Sunday, October 11, 2009
Checking your Personal Firewall
A blog needs to be updated regularly in order to find interested readers. I therefore made a resolution to write an entry approximately once a month. Let's see how long I can stick with it.
This idea might already be a bit outdated. At least I have seen fixes for it in some commercial products. It is also more of a possible attack, and as such one should practise responsible disclosure.

A personal firewall is a firewall protecting your PC, laptop, etc., but unlike a regular firewall it does not only keep evil from the Internet outside. It also checks traffic originating from your computer and is able to attribute that traffic to specific applications. This comes in very handy for those applications that phone home to provide an "enhanced user experience".

The algorithm in most older personal firewalls was simple. They were a Berkeley packet filter (BPF) inspecting every incoming and outgoing packet against a list of rules. To determine which application sent a packet, they walked the socket list in the kernel, much like "netstat -ano" does. The problem with this approach is simple: some of the sockets your computer sends or listens on belong to a different process than the one that actually caused the packet. Most notably, the kernel performs some tasks on behalf of your processes. Back in Windows 2000 times a good candidate was the DNS port (UDP 53). You could trick the kernel into sending and receiving via this port by using the gethostbyname() system call. All you need to do is write your own DNS server, and a rogue application can bypass the firewall by querying this server with names that encode the information it wants to send. With the firewall algorithm described above you would have to block all DNS traffic to stop this, which also blocks you from using the Internet.
This DNS attack seems to have been mostly fixed, which makes me wonder whether it was ever exploited, but looking at my open ports I can still see several ports belonging to the kernel or to system applications. Did they really catch every system call that causes a packet to be sent?
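Because the per-process attribution described above cannot be trusted for kernel-originated DNS traffic, a defender's second line is to look at the queried names themselves: data smuggled out through a resolver shows up as many long, high-entropy labels under one zone. The following is an added illustration of that detection heuristic, not code from the post or from any firewall product; the log format, the hypothetical zone "tunnel.example", the thresholds and the "zone = last two labels" simplification are all my own assumptions (real tooling would use the Public Suffix List).

```python
import math
import re
from collections import defaultdict

# Constructed sample of outbound DNS queries as a resolver or personal
# firewall log might record them. The names are made up for this example.
SAMPLE_LOG = """\
2009-10-11 12:00:01 query=www.example.com
2009-10-11 12:00:02 query=mail.example.com
2009-10-11 12:00:05 query=update.vendor.example
2009-10-11 12:00:09 query=4e6f7468696e6720746f2073.tunnel.example
2009-10-11 12:00:10 query=6565206865726520a1b2c3d4.tunnel.example
2009-10-11 12:00:11 query=e5f60718293a4b5c6d7e8f90.tunnel.example
2009-10-11 12:00:12 query=0a1b2c3d4e5f607182939aab.tunnel.example
"""

# Assumed log line layout: "<date> <time> query=<name>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) query=(?P<name>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain_labels, zone). Assumption: the zone is the last two labels."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def is_suspicious(name, max_label=20, min_entropy=2.5):
    """Flag a name whose subdomain part looks like encoded data rather than a hostname:
    at least one label longer than max_label AND the subdomain's entropy above min_entropy.
    The entropy gate keeps long but repetitive labels (e.g. 'aaaaaaaaaaaaaaaaaaaaaaaa') from firing."""
    sub, _zone = split_name(name)
    if not sub:
        return False
    longest = max(len(label) for label in sub)
    return longest > max_label and shannon_entropy("".join(sub)) >= min_entropy


def parse_log(text):
    """Yield (timestamp, queried_name) for every well-formed line; skip anything else."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("ts"), m.group("name")))
    return out


def find_tunnel_candidates(text, min_queries=3, **kwargs):
    """Group suspicious queries by zone; report zones with at least min_queries hits,
    most active first. A single odd label is noise; a stream of them under one zone is not."""
    hits = defaultdict(int)
    for _ts, name in parse_log(text):
        if is_suspicious(name, **kwargs):
            _sub, zone = split_name(name)
            hits[zone] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(zone, n) for zone, n in ranked if n >= min_queries]


if __name__ == "__main__":
    for zone, n in find_tunnel_candidates(SAMPLE_LOG):
        print(f"possible DNS tunnel: {n} encoded-looking queries to zone {zone}")
```

Run as a script it reports the four queries to tunnel.example and stays quiet about the ordinary hostnames. The point of grouping by zone rather than by process is exactly the weakness the post describes: if the kernel issued the query on an application's behalf, the process column in your socket list is the one piece of evidence you should not lean on.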