Covert Channels in IPv6
Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin
Syracuse University
PET 2005, Cavtat, Croatia
May 31st, 2005
Outline
• IPv6 Overview
• Covert Channels Description
• Active Wardens Analysis
• Conclusions
Lucena, Lewandowski, Chapin
IPv6 Overview
• The header has a fixed length: 40 bytes
• The header omits five of the fields found in IPv4: header length, identification, flags, fragment offset, and checksum
• A full implementation includes six extension headers:
  • Hop-by-Hop Options
  • Routing
  • Fragment
  • Destination Options
  • Authentication (AH)
  • Encapsulating Security Payload (ESP)
Covert Channels
• A covert channel is a communication path that allows transferring information in a way that violates a security policy
• Concerned only with network storage channels
• The adversary model allows Alice and Bob to be, or not be, the same as the Sender and Receiver
• A specification-based analysis of 22 covert channels
IPv6 Header: Hop Limit
[Figure: IPv6 header layout: Version (4 bits), Traffic Class (1 byte), Flow Label (20 bits), Payload Length (2 bytes), Next Header (1 byte), Hop Limit (1 byte), Source Address (16 bytes), Destination Address (16 bytes); the Hop Limit (1 byte) field is highlighted]
• Setting an initial hop limit value and modifying it appropriately in subsequent packets
IPv6 Header: Hop Limit
[Figure: a sequence of packets from Alice to Bob, each carrying a hop limit relative to h that encodes one bit (0 or 1)]
Bandwidth: n packets, n − 1 bits
• Alice sets an initial value, h, for the hop limit
• Alice signals a 0 by decreasing the hop limit relative to the previous packet
• Alice signals a 1 by increasing it by the same value
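The channel above only works if the hop limit of one flow keeps moving between consecutive packets, which is exactly the kind of already-observed condition a stateful active warden (introduced later in the deck) can register. The following is an added illustration, not code from the paper: a minimal stateful warden that remembers the last hop limit seen per flow and flags a flow once its hop limit has changed more than a threshold number of times. The flow keys, hop limits and threshold are constructed for the example.

```python
from collections import defaultdict


class HopLimitWarden:
    """Stateful warden (added illustration): per-flow hop-limit change counter.

    Packets from one host to one destination normally arrive with a constant
    hop limit, so a flow whose hop limit keeps flipping up and down is the
    signature of the hop-limit channel described on the slide.
    """

    def __init__(self, max_changes=2):
        self.last = {}                        # flow key -> last hop limit seen
        self.changes = defaultdict(int)       # flow key -> packets that differed from the previous one
        self.max_changes = max_changes        # tolerated changes (an occasional route change is legitimate)

    def observe(self, flow, hop_limit):
        """Record one packet; return True if this flow now exceeds the threshold."""
        prev = self.last.get(flow)
        if prev is not None and hop_limit != prev:
            self.changes[flow] += 1
        self.last[flow] = hop_limit
        return self.changes[flow] > self.max_changes

    def suspicious_flows(self):
        return sorted(f for f, c in self.changes.items() if c > self.max_changes)


# Constructed sample traffic as (flow key, hop limit); not a real capture.
SAMPLE_PACKETS = [
    ("2001:db8::1->2001:db8::2", 64),
    ("2001:db8::1->2001:db8::2", 64),
    ("2001:db8::1->2001:db8::2", 63),   # hop limit starts oscillating from the same host
    ("2001:db8::1->2001:db8::2", 64),
    ("2001:db8::1->2001:db8::2", 63),
    ("2001:db8::1->2001:db8::2", 64),
    ("2001:db8::3->2001:db8::2", 58),   # steady flow, never flagged
    ("2001:db8::3->2001:db8::2", 58),
    ("2001:db8::3->2001:db8::2", 58),
]


def run(packets, max_changes=2):
    """Feed a packet list through the warden and return the flagged flow keys."""
    warden = HopLimitWarden(max_changes)
    for flow, hop_limit in packets:
        warden.observe(flow, hop_limit)
    return warden.suspicious_flows()


if __name__ == "__main__":
    print(run(SAMPLE_PACKETS))   # the oscillating flow only
```

The threshold matters in practice: equal-cost multipath routing can deliver packets of one flow over paths of different lengths, so a warden that alerts on a single change will generate noise, while one that alerts on sustained alternation isolates the behaviour the channel depends on.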
Hop-by-Hop Options Header: Jumbograms
[Figure: IPv6 header fields Next Header (1 byte) and Hop Limit (1 byte), followed by the Hop-by-Hop Options header: Option Type (1 byte), Option Data Length (1 byte), Option Data (variable length, specified in the Option Data Length field); for a jumbogram: Option Type = C2 (1 byte), Option Data Length = 4 (1 byte), Jumbo Payload Length (4 bytes)]
• Using jumbograms as a means of covert communication in two ways:
  • Modifying an existing jumbogram length to append covert data
  • Converting a regular datagram into a jumbogram to fill in the extra bytes with hidden content
Hop-by-Hop Options Header: Jumbograms
[Figure: packet from Alice to Bob with Option Type C2 and Option Data Length 4, followed by the bits 1011010101010111…]
Bandwidth: varies
• Alice sets the payload length of the IPv6 header to 0
• Alice sets the option type of the Hop-by-Hop header to C2
• Alice sets the option data length of the Hop-by-Hop header to 4
Routing Header: Routing Type 0
[Figure: Routing header layout: Next Header (1 byte), Header Extension Length (1 byte), Routing Type = 0 (1 byte), Segments Left (1 byte), Reserved (4 bytes), Addresses (16 bytes each)]
• Fabricating “addresses” out of arbitrary data meaningful only to the covert communicating agents
Routing Header: Routing Type 0
[Figure: routing header before (Header Extension Length 4, Routing Type 0, Segments Left 2, addresses 10111001 10010011 … and 10000001 11011001 …) and after Alice inserts two fabricated addresses (Header Extension Length 8, Routing Type 0, Segments Left 2, addresses 10101111 00011110 …, 01110010 00110111 …, 10111001 10010011 …, 10000001 11011001 …)]
Bandwidth: up to 2048 bytes per packet
• Alice inserts two fake addresses into the routing header
• Alice modifies the header extension length field accordingly
• Alice does not modify the original value of the segments left field
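Both the jumbogram channel and the routing-type-0 channel leave a packet whose headers are well-formed but semantically inconsistent, which is what a stateless active warden verifying protocol syntax and semantics can catch one packet at a time. The example below is added here and is not the authors' code: a checker over raw IPv6 bytes that parses the Hop-by-Hop Jumbo Payload option and the type 0 routing header and reports the inconsistencies a warden would look for (a jumbo length that does not match the bytes actually on the wire, a payload length of 0 without a jumbo option, a header extension length that is not twice the address count, addresses that the packet claims were already visited, and addresses that are illegal or outside a known topology). The `known_prefixes` allowlist is the network-aware extra, and every packet, prefix and "address" byte string is constructed for the illustration.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

# Protocol constants (RFC 2460 / RFC 2675); everything else is a constructed illustration.
NH_HOP_BY_HOP, NH_ROUTING, NH_NONE = 0, 43, 59
OPT_PAD1, OPT_JUMBO, ROUTING_TYPE_0 = 0, 0xC2, 0


def check_ipv6(pkt, known_prefixes=()):
    """Stateless-warden checks on one raw IPv6 packet; returns a list of anomaly strings.
    known_prefixes (optional) is the network-aware part: prefixes a routing address may point at."""
    found = []
    if len(pkt) < 40:
        return ["truncated IPv6 header"]
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    on_wire = len(pkt) - 40                       # payload bytes actually present after the header
    saw_jumbo, off = False, 40
    if next_hdr == NH_HOP_BY_HOP and off + 8 <= len(pkt):
        nh, ext_len = pkt[off], pkt[off + 1]
        end = min(off + (ext_len + 1) * 8, len(pkt))
        p = off + 2
        while p + 1 < end:
            otype = pkt[p]
            if otype == OPT_PAD1:                 # Pad1 is a single byte with no length field
                p += 1
                continue
            olen = pkt[p + 1]
            if otype == OPT_JUMBO:
                saw_jumbo = True
                if olen != 4 or p + 6 > end:
                    found.append("malformed Jumbo Payload option")
                else:
                    jumbo = struct.unpack("!I", pkt[p + 2:p + 6])[0]
                    if payload_len != 0:
                        found.append("Jumbo option present but IPv6 payload length != 0")
                    if jumbo < 65536:
                        found.append("jumbo length would fit in a normal datagram")
                    if jumbo != on_wire:          # a regular datagram dressed up as a jumbogram
                        found.append("jumbo length %d != %d bytes on the wire" % (jumbo, on_wire))
            p += 2 + olen
        next_hdr, off = nh, end
    if payload_len == 0 and not saw_jumbo:
        found.append("payload length 0 without a Jumbo option")
    if payload_len != 0 and payload_len != on_wire:
        found.append("payload length %d != %d bytes on the wire" % (payload_len, on_wire))
    if next_hdr == NH_ROUTING and off + 8 <= len(pkt):
        ext_len, rtype, seg_left = pkt[off + 1], pkt[off + 2], pkt[off + 3]
        if rtype == ROUTING_TYPE_0:
            n_addr = ext_len // 2
            if ext_len == 0 or ext_len % 2:
                found.append("type 0 routing header length is not 2 x number of addresses")
            if seg_left > n_addr:
                found.append("segments left exceeds number of addresses")
            if seg_left < n_addr:                 # meaningful for a warden at the sender's edge
                found.append("%d routing addresses already marked as visited" % (n_addr - seg_left))
            if off + 8 + 16 * n_addr > len(pkt):
                found.append("truncated routing header")
                return found
            for i in range(n_addr):
                a = IPv6Address(pkt[off + 8 + 16 * i:off + 24 + 16 * i])
                if a.is_multicast or a.is_unspecified or a.is_loopback:
                    found.append("illegal routing address %s" % a)
                elif known_prefixes and not any(a in net for net in known_prefixes):
                    found.append("routing address %s outside the known topology" % a)
    return found


def _ipv6(payload_len, next_hdr, src="2001:db8:1::1", dst="2001:db8:2::1"):
    # Fixed 40-byte IPv6 header: version 6, hop limit 64 (constructed values)
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, 64)
            + IPv6Address(src).packed + IPv6Address(dst).packed)


def _jumbo_hbh(jumbo_len):
    # 8-byte Hop-by-Hop header: Next Header = none, Hdr Ext Len = 0, Jumbo option (C2, 4, length)
    return bytes([NH_NONE, 0, OPT_JUMBO, 4]) + struct.pack("!I", jumbo_len)


def _routing(addrs, seg_left):
    # Type 0 routing header: Next Header = none, Hdr Ext Len = 2 per address, reserved, addresses
    head = bytes([NH_NONE, 2 * len(addrs), ROUTING_TYPE_0, seg_left, 0, 0, 0, 0])
    return head + b"".join(IPv6Address(a).packed for a in addrs)


KNOWN = [IPv6Network("2001:db8::/32")]                       # assumed topology the warden knows
FAKE1 = bytes.fromhex("af1e5a9d1b33c0ffee00112233445566")    # constructed "address" bytes
FAKE2 = bytes.fromhex("7237b9938e1d2c4a5f6e7d8c9b0a1f2e")

LEGIT_JUMBO = _ipv6(0, NH_HOP_BY_HOP) + _jumbo_hbh(8 + 65536) + b"\x00" * 65536
COVERT_JUMBO = _ipv6(0, NH_HOP_BY_HOP) + _jumbo_hbh(0xB5575A9D) + b"\x00" * 32
LEGIT_RT0 = _ipv6(8 + 32, NH_ROUTING) + _routing(["2001:db8:3::1", "2001:db8:4::1"], 2)
COVERT_RT0 = _ipv6(8 + 64, NH_ROUTING) + _routing([FAKE1, FAKE2, "2001:db8:3::1", "2001:db8:4::1"], 2)

if __name__ == "__main__":
    for name in ("LEGIT_JUMBO", "COVERT_JUMBO", "LEGIT_RT0", "COVERT_RT0"):
        print(name, check_ipv6(globals()[name], KNOWN) or "clean")
```

The two levels of diligence from the warden slides map onto the checks directly: the syntactic level is the option and header length bookkeeping, the semantic level is comparing the jumbo length with what is actually on the wire and asking whether the routing addresses make sense, and the topology allowlist is what only a network-aware warden can answer.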
Active Wardens
• Stateless Active Warden
  • Knows the protocol syntax and semantics and attempts to verify them
  • “Sees” one packet at a time
  • Performs at two levels of diligence
• Stateful Active Warden
  • Registers already-observed semantic conditions
• Network-aware Active Warden
  • Is a stateful active warden
  • Is also a network topologist
Conclusions
• Provide awareness of the existence of at least 22 covert channels in IPv6
• Generate discussion toward harmful means of covert communication
• Help to understand potential attacks that exploit IPv6 traffic in order to take appropriate countermeasures
• Raise issues for consideration by implementors of IPv6 protocol stacks and firewalls
• Introduce three types of active wardens: stateless, stateful, and network-aware