peeping tom in the neighborhood keystroke eavesdropping on multi-user systems usenix 2009 kehuan...
TRANSCRIPT
![Page 1: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/1.jpg)
Peeping Tom in the Neighborhood
Keystroke Eavesdropping on Multi-User Systems
USENIX 2009Kehuan Zhang, Indiana University, BloomingtonXiaoFeng Wang, Indiana University,
Bloomington
![Page 2: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/2.jpg)
Agenda
2
OverviewAssumptionImplementationExperimentConclusion
![Page 3: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/3.jpg)
OverviewFor some command such as ps or top, they
need some information about the processThe virtual file system procfs, which discloses
such information, locates at /proc/<pid>/statOur attack take advantage of the stack
information of a process to infer keystrokes• Specially ESP 、 EIP
3
![Page 4: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/4.jpg)
Overview (cont.)
4
For some command such as ps or top, they need some information about the process
The virtual file system procfs, which discloses such information, locates at /proc/<pid>/stat
Our attack take advantage of the stack information of a process to infer keystrokes• Specially ESP 、 EIP
Fig. 1: The sketch of keystroke extraction and recognition
![Page 5: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/5.jpg)
AssumptionCapability to execute programMulti-core systemAccess to the victim’s informationAttacker can obtain some victim’s typing
sample as training data
5
![Page 6: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/6.jpg)
Implementation
6
Pattern extractionTrace loggingGet inter-timingKeystroke analysis
Fig. 1: The sketch of keystroke extraction and recognition
![Page 7: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/7.jpg)
Implementation
7
Pattern extractionTrace loggingGet inter-timingKeystroke analysis
Fig. 2: Steps about keystroke pattern extraction
![Page 8: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/8.jpg)
Implementation (cont.)
8
Pattern extractionTrace loggingGet inter-timingKeystroke analysis
Fig. 3: Steps about trace logging and getting inter-timing
![Page 9: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/9.jpg)
Implementation (cont.)
9
Pattern extractionTrace loggingGet inter-timingKeystroke analysis
Fig. 4: Steps about keystroke analysis
![Page 10: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/10.jpg)
Pattern extractionDeterministic program• Same input cause the same output, such as vim• Use strace to get all system call sequences, then
extract the difference• False positive check
Non-deterministic program• Same input could cause different outputs, almost
all GUI programs are non-deterministic• An instruction level analysis tool to the function gtk_main_do_event(event) to get it’s event
10
![Page 11: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/11.jpg)
Trace logging
11
Attacker’s shadow program keep monitor on /proc/<pid>/stat• That’s why we need multi-core system• However, the log won’t be complete
Avoid detection• Decrease the sample rate• Hide CPU usage
Fig. 3: Steps about trace logging and getting inter-timing
![Page 12: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/12.jpg)
Get inter-timing
12
Use Longest Common Subsequence (LCS) algorithm to compare log with pattern• Ignore ASLR by normalize ESP pattern
Use a time duration to get only consecutive keystroke pattern
Fig. 5: Pattern matching Fig. 6: Using time duration
![Page 13: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/13.jpg)
Keystroke analysis
13
Now, we have got inter-timing sequencesWe use Hidden Markov Model (HMM) to guess
what victim input and list 4500 candidates• N-Viterbi algorithm: use conditional probability• Average all probabilities• M-N-Viterbi algorithm: use conditional probability
Fig. 4: Steps about keystroke analysis
![Page 14: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/14.jpg)
ExperimentEnvironment• Intel Core 2 Duo E6700, 3GB RAM• Red Hat Linux Enterprise 4.0, Debian 4.0, and
Ubuntu 8.04Evaluation on three public server• A Linux workstation in a public machine room
(Server 1)• A web server of Indiana University that allows SSH
connections from its users (Server 2)• A server for students’ course projects (Server 3)• 72-hour monitoring on these servers that user
number range from 1 to 2414
![Page 15: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/15.jpg)
Experiment (cont.)
15
Fig. 11: CPU usage of three real world server during 72 hours
Fig. 10: Percentage of keystroke detected versus CPU usage
![Page 16: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/16.jpg)
Experiment (cont.)
16
Speculating passwords• Training: 15 training keys, each has 13 letters and
2 digits, totally 225 key pairs. We detect 45 inter-timings for each of these pairs from a user
• Evaluation: select 3 passwords from the space of all possible 8-bytes sequences formed by 15 characters. Our HMM output 4500 candidates
![Page 17: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/17.jpg)
Experiment (cont.)
17
Speculating passwords• Training: 15 training keys, each has 13 letters and 2
digits, totally 225 key pairs. We detect 45 inter-timings for each of these pairs from a user
• Evaluation: select 3 passwords from the space of all possible 8-bytes sequences formed by 15 characters. Our HMM output 4500 candidates
Fig. 7: Percentage of space to search before find the right password
![Page 18: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/18.jpg)
Experiment (cont.)
18
Guess English words• Training: use the word frequency of British
national corpus to compute transition probabilities
• Evaluation: random draw a word from 2103 known words with length 3 to 5, then type them
Fig. 8: Time distribution of letter pairs
![Page 19: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/19.jpg)
Experiment (cont.)
19
Guess English words• Training: use the word frequency of British
national corpus to compute transition probabilities
• Evaluation: random draw a word from 2103 known words with length 3 to 5, then type them
Fig. 8: Time distribution of letter pairs Fig. 9: Success rate on English word
![Page 20: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/20.jpg)
ConclusionInformation leak: one can get others’
keystrokes without any special permissionTrade-off between convenience and securityContribute for keystrokes detection and
extraction method on almost all distributions of Linux
20
![Page 21: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/21.jpg)
Future workMore precise detection method for non-
deterministic programsWay to detect keystrokes when system calls
are not immediately triggered by keystrokesBetter algorithm to identify English wordsUtilize more information to infer other events,
such as mouse moving
21
![Page 22: Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,](https://reader035.vdocument.in/reader035/viewer/2022062422/56649f2a5503460f94c441f5/html5/thumbnails/22.jpg)
The End