cmsc 691iclandestine channels embedding covert channels into tcp/ip s.j. murdoch, s. lewis...
TRANSCRIPT
CMSC 691I Clandestine Channels
Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005
Sweety ChauhanOctober 26, 2005
CMSC 691I 2Clandestine Channels
Overview
New and Significant Overview of Covert Channels TCP/IP based Steganography Detection of TCP/IP Steganography Conclusion
CMSC 691I 3Clandestine Channels
New and Significant
Proposed a scheme “Lathra” for encoding data in TCP/IP header not detected by warden
A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key
CMSC 691I 4Clandestine Channels
Covert Channels
Communication in a non-obvious manner Potential methods - to get information out
of the security perimeter Two Types:
Storage Timing
CMSC 691I 5Clandestine Channels
Types of Covert Channels
Storage Timing
Information conveyed by writing or abstaining
from writing
Information conveyed by the timing of events
Clock not needed Receiver needs clock
CMSC 691I 6Clandestine Channels
Where is this relevant?
The use of covert channels is relevant in organizations that:
restrict the use of encryption in their systems
have privileged or private information wish to restrict communication monitor communications
CMSC 691I 7Clandestine Channels
Network Covert Channels
Information hiding placed in network headers AND/OR conveyed through action/reaction
Goal - channel undetectable or unobservable Network watchers (sniffer, IDS, ..) will not be
aware that data is being transmitted
CMSC 691I 8Clandestine Channels
Taxonomy (I)
Network covert channels can be Storage-based Timing-based Frequency-based Protocol-based any combination of the above
CMSC 691I 9Clandestine Channels
Taxonomy (II)
Each of the above categories constitute a dimension of data
Information hiding in packet payload is outside the realm of network covert channels
These cases fit into the broader field of steganography
CMSC 691I 10Clandestine Channels
Packet Header Hiding
IP Header TCP Header DATA
20-64 bytes 20-64 bytes 0-65,488 bytes
IP Source Address
IP Destination Address
TCP Source Port
TCP Destination Port
This is Information Assurance Class
TCP/IP Header can serve as a carrier for a steganographic covert channel
CMSC 691I 11Clandestine Channels
IP Header
0-44bytes
Fields that may be used to embed steganographic data
CMSC 691I 12Clandestine Channels
TCP Header
0-44bytes
Timestamp
CMSC 691I 13Clandestine Channels
Storage Based
Information is leaked by hiding data in packet header fields
IP identification Offset Options TCP Checksum TCP Sequence Numbers
CMSC 691I 14Clandestine Channels
Timing Channels (I)
Information is leaked by triggering or delaying events at specific time intervals
CMSC 691I 15Clandestine Channels
Timing Channels (II)
CMSC 691I 16Clandestine Channels
Frequency Based (I)
Information is encoded over many channels of cover traffic
The order or combination of cover channel access encodes information
CMSC 691I 17Clandestine Channels
Frequency Based (II)
CMSC 691I 18Clandestine Channels
Protocol Based
Exploits ambiguities or non-uniform features in common protocol specifications
CMSC 691I 19Clandestine Channels
Traditional Detection Mechanisms
Statistical methods Storage-based
Data analysis
Time-based Time analysis
Frequency-based Flow analysis
CMSC 691I 20Clandestine Channels
Threat Model
Passive Warden Threat Model Active Warden Threat Model
CMSC 691I 21Clandestine Channels
IP Covert Channel
IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
For IP Networks: Data hidden in the IP header Data hidden in ICMP Echo Request and Response Packets Data tunneled through an SSH connection “Port 80” Tunneling, (or DNS port 53 tunneling) In image files
CMSC 691I 22Clandestine Channels
IP ID and TCP ISN Implementation
Two fields which are commonly used to embed steganographic data are the IP ID and TCP ISN
Due to their construction, these fields contain some structure
Partially unpredictable
CMSC 691I 23Clandestine Channels
Detection of TCP/IP Steganography
Each operating system exhibits well defined characteristics in generated TCP/IP fields
can be used to identify any anomalies that may indicate the use of steganography
suite of tests applied to network traces to identify whether the
results are consistent with known operating systems
CMSC 691I 24Clandestine Channels
IP ID Characteristics
1. Sequential Global IP ID
2. Sequential Per-host IP ID
3. IP-ID MSB Toggle
4. IP-ID Permutation
CMSC 691I 25Clandestine Channels
TCP ISN Characteristics
5. Rekey Timer
6. Rekey Counter
7. ISN MSB Toggle
8. ISN Permutation
9. Zero bit 15
10. Full TCP Collisions
11. Partial TCP Collisions
CMSC 691I 26Clandestine Channels
Explicit Steganography Detection
12. Nushu Cryptography encrypts data before including it in the ISN field results in a distribution which is different from
normally generated by Linux and so will be detected by the other TCP tests
CMSC 691I 27Clandestine Channels
13. TCP Timestamp If a low bandwidth TCP connection is being used to
leak information a randomness test can be applied to the least
significant bits of the timestamps in the TCP packets
If “too much“ randomness is detected in the LSBs → a steganographic covert channel is in use
CMSC 691I 28Clandestine Channels
14. Other Anomalies unusual flags (e.g. DF when not expected, ToS set) excessive fragmentation use of IP options non-zero padding unexpected TCP options (e.g. timestamps from
operating systems which do not generate them) excessive re-ordering
CMSC 691I 29Clandestine Channels
Results
CMSC 691I 30Clandestine Channels
Detection-Resistant TCP Steganography Schemes
Lathra - Robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden
CMSC 691I 31Clandestine Channels
Conclusion
TCP/IP header fields can be used as a carrier for a steganographic covert channel
Two schemes for encoding data with ISNs generated by OpenBSD and Linux
indistinguishable from those generated by a genuine TCP stack
CMSC 691I 32Clandestine Channels
Future Work
Flexible covert channel scheme which can be used in many channels
Create a protocol for jumping between multiple covert channels
New schemes to detect different encoding mechanisms in TCP/IP Header fields
CMSC 691I 33Clandestine Channels
References1. Hide and Seek: An Introduction to Steganograp
hy, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003
2. Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain) June 2005
CMSC 691I 34Clandestine Channels
Thanks a lot …
For Your
Presence
CMSC 691I 35Clandestine Channels
Any Questions
CMSC 691I 36Clandestine Channels
Homework
Presentation Slides and Research Papers are available at :
www.umbc.edu/~chauhan2/CMSC691I/
CMSC 691I 37Clandestine Channels
Covert Channel Tools
SSH (SCP, FTP Tunneling, Telnet Tunneling, X-Windows Tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege).
Loki (ICMP Echo R/R, UDP 53) NT - Back Orifice (BO2K) plugin BOSOCK32 Reverse WWW Shell Server - looks like a HTTP
client (browser). App headers mimic HTTP GET and response commands.
CMSC 691I 38Clandestine Channels
Linux 2.0 ISN Generator
CMSC 691I 39Clandestine Channels
Linux ISN and ID generator
CMSC 691I 40Clandestine Channels
Open BSD ISN generator