Covert Timing Channels Using HTTP Cache Headers

Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University, Information Security and Cryptography Department
September 8-13, 2014, Ekaterinburg

Upload: denis-kolegov, posted on 23-Jun-2015

DESCRIPTION

Covert timing channels using HTTP cache headers (Last-Modified and ETag) are investigated and implemented in browsers.

TRANSCRIPT

Page 1: Covert Timing Channels using HTTP Cache Headers

COVERT TIMING CHANNELS USING HTTP CACHE HEADERS

Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University, Information Security and Cryptography Department
September 8-13, 2014, Ekaterinburg

Page 2: Covert Timing Channels using HTTP Cache Headers

Introduction

A covert channel is a path that can be used to transfer information in a way not intended by the system's designers (CWE-514).

HTTP is one of the most widely used Internet protocols, so detection of covert channels over HTTP is an important research area.

Page 3: Covert Timing Channels using HTTP Cache Headers

Example – HTTP Headers

Using steganography methods in header values.

Suppose that "en" encodes 0 and "fr" encodes 1. Then:

Accept-Language: en,fr                     → 01
Accept-Language: fr,en                     → 10
Accept-Language: en,fr,en,fr,en,en,en,en   → 01010000 = 0x50

Page 4: Covert Timing Channels using HTTP Cache Headers

Covert Channels' Usage

• Implementation of prohibited information flows in LBAC systems
• Retaining control in targeted browsers
• Timing attacks
• Botnet command and control

Page 5: Covert Timing Channels using HTTP Cache Headers

Types Of Covert Channels

TIME DEPENDENCE

• A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515)
• Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385)

DIRECTION

• Unidirectional
  – Client – server
  – Server – client
• Bidirectional

Page 6: Covert Timing Channels using HTTP Cache Headers

Client-Server Covert Channels

Client-server covert channels are easier to implement, e.g. a covert storage channel via the If-Range request header:

GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L    (hex-encoded data)

Page 7: Covert Timing Channels using HTTP Cache Headers

Server-Client Covert Channels

Server-client channels are more complicated, and most of them are timing channels, so they are more interesting to research.

Page 8: Covert Timing Channels using HTTP Cache Headers

Basic HTTP Cache Headers

RESPONSE (SERVER) HEADERS

• Last-Modified
• ETag

REQUEST (CLIENT) HEADERS

• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-None-Match

Page 9: Covert Timing Channels using HTTP Cache Headers

Last-Modified Response Header

The Last-Modified HTTP header stores the date of the web entity's last modification.

Page request:

GET / HTTP/1.1
Host: 162.71.12.43
(other headers)

Response:

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive

(data)

Page 10: Covert Timing Channels using HTTP Cache Headers

ETag Response Header

The ETag value is formed from the hex values of the file's inode, size and last-modified time (mtime).

Page request:

GET / HTTP/1.1
Host: 162.71.12.43
(other headers)

Response:

HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
Connection: keep-alive

(data)

120c7bL-32bL-4f86d4105ac62L = file's inode (120c7b) – size (32b) – last-modified time, mtime (4f86d4105ac62)
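The inode-size-mtime layout above, decoded by an added example (it is not from the slides or the authors' PoC): it splits an Apache-style ETag into its three fields and converts the microsecond mtime, which is where the extra resolution of the ETag-based channel comes from. Tolerating the "L" suffixes of the slide's sample value is an assumption about that sample, not part of Apache's format.

```python
import re
from datetime import datetime, timezone

# Apache's default ETag is "inode-size-mtime" in hex, with mtime in microseconds
# since the Unix epoch. The regex also tolerates quotes, a weak-validator W/
# prefix and the "L" suffixes shown in the slide's sample value (an assumption
# about that sample, not part of Apache's format).
ETAG_RE = re.compile(r'^(?:W/)?"?([0-9a-fA-F]+)L?-([0-9a-fA-F]+)L?-([0-9a-fA-F]+)L?"?$')

def decode_apache_etag(etag):
    """Split an inode-size-mtime ETag into its fields; None if it has another shape."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None
    inode, size, mtime_us = (int(x, 16) for x in m.groups())
    try:
        mtime = datetime.fromtimestamp(mtime_us / 1_000_000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        mtime = None  # hex field is not a plausible timestamp
    return {"inode": inode, "size": size, "mtime_us": mtime_us, "mtime": mtime}

def changed_fields(old_etag, new_etag):
    """Which fields differ between two validators of the same resource. A page
    rewritten in place every n seconds changes mtime (and maybe size) but keeps
    the inode, which is the pattern behind the ETag-based channel."""
    a, b = decode_apache_etag(old_etag), decode_apache_etag(new_etag)
    if a is None or b is None:
        return None
    return [k for k in ("inode", "size", "mtime_us") if a[k] != b[k]]

if __name__ == "__main__":
    fields = decode_apache_etag("120c7bL-32bL-4f86d4105ac62L")  # sample from the slide
    print(f"inode={fields['inode']} size={fields['size']} bytes "
          f"mtime={fields['mtime']:%Y-%m-%d %H:%M:%S.%f} UTC")
```

Apache's FileETag directive controls which of these components go into the header, so the same decoder tells you how much the validator of a given server reveals.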

Page 11: Covert Timing Channels using HTTP Cache Headers

Common Usage of Cache Request Headers

HTTP cache headers allow a web client not to download a page if it hasn't been changed since a certain time.

Page request:

GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)

or

GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)

Page has been changed: HTTP/1.1 200 OK (page data)
Page has not been changed: HTTP/1.1 304 Not Modified (only headers)

Page 12: Covert Timing Channels using HTTP Cache Headers

Common Usage of Cache Request Headers

The second pair of headers does the same as the previous one, but with the logically inverse condition.

Page request:

GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)

or

GET / HTTP/1.1
Host: 162.71.12.43
If-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)

Page has been changed: HTTP/1.1 412 Precondition Failed (only headers)
Page has not been changed: HTTP/1.1 200 OK (page data)

Page 13: Covert Timing Channels using HTTP Cache Headers

Covert Timing Channel Model

[Diagram: process p1 reads message.txt and writes some_page.html; process p2 reads the page over the Internet]

Two different threat models are considered; in the second one the web server is under the intruder's control.

message.txt -- read-only
some_page.html -- write-only

Page 14: Covert Timing Channels using HTTP Cache Headers

General Covert Channels Scheme

[Flowchart] Send an HTTP request. If the page has been changed: received '1', store the new header value. If the page has not been changed: received '0'.

Page 15: Covert Timing Channels using HTTP Cache Headers

Covert Channels Using HTTP Cache Headers

Last-Modified based:
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header

ETag based:
• ETag header value
• Using If-Match header
• Using If-None-Match header

Page 16: Covert Timing Channels using HTTP Cache Headers

Last-Modified Based Channels

Last-Modified header value covert channel

Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT

[Flowchart] Send an HTTP request and get the new header value. If the header value changed: received '1', store the header value. Else: received '0'. Wait n seconds and repeat.

Page 17: Covert Timing Channels using HTTP Cache Headers

Last-Modified Based Channels

Covert channel using If-Modified-Since

If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT

[Flowchart] Send an If-Modified-Since request. If the HTTP code is "200": received '1', store the header value. Else: received '0'. Wait n seconds and repeat.

Page 18: Covert Timing Channels using HTTP Cache Headers

Last-Modified Based Channels

Covert channel using If-Unmodified-Since

If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT

[Flowchart] Send an If-Unmodified-Since request. If the HTTP code is "412": received '1', store the header value. Else: received '0'. Wait n seconds and repeat.

Page 19: Covert Timing Channels using HTTP Cache Headers

ETag Based Channels

ETag header value covert channel

ETag: 120c7bL-32bL-4f86d4105ac62L

[Flowchart] Send an HTTP request and get the new header value. If the header value changed: received '1', store the header value. Else: received '0'. Wait n seconds and repeat.

Page 20: Covert Timing Channels using HTTP Cache Headers

ETag Based Channels

Covert channel using If-None-Match

If-None-Match: 120c7bL-32bL-4f86d4105ac62L

[Flowchart] Send an If-None-Match request. If the HTTP code is "200": received '1', store the header value. Else: received '0'. Wait n seconds and repeat.

Page 21: Covert Timing Channels using HTTP Cache Headers

ETag Based Channels

Covert channel using If-Match

If-Match: 120c7bL-32bL-4f86d4105ac62L

[Flowchart] Send an If-Match request. If the HTTP code is "412": received '1', store the header value. Else: received '0'. Wait n seconds and repeat.

Page 22: Covert Timing Channels using HTTP Cache Headers

Ways to Implement

Of the many possible ways, we focus on:

• Python – Socket library
• C++ – Boost ASIO library
• C – simple C socket library

We choose C due to its highest performance (among these ways) and decent stability.

The first threat model is chosen because of its minimal requirements.

Page 23: Covert Timing Channels using HTTP Cache Headers

Implementation

[Flowchart] Send an HTTP request and get the host response. If the page has been modified: write '1' to output and store the new header. Else: write '0' to output. Sleep N seconds and repeat.

Page 24: Covert Timing Channels using HTTP Cache Headers

Issues

Some problems we solved during implementation:

Issue                                Solution
Server-client synchronization        Special synchronizing function
Different time of requests           Dynamic sleep time
Lateness after sleep                 "Active" sleep
High CPU load with "active sleep"    "Dynamic" and "active" sleep combination

Page 25: Covert Timing Channels using HTTP Cache Headers

Issue 1

Necessity of synchronizing the "read" (web client) and "write" (host) services.

Solution: a synchronizing function that does requests at maximum speed (without sleep).

[Flowchart] Send an HTTP request, get the host response, and check whether the page has been changed; repeat.

Page 26: Covert Timing Channels using HTTP Cache Headers

Issue 2

Different request times can break the services' synchronization.

Solution: a dynamic sleep time equal to (sleep_time – time taken by the request).

[Flowchart] Calculate the time taken by the request (diff_time), then sleep (sleep_time – diff_time) µs.

Page 27: Covert Timing Channels using HTTP Cache Headers

Issue 3

Inaccurate sleep: after sleep (usleep() is used) the program can wake up with 10-200 µs lateness.

Solution: use "active sleep", i.e. keep calculating the time difference between the last request and the current moment while it is less than sleep_time.

[Flowchart] Calculate diff_time. If diff_time < sleep_time: keep looping. Else: proceed to the next request.

Page 28: Covert Timing Channels using HTTP Cache Headers

Issue 4

High CPU load with "active sleep".

Solution: combine "active" and "dynamic" sleep.

[Flowchart] Sleep (sleep_time – CONST – request_time), then calculate diff_time; while diff_time < CONST, continue with the active sleep, else proceed to the next request.

where CONST is a constant of about 1000 µs (or less, depending on PC performance)

Page 29: Covert Timing Channels using HTTP Cache Headers

Advantages

ADVANTAGES OF COVERT TIMING CHANNELS WITH THE FIRST INTRUDER MODEL

• Does not modify the common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on the web page used by the channel does not break its work
• The information flow looks like something refreshes a web page every n seconds
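The last advantage is also the channel's observable signature on the server side. As an added example (not from the slides or the authors' code), here is a defender's check over constructed Apache access-log lines: it flags a client that re-fetches one resource at a near-constant period and only ever gets 200 or 304 back, and decodes the status sequence with the receiver's own rule from the flowcharts. The thresholds (five requests, 15% period jitter) are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache common-format lines: 10.0.0.7 re-fetches one page every
# 2 s and gets 304 (unchanged, bit '0') or 200 (changed, bit '1');
# 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.7 - - [02/Apr/2014:14:33:40 +0000] "GET /some_page.html HTTP/1.1" 304 -
10.0.0.7 - - [02/Apr/2014:14:33:42 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.7 - - [02/Apr/2014:14:33:44 +0000] "GET /some_page.html HTTP/1.1" 304 -
10.0.0.7 - - [02/Apr/2014:14:33:46 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.7 - - [02/Apr/2014:14:33:48 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.7 - - [02/Apr/2014:14:33:50 +0000] "GET /some_page.html HTTP/1.1" 304 -
10.0.0.9 - - [02/Apr/2014:14:33:41 +0000] "GET /index.html HTTP/1.1" 200 812
10.0.0.9 - - [02/Apr/2014:14:35:57 +0000] "GET /index.html HTTP/1.1" 304 -
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Yield (ip, path, datetime, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, status = m.groups()
            yield ip, path, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def find_periodic_pollers(text, min_requests=5, max_cv=0.15):
    """Map (ip, path) -> {"period", "bits"} for clients that re-fetch one resource
    at a near-constant interval and only ever get 200 or 304 back."""
    groups = defaultdict(list)
    for ip, path, ts, status in parse_log(text):
        groups[(ip, path)].append((ts, status))
    hits = {}
    for key, events in groups.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # period jitter
        if cv <= max_cv and {s for _, s in events} <= {200, 304}:
            # Same decoding rule as the receiver on the slides: 200 -> '1', 304 -> '0'.
            bits = "".join("1" if s == 200 else "0" for _, s in events)
            hits[key] = {"period": mean, "bits": bits}
    return hits
```

A legitimate auto-refreshing page produces the same signature, so treat a hit as a triage lead and compare it with how often that resource's Last-Modified or ETag actually changes.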

Page 30: Covert Timing Channels using HTTP Cache Headers

Specification – Last-Modified, 1st threat model

Sleep time   Min start sequence   Avg sequence   Max sequence   Speed       Accuracy
1 second     3200 bits            8848 bits      19712 bits     1 bit/s     99.82%
2 seconds    3400 bits            10145 bits     22143 bits     0.5 bit/s   99.87%

• Min start sequence – minimum number of bits passed from the beginning of a conversation until the first mistake
• Avg and Max sequence – number of bits passed in a row without any mistakes, on average and at best
• Accuracy – percentage of correctly transmitted bits

Page 31: Covert Timing Channels using HTTP Cache Headers

Specification – ETag, 1st threat model

Sleep time    Min start sequence   Avg sequence   Max sequence   Speed     Accuracy
1 second      3200 bits            8848 bits      19712 bits     1 bit/s   99.82%
0.5 seconds   2400 bits            8142 bits      18123 bits     2 bit/s   99.5%

ETag contains mtime (last-modified time with microsecond accuracy), so the theoretical channel capacity is bigger than the practically achievable one.

The maximum practical speed of the covert channels is about 1 bit per (2L+T) seconds, where L is the HTTP latency between u2 and s1 and T is the time needed for auxiliary operations.

Page 32: Covert Timing Channels using HTTP Cache Headers

Covert Channels in Browsers

Kenton Born, "Browser-based covert data exfiltration"

DOMAIN NAME SYSTEM (DNS)

Query: "Where is some.domain.example.com?"
Response: "It is at 88.0.13.37!"

some.domain.example.com        = subdomain + domain
bigbrother.watchingme.evil.com = information + domain

IT'S A CLIENT-SERVER CHANNEL

Page 33: Covert Timing Channels using HTTP Cache Headers

Covert Channels in Browsers

DNS TUNNEL – IT'S A SERVER-CLIENT CHANNEL

first.bit.evil.com = information + domain

Response "It is 66.45.234.2" → received 1
Response NXDOMAIN → received 0

Page 34: Covert Timing Channels using HTTP Cache Headers

Server-Client Browser Channel

Purpose: to implement covert timing channels using browser-side technologies such as JavaScript, AJAX and different HTML features.

Page 35: Covert Timing Channels using HTTP Cache Headers

Timing Channels in Browsers

Problems:
• Lack of any "sleep" function
• Low accuracy of the existing time management functions
• Difficulties with synchronization of the covert channel's server and client

So an implementation of the model used above is pointless, but it is possible to implement covert channels under these restrictions using the second threat model (controlled web server).

Page 36: Covert Timing Channels using HTTP Cache Headers

Timing Channels in Browsers

Use the same client-side model, but in JavaScript.

[Flowchart] Send an HTTP request and get the host response. If the page has been modified: write '1' to output and store the new header. Else: write '0' to output. "Sleep N seconds" is implemented with setInterval.

Page 37: Covert Timing Channels using HTTP Cache Headers

Timing Channels in Browsers

Some refactoring of the server-side model.

[Flowchart] Wait for an HTTP request. If the current message bit is '1': send a new header value and store it. Else: send the old header value.

Page 38: Covert Timing Channels using HTTP Cache Headers

Issues

Issue                              Solution
Server-client synchronization      Client visits a special page to begin the conversation
End of message determination       Client receives some special HTTP code in response, e.g. 404 Not Found or 403 Forbidden
Single-client-only communication   Opening a session that stores the number of the bit being transferred for each client

Page 39: Covert Timing Channels using HTTP Cache Headers

Specification – 2nd threat model, controlled server

Browser-based implementation of the channels (client in JavaScript)

Header          Server version   Average HTTP ping   Max HTTP ping   Speed        Max sequence
Last-Modified   Python           560.3 ms            1621.8 ms       0.53 bit/s   unlimited
Last-Modified   PHP              508 ms              532.2 ms        0.58 bit/s   unlimited
ETag            Python           560.3 ms            1621.8 ms       1.02 bit/s   unlimited
ETag            PHP              508 ms              532.2 ms        1.18 bit/s   unlimited

Page 40: Covert Timing Channels using HTTP Cache Headers

Specification – 2nd threat model, controlled server

Testing the channel implementation in C with a PHP server.

Purpose: to estimate the maximum speed.

Header   Network                     Average HTTP ping   Speed
ETag     Local host                  0.55 ms             986 bit/s
ETag     Data center local network   1.63 ms             845.65 bit/s
ETag     Local network               6.9 ms              295.69 bit/s
ETag     Internet                    383.2 ms            4.89 bit/s

Page 41: Covert Timing Channels using HTTP Cache Headers

Proof of Concept

GitHub – https://github.com/tsu-iscd/HttpCovertChannels

Page 42: Covert Timing Channels using HTTP Cache Headers

The Browser Exploitation Framework

https://github.com/beefproject/beef

"BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors."

Page 43: Covert Timing Channels using HTTP Cache Headers

Conclusions

Future work: implementation of the ETag based covert timing channel as a BeEF module.

Page 44: Covert Timing Channels using HTTP Cache Headers

Denis Kolegov – [email protected] – @dnkolegov
Oleg Broslavsky – [email protected] – @yalegko
Nikita Oleksov – [email protected] – @neoleksov