Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Published byJanice Ryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See."— Presentation transcript:

1 Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the last slide for acknowledgements!

2 Classes of Information Hiding Digital watermarking Steganography Covert channels Anonymous communication Protocol obfuscation CS660 - Advanced Information Assurance - UMassAmherst 2

3 Covert Channels Definition: Communicate information between two computer processes that are not allowed to communicate, by hiding information into shared resources Steganography: hiding information into digital media CS660 - Advanced Information Assurance - UMassAmherst 3

4 Prisoners’ problem Alice, Bob, and Walter CS660 - Advanced Information Assurance - UMassAmherst 4

5 Applications, or Why Use Covert Channels Bypass security policy by malicious/compromised computer processes Evade surveillance Bypass communication restrictions Etc. CS660 - Advanced Information Assurance - UMassAmherst 5

6 What Is the Importance? Difficult to detect Can operate for a long time and leak a substantial amount of classified data Can compromise an otherwise secure system, including one that has been formally verified!

7 Classification: Hiding Method – Storage channel Data transmitted by writing or abstaining from writing, e.g., writing into RAM – Timing channel Data modulated into the timing, or occurrence of events, e.g., the times between network packets CS660 - Advanced Information Assurance - UMassAmherst 7

8 Classification: Shared Resources – Network resource: an existing, legitimate communication channel designed for some purpose  Remote (network) covert channels – Computer resource: RAM, HardDisk, CPU, etc.  Local covert channels CS660 - Advanced Information Assurance - UMassAmherst 8

9 Local Channels CS660 - Advanced Information Assurance - UMassAmherst 9

10 Virtual Machines Shared resources: – CPU – RAM – Disk – Network Examples? CS660 - Advanced Information Assurance - UMassAmherst 10

11 Smartphones Shared resources: – CPU – RAM – Disk – Network – Microphone/speaker – Battery Examples? CS660 - Advanced Information Assurance - UMassAmherst 11

12 Remote (Network) Channels CS660 - Advanced Information Assurance - UMassAmherst 12

13 What is the shared resource here? CS660 - Advanced Information Assurance - UMassAmherst 13

14 Types Timing – E.g., packet timings Storage – E.g., packet headers How about the information hidden in packet payload? – Steganography CS660 - Advanced Information Assurance - UMassAmherst 14

15 Protocol Stack CS660 - Advanced Information Assurance - UMassAmherst 15

16 Packet Header Hiding IP Header TCP Header DATA 20-64 bytes 0-65,488 bytes IP Source Address IP Destination Address TCP Source Port TCP Destination Port This is Information Assurance Class TCP/IP Header can serve as a carrier for acovert channel

17 IP Header 0-44 bytes Fields that may be used to embed covert data

18 TCP Header 0-44 bytes Timestam p

19 Storage Based Information is embedded by hiding data in packet header fields IP identification Offset Options TCP Checksum TCP Sequence Numbers

20 Timing Channels Information is hidden by triggering or delaying events at specific time intervals

21 Timing Channels

22 Detection Mechanisms Storage-based – Data analysis Timing-based – Timing analysis CS660 - Advanced Information Assurance - UMassAmherst 22

23 Threat Model Passive Warden Threat Model – Detect, then remove Active Warden Threat Model – Modify traffic regardless of suspicion – Constraint?

24 IP ID and TCP ISN Implementation Two fields which are commonly used to embed covert data are the IP ID and TCP ISN Due to their construction, these fields contain some structure Partially unpredictable

25 Detection of TCP/IP Covert Channels Each operating system exhibits well defined characteristics in generated TCP/IP fields can be used to identify any anomalies that may indicate the use of steganography Suite of tests applied to network traces to identify whether the results are consistent with known operating systems

26 CS660 - Advanced Information Assurance - UMassAmherst 26

27 CS660 - Advanced Information Assurance - UMassAmherst 27

28 IP ID Characteristics 1.Sequential Global IP ID 2.Sequential Per-host IP ID 3.IP-ID MSB Toggle 4.IP-ID Permutation

29 TCP ISN Characteristics 5.Rekey Timer 6.Rekey Counter 7.ISN MSB Toggle 8.ISN Permutation 9.Zero bit 15 10.Full TCP Collisions 11.Partial TCP Collisions

