Presentation is loading. Please wait.

Presentation is loading. Please wait.

NetWarden: Mitigating Network Covert Channels without Performance Loss

Published byMarshall James Modified over 5 years ago

Similar presentations

Presentation on theme: "NetWarden: Mitigating Network Covert Channels without Performance Loss"— Presentation transcript:

1 NetWarden: Mitigating Network Covert Channels without Performance Loss
Jiarong Xing, Adam Morrison, Ang Chen Rice University

2 Motivation: Mitigating network covert channels
Launch code: 1011 Ah! 1011 TCP hdr: 1011 H E L L O President Launch code Code is 1011 1 1 1 H E L L O Attacker Secretary Covert channels: Storage channels: changing the packet header fields. Timing channels: changing the timing of packets.

3 State of the art: Existing channels
Covert storage channels: TCP initial sequence number channel (Rowland, 1997) IP TTL channel (Qu, 2004) Partial ACK channel (Luo, 2009) Covert timing channels: IP timing channel (Cabuk, 2004) TCP timing channel (Luo, 2008) Physical layer channel (Lee, 2014) Covert channels can leak data over long distance effectively “Common Criteria” require protection against both channel types!

4 State of the art: Storage channel defense
TCP sender TCP hdr: 1011 H E L L O TCP receiver TCP hdr: 1101 H E L L O replace (+2) Repeat for EVERY packets for Tbps traffic Field X = a replace (+2) Field X = a +2 Field X = b replace (+2) Field X = b +2 Field X = c replace (+2) Field X = c +2 Field X = d replace (+2) Field X = d +2 State-of-the-art solutions are software-based Detection: Per-packet header inspection Mitigation: Per-packet header modification As a result, they are very inefficient!

5 State of the art: Timing channel detection
Normal traffic: With channel: Two peaks One peak Distribution of packet gaps 1 Detection: Statistics-based tests over packet gaps Looking for signs of statistical deviation  Not always accurate

6 State of the art: Timing channel mitigation
With channel: After mitigating: H E L O 1 extra delay Mitigation: Add random delay to each packet Destroy the original timing of the packets It will increase the latency of TCP connections

7 Problem: Performance penalty
Detection: Per-packet inspection required Software cannot keep up with Tbps traffic Mitigation: Adding random delay to each packet  Increase latency Collateral damage  Affects legitimate traffic (e.g., false positives)

8 Can we mitigate covert channels while preserving performance?
Key question Can we mitigate covert channels while preserving performance?

9 Approach: NetWarden Launch code: 1011 NetWarden TCP hdr: 1011 H E L L O ???? President 1 1 1 H E L L O Attacker Secretary ToR switch NetWarden: A performance-preserving covert channel defense.

10 Key challenges and solutions
Challenge #1: Efficient detection Solution: Use programmable switches Challenge #2: Performance-preserving mitigation Solution: Performance “boosting” Challenge #3: Hardware limitations Solution: Fastpath/slowpath co-design

11 Outline Motivation: Mitigating network covert channels
State of the art: Performance penalty Approach: NetWarden NetWarden design Challenge #1: Efficient detection Challenge #2: Performance-preserving mitigation Challenge #3: Hardware limitations Initial validation Ongoing work Conclusion

12 Challenge #1: Efficient detection
Memory Switch control plane Problem: Software-based detection cannot handle Tbps traffic. Solution: Detecting covert channels on programmable switches. Programmable switches have two layers: Control plane: General purpose CPU. Data plane: Programmable ASIC.

13 Challenge #2: Performance-preserving mitigation
Problem: Existing mitigations incur performance loss. Solution: Temporarily boosting TCP performance to neutralize the performance penalty. Two boosters: ACK booster: Generate ACK packets in advance. Receive window booster: Enlarge receive window field temporarily. Two boosters: ACK booster: Generate ACK packets in advance. Receive window booster: Enlarge receive window field temporarily.

14 Boosting performance: ACK booster
NetWarden data1 data1 ACK1 ACK1 data2 data2 Performance boosting Creates the illusion of a shorter latency as perceived by the sender.

15 Challenge #3: Hardware limitations
Packet buffers Statistical tests Traffic Fast path (data plane) Slow path (control plane) Storage channel detector Timing channel detector Problem: The data plane has hardware restrictions E.g., does not support packet caching Or complex statistical tests Solution: Fastpath/slowpath co-design

16 Outline State of the art: Performance penalty Approach: NetWarden
Motivation: Mitigating network covert channels State of the art: Performance penalty Approach: NetWarden NetWarden design Challenge #1: Efficient detection Challenge #2: Performance-preserving mitigation Challenge #3: Hardware limitations Initial validation Ongoing work Conclusion

17 Experimental setup Proof-of-concept prototype: Two covert channels:
P4 for fastpath Python for slowpath Runs in software-based simulator. Two covert channels: Channel #1: TCP storage channel Channel #2: IP timing channel Scenario: Client downloads file from NetWarden-protected server Baseline: A naïve defense without performance boosting

18 Results: Effectiveness
Bit decoding error rate (%) Perfect decoding (flip 0/1) 100 75 50 25 50 49 Random guess 4 Perfect decoding No defense Naïve defense NetWarden Naïve defense: renders decoding to a random guess. NetWarden: very close to a random guess. NetWarden can mitigate covert channels effectively.

