230 likes | 250 Views
Covert Channel Creation through VPN. Prepared by Isakov Yehiel Under Supervision of Dr. Gabi Nakibly. What is a covert channel ?. Definition A :
E N D
Covert Channel Creation through VPN Prepared by Isakov Yehiel Under Supervision of Dr. Gabi Nakibly
What is a covert channel ? • Definition A: Covert channel is a mechanism by which a process at a high security level leaks information to a process at a low security level that would otherwise not have access to it (usually not intended for information transfer at all). • Definition B: Any information channel that can be exploited by a process to transfer information in a manner that violates the systems security policy (U.S. Department of Defense).
… or simply speaking … • There are Alice, Bob and warden Wendy (in simpler schematics there is noWendy). • A is trying to communicate with B through a shared resource R (file / network channel / CPU) while being watched by W. • Sometimes there are more entities that just make noise. • How can B filter the noise ?!
Project Setting • There is a computer network with more than a one computer (naturally ). • All of the communication from this network passes through VPN Gateway (which works using FCFS algorithm). • One of the computers is compromised (has a Trojan Horse T). Tis trying to establish a covert communications channel with Peer that sits on the channel that VPN Gateway transmits.
Project Setting (cont.) • Detection computer D is between VPN and P:checks all of outgoing communications from the Network and “cuts” the outgoing communications if senses something fishy … • Peer receives not only the packets that Trojan sends: it has to filter out Trojan’s packets from the noise. • Since VPN encrypts packet contents Trojan can only manipulate packet sizes and PIATs
Existing methods • There are not much! Actually, there are none within the given project settings. • It is due to unique setting of the problem. • For example, most of the existing noisy covert channels in network use protocol fields (like TTL, Options in TCP/IP). • One can not do that in this case.
Existing methods (cont.) • However, existing examples in CPU and file system are interesting, though not relevant. • For more information see the literature review document (to be released soon). • It also contains an example of a “burst channel” that eventually develops into a method (all in review document).
Method Selection • PIATs are very sensitive to network status. Complex maintenance technique is needed in order to keep PIATs consistent in transitions. • On the other hand sizes remain the same all the time (do not change in transitions). • Therefore we’ll choose communication through “smart” packet size selections.
Method I • Learn normal communications. • Define m keys • Select two hashing functions f and g and a natural number • To send “1” for the ith time generate packets of sizes and send them to Peer through VPN.
Method I (cont.) • To send “0” for the ith time generate packets of sizes and send the to Peer through VPN. • PIATs for sending sequences for “1” and “0” are set according to learned PIATs. • In order to decode the message Peer (that also has the keys and the functions) simply reconstructs the original sequence.
Some implementation details • Hashing algorithm is based upon Knuth’s hashing method for small numbers: • Key creation algorithm makes sure that the keys are “random” and suite the learned packet size distribution (but do not come from it! Details in literature review).
Analysis • Error probability is very low: • Suppose that normal communication rate is CR bits per second. Assume that every source transmits with the same rate. If there are N sources then Trojan must transmitСR/N bits per second.
Analysis (cont.) • In order to transmit “1” Trojan must transmit at most and for “0” - • Denote M as maximum between those two values. • Therefore Trojan’s optimal trans. rate is:
Method II • Number theory based. • While learning count packets with special sizes – Pythagorean Squares and 1-pseudo Pythagorean Squares. • Find such packet ratios (number of special packets / total number of packets). • Generate PSList and 1PseudoPSList (one contains PSes from min to max, the other – 1-Pseudo PSes).
Method II • If Trojan wants to transmit “1” it sends k 1-pseudo PS sized squares from 1PseudoPSList. • If Trojan wants to transmit “0” it sends m 1-pseudo PS sized squares from PSList. • k and m are determined during learning process. They are set in such manner that Peer will detect the according ration changes and it will be an indication of transmission.
Analysis • Error probability is: • transmission rate analysis is the similar to Method I analysis. • Method II was not implemented yet!
Analysis (cont.) • Determining how Peer will see k and m impact is not simple. That is what sets back the implementation. Channel works only in noiseless setting. • One way is to check rates at certain time windows and determine how noise affects the “special” packets distribution. • Final implementation will follow the literature review document.
Execution Results • Method I: 1. Works without noise, 0% error in transmission. 2. Works with 50% noise, 0% error in transmission. 3. Assumption: very noise-proof and robust. • Method II: 1. Works without noise, 0% error in transmission. 2. Doesn’t work in noisy environments … yet …
Execution Results (cont.) • A reminder … doesn’t work yet …
Conclusions • Developing an algorithm for a cover channel creation under so many constraints is difficult. • Method I provides a simple and robust method for solving this problem. • It defines a “non-statistical” sample property. • Method II continues with the same notion (although needs some refinement).
Conclusions (cont.) • Non-statistical properties are sometimes easy to define, but difficult to implement (like in Method II case). • Detection is almost impossible for a certain channels based on such approach. • Non-statistical properties use “difficult” (almost NP-hard) properties to define pattern.
The End Thanks for your time I hope you enjoyed the lecture