A Covert Channel Using Named Resources

A network covert channel is created that uses resource names such as addresses to convey information, and that approximates typical user behavior in order to blend in with its environment. The channel correlates available resource names with a user defined code-space, and transmits its covert message by selectively accessing resources associated with the message codes. In this paper we focus on an implementation of the channel using the Hypertext Transfer Protocol (HTTP) with Uniform Resource Locators (URLs) as the message names, though the system can be used in conjunction with a variety of protocols. The covert channel does not modify expected protocol structure as might be detected by simple inspection, and our HTTP implementation emulates transaction level web user behavior in order to avoid detection by statistical or behavioral analysis.Comment: 9 page

A Wireless Covert Channel Based on Constellation Shaping Modulation

Wireless covert channel is an emerging covert communication technique which conceals the very existence of secret information in wireless signal including GSM, CDMA, and LTE. The secret message bits are always modulated into artificial noise superposed with cover signal, which is then demodulated with the shared codebook at the receiver. In this paper, we first extend the traditional KS test and regularity test in covert timing channel detection into wireless covert channel, which can be used to reveal the very existence of secret data in wireless covert channel from the aspect of multiorder statistics. In order to improve the undetectability, a wireless covert channel for OFDM-based communication system based on constellation shaping modulation is proposed, which generates additional constellation points around the standard points in normal constellations. The carrier signal is then modulated with the dirty constellation and the secret message bits are represented by the selection mode of the additional constellation points; shaping modulation is employed to keep the distribution of constellation errors unchanged. Experimental results show that the proposed wireless covert channel scheme can resist various statistical detections. The communication reliability under typical interference is also proved

Covert Timing Channel Analysis Either as Cyber Attacks or Confidential Applications

Covert timing channels are an important alternative for transmitting information in the world of the Internet of Things (IoT). In covert timing channels data are encoded in inter-arrival times between consecutive packets based on modifying the transmission time of legitimate traffic. Typically, the modification of time takes place by delaying the transmitted packets on the sender side. A key aspect in covert timing channels is to find the threshold of packet delay that can accurately distinguish covert traffic from legitimate traffic. Based on that we can assess the level of dangerous of security threats or the quality of transferred sensitive information secretly. In this paper, we study the inter-arrival time behavior of covert timing channels in two different network configurations based on statistical metrics, in addition we investigate the packet delaying threshold value. Our experiments show that the threshold is approximately equal to or greater than double the mean of legitimate inter-arrival times. In this case covert timing channels become detectable as strong anomalies

Information Hiding in the DICOM Message Service and Upper Layer Service with Entropy-Based Detection

The DICOM (Digital Imaging and COmmunication in Medicine) standard provides a framework for a diagnostically-accurate representation, processing, transfer, storage and display of medical imaging data. Information hiding in DICOM is currently limited to the application of digital media steganography and watermarking techniques on the media parts of DICOM files, as well as text steganographic techniques for embedding information in metadata of DICOM files. To improve the overall security of the DICOM standard, we investigate its susceptibility to network steganographic techniques. To this aim, we develop several network covert channels that can be created by using a specific transport mechanism – the DICOM Message Service and Upper Layer Service. The bandwidth, undetectability and robustness of the proposed covert channels are evaluated, and potential countermeasures are suggested. Moreover, a detection mechanism leveraging entropy-based metrics is introduced and its performance has been assessed

Network covert channels on the Android platform

Network covert channels are used to exfiltrate information from a secured environment in a way that is extremely difficult to detect or prevent. These secret channels have been identified as an important security threat to governments and the private sector, and several research efforts have focused on the design, detection, and prevention of such channels in enterprise-type environments. Mobile devices have become a ubiquitous computing platform, and are storing or have access to an increasingly large amount of sensitive information. As such, these devices have become prime targets of attackers who desire access to this information. In this work, we explore the implementation of network covert channels on the Google Android mobile platform. Our work shows that covert communication channels can be successfully implemented on the Android platform to allow data to be leaked from these devices in a manner that hides the fact that subversive communication is taking place

