Covert timing channels using HTTP cache headers
DESCRIPTION
Covert timing channels using HTTP cache headers (Last-Modified and ETag) are investigated and implemented in browsers.
TRANSCRIPT
COVERT TIMING CHANNELS
USING HTTP CACHE HEADERS
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University
Information Security and Cryptography Department
SEPTEMBER 8 - 13 EKATERINBURG
2014
Introduction
A covert channel is a path that can be used to transfer
information in a way not intended by the system's
designers (CWE-514)
HTTP is one of the most widely used Internet protocols, so
detection of covert channels over HTTP is an
important research area
Example – HTTP Headers
Using steganography methods in header values
Suppose that
  “en” = 0
  “fr” = 1
Then
  Accept-Language: en,fr                    -> 01
  Accept-Language: fr,en                    -> 10
  Accept-Language: en,fr,en,fr,en,en,en,en  -> 01010000 = 0x50
Covert Channels’ Usage
• Implementation of prohibited information flows in LBAC systems
• Retaining control in targeted browsers
• Timing attacks
• Botnet command and control
Types Of Covert Channels
TIME DEPENDENCE
• A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515)
• Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385)
DIRECTION
• Unidirectional
  – Client – server
  – Server – client
• Bidirectional
Client-Server Covert Channels
Client-server covert channels are easier to implement, e.g.
a covert storage channel via the If-Range request header:
GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L
…
(the If-Range value carries the hex-encoded data)
Server-Client Covert Channels
Server-client channels are more complicated, and most of
them are timing channels, so they are more interesting to
research
Basic HTTP Cache Headers
RESPONSE (SERVER) HEADERS
• Last-Modified
• ETag
REQUEST (CLIENT) HEADERS
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-None-Match
Last-Modified Response Header
The Last-Modified HTTP header carries the date of the web
entity’s last modification
Page request:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
Response:
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive
(data)
ETag Response Header
The ETag value is formed from the hex values of the
file's inode, size and last-modified time (mtime):
  120c7bL - 32bL - 4f86d4105ac62L
  inode     size   mtime
Page request:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
Response:
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
Connection: keep-alive
(data)
Common Usage of Cache Request Headers
HTTP cache headers allow a web client to avoid downloading a
page if it hasn’t been changed since a certain time
Page request (either form):
GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
or
GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)
Page has been changed -> HTTP/1.1 200 OK (page data)
Page has not been changed -> HTTP/1.1 304 Not Modified (only headers)
Common Usage of Cache Request Headers
The second pair of headers does the same as the previous one, but
with the logically inverse condition
Page request (either form):
GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
or
GET / HTTP/1.1
Host: 162.71.12.43
If-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)
Page has been changed -> HTTP/1.1 412 Precondition Failed (only headers)
Page has not been changed -> HTTP/1.1 200 OK (page data)
Covert Timing Channel Model
(diagram: the writer process p1 and the reader process p2 communicate through read/write operations on a web page across the Internet)
2 different threat models:
• message.txt -- read-only, some_page.html -- write-only (first threat model)
• Web server is under the intruder’s control (second threat model)
General Covert Channels Scheme
(flowchart) HTTP request -> page has not been changed: received ‘0’; page has been changed: received ‘1’, store new header value
Covert Channels Using HTTP Cache Headers
Last-Modified based
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header
ETag based
• ETag header value
• Using If-Match header
• Using If-None-Match header
Last-Modified Based Channels
Last-Modified header value covert channel
(flowchart) HTTP request -> get new header value (Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT)
  -> if header value changed: store header value, received ‘1’; else: received ‘0’
  -> wait n seconds -> repeat
Last-Modified Based Channels
Covert channel using If-Modified-Since
(flowchart) If-Modified-Since request (If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT)
  -> if HTTP code is “200”: store header value, received ‘1’; else: received ‘0’
  -> wait n seconds -> repeat
Last-Modified Based Channels
Covert channel using If-Unmodified-Since
(flowchart) If-Unmodified-Since request (If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT)
  -> if HTTP code is “412”: store header value, received ‘1’; else: received ‘0’
  -> wait n seconds -> repeat
ETag Based Channels
ETag header value covert channel
(flowchart) HTTP request -> get new header value (ETag: 120c7bL-32bL-4f86d4105ac62L)
  -> if header value changed: store header value, received ‘1’; else: received ‘0’
  -> wait n seconds -> repeat
ETag Based Channels
Covert channel using If-None-Match
(flowchart) If-None-Match request (If-None-Match: 120c7bL-32bL-4f86d4105ac62L)
  -> if HTTP code is “200”: store header value, received ‘1’; else: received ‘0’
  -> wait n seconds -> repeat
ETag Based Channels
Covert channel using If-Match
(flowchart) If-Match request (If-Match: 120c7bL-32bL-4f86d4105ac62L)
  -> if HTTP code is “412”: store header value, received ‘1’; else: received ‘0’
  -> wait n seconds -> repeat
Ways to Implement
Among the many possible ways we focus on
• Python – socket library
• C++ – Boost ASIO library
• C – plain C socket library
We chose C due to its highest performance (among
these options) and decent stability
The first threat model is chosen because of its minimal
requirements
Implementation
(flowchart) send HTTP request -> get host response
  -> if page has been modified: store new header, write ‘1’ to output; else: write ‘0’ to output
  -> sleep N seconds -> repeat
Issues
Some problems we solved during implementation
Issue                                 Solution
Server-client synchronization         Special synchronizing function
Different time of requests            Dynamic sleep time
Lateness after sleep                  “Active” sleep
High CPU load with “active sleep”     “Dynamic” and “active” sleep combination
Issue 1
The “read” (web client) and “write” (host) services need to be
synchronized
Solution:
A synchronizing function that makes requests at maximum
speed (without sleep):
(flowchart) send HTTP request -> get host response -> if page has been changed then: stop synchronizing; else: request again
Issue 2
Different request durations can break the synchronization of
the services
Solution:
A dynamic sleep time equal to
(sleep_time – time taken by the request):
(flowchart) calculate the time taken by the request (diff_time) -> sleep (sleep_time – diff_time) µs
Issue 3
Inaccurate sleep: after a sleep (usleep() is used) the
program can wake up 10–200 μs late
Solution:
Use “active sleep”: keep computing the time difference between the last
request and the current moment while it is less than
sleep_time
(flowchart) calc diff_time -> if diff_time < sleep_time then: keep waiting; else: send the next request
Issue 4
High CPU load with “active sleep”
Solution:
Combine “active” and “dynamic” sleep:
(flowchart) calculate diff_time -> if diff_time < CONST then: active sleep for the remainder; else: sleep (sleep_time – CONST – request_time)
where CONST is a constant of about 1000 µs (or less, depending on PC
performance)
Advantages
ADVANTAGES OF COVERT TIMING CHANNELS WITH THE
FIRST INTRUDER MODEL
• Does not modify the common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on the web page used by the
channel does not break its operation
• The information flow looks like something refreshing a web
page every n seconds
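The last advantage is also the detection handle: a receiver for one of these channels polls a single resource at a fixed period, and unlike a genuine auto-refresh the validator flips between “changed” (200) and “unchanged” (304) roughly every other request. The Python below is an added example, not code from the slides or the tsu-iscd project; it scores Common Log Format access-log lines on those two properties. The log lines, client addresses, paths and message bits are constructed for the example, and the thresholds (min_requests, max_cv, min_flips) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse_line(line):
    """Parse one CLF line into (client, path, timestamp, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("client"), m.group("path"), ts, int(m.group("status"))


def find_validator_channels(lines, min_requests=8, max_cv=0.15, min_flips=4):
    """Return {(client, path): stats} for request streams that look like a
    cache-validator covert channel: a regular period (low coefficient of
    variation of the inter-request gaps), conditional requests (304s present)
    and the validator flipping between 200 and 304 far more often than a real
    resource changes."""
    streams = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            client, path, ts, status = rec
            streams[(client, path)].append((ts, status))
    flagged = {}
    for key, events in streams.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        statuses = [s for _, s in events]
        flips = sum(1 for a, b in zip(statuses, statuses[1:]) if a != b)
        if 304 in statuses and cv <= max_cv and flips >= min_flips:
            flagged[key] = {"requests": len(events), "period_s": round(period, 3),
                            "cv": round(cv, 3), "flips": flips}
    return flagged


def make_log(client, path, start, period_s, statuses):
    """Build constructed CLF lines: one request per period with the given status."""
    out = []
    for i, status in enumerate(statuses):
        ts = start + timedelta(seconds=i * period_s)
        out.append(f'{client} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                   f'"GET {path} HTTP/1.1" {status} {124 if status == 200 else 0}')
    return out


START = datetime(2014, 4, 2, 14, 33, 39, tzinfo=timezone.utc)
# Receiver polling once per second; each 200 stands for a '1' bit and each
# 304 for a '0' bit (constructed message, not from the original work).
CHANNEL_BITS = "0110100110010110"
SAMPLE_LOG = make_log("10.0.0.7", "/some_page.html", START, 1,
                      [200 if b == "1" else 304 for b in CHANNEL_BITS])
# A dashboard that auto-refreshes every 5 s is just as regular, but the
# resource rarely changes, so its validator almost never flips.
SAMPLE_LOG += make_log("10.0.0.9", "/dashboard.json", START, 5,
                       [304, 304, 304, 200, 304, 304, 304, 304, 304, 304])

if __name__ == "__main__":
    for key, stats in find_validator_channels(SAMPLE_LOG).items():
        print(key, stats)
```

Regularity alone is not enough, which is why the dashboard stream is left alone: setInterval-driven pages produce the same clean period. The discriminating signal is a validator that keeps changing on a resource a human would expect to be static; treat the result as a triage signal to be combined with other telemetry, not as a verdict.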
Specification – Last-Modified, 1st threat model
Sleep time   Min start sequence   Avg sequence   Max sequence   Speed       Accuracy
1 second     3200 bits            8848 bits      19712 bits     1 bit/s     99.82%
2 seconds    3400 bits            10145 bits     22143 bits     0.5 bit/s   99.87%
• Min start sequence – minimum number of bits passed
from the beginning of a conversation till the first mistake
• Avg and Max sequence – number of bits passed without
any mistakes in a row on average and at best
• Accuracy – percentage of correctly transmitted bits
Specification – ETag, 1st threat model
Sleep time    Min start sequence   Avg sequence   Max sequence   Speed     Accuracy
1 second      3200 bits            8848 bits      19712 bits     1 bit/s   99.82%
0.5 seconds   2400 bits            8142 bits      18123 bits     2 bit/s   99.5%
ETag contains mtime (last-modified time with microsecond accuracy), so the theoretical channel capacity is larger than the practically achievable one.
The maximum practical speed of the covert channels is about 1 bit per (2L+T) seconds, where L is the HTTP latency between u2 and s1 and T is the time needed for auxiliary operations.
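Both the ETag slide earlier and the capacity remark here rest on what an Apache 2.2-style ETag encodes: inode, size and mtime in hex, with mtime in microseconds since the epoch. The Python below is an added example, not code from the slides or the tsu-iscd project; it splits such a tag into its fields using the slides' own sample value. It also tolerates surrounding quotes, a W/ weak prefix and the trailing 'L' characters in the slides' rendering (assumptions about the input, not about any server). Decoding the field shows the sub-second part of mtime that Last-Modified never exposes, which is the extra capacity the text refers to, and also why an operator who does not want inode numbers or sub-second timestamps visible narrows the FileETag directive.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_apache_etag(etag):
    """Split an Apache-style 'inode-size-mtime' ETag into its fields.

    Apache 2.2's default FileETag setting (INode MTime Size) emits the three
    values in hex, with the modification time in microseconds since the epoch.
    Surrounding quotes and a 'W/' weak marker are stripped and a trailing 'L'
    on a field (the slides' rendering) is ignored; these are input-handling
    assumptions for this example, not server behaviour.
    """
    tag = etag.strip()
    weak = tag.startswith("W/")
    if weak:
        tag = tag[2:]
    tag = tag.strip('"')
    parts = tag.split("-")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not an inode-size-mtime ETag: {etag!r}")
    try:
        inode, size, mtime_us = (int(p.rstrip("L"), 16) for p in parts)
    except ValueError:
        raise ValueError(f"non-hex field in ETag: {etag!r}") from None
    # Integer arithmetic keeps full microsecond resolution; a float epoch
    # value would already lose the last digit at 2014-era timestamps.
    mtime = EPOCH + timedelta(microseconds=mtime_us)
    return {"weak": weak, "inode": inode, "size": size,
            "mtime_us": mtime_us, "mtime": mtime}


def subsecond_part_us(fields):
    """Microseconds of mtime that a one-second Last-Modified header cannot show."""
    return fields["mtime_us"] % 1_000_000


if __name__ == "__main__":
    # Sample tag taken from the slides' ETag example.
    f = parse_apache_etag('"120c7bL-32bL-4f86d4105ac62L"')
    print(f"inode={f['inode']} size={f['size']} bytes "
          f"mtime={f['mtime'].isoformat()}")
    print(f"sub-second mtime hidden from Last-Modified: {subsecond_part_us(f)} µs")
```

For the slides' sample the inode is 1182843, the size 811 bytes and the mtime 2014-05-02T16:27:12.857186 UTC; the 857186 µs tail is exactly the part a one-second Last-Modified value discards.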
Covert Channels in Browsers
Kenton Born, “Browser-based covert data exfiltration”
DOMAIN NAME SYSTEM (DNS)
Query: “Where is some.domain.example.com?”
Response: “It is at 88.0.13.37!”
some.domain.example.com        = Subdomain . Domain
bigbrother.watchingme.evil.com = Information . Domain
IT’S A CLIENT-SERVER CHANNEL
Covert Channels in Browsers
DNS TUNNEL
first.bit.evil.com = Information . Domain
Response “It is 66.45.234.2” -> received 1; response NXDOMAIN -> received 0
IT’S A SERVER-CLIENT CHANNEL
Server-Client Browser Channel
Purpose: to implement covert timing channels using browser-side
technologies such as JavaScript, AJAX and various HTML
features
Timing Channels in Browsers
Problems:
• Lack of any “sleep” function
• Low accuracy of the existing time management functions
• Difficulties with synchronization of the covert channel’s server and client
So an implementation of the model used above is pointless, but it is
possible to implement covert channels under these restrictions
using the second threat model (controlled web server)
Timing Channels in Browsers
Use the same client-side model, but in JavaScript
(flowchart) send HTTP request -> get host response
  -> if page has been modified: store new header, write ‘1’ to output; else: write ‘0’ to output
  -> “sleep N seconds” implemented with setInterval -> repeat
Timing Channels in Browsers
Some refactoring of the server-side model
(flowchart) WAIT for HTTP request -> if current message bit is ‘1’: send new header value, store header value; else: send old header value
Issues
Issue                                Solution
Server-client synchronization        Client visits a special page to begin the conversation
End of message determination         Client receives a special HTTP code in response, e.g. 404 Not Found or 403 Forbidden
Single-client-only communication     Opening a session that stores the number of the bit being transferred for each client
Specification, 2nd threat model – controlled server
Browser-based implementation of channels (client in JavaScript)
Header          Server version   Average HTTP ping   Max HTTP ping   Speed        Max sequence
Last-Modified   Python           560.3 ms            1621.8 ms       0.53 bit/s   unlimited
Last-Modified   PHP              508 ms              532.2 ms        0.58 bit/s   unlimited
ETag            Python           560.3 ms            1621.8 ms       1.02 bit/s   unlimited
ETag            PHP              508 ms              532.2 ms        1.18 bit/s   unlimited
Specification, 2nd threat model – controlled server
Testing the channel implementation in C with a PHP server
Purpose: to estimate the maximum speed
Header   Network                     Average HTTP ping   Speed
ETag     Local host                  0.55 ms             986 bit/s
ETag     Data center local network   1.63 ms             845.65 bit/s
ETag     Local network               6.9 ms              295.69 bit/s
ETag     Internet                    383.2 ms            4.89 bit/s
Proof of Concept
GitHub – https://github.com/tsu-iscd/HttpCovertChannels
The Browser Exploitation Framework
https://github.com/beefproject/beef
“BeEF allows the professional penetration tester to
assess the actual security posture of a target
environment by using client-side attack vectors.”
Conclusions
Future work: implementation of the ETag based covert
timing channel as a BeEF module
Denis Kolegov
@dnkolegov
Oleg Broslavsky
@yalegko
Nikita Oleksov
@neoleksov