Kenton's blog

HTML 5 Specification

I caught myself studying the HTML 5 specification tonight and had to comment on section 1.7.1 (shown below):

1.7.1 How to read this specification

This specification should be read like all other specifications. First, it should be read cover-to-cover, multiple times. Then, it should be read backwards at least once. Then it should be read by picking random sections from the contents list and following all the cross-references.

It is nice to see that a few authors out there have a sense of humor. If I am going to spend my Friday night reading a specification, I would like it to have a little bit of humor in it :-)

Massively Parallelized Packet Processing

I have been spending some time thinking about how to process pcap files ranging from several gigabytes to petabytes in size. While tools such as Wireshark do some pretty fantastic analysis, they do not scale well. I quickly started thinking about some of the massive data processing architectures such as the Hadoop framework! I believe there may be a lot of potential in doing covert channel analysis of massive amounts of traffic by taking this type of approach. This could be useful in analyzing past traffic when new exploits and covert channels are discovered.

When I was researching tools that attempt to accomplish this (favoring anything on the free side), I came across a tool called xtractor. However, this tool is limited to files of at most one gigabyte. While I feel like they were on the right track, I was not sure about the limited flexibility of their web interface/CouchDB approach. I see a lot of potential in tailoring the HDFS/MapReduce/Hive projects to accommodate some really interesting calculations on enormous amounts of data in a distributed/clustered environment. While this will by no means provide real-time results, it will allow historical data to be scanned for new threats much more quickly than most processes that are currently in place.

One trick that must be dealt with involves how to appropriately split pcap files for efficiency in HDFS/MapReduce. Pcap files are not formatted in a way that a large file may be easily broken down into several pieces (although the new PcapNg format under development should help!). One idea I thought was interesting would be to extract data from packets at various sensors, inserting necessary information into an HBase table (perhaps organizing by flows, etc). HBase could then be used as the input into the MapReduce queries at a later time.

Really, I think there are many possible ways of combining the different Hadoop technologies into a structure that allows for much more powerful (and cheap) packet processing. Has anyone run into any other projects that successfully accomplish this?
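As an added example (my own illustration, not code from the post or from any of the projects it names), the following Python shows the splitting problem concretely. A classic pcap file is a 24-byte global header followed by records that each carry their own length, so the only way to find record N is to read records 0 through N-1; an arbitrary byte offset is almost never a record boundary. The code walks the chain, reports which offsets are valid boundaries, and groups records into splits of roughly a requested size that, once the global header is prepended, are each a valid pcap on their own. The sample file is constructed inline.

```python
import struct

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def pcap_endianness(data):
    """Return the struct byte-order prefix ('<' or '>') from the magic number.
    PcapNg files start with a block header instead and are rejected here."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short for a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):   # usec / nsec timestamps, little-endian
        return "<"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):   # the same magics, byte-swapped
        return ">"
    raise ValueError("unknown pcap magic 0x%08x" % magic)


def record_offsets(data):
    """Walk the record chain and return [(offset, record_len), ...].
    Each record is only reachable through the previous record's incl_len."""
    order = pcap_endianness(data)
    offs = []
    pos = GLOBAL_HDR_LEN
    while pos < len(data):
        if pos + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        _sec, _frac, incl_len, _orig = struct.unpack(
            order + "IIII", data[pos:pos + RECORD_HDR_LEN])
        rec_len = RECORD_HDR_LEN + incl_len
        if pos + rec_len > len(data):
            raise ValueError("truncated record body at offset %d" % pos)
        offs.append((pos, rec_len))
        pos += rec_len
    return offs


def is_record_boundary(data, offset):
    return any(off == offset for off, _ in record_offsets(data))


def aligned_splits(data, chunk_size):
    """Group consecutive records into byte ranges of at most chunk_size bytes
    (a single oversized record gets a range of its own). Prefixing any range
    with data[:GLOBAL_HDR_LEN] yields a stand-alone pcap."""
    ranges = []
    start, cur = None, 0
    for off, rec_len in record_offsets(data):
        if start is None:
            start, cur = off, rec_len
        elif cur + rec_len <= chunk_size:
            cur += rec_len
        else:
            ranges.append((start, off))
            start, cur = off, rec_len
    if start is not None:
        ranges.append((start, start + cur))
    return ranges


def build_sample_pcap():
    """Constructed sample: little-endian, Ethernet link type, three records of
    60, 1500 and 300 bytes whose payloads are dummy bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack("<IIII", 1000 + i, 0, n, n) + bytes([i]) * n
        for i, n in enumerate((60, 1500, 300))
    )
    return hdr + body


if __name__ == "__main__":
    sample = build_sample_pcap()
    print(record_offsets(sample))          # [(24, 76), (100, 1516), (1616, 316)]
    print(is_record_boundary(sample, 1000))  # False: byte 1000 is inside record 1
    print(aligned_splits(sample, 1600))    # [(24, 1616), (1616, 1932)]
```

The same walk is what a custom Hadoop InputFormat would have to do to place its split boundaries, which is why the post's alternative of extracting per-packet records at the sensors and loading them into HBase sidesteps the problem entirely.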

Thoughts on "sudo" Privilege Escalation

I have one of those "this doesn't seem quite right" feelings about the way "sudo" escalates privileges in Linux. In Ubuntu, for instance, a user may preface a command with "sudo" in order to run a command as "root" (provided they can give the correct password). If the correct password is given, the user will be able to continue to use the "sudo" command in that tty (window) without a password until a length of time has passed without using it. The actual process that happens when you use a "sudo" command is as follows:

1) The user enters "sudo " in a tty
2) The OS will check for a file at /var/run/sudo/{username}/{tty}
3) If the file exists, it will check the timestamp on the file. If the modified timestamp is within the expiring limit, no password will be needed, and the modified timestamp is updated.
4) If the file does not exist or the modified timestamp is expired, it will ask for a password.
5) When the valid password is given, it will create the file (or update the modified timestamp).
6) The command will now be run with "root" privileges.

The files in /var/run/sudo/{username} all have permissions that allow only root to read and write them, so this should theoretically be safe. However, something to note is that the only attribute of this file that matters is the modified timestamp. Whether the file is created/modified by a simple touch command or by simply piping random output to it, sudo access will be granted to the user/tty corresponding to that particular file.

I see two scenarios on how this could be attacked by a non-privileged user:
a) The user runs a setuid binary that allows an output/log file to be specified without dropping privileges.
b) A race condition: a binary writes to a fixed location, and the user replaces that location with a symlink to /var/run/sudo/{username}/{tty} before the write happens.

In both cases and no matter what the output from the program was, it would update the timestamp on that particular file, and allow that user to run sudo commands without requiring the root password.

I think a simple fix to both of these issues would be to require a specific modification of the file at that location instead of a simple timestamp update. If nonsensical writing to the file did not grant access, both of these problems would go away. Thoughts?
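To make the proposed fix concrete, here is an added Python model of the two designs side by side. It is my own illustration, not sudo's code, and it uses a scratch directory in place of /var/run/sudo. Model A treats the file's modification time as the whole record, as the post describes. Model B stores a record bound to the user, tty and issue time and authenticated with a key only root would hold, so the check ignores mtime entirely and a file whose contents were not produced by the grant routine grants nothing. The 15-minute window, the user name, the tty name and the key are all constructed values.

```python
import hashlib
import hmac
import os
import tempfile

TIMEOUT = 15 * 60   # grace window in seconds; a constructed value for this model


def ts_path(root, user, tty):
    """Same {root}/{username}/{tty} layout as /var/run/sudo, under a scratch root."""
    return os.path.join(root, user, tty)


def fresh_root():
    return tempfile.mkdtemp()


def _write(path, content, mtime):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)
    os.utime(path, (mtime, mtime))


# Model A: the behaviour the post describes. The file's mtime is the whole record.

def legacy_grant(root, user, tty, now):
    _write(ts_path(root, user, tty), b"", now)


def legacy_is_valid(root, user, tty, now):
    p = ts_path(root, user, tty)
    if not os.path.exists(p):
        return False
    return 0 <= now - os.stat(p).st_mtime <= TIMEOUT


# Model B: the post's proposed fix made concrete. The record carries user, tty
# and issue time, authenticated with a key only root holds; mtime is ignored.

def _mac(key, user, tty, issued_at):
    msg = ("%s\0%s\0%d" % (user, tty, issued_at)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hardened_grant(root, key, user, tty, now):
    rec = "%s\t%s\t%d\t%s\n" % (user, tty, now, _mac(key, user, tty, now))
    _write(ts_path(root, user, tty), rec.encode(), now)


def hardened_is_valid(root, key, user, tty, now):
    try:
        with open(ts_path(root, user, tty), "rb") as f:
            fields = f.read().decode("utf-8", "replace").strip().split("\t")
        rec_user, rec_tty, issued_at, tag = fields
        issued_at = int(issued_at)
    except (OSError, ValueError):
        return False   # missing, junk-filled or malformed record grants nothing
    if (rec_user, rec_tty) != (user, tty):
        return False
    if not hmac.compare_digest(tag, _mac(key, user, tty, issued_at)):
        return False
    return 0 <= now - issued_at <= TIMEOUT


def unrelated_write(root, user, tty, now):
    """An unrelated process writing its output to that path (the situation the
    post describes): the contents are arbitrary and the mtime gets bumped."""
    _write(ts_path(root, user, tty), b"some log output\n", now)


def demo(key=b"root-only-secret (constructed)"):
    """Returns ((legacy_before, hardened_before), (legacy_after, hardened_after))."""
    user, tty, now = "alice", "tty1", 1_000_000
    root_a, root_b = fresh_root(), fresh_root()
    # Both records were issued an hour ago, so both are expired.
    legacy_grant(root_a, user, tty, now - 3600)
    hardened_grant(root_b, key, user, tty, now - 3600)
    before = (legacy_is_valid(root_a, user, tty, now),
              hardened_is_valid(root_b, key, user, tty, now))
    # Something else writes to both files right now.
    unrelated_write(root_a, user, tty, now)
    unrelated_write(root_b, user, tty, now)
    after = (legacy_is_valid(root_a, user, tty, now),
             hardened_is_valid(root_b, key, user, tty, now))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((False, False), (True, False))
```

demo() returns ((False, False), (True, False)): both records start out expired, and after an unrelated process writes to both files only the timestamp-only model grants access. The issue time inside the record, rather than the mtime, is what the expiry check reads, so bumping the mtime by any means changes nothing in model B.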

Happy hunting :-)

PSUDP at Black Hat USA 2010!

I have been accepted to speak at Black Hat USA 2010! At the end of July, I will be traveling to Las Vegas to give a 70 minute presentation titled "PSUDP: A Passive Approach to Covert Network-Wide Communication".

This presentation analyzes a novel approach to covert communication over DNS by introducing PSUDP, a program demonstrating passive network-wide covert communication. While several high-bandwidth DNS tunnel implementations are freely available, they all use similar strategies. Storage channels are created in DNS requests by encoding data in subdomain labels, while responses take many forms such as TXT, NULL, and CNAME resource record types to complete the bi-directional link. However, these tunnels may be detected when examining subdomains and irregular resource records in responses. Additionally, these tunnels only provide communication through the active generation of traffic.

The method and tool discussed in this presentation allows a network of computers to participate in passive covert communication by piggy-backing on legitimate network DNS traffic. While low-bandwidth passive tunnels have been built using techniques such as timing channels and field manipulation, no passive high-bandwidth DNS tunnels exist. A novel approach is used to provide significantly higher bandwidth in network-wide covert communication by manipulating legitimate DNS traffic. It is also shown how, in certain scenarios, this method may be used for both covert data exfiltration and as a replacement for existing DNS tunnels. Additionally, it will be shown how a similar method can be applied to many other protocols, not being limited to DNS traffic.

In addition to PSUDP, this presentation will briefly cover a few other recent projects I have worked on in DNS tunnel creation and detection. Firstly, I will show how bi-directional DNS tunnels may be created using a browser and fine-grained JavaScript manipulation. Secondly, I will show my work in detecting DNS tunnels using n-gram frequency analysis.

UPDATE:
Get the presentation, paper, and source code here!

Ironic Virtualization

Linux fanboys, this one's for you!

Objective: Install and play my 12 year old copy of Starcraft 1

Problem: Windows 7, despite having its "compatibility mode" nonsense, could not properly display the game after installation.

Solution: While I didn't have the new system set up for dual-boot yet, I did have a few Linux virtual machines set up through VirtualBox. I quickly became intrigued by the thought of running Starcraft through "wine", the Windows emulation software for Linux.

The irony: I am using Windows 7 to run a virtual instance of Linux so that I can emulate Windows in order to play a game that is incompatible with Windows 7!

Did it work? Beautifully :-)

If you work on the "wine" program, I tip my hat to you...

Cyber Security and Information Intelligence Workshop

I am just finishing up at the Cyber Security and Information Intelligence Research Workshop (CSIIRW) that is held at Oak Ridge National Laboratory every year. The event went well, and had many interesting speakers from Lockheed, Dell, Google, and various government agencies. My presentation on NgViz went well, but I will likely delay further work on this tool until I have the chance to explore PSUDP further, a tool I am creating for a conference down the road. I am exploring some interesting ideas on creating passive network-wide communication channels, and it has been very promising so far. There will be more to come on this!

9th Annual Security Conference

I will have two papers included in the proceedings of the 9th Annual Security Conference in Las Vegas, Nevada. The first paper is a study on using n-gram frequency analysis to detect several of the most common DNS tunnels. The second paper describes a novel method of exfiltrating data over DNS that requires no additional software or privileges. After the presentations take place, I will post more thoroughly about both of them.

I also have several very interesting projects in the works that I think will blow this stuff away.

On the detection side, I am working on two tools: one that provides visualizations and comparisons of DNS traffic against a legitimate "fingerprint" of typical DNS traffic, and one tool that attempts to detect unusual DNS traffic in real-time. This will include character frequency analysis and "unusual" packet formations.

On the other end, I am working on a "new breed" of DNS tunnel that is starting to show some real potential. While I am not going into much detail on it now, I hope to submit it to Black Hat 2010 sometime in April.

Several projects updated!

I have updated several links under the "Projects" menu, so feel free to jump over and check them out!

The two primary additions are the "JForlan" tool I have been working on for Dr. Stoughton, and a character frequency analysis tool I am creating (primarily for the purpose of studying DNS tunnels further, but it has other really interesting uses).

For screenshots and more information about the tools, please use the following links:

http://www.kentonborn.com/jforlan

http://www.kentonborn.com/cfa

Domain Name Fun

I recently collected a list of the 1,000,000 most visited domain names for the month. At this point, I couldn't resist comparing how often different words showed up in domain names compared to others.

Let's see some results!

WORDS                          FREQUENCY
work > play                    4375 to 2266
sex > god                      6391 to 768
take > give                    400 to 262
porn > money/cash > love       5169 to 3220 to 2978
democrat > republican          45 to 21
linux > windows                391 to 291
hoes > bros                    360 to 190
free > shop > buy              8188 to 7439 to 1559
win > lose > fail              4281 to 481 to 102
nba > nfl > mlb                865 to 349 to 24
king > queen > president       3223 to 213 to 27
good > evil                    832 to 499

Anyone else not particularly optimistic about the direction our society is headed?

The actual reason for collecting the domain names was to run n-gram frequency analysis on domains/subdomains. Eventually, this will be used to prove or disprove their usefulness in detecting covert communication in domain names (i.e. DNS Tunnels). However, that is a post for another time :-D
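Three posts on this page mention n-gram (character frequency) analysis as the detection side of the DNS tunnel work: the Black Hat talk, the two detection tools, and the reason given here for collecting the top-1,000,000 list. The following is an added Python sketch of what such a check looks like. It is my own illustration, not the author's NgViz or CFA tools: it learns a smoothed character-bigram model from a baseline of benign labels, scores each label of a query name by its mean negative log-probability under that model, and flags labels that score well above the worst benign label. The baseline list, the sample queries and the margin are all constructed; the registered-domain part is approximated as the last two labels, where a real deployment would consult a public suffix list.

```python
import math
from collections import Counter

# Constructed baseline of ordinary labels. A real deployment would build this
# from a large list of observed benign names (e.g. the top-1,000,000 list).
BASELINE = [
    "www", "mail", "cdn", "api", "google", "facebook", "youtube", "wikipedia",
    "amazon", "twitter", "linkedin", "ebay", "netflix", "microsoft", "apple",
    "github", "reddit", "yahoo", "instagram", "stackoverflow", "dropbox",
    "paypal", "spotify", "adobe",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def bigrams(label):
    """Character bigrams of a case-folded label with ^ and $ boundary markers."""
    s = "^" + label.lower() + "$"
    return [s[i:i + 2] for i in range(len(s) - 1)]


def build_model(labels, alpha=0.5):
    """Additively smoothed bigram frequency table learned from benign labels."""
    counts = Counter()
    for label in labels:
        counts.update(bigrams(label))
    vocab = (len(ALPHABET) + 2) ** 2   # every possible bigram incl. boundary markers
    return {"counts": counts, "total": sum(counts.values()),
            "alpha": alpha, "vocab": vocab}


def score(model, label):
    """Mean negative log-probability per bigram: the higher, the less the label
    looks like the baseline. Encoded payloads (base32/base64/hex chunks) are
    made of bigrams that rarely occur in ordinary names, so they score high."""
    bg = bigrams(label)
    denom = model["total"] + model["alpha"] * model["vocab"]
    nll = sum(-math.log((model["counts"][b] + model["alpha"]) / denom) for b in bg)
    return nll / len(bg)


def fit_threshold(model, labels, margin=0.3):
    """Threshold just above the worst-scoring benign label. With alpha=0.5 a
    label made only of unseen bigrams scores log(3) ~ 1.1 above any label made
    only of seen bigrams, so a constructed margin of 0.3 separates the cases."""
    return max(score(model, l) for l in labels) + margin


def inspect_query(model, qname, threshold, suffix_labels=2):
    """Score every label of a query name except the registered-domain part
    (approximated as the last suffix_labels labels). Returns (max_score, flagged)."""
    labels = [l for l in qname.strip(".").split(".")[:-suffix_labels] if l]
    if not labels:
        return (0.0, False)
    worst = max(score(model, l) for l in labels)
    return (worst, worst > threshold)


if __name__ == "__main__":
    model = build_model(BASELINE)
    thr = fit_threshold(model, BASELINE)
    for q in ("www.google.com", "mail.google.com",
              "dghpcybpcybhihrlc3q.tunnel.example.com",   # constructed: base64-like label
              "4a7f3e9c1b2d6e8f.t.example.com"):          # constructed: hex-like label
        print(q, inspect_query(model, q, thr))
```

A per-label score like this is only one feature; the post's later detection work also counts unusual record types and packet shapes, and a production check would combine the label score with query volume per client and per domain rather than alerting on a single name.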

Windows 7 goes above and beyond!

I was selected for the Windows 7 launch party, so I have been able to play with a free copy of Windows 7 Ultimate a bit ahead of its official release.

I suppose things like this should have been expected...

[Image: Epson driver message]

Windows 7 really does go that much further than the rest of the operating systems!
