CMSC 691I Clandestine Channels

Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005

Presented by Sweety Chauhan, October 26, 2005

Contents: Overview; New and Significant; Covert Channels; Types of Covert Channels; Where is this relevant?; Network Covert Channels; Taxonomy (I); Taxonomy (II); Packet Header Hiding; IP Header; TCP Header; Storage Based; Timing Channels (I); Timing Channels (II); Frequency Based (I); Frequency Based (II); Protocol Based; Traditional Detection Mechanisms; Threat Model; IP Covert Channel; IP ID and TCP ISN Implementation; Detection of TCP/IP Steganography; IP ID Characteristics; TCP ISN Characteristics; Explicit Steganography Detection; Slide 27; Slide 28; Results; Detection-Resistant TCP Steganography Schemes; Conclusion; Future Work; References; Thanks a lot ... Any Questions; Homework; Covert Channel Tools; Linux 2.0 ISN Generator; Linux ISN and ID generator; OpenBSD ISN generator

Slide 2: Overview
- New and Significant
- Overview of Covert Channels
- TCP/IP based Steganography
- Detection of TCP/IP Steganography
- Conclusion

Slide 3: New and Significant
- Proposes a scheme, "Lathra", for encoding data in the TCP/IP header that is not detected by the warden
- A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

Slide 4: Covert Channels
- Communication in a non-obvious manner
- Potential methods to get information out of the security perimeter
- Two types: storage and timing

Slide 5: Types of Covert Channels
- Storage: information is conveyed by writing or abstaining from writing; no clock is needed
- Timing: information is conveyed by the timing of events; the receiver needs a clock

Slide 6: Where is this relevant?
The use of covert channels is relevant in organizations that:
- restrict the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications

Slide 7: Network Covert Channels
- Information hiding: placed in network headers and/or conveyed through action/reaction
- Goal: a channel that is undetectable or unobservable
- Network watchers (sniffers, IDS, ...) will not be aware that data is being transmitted

Slide 8: Taxonomy (I)
Network covert channels can be:
- storage-based
- timing-based
- frequency-based
- protocol-based
- any combination of the above

Slide 9: Taxonomy (II)
- Each of the above categories constitutes a dimension of data
- Information hiding in the packet payload is outside the realm of network covert channels; those cases fit into the broader field of steganography

Slide 10: Packet Header Hiding
[Figure: packet layout. IP Header (20-64 bytes) | TCP Header (20-64 bytes) | DATA (0-65,488 bytes). Labelled fields: IP Source Address, IP Destination Address, TCP Source Port, TCP Destination Port; sample payload "This is Information Assurance Class".]
- The TCP/IP header can serve as a carrier for a steganographic covert channel

Slide 11: IP Header
[Figure: IP header layout with options field (0-44 bytes); the fields that may be used to embed steganographic data are highlighted.]

Slide 12: TCP Header
[Figure: TCP header layout with options field (0-44 bytes); the Timestamp option is highlighted.]

Slide 13: Storage Based
Information is leaked by hiding data in packet header fields:
- IP identification
- Offset
- Options
- TCP Checksum
- TCP Sequence Numbers

Slide 14: Timing Channels (I)
- Information is leaked by triggering or delaying events at specific time intervals

Slide 15: Timing Channels (II)
[Figure only.]

Slide 16: Frequency Based (I)
- Information is encoded over many channels of cover traffic
- The order or combination of cover channel access encodes the information

Slide 17: Frequency Based (II)
[Figure only.]

Slide 18: Protocol Based
- Exploits ambiguities or non-uniform features in common protocol specifications

Slide 19: Traditional Detection Mechanisms
Statistical methods:
- storage-based: data analysis
- time-based: time analysis
- frequency-based: flow analysis

Slide 20: Threat Model
- Passive warden threat model
- Active warden threat model

Slide 21: IP Covert Channel
- IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
- For IP networks:
  - data hidden in the IP header
  - data hidden in ICMP Echo Request and Response packets
  - data tunneled through an SSH connection
  - "Port 80" tunneling (or DNS port 53 tunneling)
  - in image files

Slide 22: IP ID and TCP ISN Implementation
- Two fields which are commonly used to embed steganographic data are the IP ID and the TCP ISN
- Due to their construction, these fields contain some structure
- Partially unpredictable

Slide 23: Detection of TCP/IP Steganography
- Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates
- These can be used to identify any anomalies that may indicate the use of steganography
- A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems

Slide 24: IP ID Characteristics
1. Sequential Global IP ID
2. Sequential Per-host IP ID
3. IP-ID MSB Toggle
4. IP-ID Permutation

Slide 25: TCP ISN Characteristics
5. Rekey Timer
6. Rekey Counter
7. ISN MSB Toggle
8. ISN Permutation
9. Zero bit 15
10. Full TCP Collisions
11. Partial TCP Collisions

Slide 26: Explicit Steganography Detection
12. Nushu Cryptography
- encrypts data before including it in the ISN field
- results in a distribution different from the one normally generated by Linux, and so will be detected by the other TCP tests

Slide 27
13. TCP Timestamp
- If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
- If "too much" randomness is detected in the LSBs, a steganographic covert channel is in use

Slide 28
14. Other Anomalies
- unusual flags (e.g. DF when not expected, ToS set)
- excessive fragmentation
- use of IP options
- non-zero padding
- unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
- excessive re-ordering

Slide 29: Results
[Figure only.]
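The trace-level tests on slides 23 to 27 (sequential global and per-host IP ID, zero bit 15, full ISN collisions, and the timestamp LSB randomness test), written out as an added Python example; this is not code from the slides or from the Murdoch/Lewis paper. It assumes a trace already reduced to per-packet records of destination, IP ID, ISN and TCP timestamp value (a constructed record format), and the traces it runs on are constructed inline: the two "host profiles" they model (one global IP ID counter versus one counter per destination) are assumptions for illustration, not measurements of any real operating system. The slide does not say which randomness test to use; the NIST SP 800-22 monobit and runs tests are used here as one reasonable choice.

```python
"""Consistency tests over a TCP/IP trace (added example, constructed data)."""
import math
from collections import defaultdict

MOD16 = 1 << 16


def make_records(dsts, ip_ids, isns, tsvals):
    """Bundle per-packet fields into trace records (constructed-input helper)."""
    return [{"dst": d, "ip_id": i, "isn": s, "tsval": t}
            for d, i, s, t in zip(dsts, ip_ids, isns, tsvals)]


def ipid_sequential_global(records):
    """Test 1: IP ID increases by one on every packet, whatever the destination."""
    ids = [r["ip_id"] for r in records]
    return all((b - a) % MOD16 == 1 for a, b in zip(ids, ids[1:]))


def ipid_sequential_per_host(records):
    """Test 2: IP ID increases by one within each destination's stream."""
    streams = defaultdict(list)
    for r in records:
        streams[r["dst"]].append(r["ip_id"])
    return all(all((b - a) % MOD16 == 1 for a, b in zip(s, s[1:]))
               for s in streams.values())


def isn_zero_bit15(records):
    """Test 9: bit 15 of every ISN is clear."""
    return all(r["isn"] & (1 << 15) == 0 for r in records)


def isn_full_collisions(records):
    """Test 10: number of ISNs that exactly repeat an earlier ISN in the trace."""
    seen, dups = set(), 0
    for r in records:
        dups += r["isn"] in seen
        seen.add(r["isn"])
    return dups


def monobit_p(bits):
    """NIST SP 800-22 frequency (monobit) test p-value."""
    n = len(bits)
    s_obs = abs(2 * sum(bits) - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p(bits):
    """NIST SP 800-22 runs test p-value (0.0 if the monobit prerequisite fails)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    return math.erfc(num / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def timestamp_lsbs_look_random(records, alpha=0.01):
    """Test 13: do the timestamp LSBs pass both randomness tests at level alpha?
    A genuine timestamp advances slowly, so its LSBs fail the runs test."""
    bits = [r["tsval"] & 1 for r in records]
    return monobit_p(bits) >= alpha and runs_p(bits) >= alpha


# Constructed traces of 64 packets, alternating between two destinations.
N = 64
DSTS = ["10.0.0.1" if i % 2 == 0 else "10.0.0.2" for i in range(N)]
COVER_TS = [1000 + i // 4 for i in range(N)]            # four packets per clock tick
ISNS_CLEAN = [0x00010000 * (i + 1) for i in range(N)]   # bit 15 clear, no repeats

# Assumed profile A: one global IP ID counter shared by all destinations.
TRACE_GLOBAL = make_records(DSTS, [(100 + i) % MOD16 for i in range(N)], ISNS_CLEAN, COVER_TS)
# Assumed profile B: one IP ID counter per destination.
TRACE_PER_HOST = make_records(DSTS, [100 + i // 2 for i in range(N)], ISNS_CLEAN, COVER_TS)

# Constructed suspect trace: timestamp LSBs carry the bits of a message, and
# the ISN stream has bit 15 set on two packets, one of which repeats the other.
MSG_BITS = [(byte >> (7 - k)) & 1 for byte in b"covert!!" for k in range(8)]
STEGO_TS = [(t & ~1) | bit for t, bit in zip(COVER_TS, MSG_BITS)]
ISNS_SUSPECT = [0x1234ABCD] * 2 + ISNS_CLEAN[2:]
TRACE_STEGO = make_records(DSTS, [100 + i // 2 for i in range(N)], ISNS_SUSPECT, STEGO_TS)

if __name__ == "__main__":
    for name, trace in (("global", TRACE_GLOBAL), ("per-host", TRACE_PER_HOST), ("stego", TRACE_STEGO)):
        print(name, "seq-global:", ipid_sequential_global(trace),
              "seq-per-host:", ipid_sequential_per_host(trace),
              "zero-bit-15:", isn_zero_bit15(trace),
              "isn-collisions:", isn_full_collisions(trace),
              "ts-lsb-random:", timestamp_lsbs_look_random(trace))
```

Each test answers one question about the trace, and the slide's point is the combination: a host profile is a set of expected answers, and a trace whose answers do not fit any known profile is the anomaly. The timestamp check is deliberately two-sided in spirit: a periodic clock fails the runs test, so "passes both tests" is the suspicious outcome here, the reverse of how these tests are normally read.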
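An added Python example, not code from the slides or the paper, serving both the packet-header carrier fields on slides 10 to 13 (IP identification, options, TCP sequence number, TCP timestamp) and the "Other Anomalies" checklist on slide 28: a parser for IPv4 and TCP headers that pulls out the fields the slides name, followed by single-packet anomaly checks. The packets are constructed inline and their checksums are left zero; the expected DF and timestamp behaviour of the sending host is passed in as an assumed profile (`expect_df`, `expect_timestamps`), since the slide's "when not expected" needs per-OS knowledge the page does not give. Excessive fragmentation and excessive re-ordering are trace-level judgements and are not covered here.

```python
"""IPv4/TCP header field extraction and single-packet anomaly checks (added example)."""
import struct

IP_DF, IP_MF, IP_FRAG_MASK = 0x4000, 0x2000, 0x1FFF
OPT_EOL, OPT_NOP, TCP_OPT_TIMESTAMP = 0, 1, 8   # IP and TCP options share this TLV layout


def _pad4(opts, pad):
    """Pad an options blob to a 4-byte boundary with a chosen pad byte."""
    return opts + pad * (-len(opts) % 4)


def build_ipv4_tcp(tos=0, ident=0, flags_frag=IP_DF, ip_opts=b"", seq=0,
                   tcp_opts=b"", pad=b"\x00"):
    """Construct a minimal IPv4+TCP SYN (constructed input; checksums left zero)."""
    ip_opts, tcp_opts = _pad4(ip_opts, pad), _pad4(tcp_opts, pad)
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, (ihl + doff) * 4, ident,
                     flags_frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (doff << 12) | 0x02, 65535, 0, 0)
    return ip + ip_opts + tcp + tcp_opts


def parse_options(blob):
    """Walk a TLV option list; returns ({kind: data}, bytes that follow EOL)."""
    opts, i = {}, 0
    while i < len(blob):
        kind = blob[i]
        if kind == OPT_EOL:
            return opts, blob[i + 1:]
        if kind == OPT_NOP:
            opts[kind] = b""
            i += 1
            continue
        if i + 1 >= len(blob) or blob[i + 1] < 2:
            break                     # truncated or malformed option: stop walking
        length = blob[i + 1]
        opts[kind] = blob[i + 2:i + length]
        i += length
    return opts, b""


def parse_ipv4_tcp(pkt):
    """Extract the header fields the slides name as possible carriers."""
    (ver_ihl, tos, total, ident, flags_frag, _ttl, _proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_opts, ip_pad = parse_options(pkt[20:ihl])
    tcp = pkt[ihl:total]
    (_sport, _dport, seq, _ack, off_flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    tcp_opts, tcp_pad = parse_options(tcp[20:doff])
    ts = tcp_opts.get(TCP_OPT_TIMESTAMP)
    return {
        "tos": tos, "ip_id": ident, "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF), "frag_off": flags_frag & IP_FRAG_MASK,
        "ip_opts": ip_opts, "ip_pad": ip_pad, "isn": seq,
        "tcp_opts": tcp_opts, "tcp_pad": tcp_pad,
        "tsval": struct.unpack("!II", ts)[0] if ts is not None and len(ts) == 8 else None,
    }


def header_anomalies(h, expect_df=True, expect_timestamps=True):
    """Checks from the 'Other Anomalies' list that a single packet can answer;
    expect_* is the assumed profile of the sending operating system."""
    found = []
    if h["df"] != expect_df:
        found.append("DF flag inconsistent with host profile")
    if h["tos"]:
        found.append("ToS set")
    if h["mf"] or h["frag_off"]:
        found.append("fragmentation")
    if h["ip_opts"] or h["ip_pad"]:
        found.append("IP options present")
    if any(h["ip_pad"]) or any(h["tcp_pad"]):
        found.append("non-zero padding after EOL")
    if (TCP_OPT_TIMESTAMP in h["tcp_opts"]) != expect_timestamps:
        found.append("TCP timestamp option inconsistent with host profile")
    return found


# Constructed packets: a plain SYN with a timestamp option, and one that shows
# several of the listed anomalies at once (ToS, IP options, 0x41 padding bytes).
TS_OPT = bytes([TCP_OPT_TIMESTAMP, 10]) + struct.pack("!II", 1000, 0)
CLEAN = build_ipv4_tcp(ident=0x1234, seq=0x00010000,
                       tcp_opts=TS_OPT + bytes([OPT_NOP, OPT_NOP]))
SUSPECT = build_ipv4_tcp(tos=0x10, ident=0xBEEF, ip_opts=bytes([OPT_NOP, OPT_EOL]),
                         seq=0x1234ABCD, tcp_opts=TS_OPT + bytes([OPT_EOL]), pad=b"\x41")

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("suspect", SUSPECT)):
        h = parse_ipv4_tcp(pkt)
        print(name, hex(h["ip_id"]), hex(h["isn"]), h["tsval"],
              header_anomalies(h, expect_timestamps=(name == "clean")))
```

The parser returns the padding bytes after EOL separately because they are exactly the kind of field a storage channel can use: RFC-conformant stacks leave them zero, so any other value is a finding on its own, independent of what the options themselves say.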