PHY Covert Channels: Can you see the Idles? Ki Suh Lee Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1 첩자첩자 Chupja.

Slides:

Advertisements

Similar presentations

Spring 2000CS 4611 Introduction Outline Statistical Multiplexing Inter-Process Communication Network Architecture Performance Metrics.

Advertisements

 Implementation of physical and data link layer in software  Real-time access to network stack  Real-time traffic monitoring  Fine-grained control.

OSI MODEL Maninder Kaur

Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.

CacheCast: Eliminating Redundant Link Traffic for Single Source Multiple Destination Transfers Piotr Srebrny, Thomas Plagemann, Vera Goebel Department.

COMMUNICATION TECHNOLOGY by Shashi Bhushan School of Computer and Information Sciences.

Sang-Chun Han Hwangjun Song Jun Heo International Conference on Intelligent Hiding and Multimedia Signal Processing (IIH-MSP), Feb, /05 Feb 2009.

Networking Theory (Part 1). Introduction Overview of the basic concepts of networking Also discusses essential topics of networking theory.

1 Fall 2005 Protocols and layering Qutaibah Malluhi Computer Science and Engineering Qatar University.

Circuit Switching (a) Circuit switching. (b) Packet switching.

Chapter 5 Link Layer slides are modified from J. Kurose & K. Ross CPE 400 / 600 Computer Communication Networks Lecture 20.

04/26/2004CSCI 315 Operating Systems Design1 Computer Networks.

1 Link Layer & Network Layer Some slides are from lectures by Nick Mckeown, Ion Stoica, Frans Kaashoek, Hari Balakrishnan, and Sam Madden Prof. Dina Katabi.

Timing is Everything: Accurate, Minimum Overhead, Available Bandwidth Estimation in High-speed Wired Networks Han Wang, Ki Suh Lee, Erluo Li, Chiun Lin.

1 Chapter 10 Introduction to Metropolitan Area Networks and Wide Area Networks Data Communications and Computer Networks: A Business User’s Approach.

Network Analysis -- Available Bandwidth Estimation Using SoNIC Junyu Chen, Yicheng Liang, Zhihong Liu Cornell University 1.

Data Center Traffic and Measurements: Available Bandwidth Estimation Hakim Weatherspoon Assistant Professor, Dept of Computer Science CS 5413: High Performance.

5: DataLink Layer5-1 Chapter 5 Link Layer and LANs Part 1: Overview of the Data Link layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose,

 Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the.

Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.

1 Networks and Telecommunications. 2 Applying Telecommunications in Business TELECOMMUNICATIONS – the transmission of data between devices in different.

Introduction1-1 Data Communications and Computer Networks Chapter 5 CS 3830 Lecture 27 Omar Meqdadi Department of Computer Science and Software Engineering.

CSCI-235 Micro-Computer in Science The Network. © Prentice-Hall, Inc Communications  Communication is the process of sending and receiving messages 

CS 640: Introduction to Computer Networks Aditya Akella Lecture 5 - Encoding and Data Link Basics.

Computer Networks: Multimedia Applications Ivan Marsic Rutgers University Chapter 3 – Multimedia & Real-time Applications.

High Performance Computing & Communication Research Laboratory 12/11/1997 [1] Hyok Kim Performance Analysis of TCP/IP Data.

Internet Addresses. Universal Identifiers Universal Communication Service - Communication system which allows any host to communicate with any other host.

Introduction to Networks CS587x Lecture 1 Department of Computer Science Iowa State University.

1 Chapter 16 Protocols and Protocol Layering. 2 Protocol  Agreement about communication  Specifies  Format of messages (syntax)  Meaning of messages.

EITnotes.com For more notes and topics visit:

1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.

Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Data Link Layer Part I – Designing Issues and Elementary.

Covert Channels Thomas Arnold CSCI 5235/Summer /12/2010.

MODULE I NETWORKING CONCEPTS.

An Overlay Network Providing Application-Aware Multimedia Services Maarten Wijnants Bart Cornelissen Wim Lamotte Bart De Vleeschauwer.

Review:. Chapter 3: The Data Link Layer –achieve reliable, efficient communication between two physically connected machines. –Example problems to be.

ﺑﺴﻢﺍﷲﺍﻠﺭﺣﻣﻥﺍﻠﺭﺣﻳﻡ. Group Members Nadia Malik01 Malik Fawad03.

ICOM 6115©Manuel Rodriguez-Martinez ICOM 6115 – Computer Networks and the WWW Manuel Rodriguez-Martinez, Ph.D. Lecture 13.

CS 164: Slide Set 2: Chapter 1 -- Introduction (continued).

Experiences with Multimedia Streaming over 2.5G and 3G Networks J. Chesterfield, R. Chakravorty, J. Crowcroft, P. Rodriguez, S. Banerjee Presented by Denny.

Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College.

Chapter 5 Link Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Link Layer introduction,

Lecture (Mar 23, 2000) H/W Assignment 3 posted on Web –Due Tuesday March 28, 2000 Review of Data packets LANS WANS.

