
Embedding Covert Channels into TCP/IP


Presentation Transcript


  1. Embedding Covert Channels into TCP/IP S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom 7th Information Hiding Workshop, June 2005 Sweety Chauhan October 26, 2005

  2. Overview • New and Significant • Overview of Covert Channels • TCP/IP based Steganography • Detection of TCP/IP Steganography • Conclusion

  3. New and Significant • Proposed a scheme “Lathra” for encoding data in TCP/IP header not detected by warden • A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

  4. Covert Channels • Communication in a non-obvious manner • Potential methods - to get information out of the security perimeter • Two Types: • Storage • Timing

  5. Types of Covert Channels

  6. Where is this relevant? • The use of covert channels is relevant in organizations that: • restrict the use of encryption in their systems • have privileged or private information • wish to restrict communication • monitor communications

  7. Network Covert Channels • Information hiding • placed in network headers AND/OR • conveyed through action/reaction • Goal - channel undetectable or unobservable • Network watchers (sniffer, IDS, ..) will not be aware that data is being transmitted

  8. Taxonomy (I) • Network covert channels can be • Storage-based • Timing-based • Frequency-based • Protocol-based • any combination of the above

  9. Taxonomy (II) • Each of the above categories constitutes a dimension of data • Information hiding in packet payload is outside the realm of network covert channels • These cases fit into the broader field of steganography

  10. Packet Header Hiding • [Figure: packet layout of IP Header (20-64 bytes), TCP Header (20-64 bytes) and DATA (0-65,488 bytes); labelled fields: IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port; example payload "This is Information Assurance Class"] • TCP/IP Header can serve as a carrier for a steganographic covert channel

  11. IP Header • [Figure: IP header layout, options 0-44 bytes; fields that may be used to embed steganographic data are highlighted]

  12. TCP Header • [Figure: TCP header layout, options 0-44 bytes, including the Timestamp option]

  13. Storage Based • Information is leaked by hiding data in packet header fields • IP identification • Offset • Options • TCP Checksum • TCP Sequence Numbers

  14. Timing Channels (I) • Information is leaked by triggering or delaying events at specific time intervals

  15. Timing Channels (II)

  16. Frequency Based (I) • Information is encoded over many channels of cover traffic • The order or combination of cover channel access encodes information

  17. Frequency Based (II)

  18. Protocol Based • Exploits ambiguities or non-uniform features in common protocol specifications

  19. Traditional Detection Mechanisms • Statistical methods • Storage-based: data analysis • Time-based: time analysis • Frequency-based: flow analysis

  20. Threat Model • Passive Warden Threat Model • Active Warden Threat Model

  21. IP Covert Channel • IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers • For IP Networks: • Data hidden in the IP header • Data hidden in ICMP Echo Request and Response Packets • Data tunneled through an SSH connection • “Port 80” Tunneling, (or DNS port 53 tunneling) • In image files

  22. IP ID and TCP ISN Implementation • Two fields which are commonly used to embed steganographic data are the IP ID and TCP ISN • Due to their construction, these fields contain some structure • Partially unpredictable

  23. Detection of TCP/IP Steganography • Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates • these can be used to identify anomalies that may indicate the use of steganography • a suite of tests • applied to network traces to identify whether the results are consistent with known operating systems

  24. IP ID Characteristics • Sequential Global IP ID • Sequential Per-host IP ID • IP-ID MSB Toggle • IP-ID Permutation
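The kind of consistency check slides 23 and 24 describe, as an added example that is not code from the paper or the slides: it classifies the IP ID sequence of a capture against the sequential global and sequential per-host profiles (the MSB toggle and permutation checks are out of scope here), and reports the trace as anomalous when neither profile fits, which is how a warden would notice IDs being overwritten. The packet tuples, host names and the `tolerance` parameter are assumptions.

```python
"""Classify the IP ID generation profile seen in a capture.

Added example, not code from the paper or the slides. Implements two of the
slide-24 characteristics (sequential global and sequential per-host IP ID).
Packets are (dst_host, ip_id) tuples in capture order; all are constructed.
"""


def _sequential_breaks(ids):
    """Number of positions where an ID is not the previous ID + 1 (mod 2^16)."""
    return sum(1 for a, b in zip(ids, ids[1:]) if b != (a + 1) % 65536)


def ipid_profile(packets, tolerance=0):
    """Classify packets as 'global', 'per-host' or 'anomalous'.

    tolerance: number of sequence breaks allowed before a profile is rejected
    (a little loss or reordering in a real trace would otherwise reject all).
    """
    ids = [ip_id for _, ip_id in packets]
    if _sequential_breaks(ids) <= tolerance:
        return "global"
    per_host = {}
    for host, ip_id in packets:
        per_host.setdefault(host, []).append(ip_id)
    breaks = sum(_sequential_breaks(seq) for seq in per_host.values())
    if breaks <= tolerance:
        return "per-host"
    return "anomalous"


# Constructed traces (not real captures), three destination hosts each.
# One global counter that wraps at 65536.
GLOBAL_TRACE = [("10.0.0.%d" % (i % 3), (65530 + i) % 65536) for i in range(12)]
# One counter per destination host.
PER_HOST_TRACE = [("10.0.0.%d" % (i % 3), 1000 * (i % 3) + i // 3) for i in range(12)]
# The per-host trace with the low 8 bits of each ID overwritten by constructed
# message bytes: the sequential structure is destroyed and the test notices.
STEGO_TRACE = [(h, (i & 0xFF00) | b) for (h, i), b in zip(PER_HOST_TRACE, b"covert data!")]
```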

  25. TCP ISN Characteristics • Rekey Timer • Rekey Counter • ISN MSB Toggle • ISN Permutation • Zero bit 15 • Full TCP Collisions • Partial TCP Collisions

  26. Explicit Steganography Detection 12. Nushu Cryptography • encrypts data before including it in the ISN field • results in a distribution which is different from that normally generated by Linux and so will be detected by the other TCP tests

  27. 13. TCP Timestamp • If a low bandwidth TCP connection is being used to leak information • a randomness test can be applied to the least significant bits of the timestamps in the TCP packets • If "too much" randomness is detected in the LSBs → a steganographic covert channel is in use
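The slide-27 test carried out on sample data, as an added example that is not code from the paper or the slides: the LSBs of the TCP timestamps in a flow are run through a monobit test and a runs test, and a flow whose LSBs look random is flagged. The 1.96 z-score threshold, the timestamp values and the message bits are assumptions.

```python
"""Randomness test on TCP timestamp LSBs (the slide-27 check).

Added example, not code from the paper or the slides. A genuine TCP timestamp
is a clock counter, so when a connection sends a segment every tick the LSBs
simply alternate; a sender that delays segments so the LSB carries message
bits produces a sequence that passes standard randomness tests instead.
The 1.96 threshold (5% two-sided) is our choice. All timestamps are constructed.
"""
import math


def lsb_bits(timestamps):
    """Least significant bit of each TCP timestamp value."""
    return [ts & 1 for ts in timestamps]


def lsb_randomness(timestamps, threshold=1.96):
    """Return (looks_random, z_monobit, z_runs) for the LSB sequence."""
    bits = lsb_bits(timestamps)
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    if n < 20 or n0 == 0 or n1 == 0:
        # Too short to judge, or all one value: clearly not random.
        return (False, float("inf"), float("inf"))
    z_monobit = (n1 - n0) / math.sqrt(n)
    # Wald-Wolfowitz runs test: a run is a maximal block of equal bits.
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    mu = 2.0 * n0 * n1 / n + 1
    var = 2.0 * n0 * n1 * (2.0 * n0 * n1 - n) / (n * n * (n - 1))
    z_runs = (runs - mu) / math.sqrt(var)
    looks_random = abs(z_monobit) < threshold and abs(z_runs) < threshold
    return looks_random, z_monobit, z_runs


# Constructed: a slow transfer sending one segment per timestamp tick.
BENIGN_TS = [5000 + i for i in range(40)]
# Constructed: 40 message bits that a covert sender forces into the LSB by
# holding each segment until a tick of the matching parity.
MESSAGE_BITS = [int(c) for c in "1001110100011011110010000110100110001011"]
COVERT_TS = [7000 + 4 * i + b for i, b in enumerate(MESSAGE_BITS)]
```

The verdict is only meaningful when consecutive segments fall within a few ticks of each other; with larger gaps a genuine flow also yields random-looking LSBs.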

  28. 14. Other Anomalies • unusual flags (e.g. DF when not expected, ToS set) • excessive fragmentation • use of IP options • non-zero padding • unexpected TCP options (e.g. timestamps from operating systems which do not generate them) • excessive re-ordering

  29. Results

  30. Detection-Resistant TCP Steganography Schemes • Lathra - Robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier • Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden

  31. Conclusion • TCP/IP header fields can be used as a carrier for a steganographic covert channel • Two schemes for encoding data with ISNs generated by OpenBSD and Linux • indistinguishable from those generated by a genuine TCP stack

  32. Future Work • Flexible covert channel scheme which can be used in many channels • Create a protocol for jumping between multiple covert channels • New schemes to detect different encoding mechanisms in TCP/IP Header fields

  33. References • Hide and Seek: An Introduction to Steganography, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003 • Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain) June 2005

  34. Thanks a lot … For Your Presence

  35. Any Questions

  36. Homework Presentation Slides and Research Papers are available at : www.umbc.edu/~chauhan2/CMSC691I/

  37. Covert Channel Tools • SSH (SCP, FTP Tunneling, Telnet Tunneling, X-Windows Tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege). • Loki (ICMP Echo R/R, UDP 53) • NT - Back Orifice (BO2K) plugin BOSOCK32 • Reverse WWW Shell Server - looks like an HTTP client (browser). App headers mimic HTTP GET and response commands.

  38. Linux 2.0 ISN Generator

  39. Linux ISN and ID generator

  40. Open BSD ISN generator
