Updated Friday 6th August, 2021
The insider threat is one of the most difficult threats to detect. I thought I'd lay out some of the ways we've found side channels (CWE-514) in actual systems that we have evaluated. They include:
Developers often leave backdoors into a system. These are sometimes left-over debug access paths meant to speed up development (CWE-489). When such backdoors are deployed in the wild, they become attack vectors used to reach a system and sneak data out of it without any visibility in logs or access-control mechanisms. This article, however, deals primarily with the intentional side channels:
Hard drive architectures and other removable media can be exploited to provide a side channel. Suppose that you want to send a sensitive file to a malicious entity, but you don't want that file to show up in any filesystem scan or perfunctory data scan of the media. The data can be hidden outside of filesystem control. On *nix systems, the dd command can be used to place data outside of the filesystem. Assuming the removable device is /dev/sdb (it doesn't even have to be partitioned) and it has 1465149168 sectors, an attacker can run "echo 'I am a sneaky little string!' | dd of=/dev/sdb bs=512 seek=1465140001" to sneak the message onto the drive (dd's seek positions the output; skip positions the input). To retrieve the string, the recipient simply runs "dd if=/dev/sdb bs=512 skip=1465140001 count=30" and reads the text back.
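The defender's counterpart to the dd trick, added here as an example rather than code from the tip: read the sectors past the end of the last partition (take the boundary from fdisk -l on a real host; the sector numbers and the toy image below are constructed) and report any that are not all zeros, since nothing the filesystem owns should live there.

```python
"""Scan the unallocated tail of a block device or image for non-zero sectors.

Added example, not part of the original tip. Anything past the last partition
should read as zeros (or a known wipe pattern), so a non-zero sector there is
worth a closer look. All offsets used below are constructed sample values.
"""
import io

SECTOR = 512


def find_nonzero_sectors(dev, first_sector, last_sector):
    """Return [(sector_no, preview_bytes)] for sectors in [first, last) that hold data.

    `dev` is any seekable binary file object: open('/dev/sdb', 'rb') on a live
    host, or an image file. Sectors are read one at a time so the same code
    works against a raw device without loading it into memory.
    """
    hits = []
    dev.seek(first_sector * SECTOR)
    for sector_no in range(first_sector, last_sector):
        block = dev.read(SECTOR)
        if len(block) < SECTOR:          # ran off the end of the device/image
            break
        if block.count(0) != len(block):  # at least one byte is not 0x00
            hits.append((sector_no, block.rstrip(b"\0")[:32]))
    return hits


def build_sample_image(total_sectors, hidden_sector, payload):
    """Constructed toy 'disk': zeros everywhere except one planted payload."""
    buf = bytearray(total_sectors * SECTOR)
    start = hidden_sector * SECTOR
    buf[start:start + len(payload)] = payload
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    # Pretend the last partition ends at sector 1000 of a 1024-sector device
    # and someone used dd to drop a string at sector 1010.
    img = build_sample_image(1024, 1010, b"I am a sneaky little string!\n")
    for sector_no, preview in find_nonzero_sectors(img, 1000, 1024):
        print(f"sector {sector_no}: {preview!r}")
```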
This becomes especially hidden when:
Seemingly benign files can hide an attacker's payload. Don't believe me? Then take the PDF or HTML version of this tip and run the commands in Listing 1 against it in Cygwin!
Jon Hood, ed. SwATips. https://www.SwATips.com/.