Transcript Covert Channel Creation through VPN

Covert Channel Creation
through VPN
Prepared by Isakov Yehiel
Under Supervision of Dr. Gabi Nakibly
What is a covert channel ?

Definition A:
Covert channel is a mechanism by which a process at a high
security level leaks information to a process at a low security
level that would otherwise not have access to it (usually not
intended for information transfer at all).

Definition B:
Any information channel that can be exploited by a process to
transfer information in a manner that violates the systems
security policy (U.S. Department of Defense).
… or simply speaking …

There are Alice, Bob and warden Wendy
(in simpler schematics there is no Wendy).



A is trying to communicate with B through a
shared resource R (file / network channel /
CPU) while being watched by W.
Sometimes there are more entities that just
make noise.
How can B filter the noise ?!
Project Setting



There is a computer network with more than a one
computer (naturally ).
All of the communication from this network passes
through VPN Gateway (which works using FCFS
algorithm).
One of the computers is compromised (has a Trojan
Horse T). T is trying to establish a covert
communications channel with Peer that sits on the
channel that VPN Gateway transmits.
Project Setting (cont.)



Detection computer D is between VPN and
P: checks all of outgoing communications
from the Network and “cuts” the outgoing
communications if senses something fishy …
Peer receives not only the packets that
Trojan sends: it has to filter out Trojan’s
packets from the noise.
Since VPN encrypts packet contents Trojan
can only manipulate packet sizes and PIATs
Project Setting (Schematics)
Existing methods




There are not much! Actually, there are none
within the given project settings.
It is due to unique setting of the problem.
For example, most of the existing noisy
covert channels in network use protocol
fields (like TTL, Options in TCP/IP).
One can not do that in this case.
Existing methods (cont.)



However, existing examples in CPU and file
system are interesting, though not relevant.
For more information see the literature
review document (to be released soon).
It also contains an example of a “burst
channel” that eventually develops into a
method (all in review document).
Method Selection



PIATs are very sensitive to network status.
Complex maintenance technique is needed
in order to keep PIATs consistent in
transitions.
On the other hand sizes remain the same all
the time (do not change in transitions).
Therefore we’ll choose communication
through “smart” packet size selections.
Method I




Learn normal communications.
Define m keys
Select two hashing functions f and g and a
natural number
To send “1” for the ith time generate packets
of sizes
and send them to Peer through VPN.
Method I (cont.)



To send “0” for the ith time generate packets
of sizes
and send the to Peer through VPN.
PIATs for sending sequences for “1” and “0”
are set according to learned PIATs.
In order to decode the message Peer (that
also has the keys and the functions) simply
reconstructs the original sequence.
Some implementation details

Hashing algorithm is based upon Knuth’s
hashing method for small numbers:

Key creation algorithm makes sure that the
keys are “random” and suite the learned
packet size distribution (but do not come
from it! Details in literature review).
Analysis

Error probability is very low:

Suppose that normal communication rate is
CR bits per second. Assume that every
source transmits with the same rate. If there
are N sources then Trojan must transmit
СR/N bits per second.
Analysis (cont.)



In order to transmit “1” Trojan must transmit
at most
and for “0” Denote M as maximum between those two
values.
Therefore Trojan’s optimal trans. rate is:
Method II




Number theory based.
While learning count packets with special sizes –
Pythagorean Squares and 1-pseudo Pythagorean
Squares.
Find such packet ratios (number of special packets /
total number of packets).
Generate PSList and 1PseudoPSList (one contains
PSes from min to max, the other – 1-Pseudo PSes).
Method II



If Trojan wants to transmit “1” it sends k
1-pseudo PS sized squares from
1PseudoPSList.
If Trojan wants to transmit “0” it sends m
1-pseudo PS sized squares from PSList.
k and m are determined during learning process.
They are set in such manner that Peer will
detect the according ration changes and it will be
an indication of transmission.
Analysis

Error probability is:

transmission rate analysis is the similar to
Method I analysis.
Method II was not implemented yet!

Analysis (cont.)



Determining how Peer will see k and m
impact is not simple. That is what sets back
the implementation. Channel works only in
noiseless setting.
One way is to check rates at certain time
windows and determine how noise affects
the “special” packets distribution.
Final implementation will follow the literature
review document.
Execution Results

Method I:
1. Works without noise, 0% error in transmission.
2. Works with 50% noise, 0% error in transmission.
3. Assumption: very noise-proof and robust.

Method II:
1. Works without noise, 0% error in transmission.
2. Doesn’t work in noisy environments … yet …
Execution Results (cont.)

A reminder … doesn’t work yet …
Conclusions




Developing an algorithm for a cover channel
creation under so many constraints is
difficult.
Method I provides a simple and robust
method for solving this problem.
It defines a “non-statistical” sample property.
Method II continues with the same notion
(although needs some refinement).
Conclusions (cont.)



Non-statistical properties are sometimes
easy to define, but difficult to implement (like
in Method II case).
Detection is almost impossible for a certain
channels based on such approach.
Non-statistical properties use “difficult”
(almost NP-hard) properties to define
pattern.
The End
Thanks for your time
I hope you enjoyed the lecture 