400 likes | 753 Views
Embedding Covert Channels into TCP/IP. S.J. Murdoch, S. Lewis University of Cambridge, United Kingdom 7th Information Hiding Workshop, June 2005 Sweety Chauhan October 26, 2005. Overview. New and Significant
E N D
Embedding Covert Channels into TCP/IP S.J. Murdoch, S. LewisUniversity of Cambridge, United Kingdom 7th Information Hiding Workshop, June 2005 Sweety Chauhan October 26, 2005
Overview • New and Significant • Overview of Covert Channels • TCP/IP based Steganography • Detection of TCP/IP Steganography • Conclusion
New and Significant • Proposed a scheme “Lathra” for encoding data in TCP/IP header not detected by warden • A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key
Covert Channels • Communication in a non-obvious manner • Potential methods - to get information out of the security perimeter • Two Types: • Storage • Timing
Where is this relevant? • The use of covert channels is relevant in organizations that: • restrict the use of encryption in their systems • have privileged or private information • wish to restrict communication • monitor communications
Network Covert Channels • Information hiding • placed in network headers AND/OR • conveyed through action/reaction • Goal - channel undetectable or unobservable • Network watchers (sniffer, IDS, ..) will not be aware that data is being transmitted
Taxonomy (I) • Network covert channels can be • Storage-based • Timing-based • Frequency-based • Protocol-based • any combination of the above
Taxonomy (II) • Each of the above categories constitute a dimension of data • Information hiding in packet payload is outside the realm of network covert channels • These cases fit into the broader field of steganography
20-64 bytes 20-64 bytes 0-65,488 bytes IP Header TCP Header DATA This is Information Assurance Class TCP Source Port TCP Destination Port TCP/IP Header can serve as a carrier for a steganographic covert channel IP Source Address IP Destination Address Packet Header Hiding
0-44 bytes Fields that may be used to embed steganographic data IP Header
0-44 bytes Timestamp TCP Header
Storage Based • Information is leaked by hiding data in packet header fields • IP identification • Offset • Options • TCP Checksum • TCP Sequence Numbers
Timing Channels (I) • Information is leaked by triggering or delaying events at specific time intervals
Frequency Based (I) • Information is encoded over many channels of cover traffic • The order or combination of cover channel access encodes information
Protocol Based • Exploits ambiguities or non-uniform features in common protocol specifications
Traditional Detection Mechanisms • Statistical methods • Storage-based • Data analysis • Time-based • Time analysis • Frequency-based • Flow analysis
Threat Model • Passive Warden Threat Model • Active Warden Threat Model
IP Covert Channel • IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers • For IP Networks: • Data hidden in the IP header • Data hidden in ICMP Echo Request and Response Packets • Data tunneled through an SSH connection • “Port 80” Tunneling, (or DNS port 53 tunneling) • In image files
IP ID and TCP ISN Implementation • Two fields which are commonly used to embed steganographic data are the IP ID and TCP ISN • Due to their construction, these fields contain some structure • Partially unpredictable
Detection of TCP/IP Steganography • Each operating system exhibits well defined characteristics in generated TCP/IP fields • can be used to identify any anomalies that may indicate the use of steganography • suite of tests • applied to network traces to identify whether the results are consistent with known operating systems
IP ID Characteristics • Sequential Global IP ID • Sequential Per-host IP ID • IP-ID MSB Toggle • IP-ID Permutation
TCP ISN Characteristics • Rekey Timer • Rekey Counter • ISN MSB Toggle • ISN Permutation • Zero bit 15 • Full TCP Collisions • Partial TCP Collisions
Explicit Steganography Detection 12. Nushu Cryptography • encrypts data before including it in the ISN field • results in a distribution which is different from normally generated by Linux and so will be detected by the other TCP tests
13. TCP Timestamp • If a low bandwidth TCP connection is being used to leak information • a randomness test can be applied to the least significant bits of the timestamps in the TCP packets • If “too much“ randomness is detected in the LSBs → a steganographic covert channel is in use
14. Other Anomalies • unusual flags (e.g. DF when not expected, ToS set) • excessive fragmentation • use of IP options • non-zero padding • unexpected TCP options (e.g. timestamps from operating systems which do not generate them) • excessive re-ordering
Detection-Resistant TCP Steganography Schemes • Lathra - Robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier • Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden
Conclusion • TCP/IP header fields can be used as a carrier for a steganographic covert channel • Two schemes for encoding data with ISNs generated by OpenBSD and Linux • indistinguishable from those generated by a genuine TCP stack
Future Work • Flexible covert channel scheme which can be used in many channels • Create a protocol for jumping between multiple covert channels • New schemes to detect different encoding mechanisms in TCP/IP Header fields
References • Hide and Seek: An Introduction to Steganography, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003 • Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain) June 2005
Thanks a lot … For Your Presence
Homework Presentation Slides and Research Papers are available at : www.umbc.edu/~chauhan2/CMSC691I/
Covert Channel Tools • SSH (SCP, FTP Tunneling, Telnet Tunneling, X-Windows Tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege). • Loki (ICMP Echo R/R, UDP 53) • NT - Back Orifice (BO2K) plugin BOSOCK32 • Reverse WWW Shell Server - looks like a HTTP client (browser). App headers mimic HTTP GET and response commands.