Passive covert channels in the Linux kernel

Implementation and detection of kernel based backdoors and covert channels in Linux kernels

Joanna Rutkowska

The presentation will describe the idea of passive covert channels (PCC). A passive covert channel is a specific kind of covert channel (CC) that does not generate its own traffic. A PCC only changes some fields in the packets generated by legitimate users (or processes) of the compromised host. For example, a PCC can be implemented as a kernel module which changes the Initial Sequence Number (ISN) in all (or only some) outgoing TCP connections. The new ISNs carry the secret message, which could be, for example, a password sniffed by malicious software running on the compromised machine.
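On the detection side, a monitor on the network path can read the ISN of every outgoing SYN and check whether a host's values still look random. The sketch below is an added example, not code from the talk: it parses raw IPv4/TCP headers and flags sources whose ISNs are printable ASCII far more often than chance. It assumes the message bytes are placed in the ISN unmodified; the function names, addresses, thresholds and sample packets are all constructed for illustration.

```python
import struct
from collections import defaultdict

def build_syn(src_ip, sport, isn, flags=0x02):
    """Constructed IPv4+TCP header pair (checksums left at zero) for the demo."""
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, 80, isn, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def syn_isn(packet):
    """Return (src_ip, isn) for a connection-opening SYN, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    if packet[ihl + 13] & 0x12 != 0x02:  # need SYN set and ACK clear
        return None
    return ".".join(str(b) for b in packet[12:16]), struct.unpack_from("!I", packet, ihl + 4)[0]

def is_printable(isn):
    return all(0x20 <= b <= 0x7E for b in isn.to_bytes(4, "big"))

def suspicious_sources(packets, min_syns=8, threshold=0.5):
    """Map source IP -> printable-ISN ratio where it is far above chance.

    For uniformly random ISNs the chance is (95/256)**4, about 1.9%.
    """
    seen = defaultdict(list)
    for pkt in packets:
        parsed = syn_isn(pkt)
        if parsed:
            seen[parsed[0]].append(is_printable(parsed[1]))
    ratios = {ip: sum(v) / len(v) for ip, v in seen.items() if len(v) >= min_syns}
    return {ip: r for ip, r in ratios.items() if r >= threshold}

def sample_capture():
    """Constructed capture: one ordinary host, one whose ISNs carry raw text."""
    normal = [0x9E3779B9, 0x3C6EF372, 0xDAA66D2B, 0x78DDE6E4,
              0x1715609D, 0xB54CDA56, 0x5384540F, 0xF1BBCDC8]
    text = b"constructed sample secret text!!"
    marked = [int.from_bytes(text[i:i + 4], "big") for i in range(0, len(text), 4)]
    pkts = [build_syn("192.0.2.10", 40000 + i, n) for i, n in enumerate(normal)]
    pkts += [build_syn("192.0.2.20", 50000 + i, n) for i, n in enumerate(marked)]
    return pkts

if __name__ == "__main__":
    print(suspicious_sources(sample_capture()))
```

Because the channel is passive, there is no extra connection or unusual destination to alert on; the per-host distribution of a header field is the only signal this check uses.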