
Covert Channels in IPv6

Covert Channels in IPv6. Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin, Syracuse University. PET 2005, Cavtat, Croatia, May 31st, 2005.


Presentation Transcript


  1. Covert Channels in IPv6. Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin, Syracuse University. PET 2005, Cavtat, Croatia, May 31st, 2005

  2. Outline
     • IPv6 Overview
     • Covert Channels Description
     • Active Wardens Analysis
     • Conclusions
     Lucena, Lewandowski, Chapin

  3. IPv6 Overview
     • Header structure has a fixed length: 40 bytes
     • Header omits five of the fields from IPv4: header length, identification, flags, fragment offset, and checksum
     • A full implementation includes six extension headers:
       • Hop-by-hop Options
       • Routing
       • Fragment
       • Destination Options
       • Authentication (AH)
       • Encapsulating Security Payload (ESP)

  4. Covert Channels
     • A covert channel is a communication path that allows transferring information in a way that violates a security policy
     • Concerned only with network storage channels
     • The adversary model allows Alice and Bob to be, or not to be, the same as the Sender and Receiver
     • A specification-based analysis of 22 covert channels

  5. IPv6 Header: Hop Limit
     Header fields: Version (4 bits), Traffic Class (1 byte), Flow Label (20 bits), Payload Length (2 bytes), Next Header (1 byte), Hop Limit (1 byte), Source Address (16 bytes), Destination Address (16 bytes)
     • Setting an initial hop limit value and modifying it appropriately in subsequent packets
     Highlighted field: Hop Limit (1 byte)

  6. IPv6 Header: Hop Limit
     Diagram (Alice to Bob): h -  0, h +  1
     • Alice sets an initial value, h, for the hop limit
     • Alice signals a 0 decreasing by the hop count relative to the previous packet
     • Alice signals a 1 increasing the same value by
     Bandwidth: n packets, n – 1 bits

  7. Hop-by-Hop Options Header: Jumbograms
     Header fields: Next Header (1 byte), Hop Limit (1 byte), Option Type (1 byte), Option Data Length (1 byte), Option Data (variable length or specified in the Option Data Length field)
     With the Jumbo Payload option: Next Header (1 byte), Hop Limit (1 byte), Option Type = C2 (1 byte), Option Data Length = 4 (1 byte), Jumbo Payload Length (4 bytes)
     • Using jumbograms as a means of covert communication in two ways:
       • Modifying an existing jumbogram length to append covert data
       • Converting a regular datagram into a jumbogram to fill in the extra bytes with hidden content

  8. Hop-by-Hop Options Header: Jumbograms
     Diagram (Alice to Bob): C2 | 4 | 1011010101010111..
     • Alice sets the payload length of the IPv6 header to 0
     • Alice sets the option type of the Hop-by-Hop header to C2
     • Alice sets the option data length of the Hop-by-Hop header to 4
     Bandwidth: Varies

  9. Routing Header: Routing Type 0
     Header fields: Next Header (1 byte), Header Extension Length (1 byte), Routing Type = 0 (1 byte), Segment Left (1 byte), Reserved (4 bytes), Addresses (16 bytes each)
     • Fabricating “addresses” out of arbitrary data meaningful only to the covert communicating agents

  10. Routing Header: Routing Type 0
     Diagram (Alice to Bob), before: 4 | 0 | 2 | 10111001 10010011 … | 10000001 11011001 …
     Diagram (Alice to Bob), after: 8 | 0 | 2 | 10101111 00011110 … | 01110010 00110111 … | 10111001 10010011 … | 10000001 11011001 …
     • Alice inserts two fake addresses into the routing header
     • Alice modifies the header extension length field accordingly
     • Alice does not modify the original value of the segments left field
     Bandwidth: Up to 2048 bytes per packet

  11. Active Wardens
     • Stateless Active Warden
       • Knows the protocol syntax and semantics and attempts to verify them
       • “Sees” one packet at a time
       • Performs at two levels of diligence
     • Stateful Active Warden
       • Registers already-observed semantic conditions
     • Network-aware Active Warden
       • Is a stateful active warden
       • Is also a network topologist

  12. Conclusions
     • Provide awareness of the existence of at least 22 covert channels in IPv6
     • Generate discussion toward harmful means of covert communication
     • Help to understand potential attacks that exploit IPv6 traffic to take appropriate countermeasures
     • Raise issues for considerations by implementors of IPv6 protocol stacks and firewalls
     • Introduce three types of active wardens: stateless, stateful, and network-aware

  13. Any Questions?

  14. Thank You All!
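The stateless active warden of slide 11, as an added example that is not code from the presentation or its authors: it looks at one raw IPv6 packet at a time and applies the RFC 2460 and RFC 2675 consistency rules to the Jumbo Payload option and Type 0 routing header fields named on slides 7 to 10. The function names and finding strings are assumptions made for this illustration, and the packet is assumed to be captured without link-layer framing.

```python
import struct

HOP_BY_HOP, ROUTING, JUMBO = 0, 43, 0xC2   # Next Header values; C2 = Jumbo Payload option

def check_options(opts, payload_len, wire_len):
    """Validate a Jumbo Payload option found among hop-by-hop option TLVs."""
    out, i = [], 0
    while i < len(opts):
        if opts[i] == 0:                    # Pad1: a single byte, no length field
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            return out + ["option overruns its header"]
        if opts[i] == JUMBO and opts[i + 1] == 4:
            jumbo_len = struct.unpack_from("!I", opts, i + 2)[0]
            checks = [(payload_len != 0, "jumbo option but Payload Length is not 0"),
                      (jumbo_len <= 65535, "jumbo length would fit a regular datagram"),
                      (jumbo_len != wire_len, "jumbo length differs from bytes on the wire")]
            out += [why for bad, why in checks if bad]
        elif opts[i] == JUMBO:
            out.append("jumbo option data length is not 4")
        i += 2 + opts[i + 1]
    return out

def check_routing(hdr):
    """Type 0 routing header: Hdr Ext Len counts 8-byte units, two per address."""
    ext_len, rtype, seg_left = hdr[1], hdr[2], hdr[3]
    checks = [(ext_len % 2, "type 0 Hdr Ext Len is odd"),
              (seg_left > ext_len // 2, "Segments Left exceeds address count")]
    return [why for bad, why in checks if bad and rtype == 0]

def stateless_warden(pkt):
    """Return the findings for one raw IPv6 packet, inspected in isolation."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    payload_len, nxt = struct.unpack_from("!HB", pkt, 4)
    out, off = [], 40
    while nxt in (HOP_BY_HOP, ROUTING):
        if off + 2 > len(pkt) or off + 8 + 8 * pkt[off + 1] > len(pkt):
            return out + ["truncated extension header"]
        hdr = pkt[off:off + 8 + 8 * pkt[off + 1]]
        if nxt == HOP_BY_HOP:
            # Jumbo length covers everything after the 40-byte IPv6 header
            out += check_options(hdr[2:], payload_len, len(pkt) - 40)
        else:
            out += check_routing(hdr)
        nxt, off = hdr[0], off + len(hdr)
    return out
```

A routing header shaped like the one on slide 10 (header extension length 8, segments left 2) is structurally valid and produces no finding here; per-packet checks only catch fields that contradict each other or the bytes actually received.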
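A stateful warden for the hop limit channel of slides 5 and 6, as an added example that is not code from the presentation or its authors: it remembers the recent hop limits of each flow and flags a flow whose hop limit keeps moving relative to the previous packet. The class name, the flow key (source and destination address) and the `window` and `max_changes` thresholds are assumptions chosen for this illustration.

```python
from collections import defaultdict, deque

class HopLimitWarden:
    """Stateful warden: remembers recent hop limits for each flow."""

    def __init__(self, window=16, max_changes=2):
        # window and max_changes are illustrative thresholds, not from the slides
        self.max_changes = max_changes
        self.recent = defaultdict(lambda: deque(maxlen=window))

    @staticmethod
    def _flow(pkt):
        if len(pkt) < 40 or pkt[0] >> 4 != 6:
            raise ValueError("not an IPv6 packet")
        return pkt[8:24], pkt[24:40]          # source and destination addresses

    def observe(self, pkt: bytes) -> bool:
        """Record one raw IPv6 packet; return True if its flow looks modulated."""
        hops = self.recent[self._flow(pkt)]
        hops.append(pkt[7])                   # Hop Limit is byte 7 of the header
        vals = list(hops)
        # Packets of one flow over a stable path normally arrive with the same
        # hop limit; a route change shows up as one step, not repeated flips.
        changes = sum(a != b for a, b in zip(vals, vals[1:]))
        return changes > self.max_changes

    def normalized(self, pkt: bytes) -> bytes:
        """Active response: pin the packet to the lowest hop limit seen for its
        flow, so relative changes carry nothing and lifetime is never extended."""
        floor = min(self.recent[self._flow(pkt)], default=pkt[7])
        return pkt[:7] + bytes([floor]) + pkt[8:]
```

Keying on the address pair alone is the simplest choice; a deployment would also bound the number of tracked flows and expire idle ones.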
