PHY Covert Channels: Can you see the Idles?
Ki Suh Lee, Cornell University
Joint work with Han Wang and Hakim Weatherspoon
Chupja: 첩자 (chupja), Korean for “spy”

Network Covert Channels
• Hiding information
– Through communication not intended for data transfer
– Using legitimate packets (Overt channel)
• Storage Channels: Packet headers
• Timing Channels: Arrival times of packets

Goals of Covert Channels
• Bandwidth
– How much information can be delivered in a second
– 10~100s bits per second
• Robustness
– How much information can be delivered without loss / error
– Cabuk’04, Shah’06
• Undetectability
– How well communication is hidden
– Liu’09, Liu’10
[Figure: network layer stack (Application, Transport, Network, Data Link, Physical)]

Current network covert channels are implemented in L3~4 (TCP/IP) layers and are extremely slow.

Chupja: PHY Covert Channel
• Bandwidth
– How much information can be delivered in a second
– 10~100s bits per second -> 10s~100s Kilo bits per second
• Robustness
– How much information can be delivered without loss / error
– Bit Error Rate < 10%
• Undetectability
– How well communication is hidden
– Invisible to detection software
[Figure: network layer stack (Application, Transport, Network, Data Link, Physical)]

Chupja is a network covert channel which is faster than prior art. It is implemented in L1 (PHY), robust and virtually invisible to software.

Outline
• Introduction
• Design
– Threat Model
– 10 Gigabit Ethernet
• Evaluation
• Conclusion

Threat Model
[Figure: four network layer stacks (Application, Transport, Network, Data Link, Physical); labels: Sender, Receiver, Passive Adversary, Commodity Server, Commodity NIC]

10 Gigabit Ethernet
• Idle Characters (/I/)
– Each bit is ~100 picoseconds wide
– 7~8 bit special character in the physical layer
– 700~800 picoseconds to transmit
– Only in PHY
[Figure: Packet i, Packet i+1, Packet i+2 shown against the network layer stack (Application, Transport, Network, Data Link, Physical)]

Terminology
• Interpacket delays (D) and gaps (G)
• Homogeneous packet stream
– Same packet size
– Same IPD (IPG)
– Same destination
[Figure: IPG and IPD marked between Packet i and Packet i+1 in the stream Packet i, Packet i+1, Packet i+2]

Chupja: Design
• Homogeneous stream
[Figure: Packet i, Packet i+1, Packet i+2 with equal gaps G (IPG) and equal delays D]
• Sender
[Figure: Packet i, Packet i+1, Packet i+2 with gaps G - ε and G + ε (delays D - ε and D + ε) marked ‘0’ and ‘1’]
• Receiver
[Figure: Packet i, Packet i+1, Packet i+2 with gaps Gi and Gi+1 (delays Di and Di+1) marked ‘0’ and ‘1’]

Chupja: Design
• With shared G
– Encoding ‘1’: Gi = G + ε
– Encoding ‘0’: Gi = G - ε
[Figure: Packet i, Packet i+1, Packet i+2 with gaps G - ε and G + ε (delays D - ε and D + ε) marked ‘0’ and ‘1’]

Implementation
• SoNIC [NSDI ’13]
– Software-defined Network Interface Card
– Allows control of and access to every bit of the PHY
• In realtime, and in software
• 50 lines of C code addition
[Figure: network layer stack (Application, Transport, Network, Data Link, Physical)]

Outline
• Introduction
• Design
• Evaluation
– Bandwidth
– Robustness
– Undetectability
• Conclusion

Evaluation
• What is the bandwidth of Chupja?
• How robust is Chupja?
– Why is Chupja robust?
• How undetectable is Chupja?

What is the bandwidth of Chupja?

Evaluation: Bandwidth
• Covert bandwidth equals the packet rate of the overt channel
[Figure: Covert Channel Capacity (bps) versus Overt Channel Throughput (Gbps) for 64B, 512B, 1024B and 1518B packets; marked point: 1518B, 1Gbps, 81kbps]

How robust is Chupja?

Evaluation Setup
• Small Network
– Six commercial switches
– Average RTT: 0.154 ms
• National Lambda Rail
– Nine routing hops
– Average RTT: 67.6ms
– 1~2 Gbps External Traffic
[Figure: Sender and Receiver connected through switches SW1, SW2, SW3, SW4 (small network); Sender and Receiver connected over National Lambda Rail, with sites Boston, Cornell (Ithaca), Cornell (NYC), NLR (NYC), Chicago, Cleveland]

Evaluation: Robustness
• Overt Channel at 1 Gbps (D = 12211ns, G=13738 /I/s)
• Covert Channel at 81 kbps
• Modulating IPGs at 1.6us scale (=2048 /I/s)
[Figure: BER (0 to 0.6) versus ε (/I/s; 16 to 4096) for Small No Ext., Small Ext 3.6G and NLR; annotated values: 7.7%, 2.8%, 8.9%]

Why is Chupja robust?

Evaluation: Why?
• Switches do not add significant perturbations to IPDs
• Switches treat ‘1’s and ‘0’s as uncorrelated
– Over multiple hops when there is no external traffic.
– With external traffic
[Figure: Sender to Receiver with a homogeneous stream (1518B at 1 Gbps); Sender to Receiver with a Chupja stream (ε = 256 /I/s, 1518B at 1 Gbps)]

Evaluation: Why?
• Switches do not add significant perturbations to IPDs
• Switches treat encoded ‘0’ and ‘1’ as uncorrelated
– Over multiple hops when there is no external traffic.
[Figure: two log-scale panels (0.000001 to 1) over Interpacket Delay (ns), one curve per hop count (1, 3, 6, 9, 12, 15 hops). Homogeneous stream: annotated “90% in D ± 100ns” and “90% in D ± 250ns”. Chupja stream (ε = 256 /I/s): marked D - ε and D + ε, annotated “90% in D - ε ± 100ns” and “90% in D - ε ± 250ns”]

Evaluation: Why?
• Most IPDs are within some range of the original IPD
– Even when there is external traffic.
[Figure: Sender to Receiver over National Lambda Rail, with sites Boston, Cornell (Ithaca), Cornell (NYC), NLR (NYC), Chicago, Cleveland; IPD distributions for Encoded ‘Zero’ and Encoded ‘One’]

| ε (/I/s) | 256 | 512 | 1024 | 2048 | 4096 |
|---|---|---|---|---|---|
| ε (ns) | 204.8 | 409.6 | 819.2 | 1638.4 | 3276.8 |
| BER | 0.367 | 0.391 | 0.281 | 0.089 | 0.013 |

Evaluation: Why?
[Figure: Sender and Receiver, 1518B at 1 Gbps]
With sufficiently large ε, the interpacket spacing holds throughout the network, and BER is less than 10%

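Added example, not from the original slides: a small simulation of the encoding on the “Chupja: Design” slide and of the robustness result stated above. It shifts each interpacket delay by ±ε around D, perturbs it, and decodes against D. The Gaussian jitter model and its 1000 ns standard deviation are assumptions chosen for illustration; D and the 0.8 ns per /I/ conversion are taken from the slides.

```python
import random

IDLE_NS = 0.8     # one /I/ in ns; the slides give 256 /I/s = 204.8 ns
D_NS = 12211.0    # homogeneous IPD for 1518B packets at 1 Gbps (from the slides)

def encode(bits, eps_idles):
    """Sender: lengthen the delay by eps for '1', shorten it by eps for '0'."""
    eps_ns = eps_idles * IDLE_NS
    return [D_NS + eps_ns if b else D_NS - eps_ns for b in bits]

def perturb(ipds, jitter_ns, rng):
    """Network model (assumption): independent Gaussian jitter on every IPD."""
    return [d + rng.gauss(0.0, jitter_ns) for d in ipds]

def decode(ipds):
    """Receiver: with shared D, an IPD above D reads as '1', otherwise '0'."""
    return [1 if d > D_NS else 0 for d in ipds]

def bit_error_rate(eps_idles, jitter_ns, n_bits=20000, seed=1):
    """Fraction of covert bits flipped between sender and receiver."""
    rng = random.Random(seed)  # fixed seed: same bits and jitter for every eps
    sent = [rng.getrandbits(1) for _ in range(n_bits)]
    received = decode(perturb(encode(sent, eps_idles), jitter_ns, rng))
    return sum(s != r for s, r in zip(sent, received)) / n_bits

def covert_rate_bps():
    """One covert bit per interpacket gap, so the rate is the packet rate."""
    return 1e9 / D_NS

if __name__ == "__main__":
    print(f"covert rate: {covert_rate_bps() / 1e3:.1f} kbps")
    for eps in (256, 512, 1024, 2048, 4096):
        ber = bit_error_rate(eps, jitter_ns=1000.0)  # constructed jitter value
        print(f"eps={eps:5d} /I/s ({eps * IDLE_NS:7.1f} ns)  BER={ber:.3f}")
```

The simulated BER falls as ε grows relative to the jitter, which is the trend the slides report; the absolute values depend on the assumed jitter and are not the measured ones.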

How undetectable is Chupja?

Evaluation: Detection Setup
• Commodity server with 10G NIC
– Kernel timestamping
[Figure: Sender to Receiver over NLR, shown once with kernel timestamping and once with SoNIC timestamping]

Evaluation: Detection
• Adversary cannot detect patterns of Chupja
[Figure: two log-scale panels over Interpacket Delay (ns), Kernel Timestamping and SoNIC Timestamping, each with curves HOM, 1024 and 4096; ε = 1024 and ε = 4096 are marked in both panels]

Evaluation: Summary
• What is the bandwidth of Chupja?
– 10s~100s Kilo bits per second
• How robust is Chupja?
– BER < 10% over NLR
– Why is Chupja robust?
  • Sufficiently large ε holds throughout the network
• How undetectable is Chupja?
– Invisible to software

Conclusion
• Chupja: PHY covert channel
– High-bandwidth, robust, and undetectable
• Based on understanding of network devices
– Perturbations from switches
– Inaccurate endhost timestamping
• http://sonic.cs.cornell.edu & GENI (ExoGENI)!!!
첩자

Thank you