Embedding Covert Channels into TCP/IP - PowerPoint PPT Presentation
Presentation Transcript
Embedding Covert Channels into TCP/IP

S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom. 7th Information Hiding Workshop, June 2005

Sweety Chauhan

October 26, 2005


Overview

  • New and Significant

  • Overview of Covert Channels

  • TCP/IP based Steganography

  • Detection of TCP/IP Steganography

  • Conclusion


New and Significant

  • Proposed a scheme, “Lathra”, for encoding data in TCP/IP header fields in a way that is not detected by the warden

  • A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key


Covert Channels

  • Communication in a non-obvious manner

  • A potential method of getting information out of the security perimeter

  • Two Types:

    • Storage

    • Timing



Where is this relevant?

  • The use of covert channels is relevant in organizations that:

    • restrict the use of encryption in their systems

    • have privileged or private information

    • wish to restrict communication

    • monitor communications


Network Covert Channels

  • Information hiding

    • placed in network headers AND/OR

    • conveyed through action/reaction

  • Goal - channel undetectable or unobservable

  • Network watchers (sniffer, IDS, ..) will not be aware that data is being transmitted


Taxonomy (I)

  • Network covert channels can be

    • Storage-based

    • Timing-based

    • Frequency-based

    • Protocol-based

    • any combination of the above


Taxonomy (II)

  • Each of the above categories constitutes a dimension of the data

    • Information hiding in the packet payload is outside the realm of network covert channels

    • Those cases fit into the broader field of steganography


Packet Header Hiding

[Figure: packet layout as IP Header (20-64 bytes) | TCP Header (20-64 bytes) | DATA (0-65,488 bytes), with the IP Source Address, IP Destination Address, TCP Source Port and TCP Destination Port fields highlighted and the example message “This is Information Assurance Class” shown as the hidden payload]

  • TCP/IP Header can serve as a carrier for a steganographic covert channel


IP Header

[Figure: IP header layout, options field 0-44 bytes, with the fields that may be used to embed steganographic data highlighted]


TCP Header

[Figure: TCP header layout, options field 0-44 bytes, with the Timestamp option highlighted]


Storage Based

  • Information is leaked by hiding data in packet header fields

    • IP identification

    • Offset

    • Options

    • TCP Checksum

    • TCP Sequence Numbers


Timing Channels (I)

  • Information is leaked by triggering or delaying events at specific time intervals



Frequency Based (I)

  • Information is encoded over many channels of cover traffic

  • The order or combination of cover channel access encodes information



Protocol Based

  • Exploits ambiguities or non-uniform features in common protocol specifications


Traditional Detection Mechanisms

  • Statistical methods

  • Storage-based

    • Data analysis

  • Time-based

    • Time analysis

  • Frequency-based

    • Flow analysis


Threat Model

  • Passive Warden Threat Model

  • Active Warden Threat Model


IP Covert Channel

  • IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers

  • For IP Networks:

    • Data hidden in the IP header

    • Data hidden in ICMP Echo Request and Response packets

    • Data tunneled through an SSH connection

    • “Port 80” tunneling (or DNS port 53 tunneling)

    • In image files


IP ID and TCP ISN Implementation

  • Two fields which are commonly used to embed steganographic data are the IP ID and TCP ISN

  • Due to their construction, these fields contain some structure

    • Partially unpredictable


Detection of TCP/IP Steganography

  • Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates

    • these can be used to identify anomalies that may indicate the use of steganography

  • A suite of tests

    • applied to network traces to identify whether the results are consistent with known operating systems


IP ID Characteristics

  • Sequential Global IP ID

  • Sequential Per-host IP ID

  • IP-ID MSB Toggle

  • IP-ID Permutation
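The IP ID checks above, as an added example that is not part of the slides or of the Murdoch/Lewis paper: a Python classifier that runs the Sequential Global, Sequential Per-host and MSB Toggle characteristics over the IP IDs sent by one source host and reports streams that match none of them. The permutation test is left out, and the step tolerance and the 0.9 match threshold are assumptions.

```python
from collections import defaultdict

MOD = 1 << 16  # the IP ID field is 16 bits wide


def fraction_sequential(ids, max_step=8):
    """Share of consecutive IDs that advance by 1..max_step (mod 2^16).
    The step tolerance is assumed; it allows for packets the monitor missed."""
    if len(ids) < 2:
        return 0.0
    ok = sum(1 for a, b in zip(ids, ids[1:]) if 1 <= (b - a) % MOD <= max_step)
    return ok / (len(ids) - 1)


def fraction_msb_toggle(ids):
    """Share of consecutive IDs whose bit 15 flips (the OpenBSD MSB toggle)."""
    if len(ids) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(ids, ids[1:]) if (a >> 15) != (b >> 15))
    return flips / (len(ids) - 1)


def classify_ipid(packets, threshold=0.9):
    """packets: (dst_host, ip_id) pairs from one source host, in capture order.
    Returns the IP ID characteristic matched, or 'anomalous' if none does."""
    ids = [i for _, i in packets]
    if fraction_sequential(ids) >= threshold:
        return "sequential-global"
    per_host = defaultdict(list)
    for host, i in packets:
        per_host[host].append(i)
    streams = [v for v in per_host.values() if len(v) >= 2]
    if streams and all(fraction_sequential(v) >= threshold for v in streams):
        return "sequential-per-host"
    if fraction_msb_toggle(ids) >= threshold:
        return "msb-toggle"
    return "anomalous"  # matches no listed characteristic: inspect further


# Constructed samples (not captures): a global counter, two interleaved per-host
# counters, an OpenBSD-style stream with bit 15 toggling, and values that
# follow none of these patterns.
GLOBAL = [("h1", (5000 + k) % MOD) for k in range(20)]
PER_HOST = [("h1", 100 + k // 2) if k % 2 == 0 else ("h2", 7000 + k // 2)
            for k in range(20)]
TOGGLE = [("h1", ((k * 0x1234 + 0x101) & 0x7FFF) | ((k & 1) << 15)) for k in range(20)]
RANDOMISH = [("h1" if k % 2 == 0 else "h2", v) for k, v in enumerate(
    [0x4A1F, 0x0B33, 0x7E21, 0x19C4, 0x6F02, 0x23D8, 0x5A77, 0x0E91, 0x3CC5, 0x71AB])]
```

A stream reported as anomalous is only a candidate for closer inspection; the slide's point is that it fails to match any known operating system behaviour, not that steganography is proven.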


TCP ISN Characteristics

  • Rekey Timer

  • Rekey Counter

  • ISN MSB Toggle

  • ISN Permutation

  • Zero bit 15

  • Full TCP Collisions

  • Partial TCP Collisions


Explicit Steganography Detection

12. Nushu Cryptography

  • encrypts data before including it in the ISN field

  • results in a distribution which differs from the one normally generated by Linux, and so will be detected by the other TCP tests


13. TCP Timestamp

  • If a low-bandwidth TCP connection is being used to leak information

  • a randomness test can be applied to the least significant bits of the timestamps in the TCP packets

  • If “too much” randomness is detected in the LSBs → a steganographic covert channel is in use
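The timestamp LSB randomness check above, as an added example that is not from the slides or the paper: it takes the TSval of each packet on one connection, keeps the least significant bit, and applies a monobit test and a runs test, reporting “suspicious” when the LSBs look like a fair coin. The choice of tests, the z-score cut-off of 3.0 and the three traces are assumptions constructed for the example.

```python
import math
import random


def timestamp_lsbs(timestamps):
    """Least significant bit of each TSval, in packet order."""
    return [t & 1 for t in timestamps]


def monobit_z(bits):
    """z-score of the ones count against a fair coin (0 = perfectly balanced)."""
    n = len(bits)
    return (2 * sum(bits) - n) / math.sqrt(n)


def runs_z(bits):
    """Wald-Wolfowitz runs test: z-score of the number of runs of equal bits."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    if n0 == 0 or n1 == 0:
        return float("inf")  # a constant stream has no run structure to test
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    mean = 2.0 * n0 * n1 / n + 1
    var = 2.0 * n0 * n1 * (2.0 * n0 * n1 - n) / (n * n * (n - 1))
    return (runs - mean) / math.sqrt(var)


def lsb_verdict(timestamps, z_max=3.0):
    """'suspicious' when the LSBs pass both randomness tests (the slide's
    "too much randomness"), else 'regular'. The z cut-off is an assumption."""
    bits = timestamp_lsbs(timestamps)
    if abs(monobit_z(bits)) < z_max and abs(runs_z(bits)) < z_max:
        return "suspicious"
    return "regular"


# Constructed traces (not captures). A steady sender whose TSval advances by a
# fixed odd number of ticks gives strictly alternating LSBs, a fixed even step
# gives constant LSBs, and a channel that writes one pseudorandom bit into
# each timestamp gives LSBs that pass both tests.
STEADY_ODD = [1_000_000 + 3 * k for k in range(200)]
STEADY_EVEN = [1_000_000 + 4 * k for k in range(200)]
_rng = random.Random(2005)
EMBEDDED = [((1_000_000 + 3 * k) & ~1) | _rng.getrandbits(1) for k in range(200)]
```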


14. Other Anomalies

  • unusual flags (e.g. DF when not expected, ToS set)

  • excessive fragmentation

  • use of IP options

  • non-zero padding

  • unexpected TCP options (e.g. timestamps from operating systems which do not generate them)

  • excessive re-ordering



Detection-Resistant TCP Steganography Schemes

  • Lathra - robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier

  • Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden


Conclusion

  • TCP/IP header fields can be used as a carrier for a steganographic covert channel

  • Two schemes for encoding data with ISNs generated by OpenBSD and Linux

    • indistinguishable from those generated by a genuine TCP stack


Future Work

  • Flexible covert channel scheme which can be used in many channels

  • Create a protocol for jumping between multiple covert channels

  • New schemes to detect different encoding mechanisms in TCP/IP header fields


References

  • Hide and Seek: An Introduction to Steganography, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003

  • Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005


Thanks a lot for your presence



Homework

Presentation slides and research papers are available at:

www.umbc.edu/~chauhan2/CMSC691I/


Covert Channel Tools

  • SSH (SCP, FTP tunneling, Telnet tunneling, X-Windows tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege)

  • Loki (ICMP Echo Request/Reply, UDP 53)

  • NT - Back Orifice (BO2K) plugin BOSOCK32

  • Reverse WWW Shell Server - looks like an HTTP client (browser); application headers mimic HTTP GET and response commands