Covert Channel Creation through VPNPrepared by Isakov YehielUnder Supervision of Dr. Gabi Nakibly
What is a covert channel ?Definition A:Covert channel is a mechanism by which a process at a high security level leaks information to a process at a low security level that would otherwise not have access to it (usually not intended for information transfer at all).Definition B:Any information channel that can be exploited by a process to transfer information in a manner that violates the systems security policy (U.S. Department of Defense).
or simply speaking There are Alice, Bob and warden Wendy (in simpler schematics there is no Wendy).A is trying to communicate with B through a shared resource R (file / network channel / CPU) while being watched by W.Sometimes there are more entities that just make noise. How can B filter the noise ?!
Project SettingThere is a computer network with more than a one computer (naturally ).All of the communication from this network passes through VPN Gateway (which works using FCFS algorithm).One of the computers is compromised (has a Trojan Horse T). T is trying to establish a covert communications channel with Peer that sits on the channel that VPN Gateway transmits.
Project Setting (cont.)Detection computer D is between VPN and P: checks all of outgoing communications from the Network and cuts the outgoing communications if senses something fishy Peer receives not only the packets that Trojan sends: it has to filter out Trojans packets from the noise.Since VPN encrypts packet contents Trojan can only manipulate packet sizes and PIATs
Project Setting (Schematics)
Existing methodsThere are not much! Actually, there are none within the given project settings.It is due to unique setting of the problem.For example, most of the existing noisy covert channels in network use protocol fields (like TTL, Options in TCP/IP).One can not do that in this case.
Existing methods (cont.)However, existing examples in CPU and file system are interesting, though not relevant.For more information see the literature review document (to be released soon).It also contains an example of a burst channel that eventually develops into a method (all in review document).
Method SelectionPIATs are very sensitive to network status.Complex maintenance technique is needed in order to keep PIATs consistent in transitions.On the other hand sizes remain the same all the time (do not change in transitions).Therefore well choose communication through smart packet size selections.
Method ILearn normal communications.Define m keys Select two hashing functions f and g and a natural number To send 1 for the ith time generate packets of sizes and send them to Peer through VPN.
Method I (cont.)To send 0 for the ith time generate packets of sizes and send the to Peer through VPN.PIATs for sending sequences for 1 and 0 are set according to learned PIATs.In order to decode the message Peer (that also has the keys and the functions) simply reconstructs the original sequence.
Some implementation detailsHashing algorithm is based upon Knuths hashing method for small numbers:Key creation algorithm makes sure that the keys are random and suite the learned packet size distribution (but do not come from it! Details in literature review).
AnalysisError probability is very low:
Suppose that normal communication rate is CR bits per second. Assume that every source transmits with the same rate. If there are N sources then Trojan must transmit R/N bits per second.
Analysis (cont.)In order to transmit 1 Trojan must transmit at most and for 0 - Denote M as maximum between those two values.Therefore Trojans optimal trans. rate is:
Method IINumber theory based.While learning count packets with special sizes Pythagorean Squares and 1-pseudo Pythagorean Squares.Find such packet ratios (number of special packets / total number of packets).Generate PSList and 1PseudoPSList (one contains PSes from min to max, the other 1-Pseudo PSes).
Method IIIf Trojan wants to transmit 1 it sends k 1-pseudo PS sized squares from 1PseudoPSList. If Trojan wants to transmit 0 it sends m 1-pseudo PS sized squares from PSList.k and m are determined during learning process. They are set in such manner that Peer will detect the according ration changes and it will be an indication of transmission.
AnalysisError probability is:
transmission rate analysis is the similar to Method I analysis.Method II was not implemented yet!
Analysis (cont.)Determining how Peer will see k and m impact is not simple. That is what sets back the implementation. Channel works only in noiseless setting. One way is to check rates at certain time windows and determine how noise affects the special packets distribution.Final implementation will follow the literature review document.
Execution ResultsMethod I:1. Works without noise, 0% error in transmission.2. Works with 50% noise, 0% error in transmission.3. Assumption: very noise-proof and robust. Method II:1. Works without noise, 0% error in transmission.2. Doesnt work in noisy environments yet
Execution Results (cont.)A reminder doesnt work yet
ConclusionsDeveloping an algorithm for a cover channel creation under so many constraints is difficult.Method I provides a simple and robust method for solving this problem.It defines a non-statistical sample property.Method II continues with the same notion (although needs some refinement).
Conclusions (cont.)Non-statistical properties are sometimes easy to define, but difficult to implement (like in Method II case).Detection is almost impossible for a certain channels based on such approach.Non-statistical properties use difficult (almost NP-hard) properties to define pattern.
Thanks for your time
I hope you enjoyed the lecture