ip covert timing channels design and detection
play

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, - PowerPoint PPT Presentation

Mar 27, 2024 •152 likes •496 views

IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields. Outline Positive Traits Problems Questions Extensions Other Covert Channels Discussion Positive Traits What are the

  1. IP Covert Timing Channels: Design and Detection By Serdar Cabuk, Carla E. Brodley, Clay Shields.

  2. Outline  Positive Traits  Problems  Questions  Extensions  Other Covert Channels  Discussion

  3. Positive Traits  What are the redeeming qualities and/or contributions of this paper?

  4. Problems

  5. Acceptable Test Scenario #1  Team 1 builds the covert channel and generates 3 logs, gives them to team 2.  Team 2 does not know which or even if the logs have a covert channel.  Team 2 tries to detect the covert channel.

  6. Acceptable Test Scenario #2  Team 1 builds the covert channel and generates 3 logs, gives them to Team 2.  Team 2 knows at least one log contains a covert channel, but not which log(s).  Team 2 tries to detect the covert channel.

  7. Testing Methodologies  Double Blind? No  Ideal, but not really plausible in computer science.  Single Blind? No  Eyes wide open? Of course.  A preferred method would be to make all data sets public to have them more openly scrutinized and tested.

  8. Noise introduction  What is the goal of introducing noise in Covert Channel III?  To introduce irregularity  To try to defeat e-similarity

  9. Noise introduction (cont)

  10. Graphs and Data

  11. Edit Distance Better Explained  Four operations: Insert, Delete, Replace, Match.  Edit distance = number of the above operations preformed

  12. Edit Distance Example

  13. Edit Distance in this Paper

  14. False Positive Rates • Seemingly high false positive rates • Lack of an equal error rate and ROC curve make the reported false positive rates useless.

  15. False Positive Rates (cont)

  16. False Positive Rates (cont)

  17. Compression  How does compression impact their detection methods?  How does compression affect inter-arrival time?

  18. On the limits of compression  How do we design an ideal covert channel?  Does this necessarily mandate error connection strategies?  How does this interplay with compression?

  19. Revisited Assumptions  Any reasonable covert timing channel has to have regularity  Random function/seed  IP traffic is irregular and thus can be distinguished from regular covert traffic.  Research shows IP traffic can be regular. View [5].

  20. Questions

  21. Real Threat?  Is this a feasible threat? Why or why not?  Do we need to make covert channel resistant protocols and schemes?  How could we?  Is there a bound on the acceptability of information leakage?

  22. Class Questions  Is edit distance more appropriate than Hamming distance in this setting?  If so, why?  Why do they use a unidirectional channel?

  23. Extensions  “Quantifying how error-correction can be used to mitigate network congestion and improve channel accuracy.”

  24. Extensions (cont)  Looking at the creation of a covert channel in a completely realistic environment. Hide the covert channel in a real distribution by monitoring traffic  Are there protection methods that would detect covert channels trying to blend into distributions?

  25. Extensions (cont)  Can you find a statistical measure that can be proved to be invariable under an entire (non- trivial) class of attacks?

  26. Other Forms of Covert Channels

  27. HTTP Covert Channel  Paper entitled New Covert Channels in HTTP by Mathias Bauer [2]  Uses HTTP to spread information between sites (cookies, meta tags)  Universal Re-encryption  Potentially faster communication speeds  Clients spreading information offer cover

  28. Packet Sorting Channel  For every n objects, they can be ordered n! ways  Can encode information using this by picking specific orderings.  2 shared keys: K and k  K is the length of the packet sequence (IE 24 packets are to be sent)  k is a parameter to the toral automorphism (really fancy PRNG)

  29. Packet Sorting (cont)  There is a final private key that determines which sequence is used  If Alice encodes a message to Bob  Bob generates every sequence for every possible final key  Picks the one that matches, the final key contains the covert message

  30. Subliminal Channel (Broadband)  ElGamal Signatures  R = g^k mod p (where p is a big prime)  S = (M – xr) / k (mod p -1) : M is the message, x is the signer’s private ke, k is a random value  Subliminal channel (Horribly trivial)  1.) Give the recipient the signing key, x  2.) Make “k” a covert message  3.) The recipient recovers k by algebra and has the message

  31. Subliminal Channel (Narrow band)  Suppose the signer wishes to convey 10 bits of information  The signer can try values of k until he/she gets lucky (on average, 1000 tries)  K is again recovered by algebra