BZUPAGES.COM Presentation on TCP/IP Presented to: Sir Taimoor Presented by: Jamila BB Roll no Nudrat Rehman Roll no

Prepared by Engr.Jawad Ali BSc(Hons)Computer Systems Engineering University of Engineering and Technology Peshawar.

LE427 Data communication and networks Jarree Chaicharn, Ph.D. รศ ดร จรี ไชยชาญ

SEPT, 2005CSI Part 2.1 Network Properties (Ownership, Service Paradigm, Measures of Performance) Robert Probert, SITE, University of Ottawa.

An Efficient Gigabit Ethernet Switch Model for Large-Scale Simulation Dong (Kevin) Jin.

Chapter 3: Network Protocols and Communications

Protocol Layering Chapter 11.

An Efficient Gigabit Ethernet Switch Model for Large-Scale Simulation Dong (Kevin) Jin.

Presented By: Gavin Worden Leased Lines vs. Internet Based VPNs.

Networks and the Internet Topic 3. Three Important Networking Technologies Networks, Internet, WWW.

TCP transfers over high latency/bandwidth networks & Grid DT Measurements session PFLDnet February 3- 4, 2003 CERN, Geneva, Switzerland Sylvain Ravot

Introduction to Quality of Service Klara Nahrstedt CS 538.

Network Layer4-1 Chapter 5: The Data Link Layer Our goals: r understand principles behind data link layer services: m error detection, correction m sharing.

Building A Network: Cost Effective Resource Sharing

TCP/IP Protocol Suite Suresh Kr Sharma 1 The OSI Model and the TCP/IP Protocol Suite Established in 1947, the International Standards Organization (ISO)

Week #8 OBJECTIVES Chapter #5. CHAPTER 5 Making Networks Work Two Networking Models –OSI OPEN SYSTEMS INTERCONNECTION PROPOSED BY ISO –INTERNATIONAL STANDARDS.

Network Models. The OSI Model Open Systems Interconnection (OSI). Developed by the International Organization for Standardization (ISO). Model for understanding.

1. Layered Architecture of Communication Networks: Circuit Switching & Packet Switching.

Protocols and layering Network protocols and software Layered protocol suites The OSI 7 layer model Common network design issues and solutions.

Chap. 2 Network Models.

Data Center Networks and Switching and Queueing

Instructor Materials Chapter 3: Network Protocols and Communications

Data Center Traffic and Measurements: SoNIC

Prof. Hakim Weatherspoon

SoNIC: Covert Channels over High Speed Cloud Networks

NetWarden: Mitigating Network Covert Channels without Performance Loss

Presentation transcript:

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1 첩자첩자 Chupja

첩자 (chupja) 2

Network Covert Channels Hiding information – Through communication not intended for data transfer 3

Network Covert Channels Hiding information – Through communication not intended for data transfer – Using legitimate packets (Overt channel) Storage Channels: Packet headers Timing Channels: Arrival times of packets 4

Network Covert Channels Hiding information – Through communication not intended for data transfer – Using legitimate packets (Overt channel) Storage Channels: Packet headers Timing Channels: Arrival times of packets 5

Goals of Covert Channels Bandwidth – How much information can be delivered in a second Robustness – How much information can be delivered without loss / error Undetectability – How well communication is hidden 6

Goals of Covert Channels Bandwidth – How much information can be delivered in a second – 10~100s bits per second Robustness – How much information can be delivered without loss / error – Cabuk’04, Shah’06 Undetectability – How well communication is hidden – Liu’09, Liu’10 7 Application Transport Network Data Link Physical

8 Current network covert channels are implemented in L3~4 (TCP/IP) layers and are extremely slow.

Chupja: PHY Covert Channel Bandwidth – How much information can be delivered in a second – 10~100s bits per second Robustness – How much information can be delivered without loss / error – Bit Error Rate < 10% Undetectability – How well communication is hidden – Invisible to detection software 9 Application Transport Network Data Link Physical -> 10s~100s Kilo bits per second

10 Chupja is a network covert channel which is faster than priori art. It is implemented in L1 (PHY), robust and virtually invisible to software.

Outline Introduction Design Evaluation Conclusion 11

Outline Introduction Design – Threat Model – 10 Gigabit Ethernet Evaluation Conclusion 12

Threat Model 13 Application Transport Network Data Link Physical Application Transport Network Data Link Physical Application Transport Network Data Link Physical Application Transport Network Data Link Physical SenderReceiver Passive Adversary Commodity Server Commodity NIC

10 Gigabit Ethernet Idle Characters (/I/) – Each bit is ~100 picosecond wide – 7~8 bit special character in the physical layer – 700~800 picoseconds to transmit – Only in PHY 14 Packet iPacket i+1Packet i+2 Application Transport Network Data Link Physical

Interpacket delays (D) and gaps (G) Homogeneous packet stream – Same packet size, – Same IPD (IPG), – Same destination Terminology 15 IPG Packet iPacket i+1 IPD Packet iPacket i+1Packet i+2

