CMSC 691I Clandestine Channels: Embedding Covert Channels into TCP/IP (S.J. Murdoch, S. Lewis)
CMSC 691I Clandestine Channels
Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005
Sweety Chauhan, October 26, 2005
Overview
New and Significant
Overview of Covert Channels
TCP/IP based Steganography
Detection of TCP/IP Steganography
Conclusion
New and Significant
Proposed a scheme, "Lathra", for encoding data in TCP/IP headers that is not detected by the warden
A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key
Covert Channels
Communication in a non-obvious manner
Potential methods to get information out of the security perimeter
Two types: storage and timing
Types of Covert Channels
Storage: information is conveyed by writing or abstaining from writing; no clock is needed
Timing: information is conveyed by the timing of events; the receiver needs a clock
Where is this relevant?
The use of covert channels is relevant in organizations that:
restrict the use of encryption in their systems
have privileged or private information
wish to restrict communication
monitor communications
Network Covert Channels
Information hiding placed in network headers and/or conveyed through action/reaction
Goal: a channel that is undetectable or unobservable; network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted
Taxonomy (I)
Network covert channels can be:
Storage-based
Timing-based
Frequency-based
Protocol-based
any combination of the above
Taxonomy (II)
Each of the above categories constitutes a dimension of data
Information hiding in the packet payload is outside the realm of network covert channels; those cases fit into the broader field of steganography
Packet Header Hiding
Figure: packet layout with IP header (20-64 bytes), TCP header (20-64 bytes) and data (0-65,488 bytes); the labelled fields are IP source address, IP destination address, TCP source port and TCP destination port, and the example payload reads "This is Information Assurance Class"
The TCP/IP header can serve as a carrier for a steganographic covert channel
IP Header
Figure: IP header layout, options field 0-44 bytes
Fields that may be used to embed steganographic data
TCP Header
Figure: TCP header layout, options field 0-44 bytes, with the Timestamp option labelled
Storage Based
Information is leaked by hiding data in packet header fields:
IP identification
Offset
Options
TCP checksum
TCP sequence numbers
Timing Channels (I)
Information is leaked by triggering or delaying events at specific time intervals
Timing Channels (II): figure only
Frequency Based (I)
Information is encoded over many channels of cover traffic
The order or combination of cover channel accesses encodes the information
Frequency Based (II): figure only
Protocol Based
Exploits ambiguities or non-uniform features in common protocol specifications
Traditional Detection Mechanisms
Statistical methods:
Storage-based: data analysis
Time-based: time analysis
Frequency-based: flow analysis
Threat Model
Passive warden threat model
Active warden threat model
IP Covert Channel
IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
For IP networks:
Data hidden in the IP header
Data hidden in ICMP Echo Request and Response packets
Data tunneled through an SSH connection
"Port 80" tunneling (or DNS port 53 tunneling)
In image files
IP ID and TCP ISN Implementation
Two fields which are commonly used to embed steganographic data are the IP ID and the TCP ISN
Due to their construction, these fields contain some structure
Partially unpredictable
Detection of TCP/IP Steganography
Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates
These can be used to identify anomalies that may indicate the use of steganography
A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems
IP ID Characteristics
1. Sequential Global IP ID
2. Sequential Per-host IP ID
3. IP-ID MSB Toggle
4. IP-ID Permutation
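An added example (not code from the deck or the paper) of tests 1 and 2 above, applied to a trace of (destination, IP ID) pairs sent by one source host: a global counter, a per-destination counter, or neither. MAX_GAP, the byte-order fallback and the three sample traces are constructed assumptions; tests 3 and 4 (MSB toggle and permutation) are not implemented here.

```python
from collections import defaultdict

MAX_GAP = 8   # assumed: packets to unobserved hosts may leave small gaps in a global counter

def byteswap16(v):
    """Some stacks count in the opposite byte order from the one seen on the wire."""
    return ((v & 0xFF) << 8) | (v >> 8)

def sequential_ids(ids, gap=MAX_GAP):
    """True if every step is a small positive increment modulo 2^16, in either byte order."""
    def counts_up(seq):
        return all(1 <= (b - a) % 0x10000 <= gap for a, b in zip(seq, seq[1:]))
    return counts_up(ids) or counts_up([byteswap16(v) for v in ids])

def classify_ip_id(trace):
    """trace: list of (dst_host, ip_id) sent by ONE source host, in capture order.
    Returns the IP ID characteristic the trace matches (tests 1 and 2 above)."""
    if len(trace) < 4:
        raise ValueError("need at least 4 packets")
    if sequential_ids([ip_id for _, ip_id in trace]):
        return "sequential-global"       # test 1: one counter shared by all destinations
    per_host = defaultdict(list)
    for dst, ip_id in trace:
        per_host[dst].append(ip_id)
    if len(per_host) > 1 and all(sequential_ids(v) for v in per_host.values()):
        return "sequential-per-host"     # test 2: one counter per destination
    # No counter structure at all: a permuting/random generator, or a field whose
    # value has been overwritten with hidden data. Tests 3 and 4 would separate these.
    return "unstructured"

# Constructed traces (not real captures); real use needs far longer traces than this.
GLOBAL_COUNTER = [("h1", 0x0100), ("h2", 0x0200), ("h1", 0x0300), ("h2", 0x0500)]  # counts in swapped byte order
PER_HOST = [("h1", 10), ("h2", 500), ("h1", 11), ("h2", 501), ("h1", 12), ("h2", 502)]
UNSTRUCTURED = [("h1", 0x8F3C), ("h2", 0x1A07), ("h1", 0xD2E1), ("h2", 0x4455)]
```

An "unstructured" result from a host whose operating system is known to use a counter is the anomaly the deck's suite is looking for; the result alone does not say which of the two explanations applies.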
TCP ISN Characteristics
5. Rekey Timer
6. Rekey Counter
7. ISN MSB Toggle
8. ISN Permutation
9. Zero bit 15
10. Full TCP Collisions
11. Partial TCP Collisions
Explicit Steganography Detection
12. Nushu Cryptography: Nushu encrypts data before including it in the ISN field, which results in a distribution different from that normally generated by Linux, so it will be detected by the other TCP tests
13. TCP Timestamp: if a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
If "too much" randomness is detected in the LSBs, a steganographic covert channel is in use
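An added example (not code from the deck or the paper) of test 13: a monobit test and a runs test over the least significant bits of one connection's TSval sequence, flagging the connection when neither test can tell the LSBs from noise. The 1.96 cut-off, the 16-sample minimum and the three constructed traces (a clock that ticks 100 per packet, one that ticks 101, and one whose LSBs have been overwritten with a fixed bit string) are assumptions made for the example.

```python
import math

MIN_SAMPLES = 16   # assumed minimum before the z-scores mean anything

def lsb_stats(tsvals):
    """Monobit and runs-test z-scores for the least significant bits of TSvals."""
    bits = [t & 1 for t in tsvals]
    n = len(bits)
    if n < MIN_SAMPLES:
        raise ValueError("need at least %d timestamps" % MIN_SAMPLES)
    n1 = sum(bits)
    n0 = n - n1
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    if n0 == 0 or n1 == 0:
        # A constant LSB is as far from random as it gets.
        return {"n": n, "ones": n1, "runs": runs, "z_monobit": math.inf, "z_runs": math.inf}
    z_monobit = abs(n1 - n0) / math.sqrt(n)
    # Wald-Wolfowitz runs test: expected number of runs and its variance under randomness.
    mu = 2.0 * n1 * n0 / n + 1
    var = 2.0 * n1 * n0 * (2 * n1 * n0 - n) / (n * n * (n - 1))
    z_runs = abs(runs - mu) / math.sqrt(var)
    return {"n": n, "ones": n1, "runs": runs, "z_monobit": z_monobit, "z_runs": z_runs}

def too_random(tsvals, z_crit=1.96):
    """Flag when neither test can reject randomness, i.e. the LSBs look like noise."""
    s = lsb_stats(tsvals)
    return s["z_monobit"] < z_crit and s["z_runs"] < z_crit

# Constructed traces (not real captures): 64 packets from a 100 Hz-style clock, one per second.
CLOCK = [1000 + 100 * i for i in range(64)]       # every value even: LSB constant
ODD_STEP = [1000 + 101 * i for i in range(64)]    # LSB alternates 0,1,0,1,... (regular, not random)
MESSAGE_BITS = "0010111000110100111100110000101011100011001011001110100011001110"
EMBEDDED = [ts | int(b) for ts, b in zip(CLOCK, MESSAGE_BITS)]   # LSBs overwritten with the bits
```

The alternating trace shows why the runs test is needed: its LSBs are perfectly balanced, so the monobit test alone would pass it as random.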
14. Other Anomalies:
unusual flags (e.g. DF when not expected, ToS set)
excessive fragmentation
use of IP options
non-zero padding
unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
excessive re-ordering
Results: figure only
Detection-Resistant TCP Steganography Schemes
Lathra: a robust scheme using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden
Conclusion
TCP/IP header fields can be used as a carrier for a steganographic covert channel
Two schemes for encoding data with ISNs generated by OpenBSD and Linux, indistinguishable from those generated by a genuine TCP stack
Future Work
A flexible covert channel scheme which can be used in many channels
Create a protocol for jumping between multiple covert channels
New schemes to detect different encoding mechanisms in TCP/IP header fields
References
1. Hide and Seek: An Introduction to Steganography, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003
2. Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005
Thanks a lot for your presence
Any Questions?
Homework
Presentation slides and research papers are available at:
www.umbc.edu/~chauhan2/CMSC691I/
Covert Channel Tools
SSH (SCP, FTP tunneling, Telnet tunneling, X-Windows tunneling, ...): can be set to operate on any port (<1024 usually requires root privilege)
Loki (ICMP Echo R/R, UDP 53)
NT: Back Orifice (BO2K) plugin BOSOCK32
Reverse WWW Shell Server: looks like an HTTP client (browser); app headers mimic HTTP GET and response commands
Linux 2.0 ISN Generator: figure only
Linux ISN and ID generator: figure only
OpenBSD ISN generator: figure only