
Covert Channel Creation through VPN


Presentation Transcript


  1. Covert Channel Creation through VPN Prepared by Isakov Yehiel Under Supervision of Dr. Gabi Nakibly

  2. What is a covert channel? • Definition A: A covert channel is a mechanism by which a process at a high security level leaks information to a process at a low security level that would otherwise not have access to it (usually through a mechanism not intended for information transfer at all). • Definition B: Any information channel that can be exploited by a process to transfer information in a manner that violates the system's security policy (U.S. Department of Defense).

  3. … or simply speaking … • There are Alice, Bob and warden Wendy (in simpler schematics there is no Wendy). • A is trying to communicate with B through a shared resource R (file / network channel / CPU) while being watched by W. • Sometimes there are more entities that just make noise. • How can B filter the noise?!

  4. Project Setting • There is a computer network with more than one computer (naturally). • All of the communication from this network passes through a VPN Gateway (which works using the FCFS algorithm). • One of the computers is compromised (has a Trojan Horse T). T is trying to establish a covert communications channel with Peer, which sits on the channel that the VPN Gateway transmits on.

  5. Project Setting (cont.) • Detection computer D is between VPN and P: it checks all outgoing communications from the Network and “cuts” the outgoing communications if it senses something fishy … • Peer receives not only the packets that Trojan sends: it has to filter out Trojan’s packets from the noise. • Since VPN encrypts packet contents, Trojan can only manipulate packet sizes and PIATs.

  6. Project Setting (Schematics)

  7. Existing methods • There are not many! Actually, there are none within the given project settings. • This is due to the unique setting of the problem. • For example, most of the existing noisy covert channels in networks use protocol fields (like TTL, Options in TCP/IP). • One cannot do that in this case.

  8. Existing methods (cont.) • However, existing examples in CPU and file system are interesting, though not relevant. • For more information see the literature review document (to be released soon). • It also contains an example of a “burst channel” that eventually develops into a method (all in review document).

  9. Method Selection • PIATs are very sensitive to network status. A complex maintenance technique is needed in order to keep PIATs consistent in transitions. • On the other hand, sizes remain the same all the time (they do not change in transitions). • Therefore we’ll choose communication through “smart” packet size selections.

  10. Method I • Learn normal communications. • Define m keys • Select two hashing functions f and g and a natural number • To send “1” for the ith time generate packets of sizes and send them to Peer through VPN.

  11. Method I (cont.) • To send “0” for the ith time generate packets of sizes and send them to Peer through VPN. • PIATs for sending sequences for “1” and “0” are set according to learned PIATs. • In order to decode the message Peer (that also has the keys and the functions) simply reconstructs the original sequence.

  12. Some implementation details • Hashing algorithm is based upon Knuth’s hashing method for small numbers: • Key creation algorithm makes sure that the keys are “random” and suit the learned packet size distribution (but do not come from it! Details in literature review).

  13. Analysis • Error probability is very low: • Suppose that normal communication rate is CR bits per second. Assume that every source transmits with the same rate. If there are N sources then Trojan must transmit CR/N bits per second.

  14. Analysis (cont.) • In order to transmit “1” Trojan must transmit at most and for “0” - • Denote M as maximum between those two values. • Therefore Trojan’s optimal trans. rate is:

  15. Method II • Number theory based. • While learning count packets with special sizes – Pythagorean Squares and 1-pseudo Pythagorean Squares. • Find such packet ratios (number of special packets / total number of packets). • Generate PSList and 1PseudoPSList (one contains PSes from min to max, the other – 1-Pseudo PSes).

  16. Method II • If Trojan wants to transmit “1” it sends k 1-pseudo PS sized squares from 1PseudoPSList. • If Trojan wants to transmit “0” it sends m 1-pseudo PS sized squares from PSList. • k and m are determined during the learning process. They are set in such a manner that Peer will detect the corresponding ratio changes, which will be an indication of transmission.

  17. Analysis • Error probability is: • Transmission rate analysis is similar to the Method I analysis. • Method II was not implemented yet!

  18. Analysis (cont.) • Determining how Peer will see k and m impact is not simple. That is what sets back the implementation. Channel works only in noiseless setting. • One way is to check rates at certain time windows and determine how noise affects the “special” packets distribution. • Final implementation will follow the literature review document.

  19. Execution Results • Method I: 1. Works without noise, 0% error in transmission. 2. Works with 50% noise, 0% error in transmission. 3. Assumption: very noise-proof and robust. • Method II: 1. Works without noise, 0% error in transmission. 2. Doesn’t work in noisy environments … yet …

  20. Execution Results (cont.) • A reminder … doesn’t work yet …

  21. Conclusions • Developing an algorithm for covert channel creation under so many constraints is difficult. • Method I provides a simple and robust method for solving this problem. • It defines a “non-statistical” sample property. • Method II continues with the same notion (although it needs some refinement).

  22. Conclusions (cont.) • Non-statistical properties are sometimes easy to define, but difficult to implement (like in the Method II case). • Detection is almost impossible for certain channels based on such an approach. • Non-statistical properties use “difficult” (almost NP-hard) properties to define a pattern.

  23. The End Thanks for your time I hope you enjoyed the lecture 
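Slides 5 and 16 to 18 describe a ratio of "special" packet sizes that changes when a bit is sent, and a detector D that still sees packet sizes after VPN encryption. The following is an added example (not code from the presentation) of how D could check that ratio per time window against a learned baseline; the `SPECIAL` set is a placeholder because the slides do not define the sizes, and all traffic below is constructed.

```python
import math

def learn_baseline(sizes, special):
    """Fraction of packets with a 'special' size in known-clean traffic."""
    return sum(1 for s in sizes if s in special) / len(sizes)

def window_counts(sizes, special, window):
    """Yield (special_count, n) for each full, non-overlapping window."""
    for start in range(0, len(sizes) - window + 1, window):
        chunk = sizes[start:start + window]
        yield sum(1 for s in chunk if s in special), len(chunk)

def flag_windows(sizes, special, baseline, window=50, z_threshold=3.0):
    """Indices of windows whose special-size count deviates from baseline.

    Normal approximation to the binomial:
    z = (k - n*p) / sqrt(n*p*(1-p)); both a surplus and a deficit of
    special sizes are flagged.
    """
    flagged = []
    for i, (k, n) in enumerate(window_counts(sizes, special, window)):
        sd = math.sqrt(n * baseline * (1 - baseline))
        z = (k - n * baseline) / sd if sd else 0.0
        if abs(z) >= z_threshold:
            flagged.append(i)
    return flagged

# --- constructed sample data (sizes are placeholders, not from the slides) ---
SPECIAL = {100, 400}
NORMAL = [60, 1500, 576, 100, 1200, 64, 1400, 52, 800, 1000]  # 1 in 10 special

# Window 1 carries extra special-sized packets; windows 0 and 2 are clean.
BURST = [400 if i % 3 == 0 else s for i, s in enumerate(NORMAL * 5)]
OBSERVED = NORMAL * 5 + BURST + NORMAL * 5

if __name__ == "__main__":
    p = learn_baseline(NORMAL * 20, SPECIAL)
    print("baseline ratio:", p)
    print("flagged windows:", flag_windows(OBSERVED, SPECIAL, p))
```

A sender that keeps the per-window ratio inside the baseline's normal variation is not flagged by this check, which is the difficulty slide 22 refers to.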