Chupja: Design Homogeneous stream Sender Receiver 16 Packet iPacket i+1Packet i+2 G - ƐG + Ɛ D - ƐD + Ɛ ‘0’‘1’Packet iPacket i+2 G i G i+1 DiDi D i+1 ‘0’‘1’Packet i+1Packet iPacket i+2 GG DD IPG Packet i+1

Chupja: Design With shared G – Encoding ‘1’: G i = G + ε – Encoding ‘0’: G i = G - ε 17 Packet iPacket i+1Packet i+2 G - ƐG + Ɛ D - ƐD + Ɛ ‘0’‘1’

Implementation SoNIC [NSDI ’13] – Software-defined Network Interface Card – Allows control and access every bit of PHY In realtime, and in software 50 lines of C code addition 18 Application Transport Network Data Link Physical

Outline Introduction Design Evaluation – Bandwidth – Robustness – Undetectability Conclusion 19

Evaluation What is the bandwidth of Chupja? How robust is Chupja? – Why is Chupja robust? How undetectable is Chupja? 20

What is the bandwidth of Chupja? 21

Evaluation: Bandwidth Covert bandwidth equals to packet rate of overt channel B 1Gbps 81kbps

How robust is Chupja? 23

Boston Cornell (Ithaca) Cornell (NYC)NLR (NYC) Chicaco Cleveland Sender Receiver SW1 SW2 SW3SW4 Sender Receiver Evaluation Setup Small Network – Six commercial switches – Average RTT: ms National Lambda Rail – Nine routing hops – Average RTT: 67.6ms – 1~2 Gbps External Traffic 24

Evaluation: Robustness Overt Channel at 1 Gbps (D = 12211ns, G=13738 /I/s) Covert Channel at 81 kbps 25 ? SenderReceiver 7.7%2.8% 8.9%

? Evaluation: Robustness Overt Channel at 1 Gbps (D = 12211ns, G=13738 /I/s) Covert Channel at 81 kbps Modulating IPGS at 1.6us scale (=2048 /I/s) 26 SenderReceiver 7.7%2.8% 8.9%

Why is Chupja robust? 27

Evaluation: Why? Switches do not add significant perturbations to IPDs Switches treat ‘1’s and ‘0’s as uncorrelated – Over multiple hops when there is no external traffic. – With external traffic 28

Evaluation: Why? Switches do not add significant perturbations to IPDs Switches treat ‘1’s and ‘0’s as uncorrelated – Over multiple hops when there is no external traffic. – With external traffic 29 Sender Homogeneous 1518B at 1 Gbps ReceiverSender Chupja (Ɛ = 256/I/s) 1518B at 1 Gbps Receiver

Evaluation: Why? Switches do not add significant perturbations to IPDs Switches treat encoded ‘0’ and ‘1’ as uncorrelated – Over multiple hops when there is no external traffic hop3 hop6 hop9 hop12 hop15 hop D - Ɛ 90% in D - Ɛ ± 250ns 1 hop3 hop6 hop9 hop12 hop 90% in D ± 250ns Homogeneous streamChupja stream ( Ɛ=256/I/s ) 90% in D ± 100ns 90% in D – Ɛ ± 100ns D + Ɛ

Evaluation: Why? 31 Boston Cornell (Ithaca) Cornell (NYC)NLR (NYC) Chicaco Cleveland Most of IPDs are within some range from original IPD – Even when there is external traffic. Encoded ‘Zero’ Encoded ‘One’ SenderReceiver Ɛ (/I/s) (ns) 256 (=204.8ns) 512 (=409.6) 1024 (=819.2) 2048 (=1638.4) 4096 (=3276.8) BER

Evaluation: Why? Switches do not add significant perturbations to IPDs Switches treat ‘1’s and ‘0’s as uncorrelated – Over multiple hops when there is no external traffic. – With external traffic 32 ? SenderReceiver 1518B at 1 Gbps With sufficiently large Ɛ, the interpacket spacing holds throughout the network, and BER is less than 10%

How undetectable is Chupja? 33

Evaluation: Detection Setup Commodity server with 10G NIC – Kernel timestamping 34 NLR Sender Kernel timestamping Receiver NLR Sender SoNIC timestamping Receiver

Evaluation: Detection 35 Adversary cannot detect patterns of Chupja Kernel TimestampingSoNIC Timestamping Ɛ = 1024 Ɛ = 4096 Ɛ = 1024 Ɛ = 4096

Evaluation: Summary What is the bandwidth of Chupja? – 10s~100s Kilo bits per second How robust is Chupja? – BER < 10% over NLR – Why is Chupja robust? Sufficiently large Ɛ holds throughout the network How undetectable is Chupja? – Invisible to software 36

Conclusion Chupja: PHY covert channel – High-bandwidth, robust, and undetectable Based on understanding of network devices – Perturbations from switches – Inaccurate endhost timestamping & GENI (ExoGENI)!!! 37 첩자첩자

Thank you 38