30 Explicit Steganography Detection 12. Nushu Cryptography encrypts data before including it in the ISN field results in a distribution which is different from normally generated by Linux and so will be detected by the other TCP tests

31 13. TCP Timestamp If a low bandwidth TCP connection is being used to leak information a randomness test can be applied to the least significant bits of the timestamps in the TCP packets If “ too much “ randomness is detected in the LSBs → a steganographic covert channel is in use

32 14. Other Anomalies unusual flags (e.g. DF when not expected, ToS set) excessive fragmentation use of IP options non-zero padding unexpected TCP options (e.g. timestamps from operating systems which do not generate them) excessive re-ordering

33 Results

34 Accuracy No false negatives Possible false positives The accuracy depends on the size of observation CS660 - Advanced Information Assurance - UMassAmherst 34

35 Detection-Resistant Schemes Lathra - Robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden

36 Other Network Channels CS660 - Advanced Information Assurance - UMassAmherst 36

37 ICMP Channels ICMP echo request/reply can tunnel arbitrary user data – Payload capacity depends on path MTU (this feature often used to measure PMTU) www.erg.abdn.ac.uk/users/gorry Sohn, Noh, Moon 2003, “Support Vector Machine Based ICMP Covert Channel Attack Detection”

38 HTTP Channels Fields in the header – Infranet – StegoTorus

39 DNS Channels DNS can hold arbitrary text in its various fields High bandwidth: 110-220 bytes per request! – Used for SSH, streaming audio Not yet filtered by firewalls Proof of concept available: OzyManDNS (http://www.doxpara.com)http://www.doxpara.com

40 Channel Detection and Analysis

41 Analysis Techniques Information flow – Operates at high-level language level – Often overestimates flows, flags non-existant flows Noninterference – Analysis performed on abstract model, not real system Shared Resource Matrix – Very popular with systems folks Sabelfeld, Myers 2003, “Language-Based Information-Flow Security”

42 Shared Resource Matrix Kemmerer 1983, “Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels”

43 Active Channel Mitigation

44 Fuzzy Time All covert timing channels rely on accurate clock You can either attempt to disrupt the timing of the channel (add noise or slow it down), or reduce the accuracy of the clock VAX security kernel slows down timer interrupt periods to be uniformly distributed with a mean of 20 ms. Randomly modifies the completion time of I/O requests, so they can’t be used as a clock Hu 1991, “Reducing Timing Channels with Fuzzy Time”

45 Lattice Scheduling Many local covert channels require simultaneous operation of spy and Trojan Process scheduler can be modified to prevent this situation Hu 1992, “Lattice Scheduling and Covert Channels”

46 Wrapping Up Do covert channels pose a real threat? – Some are difficult to exploit, requiring a skillful attacker – Others are fairly easy to exploit: Acoustic keylogger HTTP tunnels – Definitely a threat!

47 Classes of Information Hiding Digital watermarking Steganography Covert channels Anonymous communication Protocol obfuscation CS660 - Advanced Information Assurance - UMassAmherst 47

48 Side Channels Similar to covert channels, but information is leaked unintentionally Examples? CS660 - Advanced Information Assurance - UMassAmherst 48

49 Acknowledgement Some of the slides, content, or pictures are borrowed from the following resources, and some pictures are obtained through Google search without being referenced below: TCP/IP covert channels -UMBC Covert Channels, by Michael LeMay @UIUC 49

Download ppt "Information Hiding: Covert Channels Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See."

Similar presentations

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.

Censorship Resistance: Decoy Routing Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Information Hiding: Watermarking and Steganography

Information Hiding: Watermarking and Steganography
Covert Channels in TCP and IP Headers Drew Hintz

Covert Channels in TCP and IP Headers Drew Hintz
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.

Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Embedding Covert Channels into TCP/IP

Embedding Covert Channels into TCP/IP
What Can IP Do? Deliver datagrams to hosts – The IP address in a datagram header identify a host IP treats a computer as an endpoint of communication Best.

What Can IP Do? Deliver datagrams to hosts – The IP address in a datagram header identify a host IP treats a computer as an endpoint of communication Best.

Similar presentations

Ads by Google