covert channels in tcp ip attack and defence
play

Covert channels in TCP/IP: attack and defence The creation and - PowerPoint PPT Presentation

Jun 14, 2023 •538 likes •915 views

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

  1. Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer Laboratory University of Cambridge 22nd Chaos Communication Congress

  2. Scenario Alice Bob Walter

  3. Threat model • Walter is a passive warden , trying to detect unauthorised communication from Alice to Bob • To break this policy, Alice uses a covert channel • Walter knows which OS Alice is running • Alice sends message hidden in cover-text • The cover-text must be received intact • Alice requires indistinguishability • Subject to these constraints, Alice would like to maximise the available bandwidth • Techniques to achieve these goals are known as steganography

  4. Protocol stack Type: IP, From: 00:11:11:0e:08:ea, Ethernet To: 00:00:0c:07:ac:01 Type: TCP, ToS: 0, Flags: 4, ID:6801, IP From: 128.232.0.20, To: 213.73.91.29, ... Seq: 3622491521, Ack: 1380426457 TCP From: port 37633, To: port 80, ... GET /congress/2005/ HTTP/1.0 ...

  5. Why TCP/IP • Lower levels (Ethernet) will not reach Bob • Alice might not be able to control which applications she runs • So higher level protocols might not be available • Almost all network applications use TCP/IP • So Alice can use this without raising suspicion

  6. IP 0 3 4 7 8 15 16 18 19 23 24 31 Total Length Version IHL Type of Service Flags Fragment Offset Identification Time to Live Protocol Header Checksum Source Address Destination Address Padding Options

  7. Fragmentation • If IP packets are too large to fit into the lower layer, they can be fragmented • Data could be encoded by changing • The size of fragments • The order of fragments • IP gives no guarantees of in-order delivery • So IP packets can be re-ordered • All these are predictable, so while the cover-text will get through, Walter can see the steganography

  8. Seldom used IP options • ToS: Used for altering quality of service • Almost never used, so easily detectable • Flags: Used to signal fragmentation • Predictable based on context, so easily detectable • IP options (different from TCP options) • Seldom used now, so easily detectable

  9. IP ID • Unique value associated with each IP packet • Used to re-assemble fragments • Commonly implemented (e.g. Linux) as a per-destination counter • This is to prevent idle-scanning • Linked to TCP (details later) • Violating this would result in easy detection • Respecting this dramatically reduces bandwidth

  10. TCP 0 3 4 9 10 15 16 23 24 31 Source Port Destination Port Sequence Number Acknowledgement Number Flags Offset Reserved Window Urgent Pointer Checksum Options (including timestamp) Padding

  11. TCP timestamp • Option available in TCP packets which allows hosts to measure round-trip-time • Available in most modern operating systems, but off by default in Windows • Stores the time packet was sent, according to a 1 Hz–1 kHz clock • Predictable, but packets can be delayed to force this value to be odd or even, allowing 1 bit per packet to be sent • With high-bandwidth connections, where many packets with the same timestamp are normally sent out, this scheme can be detected

  12. TCP initial sequence number • When TCP connection is first built, each side picks an initial sequence number (ISN) , used for reliability and flow control. • To prevent IP address spoofing, this number should be hard to guess • While there have been problems in the past, all modern operating systems now do this • It is large (32 bits), and because it is unpredictable to outsiders, including Walter, this field is the most useful for steganography. • However using it properly is far from simple

  13. Nushu • Presented by Joanna Rutkowska at 21C3 • Steganographic covert channel implemented for Linux • Also includes error recovery • Uses clever kernel tricks to hide from local detection (outside the scope of this talk) • Replaces ISN with encrypted message (so should look random)

  14. Catching Nushu Unmodified Linux Nushu 4.29e+09 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 9.30e+08 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 3e+09 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● Next ISN ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 9.20e+08 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 2e+09 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 906500000 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ●● ● 11710000 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 907100000 9.20e+08 9.30e+08 11470000 2e+09 3e+09 4.28e+09 Current ISN Current ISN

  15. Nushu encryption Source Port Address Destination Port Address "NU" Key DES Message New ISN

  16. Nushu encryption Frequent duplications Source Port Address Destination Port Address "NU" Key DES Message New ISN

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Chupja Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1

627 views • 38 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

496 views • 34 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

784 views • 18 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work

FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work

FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work with Laurent Vanbever & Manya Ghobadi An old story An old story Fan-in causing queue built-up Switch Senders Receivers An

1.04k views • 85 slides
Dataflow Network Programming with Neuron Eric Griffis RacketCon 2018 St. Louis, MO 1 I. Meet

Dataflow Network Programming with Neuron Eric Griffis RacketCon 2018 St. Louis, MO 1 I. Meet

Dataflow Network Programming with Neuron Eric Griffis RacketCon 2018 St. Louis, MO 1 I. Meet Nick 2 Nick cares about cancer 3 Curing cancer is expensive 4 5 6 II. Enter Neuron 7 The Neuron Framework concurrency model messaging API

580 views • 28 slides
Cap Sante North & West Basin Upland Redevelopment Council Briefjng - February 24, 2020

Cap Sante North & West Basin Upland Redevelopment Council Briefjng - February 24, 2020

Cap Sante North & West Basin Upland Redevelopment Council Briefjng - February 24, 2020 Overview Project Process and Purpose Development Plan Site Plan Rationale Event Center Building Design Parking Strategy

840 views • 61 slides
Consistent Reads Using ProxySQL and GTID Santa Clara, California | April 23th 25th, 2018

Consistent Reads Using ProxySQL and GTID Santa Clara, California | April 23th 25th, 2018

Consistent Reads Using ProxySQL and GTID Santa Clara, California | April 23th 25th, 2018 Disclaimer I am not Ren Canna @lefred MySQL Community Manager / Oracle the one who provided a hint for this not the one

1.27k views • 50 slides
NFS Don Porter CSE 506 together as the !handle for a rue. The inode generation number is

NFS Don Porter CSE 506 together as the !handle for a rue. The inode generation number is

NFS Don Porter CSE 506 together as the !handle for a rue. The inode generation number is necessary because the server may hand out an !handle with an inode number of a file that is later removed and the inode J reused. When the original

617 views • 24 slides
Information Management for Business Dr. Tom Acton 1 2 3 Huh? Whats an organisation?

Information Management for Business Dr. Tom Acton 1 2 3 Huh? Whats an organisation?

Information Management for Business Dr. Tom Acton 1 2 3 Huh? Whats an organisation? What do businesses do anyway? What are the parts of a business, and what has technology got to do with any of it? And hold on , whats

197 views • 16 slides
Management Nima Honarmand (Based on slides by Don Porter and Mike Ferdman) Fall 2014 :: CSE 506

Management Nima Honarmand (Based on slides by Don Porter and Mike Ferdman) Fall 2014 :: CSE 506

Fall 2014 :: CSE 506 :: Section 2 (PhD) Page Frame Management Nima Honarmand (Based on slides by Don Porter and Mike Ferdman) Fall 2014 :: CSE 506 :: Section 2 (PhD) Recap and background Page tables: translate virtual addresses to physical

366 views • 24 slides
Buying Service Wisconsin Retirement System etf.wi.gov Randall Porter Presenter The Department

Buying Service Wisconsin Retirement System etf.wi.gov Randall Porter Presenter The Department

Buying Service Wisconsin Retirement System etf.wi.gov Randall Porter Presenter The Department of Employee Trust Funds has made every effort to ensure that this webinar is current and accurate. However, changes in the law or processes since 1

470 views • 18 slides

More recommend