CMSC 691I Clandestine Channels
Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005
Sweety Chauhan, October 26, 2005


Overview
- New and Significant
- Overview of Covert Channels
- TCP/IP-based Steganography
- Detection of TCP/IP Steganography
- Conclusion

New and Significant
- Proposes a scheme, "Lathra", for encoding data in the TCP/IP header that is not detected by the warden
- A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

Covert Channels
- Communication in a non-obvious manner
- Potential methods to get information out of the security perimeter
- Two types: storage and timing

Types of Covert Channels
- Storage: information conveyed by writing or abstaining from writing; no clock needed
- Timing: information conveyed by the timing of events; the receiver needs a clock

Where is this relevant?
The use of covert channels is relevant in organizations that:
- restrict the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications

Network Covert Channels
- Information hiding placed in network headers and/or conveyed through action/reaction
- Goal: a channel that is undetectable or unobservable; network watchers (sniffers, IDS, ...) will not be aware that data is being transmitted

Taxonomy (I)
Network covert channels can be:
- Storage-based
- Timing-based
- Frequency-based
- Protocol-based
- any combination of the above

Taxonomy (II)
- Each of the above categories constitutes a dimension of data
- Information hiding in the packet payload is outside the realm of network covert channels
- These cases fit into the broader field of steganography

Packet Header Hiding

IP Header (20-64 bytes) | TCP Header (20-64 bytes) | DATA (0-65,488 bytes)
- IP header fields shown: IP Source Address, IP Destination Address
- TCP header fields shown: TCP Source Port, TCP Destination Port
- Payload shown: "This is Information Assurance Class"

The TCP/IP header can serve as a carrier for a steganographic covert channel

IP Header
Header diagram (0-44 bytes): fields that may be used to embed steganographic data

TCP Header
Header diagram (0-44 bytes): Timestamp

Storage Based
- Information is leaked by hiding data in packet header fields: IP identification, offset, options, TCP checksum, TCP sequence numbers


Timing Channels (I)

Information is leaked by triggering or delaying events at specific time intervals


Timing Channels (II)

Frequency Based (I)
- Information is encoded over many channels of cover traffic
- The order or combination of cover-channel access encodes information


Frequency Based (II)


Protocol Based

Exploits ambiguities or non-uniform features in common protocol specifications

Traditional Detection Mechanisms (statistical methods)
- Storage-based: data analysis
- Time-based: time analysis
- Frequency-based: flow analysis

Threat Model
- Passive warden threat model
- Active warden threat model

IP Covert Channel
- IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
- For IP networks: data hidden in the IP header; data hidden in ICMP Echo Request and Response packets; data tunneled through an SSH connection; "port 80" tunneling (or DNS port 53 tunneling); data hidden in image files

IP ID and TCP ISN Implementation
- Two fields which are commonly used to embed steganographic data are the IP ID and the TCP ISN
- Due to their construction, these fields contain some structure
- They are partially unpredictable

Detection of TCP/IP Steganography
- Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates
- These characteristics can be used to identify anomalies that may indicate the use of steganography
- A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems


IP ID Characteristics

1. Sequential Global IP ID

2. Sequential Per-host IP ID

3. IP-ID MSB Toggle

4. IP-ID Permutation
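As an added example that is not code from the slides or from the Murdoch and Lewis paper, the following Python applies the idea behind tests 1 and 2 above, in the spirit of the preceding slide's "check the trace against known stack behaviour", to the IP IDs one source host emits. The trace format, the definition of "sequential" as stepping by exactly one modulo 2^16, and the three sample traces are my assumptions, constructed for illustration.

```python
from collections import defaultdict

ID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def is_sequential(ids):
    """True when every ID is the previous one plus 1, modulo 2^16 (wrap allowed).

    Assumption for this example: a 'sequential' counter steps by exactly one.
    """
    return len(ids) >= 2 and all((b - a) % ID_MODULUS == 1 for a, b in zip(ids, ids[1:]))


def classify_ip_id(trace):
    """Classify the IP ID stream of ONE source host.

    trace: list of (src, dst, ip_id) tuples in capture order, all with the same src.
    Returns 'sequential-global' (test 1), 'sequential-per-host' (test 2),
    'anomalous' (neither; compare against the sender's expected stack), or
    'insufficient-data'.
    """
    if len({src for src, _, _ in trace}) > 1:
        raise ValueError("classify one source host at a time")
    ids = [ip_id for _, _, ip_id in trace]
    if len(ids) < 2:
        return "insufficient-data"
    if is_sequential(ids):
        return "sequential-global"
    per_host = defaultdict(list)
    for _, dst, ip_id in trace:
        per_host[dst].append(ip_id)
    # Only destinations with at least two packets can be judged.
    judged = [v for v in per_host.values() if len(v) >= 2]
    if judged and all(is_sequential(v) for v in judged):
        return "sequential-per-host"
    return "anomalous"


# Constructed sample traces (addresses from the RFC 5737 documentation range).
SRC = "192.0.2.10"
GLOBAL_COUNTER_TRACE = [
    (SRC, "192.0.2.20", 65534),
    (SRC, "192.0.2.30", 65535),
    (SRC, "192.0.2.20", 0),      # one counter for all destinations, wrapping at 2^16
    (SRC, "192.0.2.30", 1),
]
PER_HOST_COUNTER_TRACE = [
    (SRC, "192.0.2.20", 100),
    (SRC, "192.0.2.30", 5000),   # a separate counter per destination
    (SRC, "192.0.2.20", 101),
    (SRC, "192.0.2.30", 5001),
    (SRC, "192.0.2.20", 102),
]
ANOMALOUS_TRACE = [
    (SRC, "192.0.2.20", 100),
    (SRC, "192.0.2.20", 20266),  # neither counter model fits these values
    (SRC, "192.0.2.30", 40001),
    (SRC, "192.0.2.20", 784),
]


def run_checks():
    """Verdict per constructed trace, so the result can be inspected or asserted on."""
    return {
        "global": classify_ip_id(GLOBAL_COUNTER_TRACE),
        "per-host": classify_ip_id(PER_HOST_COUNTER_TRACE),
        "anomalous": classify_ip_id(ANOMALOUS_TRACE),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:10s} -> {verdict}")
```

A single-destination trace cannot separate the two sequential cases, so the function reports it as global. An "anomalous" verdict is only a prompt to compare against the stack the trace is attributed to: tests 3 and 4 on the slide cover stacks that toggle the MSB or permute the ID, and this check would report those as anomalous too.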


TCP ISN Characteristics

5. Rekey Timer

6. Rekey Counter

7. ISN MSB Toggle

8. ISN Permutation

9. Zero bit 15

10. Full TCP Collisions

11. Partial TCP Collisions

Explicit Steganography Detection
12. Nushu: its cryptography encrypts data before including it in the ISN field; this results in a distribution different from the one normally generated by Linux, so it will be detected by the other TCP tests

13. TCP Timestamp
- If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
- If "too much" randomness is detected in the LSBs → a steganographic covert channel is in use
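As an added illustration of test 13 (not code from the slides or the paper, whose exact statistic the slide does not give), the Python below runs two standard randomness tests, the monobit frequency test and the runs test, over the least significant bits of a sequence of TCP timestamp values and reports whether they look "too random". The significance level, the 64-sample minimum and the two sample traces are my assumptions; the traces are constructed, not captured.

```python
import math


def timestamp_lsbs(tsvals):
    """Least significant bit of each TCP timestamp (TSval), in packet order."""
    return [v & 1 for v in tsvals]


def monobit_p_value(bits):
    """Frequency (monobit) test: p-value for ones and zeros being balanced."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_p_value(bits):
    """Runs test: p-value for the stream switching value as often as random bits do."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # prerequisite of the runs test fails: stream is clearly biased
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def lsbs_look_random(tsvals, alpha=0.01):
    """True when the timestamp LSBs pass both tests at level alpha (assumed threshold)."""
    bits = timestamp_lsbs(tsvals)
    if len(bits) < 64:
        raise ValueError("need at least 64 timestamps for a meaningful verdict")
    return monobit_p_value(bits) >= alpha and runs_p_value(bits) >= alpha


def genuine_low_rate_trace():
    """Constructed: 16 bursts of 8 segments. Segments within a burst leave within
    one tick of the timestamp clock and so share a TSval, giving long runs of LSBs."""
    trace = []
    for burst in range(16):
        tsval = 1000 + 37 * burst
        trace.extend([tsval] * 8)
    return trace


def covert_timestamp_trace():
    """Constructed: a TSval stream whose LSBs form a balanced pattern of short runs,
    the kind of stream the channel described on the slide would leave behind."""
    run_lengths = [1, 2, 3, 2, 1, 3, 2, 2] * 8  # 64 runs, 128 bits
    bits, value = [], 0
    for length in run_lengths:
        bits.extend([value] * length)
        value ^= 1
    trace, tsval = [], 1000
    for bit in bits:
        tsval += 2
        if (tsval & 1) != bit:
            tsval += 1
        trace.append(tsval)
    return trace


if __name__ == "__main__":
    for name, trace in [("genuine", genuine_low_rate_trace()),
                        ("suspect", covert_timestamp_trace())]:
        bits = timestamp_lsbs(trace)
        print(f"{name}: monobit p={monobit_p_value(bits):.3g} runs p={runs_p_value(bits):.3g} "
              f"random={lsbs_look_random(trace)}")
```

The genuine-looking trace has long runs of equal LSBs because segments sent within one tick of the timestamp clock share a TSval, so the runs test rejects randomness; the second trace's LSBs are balanced with short runs and pass both tests. On real traffic the threshold is only meaningful against a per-stack baseline of the timestamp clock rate and the sending pattern of the connection.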

14. Other Anomalies
- Unusual flags (e.g. DF when not expected, ToS set)
- Excessive fragmentation
- Use of IP options
- Non-zero padding
- Unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
- Excessive re-ordering
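As an added example (not code from the slides or the paper), the following Python turns the per-packet items of this list into checks over simplified packet records. The record fields, the two-entry baseline of what each identified stack is expected to do, and the sample packets are all my constructions; the flow-level items (excessive fragmentation and re-ordering) are not covered.

```python
# Constructed baseline: what the stack a sender is attributed to is expected to do.
# The two entries are illustrative placeholders, not measured OS behaviour.
BASELINE = {
    "stack-a": {"sets_df": True, "sends_tcp_timestamps": True},
    "stack-b": {"sets_df": False, "sends_tcp_timestamps": False},
}


def find_anomalies(packet, baseline=BASELINE):
    """Return the 'Other Anomalies' items a single packet triggers.

    Assumed record layout: os (stack the sender is attributed to), df (bool),
    tos (int), ip_options (bytes), tcp_option_padding (bytes), tcp_timestamp (bool).
    """
    expected = baseline[packet["os"]]
    found = []
    if packet["df"] and not expected["sets_df"]:
        found.append("DF set when not expected")
    if packet["tos"] != 0:
        found.append("ToS set")
    if packet["ip_options"]:
        found.append("use of IP options")
    if any(packet["tcp_option_padding"]):
        found.append("non-zero padding")
    if packet["tcp_timestamp"] and not expected["sends_tcp_timestamps"]:
        found.append("unexpected TCP timestamp option")
    return found


def scan(packets, baseline=BASELINE):
    """Map packet index -> anomalies, keeping only packets that triggered something."""
    result = {}
    for i, packet in enumerate(packets):
        hits = find_anomalies(packet, baseline)
        if hits:
            result[i] = hits
    return result


# Constructed sample packets: one clean, one with stack-inconsistent flags and
# options, one with a set ToS byte, IP options (two NOPs) and non-zero padding.
SAMPLE_PACKETS = [
    {"os": "stack-a", "df": True, "tos": 0, "ip_options": b"",
     "tcp_option_padding": b"\x00\x00", "tcp_timestamp": True},
    {"os": "stack-b", "df": True, "tos": 0, "ip_options": b"",
     "tcp_option_padding": b"", "tcp_timestamp": True},
    {"os": "stack-a", "df": True, "tos": 0x10, "ip_options": b"\x01\x01",
     "tcp_option_padding": b"\x01\x00", "tcp_timestamp": True},
]


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_PACKETS).items():
        print(f"packet {index}: {', '.join(hits)}")
```

Every check except the ToS and padding ones is relative to the baseline, which is why the stack attribution has to come first; a ToS byte is also set legitimately by QoS-marked traffic, so that item is a prompt for comparison with the expected stack rather than a verdict on its own.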


Results

Detection-Resistant TCP Steganography Schemes
- Lathra: a robust scheme using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
- Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden

Conclusion
- TCP/IP header fields can be used as a carrier for a steganographic covert channel
- Two schemes for encoding data with ISNs generated by OpenBSD and Linux, indistinguishable from those generated by a genuine TCP stack


Future Work

Flexible covert channel scheme which can be used in many channels

Create a protocol for jumping between multiple covert channels

New schemes to detect different encoding mechanisms in TCP/IP Header fields

References
1. Hide and Seek: An Introduction to Steganography, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003
2. Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005

Thanks a lot for your presence

Any questions?

Homework
Presentation slides and research papers are available at:
www.umbc.edu/~chauhan2/CMSC691I/

Covert Channel Tools
- SSH (SCP, FTP tunneling, Telnet tunneling, X-Windows tunneling, ...): can be set to operate on any port (<1024 usually requires root privilege)
- Loki (ICMP Echo R/R, UDP 53)
- NT: Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell Server: looks like an HTTP client (browser); app headers mimic HTTP GET and response commands


Linux 2.0 ISN Generator


Linux ISN and ID generator

OpenBSD ISN generator