CMSC 691I
Clandestine Channels
Overview
- New and Significant
- Overview of Covert Channels
- TCP/IP based Steganography
- Detection of TCP/IP Steganography
- Conclusion
Covert Channels
Communication in a non-obvious manner; a potential method to get information out of the security perimeter.
Two types:
- Storage
- Timing
Storage channel: information conveyed by writing or abstaining from writing; a clock is not needed.
Timing channel: information conveyed by the timing of events; the receiver needs a clock.
- the use of encryption in their systems
- have privileged or private information
- wish to restrict communication
- monitor communications
Information hiding
Goal - channel undetectable or unobservable: network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted.
Taxonomy (I)
Frequency-based
Protocol-based any
Taxonomy (II)
Hiding in the packet payload is outside the realm of network covert channels; these cases fit into the broader field of steganography.
Figure: example DATA to be hidden - "This is Information Assurance Class"
Figure: IP Header (0-44 bytes)
Figure: TCP Header (0-44 bytes; Timestamp field)
Storage Based
Protocol Based
Time-based
Frequency-based
Threat Model
Passive
IP Covert Channel
IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers.
For IP networks:
- Data hidden in the IP header
- Data hidden in ICMP Echo Request and Response packets
- Data tunneled through an SSH connection
- Port 80 tunneling (or DNS port 53 tunneling)
- In image files
Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates. These characteristics can be used to identify anomalies that may indicate the use of steganography. A suite of tests is applied to network traces to identify whether the results are consistent with known operating systems.
IP ID Characteristics
Tests:
- Rekey Timer
- Rekey Counter
- ISN MSB Toggle
- ISN Permutation
- Zero bit 15
- Full TCP Collisions
- Partial TCP Collisions
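The detection idea from the preceding slides (check whether a header field's behaviour in a trace is consistent with what the sending operating system is known to generate, here applied to the IP ID field) as an added Python example; this is not code from the slides or from the cited papers, and the sample trace and the per-host expected profiles are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample trace: (source host, IP ID) pairs in the order a sniffer
# would log them. Host "a" increments its IP ID like a simple counter; host
# "b" emits values with no counter structure, which a consistency test flags.
TRACE = [
    ("a", 1001), ("b", 40213), ("a", 1002), ("b", 118), ("a", 1003),
    ("b", 61955), ("a", 1004), ("b", 9023), ("a", 1005), ("b", 30471),
]

# Expected IP ID behaviour per host. These profiles are an assumption made
# for this example (e.g. from an inventory), not fingerprints from the slides.
EXPECTED = {"a": "sequential", "b": "sequential"}


def classify_ip_ids(ids, max_step=64):
    """Classify an IP ID sequence as 'zero', 'sequential' or 'unstructured'."""
    if len(ids) < 2:
        return "unknown"
    if all(i == 0 for i in ids):
        return "zero"
    # Deltas are taken modulo 2**16 because the IP ID field is 16 bits wide
    # and a counter wraps around; a wrap must not look like a jump.
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(0 < d <= max_step for d in deltas):
        return "sequential"
    return "unstructured"


def ip_id_consistency(trace, expected):
    """Return {host: (expected, observed)} for hosts whose observed IP ID
    behaviour contradicts the profile expected for that host."""
    per_host = defaultdict(list)
    for host, ip_id in trace:
        per_host[host].append(ip_id)
    findings = {}
    for host, ids in per_host.items():
        observed = classify_ip_ids(ids)
        want = expected.get(host)
        if want is not None and observed != want:
            findings[host] = (want, observed)
    return findings


if __name__ == "__main__":
    for host, (want, got) in ip_id_consistency(TRACE, EXPECTED).items():
        print(f"{host}: expected {want} IP IDs, observed {got}")
```

A mismatch is only an anomaly worth investigating, not proof of a covert channel; a NAT or a kernel upgrade changes a host's IP ID profile just as readily.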
Results
Conclusion
- TCP/IP header fields can be used as a carrier for a steganographic covert channel
- Two schemes for encoding data with ISNs generated by OpenBSD and Linux
Future Work
- Flexible covert channel scheme which can be used in many channels
- Create a protocol for jumping between multiple covert channels
- New schemes to detect different encoding mechanisms in TCP/IP header fields
References
1. Niels Provos, Peter Honeyman. Hide and Seek: An Introduction to Steganography. IEEE Security and Privacy, May-June 2003.
2. Steven J. Murdoch, Stephen Lewis. Embedding Covert Channels into TCP/IP. 7th Information Hiding Workshop, Barcelona, Catalonia (Spain), June 2005.
Thanks a lot for your presence
Any Questions
Homework
Presentation slides and research papers are available at:
www.umbc.edu/~chauhan2/CMSC691I/
- SSH (SCP, FTP tunneling, Telnet tunneling, X Windows tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege).
- Loki (ICMP Echo R/R, UDP 53)
- NT - Back Orifice (BO2K) plugin BOSOCK32
- Reverse WWW Shell Server - looks like an HTTP client (browser); app headers mimic HTTP GET and response commands.