TCP/IP Covert Channels


Embedding Covert Channels into TCP/IP
S.J. Murdoch, S. Lewis
University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005

Sweety Chauhan
October 26, 2005
CMSC 691I
Clandestine Channels
Overview
- New and Significant
- Overview of Covert Channels
- TCP/IP based Steganography
- Detection of TCP/IP Steganography
- Conclusion

New and Significant
- Proposed a scheme, “Lathra”, for encoding data in the TCP/IP header that is not detected by the warden
- A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

Covert Channels
- Communication in a non-obvious manner
- Potential methods to get information out of the security perimeter
- Two types:
  - Storage
  - Timing
Types of Covert Channels
- Storage: information conveyed by writing or abstaining from writing; clock not needed
- Timing: information conveyed by the timing of events; receiver needs a clock
Where is this relevant?

The use of covert channels is relevant in organizations that:
- restrict the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications
Network Covert Channels

Information hiding
- placed in network headers AND/OR
- conveyed through action/reaction
Goal: channel undetectable or unobservable
- Network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted

Taxonomy (I)

Network covert channels can be
- Storage-based
- Timing-based
- Frequency-based
- Protocol-based
- any combination of the above
Taxonomy (II)

Each of the above categories constitutes a dimension of data
- Information hiding in the packet payload is outside the realm of network covert channels
- These cases fit into the broader field of steganography
Packet Header Hiding

[Figure: packet layout - IP header (20-64 bytes), TCP header (20-64 bytes), DATA (0-65,488 bytes); labelled fields: TCP Source Port, TCP Destination Port, IP Source Address, IP Destination Address; example payload "This is Information Assurance Class"]

The TCP/IP header can serve as a carrier for a steganographic covert channel
IP Header

[Figure: IP header layout with options field (0-44 bytes); fields that may be used to embed steganographic data]
TCP Header

[Figure: TCP header layout with options field (0-44 bytes), including the Timestamp option]
Storage Based

Information is leaked by hiding data in packet header fields
- IP identification
- Offset
- Options
- TCP Checksum
- TCP Sequence Numbers
Timing Channels (I)

Information is leaked by triggering or delaying events at specific time intervals
Timing Channels (II)
Frequency Based (I)

Information is encoded over many channels of cover traffic
- The order or combination of cover channel access encodes information

Frequency Based (II)
Protocol Based

Exploits ambiguities or non-uniform features in common protocol specifications
Traditional Detection Mechanisms

Statistical methods
- Storage-based: data analysis
- Time-based: time analysis
- Frequency-based: flow analysis
Threat Model
- Passive Warden Threat Model
- Active Warden Threat Model
IP Covert Channel

IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers
- For IP networks:
  - Data hidden in the IP header
  - Data hidden in ICMP Echo Request and Response packets
  - Data tunneled through an SSH connection
  - “Port 80” tunneling (or DNS port 53 tunneling)
  - In image files
IP ID and TCP ISN Implementation

Two fields which are commonly used to embed steganographic data are the IP ID and the TCP ISN
- Due to their construction, these fields contain some structure
- Partially unpredictable
Detection of TCP/IP Steganography

Each operating system exhibits well defined characteristics in the TCP/IP fields it generates
- These characteristics can be used to identify any anomalies that may indicate the use of steganography
- A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems
IP ID Characteristics
1. Sequential Global IP ID
2. Sequential Per-host IP ID
3. IP-ID MSB Toggle
4. IP-ID Permutation
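The first two IP ID tests (sequential global and sequential per-host), applied to a packet trace from one source host, as an added Python illustration of the detection approach on the previous slide; this is not code from the slides or from Murdoch and Lewis, and the (dst_host, ip_id) trace tuples, the MAX_GAP tolerance for uncaptured packets and the label strings are my assumptions.

```python
"""Classify a source host's IP ID generator as sequential-global,
sequential-per-host, or anomalous (consistent with neither)."""
from collections import defaultdict

# Largest gap tolerated between consecutive IDs of one counter: packets the
# sensor missed, or sent to unmonitored hosts, leave small holes. Assumption.
MAX_GAP = 8


def _is_counter(ids, max_gap=MAX_GAP):
    """True if each ID follows its predecessor by 1..max_gap modulo 2**16."""
    return all(1 <= (b - a) % 65536 <= max_gap for a, b in zip(ids, ids[1:]))


def classify_ipid(packets, max_gap=MAX_GAP):
    """packets: time-ordered list of (dst_host, ip_id) sent by one source.
    Test 1: one counter shared across all destinations.
    Test 2: an independent counter per destination host.
    Anything else does not match a known generator and deserves a look."""
    if len(packets) < 2:
        return "insufficient-data"
    ids = [ip_id for _, ip_id in packets]
    if _is_counter(ids, max_gap):
        return "sequential-global"
    per_host = defaultdict(list)
    for dst, ip_id in packets:
        per_host[dst].append(ip_id)
    # The per-host test is vacuous unless some host received >= 2 packets.
    if not any(len(v) >= 2 for v in per_host.values()):
        return "insufficient-data"
    if all(_is_counter(v, max_gap) for v in per_host.values()):
        return "sequential-per-host"
    return "anomalous"


# Constructed traces, not captured data.
GLOBAL_TRACE = [("a", 1000), ("b", 1001), ("a", 1002), ("c", 1004)]
PER_HOST_TRACE = [("a", 10), ("b", 500), ("a", 11), ("b", 501), ("a", 12)]
# IDs that each carry 16 bits of embedded data look like random values and
# match neither generator, so the classifier flags the trace.
STEGO_TRACE = [("a", 0x4E6F), ("a", 0x7468), ("b", 0x696E), ("a", 0x6720)]

if __name__ == "__main__":
    for name, trace in [("global", GLOBAL_TRACE), ("per-host", PER_HOST_TRACE),
                        ("stego", STEGO_TRACE)]:
        print(f"{name}: {classify_ipid(trace)}")
```

Running the classifier per source over successive time windows also catches a generator whose label changes mid-trace, which the single-window check above does not.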
TCP ISN Characteristics
5. Rekey Timer
6. Rekey Counter
7. ISN MSB Toggle
8. ISN Permutation
9. Zero bit 15
10. Full TCP Collisions
11. Partial TCP Collisions
Explicit Steganography Detection

12. Nushu Cryptography
- Encrypts data before including it in the ISN field
- This results in a distribution which is different from that normally generated by Linux, and so it will be detected by the other TCP tests

13. TCP Timestamp
- If a low bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets
- If “too much” randomness is detected in the LSBs, a steganographic covert channel is in use

14. Other Anomalies
- unusual flags (e.g. DF when not expected, ToS set)
- excessive fragmentation
- use of IP options
- non-zero padding
- unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
- excessive re-ordering

Results
Detection-Resistant TCP Steganography Schemes

Lathra: a robust scheme using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
- Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden

Conclusion

TCP/IP header fields can be used as a carrier for a steganographic covert channel
- Two schemes for encoding data with ISNs generated by OpenBSD and Linux
  - indistinguishable from those generated by a genuine TCP stack
Future Work
- Flexible covert channel scheme which can be used in many channels
- Create a protocol for jumping between multiple covert channels
- New schemes to detect different encoding mechanisms in TCP/IP header fields

References
1. Niels Provos, Peter Honeyman. Hide and Seek: An Introduction to Steganography. IEEE Security and Privacy Journal, May-June 2003.
2. Steven J. Murdoch, Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005.
Thanks a lot … for your presence
Any Questions
Homework
Presentation Slides and Research Papers are available at :
www.umbc.edu/~chauhan2/CMSC691I/
Covert Channel Tools
- SSH (SCP, FTP tunneling, Telnet tunneling, XWindows tunneling, ...): can be set to operate on any port (<1024 usually requires root privilege)
- Loki (ICMP Echo R/R, UDP 53)
- NT: Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell Server: looks like an HTTP client (browser); app headers mimic HTTP GET and response commands
Linux 2.0 ISN Generator
Linux ISN and ID generator
OpenBSD ISN generator