1 / 38

PHY Covert Channels: Can you see the Idles?

첩자. PHY Covert Channels: Can you see the Idles?. Ki Suh Lee Cornell University Joint work with Han Wang, and Hakim Weatherspoon. Chupja. 첩자 ( chupja ). Network Covert Channels. Hiding information Through communication not intended for data transfer. Network Covert Channels.

taffy
Download Presentation

PHY Covert Channels: Can you see the Idles?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 첩자 PHY Covert Channels:Can you see the Idles? Ki Suh Lee Cornell University Joint work with Han Wang, and Hakim Weatherspoon Chupja

  2. 첩자 (chupja)

  3. Network Covert Channels • Hiding information • Through communication not intended for data transfer

  4. Network Covert Channels • Hiding information • Through communication not intended for data transfer • Using legitimate packets (Overt channel) • Storage Channels: Packet headers • Timing Channels: Arrival times of packets

  5. Network Covert Channels • Hiding information • Through communication not intended for data transfer • Using legitimate packets (Overt channel) • Storage Channels: Packet headers • Timing Channels: Arrival timesof packets

  6. Goals of Covert Channels • Bandwidth • How much information can be delivered in a second • Robustness • How much information can be delivered without loss / error • Undetectability • How well communication is hidden

  7. Goals of Covert Channels Application • Bandwidth • How much information can be delivered in a second • 10~100s bits per second • Robustness • How much information can be delivered without loss / error • Cabuk’04, Shah’06 • Undetectability • How well communication is hidden • Liu’09, Liu’10 Transport Network Data Link Physical

  8. Current network covert channels are implemented in L3~4 (TCP/IP) layers and are extremelyslow.

  9. Chupja: PHY Covert Channel Application • Bandwidth • How much information can be delivered in a second • 10~100s bits per second • Robustness • How much information can be delivered without loss / error • Bit Error Rate < 10% • Undetectability • How well communication is hidden • Invisible to detection software Transport Network -> 10s~100s Kilo bits per second Data Link Physical Physical

  10. Chupja is a network covert channel which isfaster than priori art. It is implemented in L1 (PHY), robust and virtually invisible to software.

  11. Outline • Introduction • Design • Evaluation • Conclusion

  12. Outline • Introduction • Design • Threat Model • 10 Gigabit Ethernet • Evaluation • Conclusion

  13. Threat Model Application Application Application Application Passive Adversary Transport Transport Transport Transport Commodity Server Commodity NIC Network Network Network Network Data Link Data Link Data Link Data Link Physical Physical Physical Physical Sender Receiver

  14. 10 Gigabit Ethernet Application • Idle Characters (/I/) • Each bit is ~100 picosecond wide • 7~8 bit special character in the physical layer • 700~800 picoseconds to transmit • Only in PHY Transport Network Packet i Packet i+1 Packet i+2 Data Link Physical

  15. Terminology • Interpacket delays (D) and gaps (G) • Homogeneous packet stream • Same packet size, • Same IPD (IPG), • Same destination IPG Packet i Packet i+1 IPD Packet i Packet i+1 Packet i+2

  16. Chupja: Design • Homogeneous stream • Sender • Receiver Gi G - Ɛ G Gi+1 G + Ɛ G Packet i Packet i Packet i Packet i+2 Packet i+2 Packet i+2 ‘0’ IPG ‘0’ Packet i+1 Packet i+1 Packet i+1 ‘1’ ‘1’ IPG D Di D - Ɛ D Di+1 D + Ɛ

  17. Chupja: Design • With shared G • Encoding ‘1’: Gi = G + ε • Encoding ‘0’: Gi = G - ε G - Ɛ G + Ɛ Packet i Packet i+2 ‘0’ Packet i+1 ‘1’ D - Ɛ D + Ɛ

  18. Implementation Application • SoNIC[NSDI ’13] • Software-defined Network Interface Card • Allows control and access every bit of PHY • In realtime, and in software • 50 lines of C code addition Transport Network Data Link Physical

  19. Outline • Introduction • Design • Evaluation • Bandwidth • Robustness • Undetectability • Conclusion

  20. Evaluation • What is the bandwidth of Chupja? • How robust is Chupja? • Why is Chupja robust? • How undetectable is Chupja?

