A FRAMEWORK FOR THE ANALYSIS OF MIX-BASED STEGANOGRAPHIC FILE SYSTEMS
Claudia Diaz, Carmela Troncoso, Bart Preneel
K.U.Leuven / COSIC
Cambridge,

Presentation transcript:

A FRAMEWORK FOR THE ANALYSIS OF MIX-BASED STEGANOGRAPHIC FILE SYSTEMS
Claudia Diaz, Carmela Troncoso, Bart Preneel
K.U.Leuven / COSIC
Cambridge, January 28,

MOTIVATION
o Problem: we want to keep stored information secure (confidential)
o Encryption protects against the unwanted disclosure of information but…
  o reveals the fact that hidden information exists!
  o User can be threatened / tortured / coerced to disclose the decryption keys ("coercion attack")
o We need to hide the existence of files
o Property: plausible deniability
  o Allow users to deny believably that any further encrypted data is located on the storage device
  o If password is not known, not possible to determine the existence of hidden files

ATTACKER MODEL: ONE SNAPSHOT
o Attacker has never inspected the user's computer before coercion
o Ability to coerce the user at any point in time
o User produces some keys
o Attacker inspects user computer
o Game: If attacker is able to determine that the user has not provided all her keys, the attacker wins

ANDERSON, NEEDHAM & SHAMIR (1998)
1. Use cover files such that a linear combination (XOR) of them reveals the information
o Password: subset of files to combine
o Hierarchy (various levels of security)
  o User can show some "low" security levels while hiding "high" security levels
  o Not possible to know whether she has revealed the keys to all existing levels
o Drawbacks:
  o File read operations have high cost
  o Needs a lot of cover files to be secure (computationally infeasible to try all combinations)
  o Assumes adversary knows nothing about the plaintext
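The cover-file construction above, reduced to a single hidden file, as an added example (not code from the slides or from the original paper). The PBKDF2-based subset selection, the salt, the cover count and the block size are assumptions chosen for illustration.

```python
import hashlib
import secrets
from functools import reduce

BLOCK = 32  # bytes per cover file in this toy store (assumption)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subset(password: str, n_covers: int, k: int) -> list:
    """Map a password to k distinct cover-file indices.
    Assumption: PBKDF2 output expanded with SHA-256 in counter mode."""
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)
    chosen, counter = [], 0
    while len(chosen) < k:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        index = int.from_bytes(digest[:8], "big") % n_covers
        if index not in chosen:
            chosen.append(index)
        counter += 1
    return chosen

def reveal(covers, password, k=8):
    """XOR the password-selected cover files together (k reads per file read)."""
    return reduce(xor, (covers[i] for i in subset(password, len(covers), k)))

def hide(covers, password, secret, k=8):
    """Rewrite one selected cover so that the whole subset XORs to `secret`."""
    idxs = subset(password, len(covers), k)
    rest = reduce(xor, (covers[i] for i in idxs[1:]))
    # The rewritten cover is (random XOR secret), so it still looks random
    # to someone who knows nothing about the plaintext.
    covers[idxs[0]] = xor(rest, secret)

def demo():
    covers = [secrets.token_bytes(BLOCK) for _ in range(64)]  # constructed cover files
    secret = b"constructed hidden file content!"              # exactly BLOCK bytes
    hide(covers, "correct horse", secret)
    return reveal(covers, "correct horse"), reveal(covers, "wrong guess"), secret

if __name__ == "__main__":
    good, bad, secret = demo()
    print(good == secret, bad == secret)
```

Every read touches k cover files, which is the read cost listed among the drawbacks.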

ANDERSON, NEEDHAM & SHAMIR (1998)
2. Real files hidden in encrypted form in pseudo-random locations amongst random data
o Location derived from the name of the file and a password
o Collisions (birthday paradox) overwrite data:
  o Use only small part of the storage capacity ( < )
  o Replication
    o All copies of a block need to be overwritten to lose the data
    o Linear hierarchy: higher security levels need more replication
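An added simulation of the second construction (not code from the slides or the original paper): block positions are derived from the file name and a password, writes overwrite whatever is already there, and a block is lost only when every replica has been overwritten. The HMAC/PBKDF2 derivation, the salt, the file names and the store sizes are assumptions.

```python
import hashlib
import hmac

def derive_key(password: bytes) -> bytes:
    # Assumption: PBKDF2 with a constructed salt stands in for the key derivation.
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 10_000)

def block_locations(key, name, block_no, replicas, store_blocks):
    """Pseudo-random store positions for every replica of one file block."""
    locs = []
    for r in range(replicas):
        tag = hmac.new(key, f"{name}|{block_no}|{r}".encode(), hashlib.sha256).digest()
        locs.append(int.from_bytes(tag[:8], "big") % store_blocks)
    return locs

def lost_blocks(key, n_files, blocks_per_file, replicas, store_blocks):
    """Write files in order with no collision check, then count the file
    blocks whose every replica was overwritten by a later write."""
    store = {}   # position -> (file name, block number) currently held there
    placed = {}  # (file name, block number) -> its replica positions
    for f in range(n_files):
        name = f"file{f}"  # constructed file names
        for b in range(blocks_per_file):
            locs = block_locations(key, name, b, replicas, store_blocks)
            placed[(name, b)] = locs
            for loc in locs:
                store[loc] = (name, b)  # silently overwrites the previous owner
    return sum(1 for owner, locs in placed.items()
               if all(store[loc] != owner for loc in locs))

if __name__ == "__main__":
    key = derive_key(b"constructed passphrase")
    for r in (1, 2, 4):
        lost = lost_blocks(key, n_files=100, blocks_per_file=10,
                           replicas=r, store_blocks=10_000)
        print(f"replicas={r}: {lost} of 1000 file blocks lost")
```

Replication reduces loss only while the store stays lightly loaded, since each extra replica is also an extra write that can overwrite someone else's block.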

STEGFS: MCDONALD & KUHN (1999)
o Implemented as extension of the Linux file system (Ext2fs)
o Hidden files are placed into unused blocks of a "normal" partition
  o Normal files are overwritten with random data when deleted
  o Attacker cannot distinguish a deleted normal file from an encrypted hidden file
o Block allocation table with one entry per block on the partition:
  o Used blocks: entry encrypted with same key as data block
  o Unused blocks: random data
o The table helps locating data and detecting corrupted blocks (lower security levels can still overwrite higher ones)

ATTACKER MODEL: CONTINUOUS OBSERVATION
o What if attacker can observe accesses to the store?
  o Remote or shared semi-trusted store
  o Distributed P2P system
o Same game as before:
  o Ability to coerce the user at any point in time
  o User produces keys to some security levels
  o Attacker inspects user computer
  o If attacker is able to determine that the user has not provided all her keys, the attacker wins
o BUT now the adversary has prior information (which blocks have been accessed/modified)
o Previous systems do not provide plausible deniability against this adversary model

PREVIOUS WORK WHERE THIS ADVERSARY IS RELEVANT: P2P
o Distributed (P2P) steganographic file systems:
  o Mnemosyne: Hand and Roscoe (2002)
  o Mojitos: Giefer and Letchner (2002)
o Propose dummy traffic to hide access patterns (no details provided)

PREVIOUS WORK WHERE THIS ADVERSARY IS RELEVANT: SEMI-TRUSTED REMOTE STORE
o Semi-trusted remote store: Zhou et al. (2004)
o Use of constant rate cover traffic (dummy accesses) to disguise file accesses
o Every time a block location is accessed, it is overwritten with different data (re-encrypted with different IV)
  o Block updates no longer indicate file modifications
o Every time a file block is accessed, it is moved to another (empty) location
  o Protects against simple access frequency analysis
  o Relocations are low-entropy
o Broken by Troncoso et al. (2007) with traffic analysis attacks that find correlations between sets of accesses
  o Multi-block files are found prior to coercion if they are accessed twice
  o One-block files are found if accessed a few times

HOW IT IS BROKEN (SIMPLIFIED VERSION)
[Figure: accesses to the store at time t1 and at time t2]

Can we provide plausible deniability against an adversary who monitors the store prior to coercion?

SYSTEM MODEL
o Files are stored on fixed-size blocks
o Blocks containing (encrypted) file data are undistinguishable from empty blocks containing random data
o Several levels of security (we assume hierarchical)
  o User discloses keys to some of these levels while keeping others hidden
o Data persistence: erasure codes for redundancy (impact on plausible deniability)
o Traffic analysis resistance
  o Constant rate dummy traffic
  o High entropy block relocation
[Figure labels: Process user file requests; Generate dummy traffic (uniform)]

USER LOGIN
o User logs in with security level s, by providing key uk_s
o Agent trial-decrypts every entry in the table
  o Files in security levels s or lower can be found in the table
  o Files in higher security levels are indistinguishable from random (empty)
o Agent starts making block accesses (either dummy or to retrieve files requested by the user)
o For each block, the agent performs an access cycle
[Figure label: Table]

BLOCK ENCRYPTION
[Figure labels: Block containing a file in security level s; User key: uk_s; (One time) block key: bk_i; data. Empty block, or containing a file in security level higher than s; random.]

ACCESS CYCLE
[Figure: access cycle; label: Table]

ATTACK METHODOLOGY
1. Attacker profiles the system to extract:
  o Typical access sequences when the user is idle (dummy traffic)
  o Typical access sequences when the user is accessing a file
2. Attacker monitors accesses and looks for sequences that look like file accesses
3. Attacker coerces the user when sequence indicates possible file access (worst case scenario)
4. Attacker obtains some user keys and inspects computer
5. Attacker combines the evidence obtained before and after coercion to try to determine if there are more user keys the user has not provided
6. If the probability of undisclosed keys is high, deniability is low, and vice versa.

EXTRACTING INFORMATION FROM THE SEQUENCE OF ACCESSES TO THE STORE I
o Attacker profiles the system to extract typical access sequences when the user is accessing a file
[Figure label: MixSFS]

EXTRACTING INFORMATION FROM THE SEQUENCE OF ACCESSES TO THE STORE II
o Attacker profiles the system to extract:
  o Typical access sequences when the user is idle (dummy traffic)
o Establish a baseline for dummy traffic
o Analyze accesses to store and find strong correlations (unlikely to be generated by dummy traffic)
o For big files, the area that goes over the baseline is much bigger than for dummy traffic (i.e., distinguishable)

SECURITY METRICS: UNOBSERVABILITY
o Prior to coercion: we define unobservability (U) as the probability of a file operation being undetectable by the adversary; i.e., the sequence of store accesses generated by a file operation is considered by the adversary as dummy traffic

SECURITY METRICS: DENIABILITY
o After coercion
  o Percentage of empty blocks in pool compared to the percentage in the whole store
  o Worst case scenario: coercion occurs immediately after a hidden file access – large number of "empty" blocks in the pool
o We define deniability (D) as the probability that the evidence collected by the adversary (before and after coercion) has been generated by dummy traffic (i.e., no evidence of hidden files).

CONCLUSIONS AND OPEN QUESTIONS
o Conclusions
  o Hard to protect against traffic analysis, even using constant rate dummy traffic
  o Hard to conceal file accesses with dummy traffic that selects locations uniformly at random
  o When files occupy more blocks, access to them is harder to conceal
o Open questions
  o More sophisticated pattern recognition algorithms may extract more info from the sequence of accesses
  o Design of smarter traffic analysis strategies
  o Can such a system be implemented in practice?

Thank you!