Embed Size (px)
DESCRIPTION
Covert Channel Creation through VPN. Prepared by Isakov Yehiel Under Supervision of Dr. Gabi Nakibly. What is a covert channel ?. Definition A : - PowerPoint PPT Presentation
Citation preview
Covert Channel Creation through VPN
Prepared by Isakov YehielUnder Supervision of Dr. Gabi Nakibly
What is a covert channel?
Definition A:Covert channel is a mechanism by which a process at a high security level leaks information to a process at a low security level that would otherwise not have access to it (usually not intended for information transfer at all).
Definition B:Any information channel that can be exploited by a process to transfer information in a manner that violates the systems security policy (U.S. Department of Defense).
…or simply speaking…
There are Alice, Bob and warden Wendy (in simpler schematics there is no Wendy).
A is trying to communicate with B through a shared resource R (file / network channel / CPU) while being watched by W.
Sometimes there are more entities that just make noise.
How can B filter the noise ?!
Project Setting
There is a computer network with more than a one computer (naturally ).
All of the communication from this network passes through VPN Gateway (which works using FCFS algorithm).
One of the computers is compromised (has a Trojan Horse T). T is trying to establish a covert
communications channel with Peer that sits on the channel that VPN Gateway transmits.
Project Setting (cont.)
Detection computer D is between VPN and P: checks all of outgoing communications from the Network and “cuts” the outgoing communications if senses something fishy …
Peer receives not only the packets that Trojan sends: it has to filter out Trojan’s packets from the noise.
Since VPN encrypts packet contents Trojan can only manipulate packet sizes and PIATs
Project Setting (Schematics)
Existing methods
There are not much! Actually, there are none within the given project settings.
It is due to unique setting of the problem. For example, most of the existing noisy
covert channels in network use protocol fields (like TTL, Options in TCP/IP).
One can not do that in this case.
Existing methods (cont.)
However, existing examples in CPU and file system are interesting, though not relevant.
For more information see the literature review document (to be released soon).
It also contains an example of a “burst channel” that eventually develops into a method (all in review document).
Method Selection
PIATs are very sensitive to network status.Complex maintenance technique is needed in order to keep PIATs consistent in transitions.
On the other hand sizes remain the same all the time (do not change in transitions).
Therefore we’ll choose communication through “smart” packet size selections.
Method I
Learn normal communications. Define m keys Select two hashing functions f and g and a
natural number To send “1” for the ith time generate packets
of sizes
and send them to Peer through VPN.
Method I (cont.)
To send “0” for the ith time generate packets of sizes and send the to Peer through VPN.
PIATs for sending sequences for “1” and “0” are set according to learned PIATs.
In order to decode the message Peer (that also has the keys and the functions) simply reconstructs the original sequence.
Some implementation details
Hashing algorithm is based upon Knuth’s hashing method for small numbers:
Key creation algorithm makes sure that the keys are “random” and suite the learned packet size distribution (but do not come from it! Details in literature review).
Analysis
Error probability is very low:
Suppose that normal communication rate is CR bits per second. Assume that every source transmits with the same rate. If there are N sources then Trojan must transmit СR/N bits per second.
Analysis (cont.)
In order to transmit “1” Trojan must transmit at most
and for “0” - Denote M as maximum between those two
values. Therefore Trojan’s optimal trans. rate is:
Method II
Number theory based. While learning count packets with special sizes –
Pythagorean Squares and 1-pseudo Pythagorean Squares.
Find such packet ratios (number of special packets / total number of packets).
Generate PSList and 1PseudoPSList (one contains PSes from min to max, the other – 1-Pseudo PSes).
Method II
If Trojan wants to transmit “1” it sends k 1-pseudo PS sized squares from 1PseudoPSList.
If Trojan wants to transmit “0” it sends m 1-pseudo PS sized squares from PSList.
k and m are determined during learning process. They are set in such manner that Peer will detect the according ration changes and it will be an indication of transmission.
Analysis
Error probability is:
transmission rate analysis is the similar to Method I analysis.
Method II was not implemented yet!
Analysis (cont.)
Determining how Peer will see k and m impact is not simple. That is what sets back the implementation. Channel works only in noiseless setting.
One way is to check rates at certain time windows and determine how noise affects the “special” packets distribution.
Final implementation will follow the literature review document.
Execution Results
Method I:
1. Works without noise, 0% error in transmission.
2. Works with 50% noise, 0% error in transmission.
3. Assumption: very noise-proof and robust.
Method II:
1. Works without noise, 0% error in transmission.
2. Doesn’t work in noisy environments … yet …
Execution Results (cont.)
A reminder … doesn’t work yet …
Conclusions
Developing an algorithm for a cover channel creation under so many constraints is difficult.
Method I provides a simple and robust method for solving this problem.
It defines a “non-statistical” sample property. Method II continues with the same notion
(although needs some refinement).
Conclusions (cont.)
Non-statistical properties are sometimes easy to define, but difficult to implement (like in Method II case).
Detection is almost impossible for a certain channels based on such approach.
Non-statistical properties use “difficult” (almost NP-hard) properties to define pattern.
The End
Thanks for your time
I hope you enjoyed the lecture