Análise de canais laterais de tempo em tradutores dinâmicos de binários

Orientadores: Edson Borin, Diego de Freitas AranhaDissertação (mestrado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: Ataques de canais laterais são um importante problema para os algoritmos criptográficos. Se o tempo de execução de uma implementação depende de uma informação secreta, um adversário pode recuperar a mesma através da medição de seu tempo. Diferentes abordagens surgiram recentemente para explorar o vazamento de informações em implementações criptográficas e para protegê-las contra esses ataques. Para tanto, a criptografia em tempo constante é uma pratica amplamente adotada visando descorrelacionar a dependencia entre um dado secreto e suas amostras de tempo. Apesar das contra-medidas serem eficazes para garantir execução dos algoritmos em um sistema evitando canais laterais de tempo, emuladores podem modificar e reintroduzir pontos de vazamento durante sua execução. Trabalhos recentes discutem os impactos dos compiladores Just-In-Time (JIT) de linguagens de alto nível no vazamento de informações a partir do tempo de execução. Entretanto, pouco foi dito sobre a emulação entre ISAs e seu impacto em vazamentos de tempo. Neste trabalho, nós investigamos o impacto de emuladores (tradutores dinâmicos de binários) entre ISAs na propriedade de tempo constante de implementações criptográficas. Utilizando métodos estatísticos e rotinas criptográficas validas, nós afirmamos a viabilidade de vazamentos de tempo em códigos gerados por tradutores dinâmicos de binários, usando diferentes técnicas de formação de regiões. Nós mostramos que a emulação pode ter um impacto significante, inserindo construções de tempo não constante durante sua tradução, levando a vazamentos de tempo significantes. Esses vazamentos podem ser observados em tradutores dinâmicos como o QEMU e o HQEMU durante a emulação de rotinas de bibliotecas criptográficas conhecidas, como a mbedTLS e podem ser rapidamente verificados. Por fim, para garantir a propriedade de tempo constante nós propusemos um modelo de mitigação para tradutores dinâmicos de binários baseado em transformações de compiladores, mitigando os canais laterais inseridosAbstract: Timing side-channel attacks are an important issue for cryptographic algorithms. If the execution time of an implementation depends on secret information, an adversary may recover the latter through measuring the former. Different approaches have recently emerged to exploit information leakage on cryptographic implementations and to protect them against these attacks. Therefore, implementation of constant-time cryptography is a widely adopted practice aiming to decorrelate the dependency between a secret data and its timing samples. Despite the countermeasures are effective to guarantee the execution of algorithms in a system by avoiding timing side-channels, emulators can modify and reintroduce leakage points during their execution. Recent works discusses the impact of high level language Just-In-Time (JIT) compilers in leakages through execution time. However, little has been said about Cross-ISA emulation through DBT and its impact on timing leakages. In this work, we investigate the impact of emulators (dynamic binary translators) on constant-time property of cryptographic implementations. By using statistical methods and cryptographic routines we asserted the feasibility of timing leaks in codes generated by a dynamic binary translator, even using different Region Formation Techniques. We show that the emulation may have a significant impact by inserting non constant-time constructions during its translations, leading to a significant timing leakage. This leakage is observed in dynamic binary translation systems such as QEMU and HQEMU when emulating routines from known cryptographic libraries, such mbedTLS and can be quickly verified. Finally, to guarantee the constant-time property we implemented a compiler transformation based on the if-conversion transformation in the dynamic binary translators, mitigating the inserted timing side-channelsMestradoCiência da ComputaçãoMestre em Ciência da Computação2014/50704-7FAPES

Application of information theory and statistical learning to anomaly detection

In today\u27s highly networked world, computer intrusions and other attacks area constant threat. The detection of such attacks, especially attacks that are new or previously unknown, is important to secure networks and computers. A major focus of current research efforts in this area is on anomaly detection.;In this dissertation, we explore applications of information theory and statistical learning to anomaly detection. Specifically, we look at two difficult detection problems in network and system security, (1) detecting covert channels, and (2) determining if a user is a human or bot. We link both of these problems to entropy, a measure of randomness information content, or complexity, a concept that is central to information theory. The behavior of bots is low in entropy when tasks are rigidly repeated or high in entropy when behavior is pseudo-random. In contrast, human behavior is complex and medium in entropy. Similarly, covert channels either create regularity, resulting in low entropy, or encode extra information, resulting in high entropy. Meanwhile, legitimate traffic is characterized by complex interdependencies and moderate entropy. In addition, we utilize statistical learning algorithms, Bayesian learning, neural networks, and maximum likelihood estimation, in both modeling and detecting of covert channels and bots.;Our results using entropy and statistical learning techniques are excellent. By using entropy to detect covert channels, we detected three different covert timing channels that were not detected by previous detection methods. Then, using entropy and Bayesian learning to detect chat bots, we detected 100% of chat bots with a false positive rate of only 0.05% in over 1400 hours of chat traces. Lastly, using neural networks and the idea of human observational proofs to detect game bots, we detected 99.8% of game bots with no false positives in 95 hours of traces. Our work shows that a combination of entropy measures and statistical learning algorithms is a powerful and highly effective tool for anomaly detection

Behavioral Mimicry Covert Communication

Covert communication refers to the process of communicating data through a channel that is neither designed, nor intended to transfer information. Traditionally, covert channels are considered as security threats in computer systems and a great deal of attention has been given to countermeasures for covert communication schemes. The evolution of computer networks led the communication community to revisit the concept of covert communication not only as a security threat but also as an alternative way of providing security and privacy to communication networks. In fact, the heterogeneous structure of computer networks and the diversity of communication protocols provide an appealing setting for covert channels. This dissertation is an exploration on a novel design methodology for undetectable and robust covert channels in communication networks. Our new design methodology is based on the concept of behavioral mimicry in computer systems. The objective is to design a covert transmitter that has enough degrees of freedom to behave like an ordinary transmitter and react normally to unpredictable network events, yet it has the ability to modulate a covert message over its behavioral fingerprints in the network. To this end, we argue that the inherent randomness in communication protocols and network environments is the key in finding the proper medium for network covert channels. We present a few examples on how random behaviors in communication protocols lead to discovery of suitable shared resources for covert channels. The proposed design methodology is tested on two new covert communication schemes, one is designed for wireless networks and the other one is optimized for public communication networks (e.g., Internet). Each design is accompanied by a comprehensive analysis from undetectability, achievable covert rate and reliability perspectives. In particular, we introduced turbo covert channels, a family of extremely robust model-based timing covert channels that achieve provable polynomial undetectability in public communication networks. This means that the covert channel is undetectable against any polynomial-time statistical test that analyzes samples of the covert traffic and the legitimate traffic of the network. Target applications for the proposed covert communication schemes are discussed including detailed practical scenarios in which the proposed channels can be implemented