19 NetWarden can mitigate covert channels with minimal performance loss.
Results: Performance Normalized file downloading time 1.2 1.1 1.0 0.9 1.18 1.00 1.03 No defense Naïve defense NetWarden Naïve defense incurs 18% extra downloading time. NetWarden only incurs 3% extra downloading time. NetWarden can mitigate covert channels with minimal performance loss.

20 Ongoing work How should we divide the labor between fastpath and slowpath? “Optimal” division of labor How much performance boosting should NetWarden perform? Too much  unfair to other connections Too little  cannot neutralize performance loss How can we make NetWarden effective for all TCP variants?

21 Questions? Conclusion Motivation: Mitigating network covert channels
Key limitation of existing approaches: Performance penalty Our approach: NetWarden Using programmable data planes Performance boosting Fastpath/slowpath design The goal of NetWarden: Mitigating covert channels without performance loss! Questions?

Download ppt "NetWarden: Mitigating Network Covert Channels without Performance Loss"

Similar presentations

An Adaptive TCP Protocol for Lossy Mobile Environment Choong Seon Hong Feb. 27, 2003.

An Adaptive TCP Protocol for Lossy Mobile Environment Choong Seon Hong Feb. 27, 2003.
Chapter 3 The Data Link Layer.

Chapter 3 The Data Link Layer.
The Data Link Layer Chapter 3. Data Link Layer Design Issues Services Provided to the Network Layer Framing Error Control Flow Control.

The Data Link Layer Chapter 3. Data Link Layer Design Issues Services Provided to the Network Layer Framing Error Control Flow Control.
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Detecting Covert Timing Channels with Time-deterministic Replay Ang Chen * W. Brad Moore + Hanjun Xiao * Andreas Haeberlen * Linh Thi Xuan Phan * Micah.

Detecting Covert Timing Channels with Time-deterministic Replay Ang Chen * W. Brad Moore + Hanjun Xiao * Andreas Haeberlen * Linh Thi Xuan Phan * Micah.
Experimental evaluation of TCP-L June 5, 2003 Stefan Alfredsson Karlstad University.

Experimental evaluation of TCP-L June 5, 2003 Stefan Alfredsson Karlstad University.
Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.

Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.
Error control An Engineering Approach to Computer Networking.

Error control An Engineering Approach to Computer Networking.
The Transport Layer Chapter 6. The TCP Segment Header TCP Header.

The Transport Layer Chapter 6. The TCP Segment Header TCP Header.
The Transport Layer Chapter 6. Performance Issues Performance Problems in Computer Networks Network Performance Measurement System Design for Better Performance.

The Transport Layer Chapter 6. Performance Issues Performance Problems in Computer Networks Network Performance Measurement System Design for Better Performance.
Adapted from Tanenbaum's Slides for Computer Networking, 4e The Data Link Layer Chapter 3.

Adapted from Tanenbaum's Slides for Computer Networking, 4e The Data Link Layer Chapter 3.
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
TCP Behavior across Multihop Wireless Networks and the Wired Internet Kaixin Xu, Sang Bae, Mario Gerla, Sungwook Lee Computer Science Department University.

TCP Behavior across Multihop Wireless Networks and the Wired Internet Kaixin Xu, Sang Bae, Mario Gerla, Sungwook Lee Computer Science Department University.
CS 218 F 2003 Nov 3 lecture:  Streaming video/audio  Adaptive encoding (eg, layered encoding)  TCP friendliness References: r J. Padhye, V.Firoiu, D.

CS 218 F 2003 Nov 3 lecture:  Streaming video/audio  Adaptive encoding (eg, layered encoding)  TCP friendliness References: r J. Padhye, V.Firoiu, D.
CIS679: RTP and RTCP r Review of Last Lecture r Streaming from Web Server r RTP and RTCP.

CIS679: RTP and RTCP r Review of Last Lecture r Streaming from Web Server r RTP and RTCP.
ISO Layer Model Lecture 9 October 16, 2000. The Need for Protocols Multiple hardware platforms need to have the ability to communicate. Writing communications.

ISO Layer Model Lecture 9 October 16, The Need for Protocols Multiple hardware platforms need to have the ability to communicate. Writing communications.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
On the use of Reliable Multicast for Content Distribution Vassilis Chatzigiannakis

On the use of Reliable Multicast for Content Distribution Vassilis Chatzigiannakis
Review of key networking techniques: –Reliable communication over unreliable channels –Error detection and correction –Medium access control –routing –Congestion.

Review of key networking techniques: –Reliable communication over unreliable channels –Error detection and correction –Medium access control –routing –Congestion.

Similar presentations

Ads by Google