  32. References  [1] S. Cabuk, C. Brodley, R. Forte, C. Shields. “IP Covert Timing Channels: An Initial Exploration”. Proceedings of Computer and Communications Security, 2004.  [2] M. Bauer . “New Covert Channels in HTTP: adding unwitting Web browsers to anonymity sets”. Proceedings of the 2003 ACM workshop on Privacy in the electronic society

  33. References (cont)  [3] K. Ahsan and D. Kundur. “Practical Data Hiding in TCP/IP ”. Proceedings Workshop on Multimedia Security at ACM Multimedia 2002 .  [4] RJ Anderson, S Vaudenay, B Preneel, K Nyberg. “The Newton Channel”. IEEE Journal of Selected Areas in Communications, 1998.

  34. References (cont)  [5] V. Paxson, and S. Floyd. “Wide-Area Traffic: the Failure of Poisson Modeling.” IEEE/ACM Transactions on Networking , 1995.

Recommend

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide & Ross Gegan BroCon ESnet Austin, TX Lawrence Berkeley National Laboratory Sept, 13, 2016 Table of Contents Introduction Something Important Part 1: Multi-Notice

862 views • 52 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki

PHY Covert Channels: Can you see the Idles? Ki Suh Lee Chupja Cornell University Joint work with Han Wang, and Hakim Weatherspoon 1

627 views • 38 slides
COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to

COVERT CHANNELS ERIK TEWS <E.TEWS@UTWENTEL.NL> HOUSEKEEPLING Lab on May 30th seems to be problematic for Delft Lab on May 31st seems to be problematic for Twente Systems Security Covert Channels 2 14.05.2018 Prepare to vote 1

1.05k views • 50 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels

Treating Interference as Noise is Optimal for Covert Communication over Interference Channels Kang-Hee Cho and Si-Hyeon Lee School of Electrical Engineering KAIST 2020 ISIT 1 / 14 Covert Communication ^ Y n W Decoder X n W P n Encoder

386 views • 15 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell

Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell

Language-Based Control and Mitigation of Timing Channels Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell Harvard Cornell PLDI 2012 Timing Channels Hard to detect and prevent 2 Timing Channels: Examples

662 views • 30 slides
I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche,

I DPID It My Way! A Covert Timing Channel in Software-Defined Networks Robert Kro sche, Kashyap Thimmaraju , Liron Schiff and Stefan Schmid IFIP Networking 2018 14-16 May, 2018, Zurich, Switzerland 1 Outline 1. Motivation 2. Covert

999 views • 95 slides
Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov,

Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov,

Predictive Mitigation of Timing Channels in Interactive Systems Danfeng Zhang , Aslan Askarov, Andrew C. Myers Cornell University CCS 2011 Timing Channels Hard to detect and prevent 10/20/2011 2 Timing Channels: Examples Cryptographic

664 views • 38 slides
New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng Zhang, Aslan Askarov) Timing channels e adversary can learn (a lot) from timing measurements. Known to exist Hard to detect Hard to prevent

639 views • 40 slides
March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B

Mitigation of Covert Channels About Voting and Computers March 6, 2014 1 Mitigation of Covert Channels 2 About Voting and Computers March 6, 2014 ECS 235B Winter Quarter 2014 Slide 1 Mitigation of Covert Channels About Voting and Computers

416 views • 26 slides
May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels

May 24: Confinement Confinement, non-VM isolation Program modification Covert channels May 24, 2017 ECS 235B Spring Quarter 2017 Slide #1 Compiling Compiler enforces or validates constraints Type-safe language enforces them

313 views • 27 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

785 views • 18 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo Barradas PhD Stage: Planner Advisors: Prof. Lus Rodrigues & Prof. Nuno Santos Research Area: Privacy-Enhancing Technologies Diogo Barradas - EuroSys

395 views • 15 slides
Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard

Stealth Communication with Vanishing Power over Binary Symmetric Channels Diego Lentner, Gerhard Kramer Technical University of Munich Institute for Communications Engineering ISIT 2020 Covert Communication Covert Communication vs. Secrecy:

269 views • 16 slides
Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The

Keyboards and Covert Channels G. Shah, A. Molina, M. Blaze USENIX 2006 Eric Hennenfent The Humble Keylogger Malware Malicious Hardware In-Cable Devices Malicious Keyboards Supply Chain Attacks Malicious BIOS

591 views • 14 slides

More recommend