  21. What is the bandwidth of Chupja?

  22. Evaluation: Bandwidth • Covert bandwidth equals to packet rateof overt channel 1518B 1Gbps 81kbps

  23. How robust is Chupja?

  24. Evaluation Setup • National Lambda Rail • Nine routing hops • Average RTT: 67.6ms • 1~2 Gbps External Traffic • Small Network • Six commercial switches • Average RTT: 0.154 ms Chicaco Boston SW1 SW1 Cleveland SW2 SW2 SW3 SW4 Cornell (NYC) NLR (NYC) Sender Sender Receiver Receiver Cornell (Ithaca)

  25. Evaluation: Robustness • Overt Channel at 1 Gbps (D = 12211ns, G=13738 /I/s) • Covert Channel at 81 kbps 8.9% 7.7% 2.8% ? Sender Receiver

  26. Evaluation: Robustness • Overt Channel at 1 Gbps (D = 12211ns, G=13738 /I/s) • Covert Channel at 81 kbps • Modulating IPGS at 1.6us scale (=2048 /I/s) 8.9% 7.7% 2.8% ? Sender Receiver

  27. Why is Chupja robust?

  28. Evaluation: Why? • Switches do not add significant perturbations to IPDs • Switches treat ‘1’s and ‘0’s as uncorrelated • Over multiple hops when there is no external traffic. • With external traffic

  29. Evaluation: Why? • Switches do not add significant perturbations to IPDs • Switches treat ‘1’s and ‘0’s as uncorrelated • Over multiple hops when there is no external traffic. • With external traffic Homogeneous 1518B at 1 Gbps Chupja(Ɛ = 256/I/s) 1518B at 1 Gbps Sender Sender Receiver Receiver

  30. Evaluation: Why? • Switches do not add significant perturbations to IPDs • Switches treat encoded ‘0’ and ‘1’ as uncorrelated • Over multiple hops when there is no external traffic. 15 hop 12 hop 9 hop 1 hop 3 hop 6 hop 12 hop 15 hop 9 hop 6 hop 1 hop 3 hop 90% in D - Ɛ ± 250ns 90% in D ± 250ns D - Ɛ D + Ɛ 90% in D – Ɛ ± 100ns 90% in D ± 100ns Homogeneous stream Chupja stream ( Ɛ=256/I/s )

  31. Evaluation: Why? • Most of IPDs are within some range from original IPD • Even when there is external traffic. Encoded ‘Zero’ Encoded ‘One’ Chicaco Boston Cleveland Cornell (NYC) NLR (NYC) Cornell (Ithaca) Sender Receiver

  32. Evaluation: Why? • Switches do not add significant perturbations to IPDs • Switches treat ‘1’s and ‘0’s as uncorrelated • Over multiple hops when there is no external traffic. • With external traffic With sufficiently large Ɛ, the interpacket spacing holds throughout the network, and BER is less than 10% ? 1518B at 1 Gbps Sender Receiver

  33. How undetectable is Chupja?

  34. Evaluation: Detection Setup • Commodity server with 10G NIC • Kernel timestamping NLR NLR Kernel timestamping SoNICtimestamping Sender Sender Receiver Receiver

  35. Evaluation: Detection • Adversary cannot detect patterns of Chupja Ɛ = 1024 Ɛ = 1024 Ɛ = 4096 Ɛ = 4096 Kernel Timestamping SoNICTimestamping

  36. Evaluation: Summary • What is the bandwidth of Chupja? • 10s~100s Kilo bits per second • How robust is Chupja? • BER < 10% over NLR • Why is Chupja robust? • Sufficiently large Ɛ holds throughout the network • How undetectable is Chupja? • Invisible to software

  37. Conclusion 첩자 • Chupja: PHY covert channel • High-bandwidth, robust, and undetectable • Based on understanding of network devices • Perturbations from switches • Inaccurate endhosttimestamping • http://sonic.cs.cornell.edu & GENI (ExoGENI)!!!

  38. Thank you

More Related