
Covert Channel by Abusing X509 Extensions

Authors: Jason Reaves

Malicious actors are using more ingenuity than ever for both data infiltration and exfiltration, also known as command and control communications. In this paper I aim to describe a system that could be used to send or receive data from both a client and a server perspective, building on research into x509 certificates, specifically the areas of a certificate where arbitrary binary data can be placed or where the certificate itself can serve as a covert channel. While much attention is given to data infiltration and exfiltration techniques, they are commonly examined only after they have been used in an incident, which makes this area of cyber security very retroactive in its defensive posture. The aim in presenting this material is to show that we can take lessons from other areas of cyber security research, namely exploitation, and look at how malware authors could use technologies outside of their intended purpose to accomplish their goals while also bypassing common security measures in the process. Research of this kind can lead to advances in defensive security postures by spurring discussion in the community on how a technique does or does not bypass security measures.
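One defensive check the abstract points to, added here as an example and not taken from the paper: walk a certificate's Extensions SEQUENCE and flag any extension whose OID is outside the expected set or whose value is unusually large, since arbitrary binary data placed in an extension shows up as exactly that. The DER handling is pure Python; the known-OID set, the 512-byte threshold, the placeholder OID 1.2.3.4 and the constructed sample input are assumptions for illustration.

```python
# Added example (not the paper's code): audit an X.509 Extensions SEQUENCE for
# covert-channel signs. Pure-Python DER; OID set and threshold are assumptions.
KNOWN_EXTENSION_OIDS = {"2.5.29.14", "2.5.29.15", "2.5.29.17",  # standard extensions
                        "2.5.29.19", "2.5.29.35", "2.5.29.37"}

def der_len(n):  # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):  # -> (tag, contents, position after element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def audit_extensions(exts, max_len=512):  # -> [(oid, value_len, reason)]
    tag, seq, _ = read_tlv(exts, 0)
    assert tag == 0x30, "expected Extensions SEQUENCE"
    findings, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)        # one Extension SEQUENCE
        _, oid_body, p = read_tlv(ext, 0)       # extnID
        t, val, p = read_tlv(ext, p)
        if t == 0x01:                            # optional 'critical' BOOLEAN
            _, val, p = read_tlv(ext, p)        # extnValue OCTET STRING
        oid = decode_oid(oid_body)
        if oid not in KNOWN_EXTENSION_OIDS:
            findings.append((oid, len(val), "unknown extension OID"))
        elif len(val) > max_len:
            findings.append((oid, len(val), "oversized extension value"))
    return findings

def build_sample():  # constructed input: basicConstraints + 1000-byte blob
    bc = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x04, tlv(0x30, b"")))  # 2.5.29.19
    blob = tlv(0x30, tlv(0x06, b"\x2a\x03\x04") + tlv(0x04, b"A" * 1000))   # 1.2.3.4 placeholder
    return tlv(0x30, bc + blob)
```

In practice the Extensions SEQUENCE is the `[3]` explicit element of TBSCertificate, so `audit_extensions` is fed the bytes inside that tag after a normal certificate parse.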

Comments: 11 Pages. Malware; x509 Certificate; SSL; TLS; Botnet; Security

Submission history

[v1] 2018-01-02 14:00:13

Unique-IP document downloads: 9 times
