stuff out of life that they really want...

Admit it, either the radiation from your transmitters got to you, or you're probably a one time shot who thinks he's bigtime.

ahaha!

 

[FLECOM]

Originally posted by ipconfig /all
I'm the President & CEO of Cisco Systems. But, since you will probably doubt me, here: http://newsroom.cisco.com/dlls/tln/exec_team/chambers/

eeewww.... why him?

 

[RichardParry]

please keep on topic !

 

[ipconfig /all]

Originally posted by FLECOM
eeewww.... why him?

I thought using Bill Gates was too unbelievable and Mark C Langston (my second choice) was already being used in this thread, so I picked John Chambers.

I figured that since Chambers and Langston probably have the same net worth, it was a good choice to use in the example.

Originally posted by skritch
It'll fall on deaf ears, lads.

There you go kiddo, roll with the punches!!

please keep on topic !

I thought this is on topic. By definition, I figured "Sifr's Obfuscator" was a post compiled by skritch to confuse people about the identity of Mark C Langston. But what the hell do I know, I have less than half a brain.

 

[ChappyChaps11]

What would you be using this technology for? I mean dont get me wrong it seems great and all but it sounds like a virus to me. Or at least, likely to be the future of viruses if this information was to fall into a hackers lap

 

[Gertrude]

Originally posted by ChappyChaps11
What would you be using this technology for? I mean dont get me wrong it seems great and all but it sounds like a virus to me. Or at least, likely to be the future of viruses if this information was to fall into a hackers lap

This kind of thing has been around for quite some time, and Its not really anything new that the bad guys don't know already about. skritch is just adding in some extra functionality. Search google for "covert channel" and you should find some interesting information on the subject . Using these types of tools can aid in gettting data in or out of a network to bypass a firewall, or escape the detection of a IDS.

 

[Wrench00]

Cool Concept

 

[Qualm]

Maybe this is a tangent and belongs in a new thread, maybe not:

I've been thinking about what my firewalls do and how they do it and therefore how good they'd be at stopping something like SOB. I believe, and I may be wrong about this, that the average firewall user (corporations) don't have much to worry about in terms of penetrations from outside, since the program still has to find a way to get UDP traffic in to be picked up by the SOB program.

An SPI firewall like iptables running on a Linux box could block everything unsolicited coming in simply by blocking all UDP ports except those absolutely necessary (which leads to my main question, see below). Most SPI firewalls are configured to do exactly that. But most don't block anything originating or part of a converation originating from the internal side of the firewall. Therefore, since an SPI firewall is just as bad at stopping any other conversation originating from inside, so I don't see that SOB has any real advantage over any other trojan that might be running on the inside of an SPI firewall. I know that's not really it's main purpose (to succeed more often than other methods), just an observation.

A per-program policy-oriented firewall like MS ISA server should be able to stop traffic in both directions because the SOB program isn't approved, right?

My main question is this:

If the SOB program is set to use a common UDP port that is in fact open on the firewall, wouldn't it conflict with whatever legitimate program is already using that port? The only reason you'd open a specific UDP port is to that traffic could be serviced (perhaps on that box, perhaps forwarded).

What happens to packets arriving on a socket serviced by more than one program? Is it even possible to run a program which uses a socket already in use by another program? Or is that blocked by the OS or something else?

- Qualm

 

[skritch]

Originally posted by Qualm
Maybe this is a tangent and belongs in a new thread, maybe not:

I've been thinking about what my firewalls do and how they do it and therefore how good they'd be at stopping something like SOB. I believe, and I may be wrong about this, that the average firewall user (corporations) don't have much to worry about in terms of penetrations from outside, since the program still has to find a way to get UDP traffic in to be picked up by the SOB program.

An SPI firewall like iptables running on a Linux box could block everything unsolicited coming in simply by blocking all UDP ports except those absolutely necessary (which leads to my main question, see below). Most SPI firewalls are configured to do exactly that. But most don't block anything originating or part of a converation originating from the internal side of the firewall. Therefore, since an SPI firewall is just as bad at stopping any other conversation originating from inside, so I don't see that SOB has any real advantage over any other trojan that might be running on the inside of an SPI firewall. I know that's not really it's main purpose (to succeed more often than other methods), just an observation.

A per-program policy-oriented firewall like MS ISA server should be able to stop traffic in both directions because the SOB program isn't approved, right?

My main question is this:

If the SOB program is set to use a common UDP port that is in fact open on the firewall, wouldn't it conflict with whatever legitimate program is already using that port? The only reason you'd open a specific UDP port is to that traffic could be serviced (perhaps on that box, perhaps forwarded).

What happens to packets arriving on a socket serviced by more than one program? Is it even possible to run a program which uses a socket already in use by another program? Or is that blocked by the OS or something else?

- Qualm

The source and destination port can be specified. E.g., port 53, where it is common to see UDP traffic for DNS requests.

The normal use of SOB is to send the traffic to a broadcast address; thus, the packets don't need to go directly to the receiving host.

Further, the receiving code listens promiscuously, so there's no need to bind to a port.

Also, SOB was developed based on the concept of a separate firewall and receiving host (as is found in most non-consumer environments). It's not designed to be run on the firewall itself (though it could be). Any system that requires pre-authorization for a binary before it'll allow a binary to execute would, in fact, stop the receiver from running. But then, it'll stop lots of other malware from running, too, so that's not surprising.

However, SOB requires root/administrator access on both the receiving and sending side to run anyway, so anyone with that kind of access could disable such programs.

 

[foreignkid]

I'm not really sure, but I think that the OS wouldnt let a program use a port if another program was using it. Port numbers are how the OS decides which program to send an incoming packet to i think.

 

[skritch]

Originally posted by foreignkid
I'm not really sure, but I think that the OS wouldnt let a program use a port if another program was using it. Port numbers are how the OS decides which program to send an incoming packet to i think.

The receiving code listens promiscuously; it doesn't need to bind to a port.