
Embedding Covert Channels into TCP/IP

S.J. Murdoch, S. Lewis


University of Cambridge, United Kingdom
7th Information Hiding Workshop, June 2005

Sweety Chauhan, October 26, 2005

CMSC 691I

Clandestine Channels

Overview

- New and Significant
- Overview of Covert Channels
- TCP/IP based Steganography
- Detection of TCP/IP Steganography
- Conclusion


New and Significant

- Proposed a scheme, Lathra, for encoding data in the TCP/IP header that is not detected by the warden
- A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key


Covert Channels

- Communication in a non-obvious manner
- Potential methods to get information out of the security perimeter
- Two types: storage and timing


Types of Covert Channels

Storage channel: information is conveyed by writing or abstaining from writing; no clock is needed.
Timing channel: information is conveyed by the timing of events; the receiver needs a clock.


Where is this relevant?

The use of covert channels is relevant in organizations that:

- restrict the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications

Network Covert Channels

- Information hiding placed in network headers and/or conveyed through action/reaction
- Goal: a channel that is undetectable or unobservable
- Network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted


Taxonomy (I)

Network covert channels can be:

- Storage-based
- Timing-based
- Frequency-based
- Protocol-based
- any combination of the above


Taxonomy (II)

- Each of the above categories constitutes one dimension along which data can be hidden
- Information hiding in the packet payload is outside the realm of network covert channels; these cases fit into the broader field of steganography


Packet Header Hiding

(Figure: packet layout. IP header 20-64 bytes, TCP header 20-64 bytes, data 0-65,488 bytes; the example payload reads "This is Information Assurance Class". Labelled fields: IP source address, IP destination address, TCP source port, TCP destination port.)

The TCP/IP header can serve as a carrier for a steganographic covert channel.


IP Header

(Figure: IP header layout with 0-44 bytes of options, showing the fields that may be used to embed steganographic data.)


TCP Header

(Figure: TCP header layout with 0-44 bytes of options, including the Timestamp option.)
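As an added example (not code from the paper or these slides), the following Python parses a constructed IPv4/TCP packet and pulls out the header fields the slides name as carriers: the IP ID, the TCP sequence number (ISN on a SYN), and the TCP timestamp option. The packet bytes, addresses and port numbers are constructed for the demonstration; checksums are left at zero and not verified.

```python
import struct

# Constructed IPv4 + TCP SYN with a timestamp option (no payload, checksums left zero).
# IP ID 0x1234, DF set, sequence 0xDEADBEEF, TSval 100, TSecr 0; addresses are made up.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0xDEADBEEF, 0, 8 << 4, 0x02, 65535, 0, 0)
TCP_OPTS = bytes([1, 1, 8, 10]) + struct.pack("!II", 100, 0)   # NOP, NOP, Timestamp(8) len 10
PACKET = IP_HDR + TCP_HDR + TCP_OPTS


def carrier_fields(pkt):
    """Extract the header fields the slides list as steganographic carriers."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, flags_frag = struct.unpack_from("!HH", pkt, 4)
    fields = {"ip_id": ip_id,
              "df": bool(flags_frag & 0x4000),      # DF where not expected is an anomaly hint
              "ip_options": ihl > 20}               # IP options are another listed carrier
    if pkt[9] != 6:                                 # not TCP: nothing more to extract
        return fields
    tcp = pkt[ihl:]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    fields.update({"sport": sport, "dport": dport, "seq": seq, "tsval": None, "tsecr": None})
    opts, i = tcp[20:doff], 0
    while i < len(opts):                            # walk the TCP option list
        kind = opts[i]
        if kind == 0:                               # End of Option List
            break
        if kind == 1:                               # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # truncated or malformed length: stop
            break
        length = opts[i + 1]
        if kind == 8 and length == 10 and i + 10 <= len(opts):   # Timestamp option
            fields["tsval"], fields["tsecr"] = struct.unpack_from("!II", opts, i + 2)
        i += length
    return fields
```

The same function can be fed packets read from a pcap to collect the per-host IP ID, ISN and timestamp series that the detection tests later in the slides operate on.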


Storage Based

Information is leaked by hiding data in packet header fields:

- IP identification
- Offset
- Options
- TCP checksum
- TCP sequence numbers


Clandestine Channels

CMSC 691I

13

Timing Channels (I)

Information is leaked by triggering or delaying events at specific time intervals


Timing Channels (II)

(Figure not reproduced.)


Frequency Based (I)

- Information is encoded over many channels of cover traffic
- The order or combination of cover channel access encodes information


Frequency Based (II)

(Figure not reproduced.)


Protocol Based

Exploits ambiguities or non-uniform features in common protocol specifications


Traditional Detection Mechanisms

Statistical methods:

- Storage-based: data analysis
- Time-based: time analysis
- Frequency-based: flow analysis


Threat Model

- Passive Warden Threat Model
- Active Warden Threat Model


IP Covert Channel

IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers. For IP networks:

- Data hidden in the IP header
- Data hidden in ICMP Echo Request and Response packets
- Data tunneled through an SSH connection
- Port 80 tunneling (or DNS port 53 tunneling)
- In image files


IP ID and TCP ISN Implementation

- Two fields which are commonly used to embed steganographic data are the IP ID and TCP ISN
- Due to their construction, these fields contain some structure
- Partially unpredictable


Detection of TCP/IP Steganography

Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates. A suite of tests:

- can be used to identify any anomalies that may indicate the use of steganography
- is applied to network traces to identify whether the results are consistent with known operating systems


IP ID Characteristics

1. Sequential Global IP ID
2. Sequential Per-host IP ID
3. IP ID MSB Toggle
4. IP ID Permutation
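Added example (not the paper's own test code): a minimal form of tests 1 and 2, run over (destination, IP ID) pairs observed from a single source host in transmission order, plus a check that flags a trace whose IP ID behaviour does not match what the sending OS is expected to produce. The step threshold, host names and ID values are assumptions constructed for the demonstration.

```python
def _sequential(ids, max_step=16):
    """True when each IP ID advances by a small positive step (mod 2**16, so wraparound passes)."""
    return all(0 < (b - a) % 65536 <= max_step for a, b in zip(ids, ids[1:]))


def classify_ip_id(packets, max_step=16):
    """packets: (destination, ip_id) pairs from ONE source host, in transmission order.
    Returns which of the slide's first two IP ID characteristics the trace matches.
    max_step (assumed) allows for packets to other hosts that the sniffer did not see."""
    if _sequential([ip_id for _, ip_id in packets], max_step):
        return "sequential global IP ID"
    per_host = {}
    for dst, ip_id in packets:
        per_host.setdefault(dst, []).append(ip_id)
    if all(_sequential(ids, max_step) for ids in per_host.values()):
        return "sequential per-host IP ID"
    return "no sequential structure"


def ip_id_anomaly(packets, expected_characteristic):
    """Defender's check: a host whose stack is known to use a counter but whose trace
    shows no counter structure deserves a closer look."""
    return classify_ip_id(packets) != expected_characteristic


# Constructed traces (assumed values, not captured data).
GLOBAL_COUNTER = [("h1", 100), ("h2", 101), ("h1", 102), ("h2", 103), ("h3", 104)]
PER_HOST_COUNTER = [("h1", 100), ("h2", 5000), ("h1", 101), ("h2", 5001), ("h1", 102)]
NO_STRUCTURE = [("h1", 23411), ("h2", 9), ("h1", 65001), ("h2", 1777), ("h1", 40)]
WRAPAROUND = [("h1", 65534), ("h1", 65535), ("h1", 0), ("h1", 1)]
```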


TCP ISN Characteristics

5. Rekey Timer
6. Rekey Counter
7. ISN MSB Toggle
8. ISN Permutation
9. Zero bit 15
10. Full TCP Collisions
11. Partial TCP Collisions

Explicit Steganography Detection

12. Nushu Cryptography

Nushu encrypts data before including it in the ISN field. This results in a distribution which is different from the one normally generated by Linux, and so it will be detected by the other TCP tests.


13. TCP Timestamp

If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets. If too much randomness is detected in the LSBs, a steganographic covert channel is in use.
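Added example (not the paper's implementation): one concrete randomness check on timestamp LSBs of the kind the slide describes, using the NIST SP 800-22 monobit and runs tests. Both sample timestamp series are constructed: a stack that sends several packets per clock tick produces LSBs in runs, while a channel that forces each LSB to a data bit produces random-looking LSBs, stood in for here by a 6-bit LFSR sequence.

```python
import math


def lsb_randomness(tsvals):
    """NIST SP 800-22 style monobit and runs tests on the LSBs of TCP timestamp values.
    Returns (p_monobit, p_runs); a small p-value means the bits do NOT look random."""
    bits = [t & 1 for t in tsvals]
    n = len(bits)
    ones = sum(bits)
    p_mono = math.erfc(abs(2 * ones - n) / math.sqrt(n) / math.sqrt(2))
    pi = ones / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):      # runs-test prerequisite fails: already non-random
        return p_mono, 0.0
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    expected = 2 * n * pi * (1 - pi)
    p_runs = math.erfc(abs(runs - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))
    return p_mono, p_runs


def looks_like_timestamp_channel(tsvals, alpha=0.01):
    """Flag the connection when the LSBs pass both randomness tests at significance alpha."""
    p_mono, p_runs = lsb_randomness(tsvals)
    return p_mono >= alpha and p_runs >= alpha


def lfsr_bits(n, state=0b100101):
    """Deterministic random-looking bits from a 6-bit Fibonacci LFSR (x^6 + x^5 + 1,
    period 63, 32 ones per period): a constructed stand-in for channel-set LSBs."""
    out = []
    for _ in range(n):
        out.append(state & 1)
        fb = ((state >> 5) ^ state) & 1
        state = ((state << 1) | fb) & 0x3F
    return out


# Constructed samples (assumed, not captured traffic). NORMAL: four packets per tick,
# so LSBs come in runs of four. CHANNEL: timestamps still increase, but each LSB is a data bit.
NORMAL_TSVALS = [500 + i // 4 for i in range(64)]
CHANNEL_TSVALS = [1000 + 2 * i + b for i, b in enumerate(lfsr_bits(63))]
```

With 63 or 64 samples the runs test is what separates the two series; on longer captures both tests gain power, and alpha should be tuned against traces from the known stack before alerting on it.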


14. Other Anomalies

- unusual flags (e.g. DF when not expected, ToS set)
- excessive fragmentation
- use of IP options
- non-zero padding
- unexpected TCP options (e.g. timestamps from operating systems which do not generate them)
- excessive re-ordering


Results

(Figure not reproduced.)


Detection-Resistant TCP Steganography Schemes

- Lathra: a robust scheme, using the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier
- Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden


Conclusion

- TCP/IP header fields can be used as a carrier for a steganographic covert channel
- Two schemes for encoding data with ISNs generated by OpenBSD and Linux, indistinguishable from those generated by a genuine TCP stack


Future Work

- Flexible covert channel scheme which can be used in many channels
- Create a protocol for jumping between multiple covert channels
- New schemes to detect different encoding mechanisms in TCP/IP header fields


References

1. Niels Provos, Peter Honeyman. Hide and Seek: An Introduction to Steganography. IEEE Security and Privacy, May-June 2003.
2. Steven J. Murdoch, Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005.

Thanks a lot for your presence


Any Questions


Homework
Presentation slides and research papers are available at:

www.umbc.edu/~chauhan2/CMSC691I/


Covert Channel Tools

- SSH (SCP, FTP tunneling, Telnet tunneling, X Windows tunneling, ...): can be set to operate on any port (< 1024 usually requires root privilege)
- Loki (ICMP Echo request/reply, UDP 53)
- NT: Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell Server: looks like an HTTP client (browser); application headers mimic HTTP GET and response commands

Linux 2.0 ISN Generator

(Figure not reproduced.)


Linux ISN and ID Generator

(Figure not reproduced.)


OpenBSD ISN Generator

(Figure not reproduced.)
