
Covert channels in TCP/IP: attack and defence


If you have a question about this talk, please contact Saar Drimer.

This talk will show how idiosyncrasies in TCP/IP implementations can be used to reveal the use of several steganography schemes, and how they can be fixed. The analysis can even be extended to remotely identify the physical machine being used.

A number of steganography techniques have been designed to insert a covert channel into seemingly random TCP/IP fields, such as the IP ID, the TCP initial sequence number (ISN) or the least significant bits of the TCP timestamp. While compliant with the TCP/IP specification, their output is unlike what an unmodified operating system would generate. This talk will show how, by taking into account the implementation of the TCP/IP stack, a number of such specification-based steganography schemes can be broken. This includes Nushu, an ISN-based scheme presented at 21C3.

Firstly, the talk will introduce the field of covert channels and TCP/IP steganography in particular, giving an overview of the steganographic potential of different fields in the protocol. This will show that only the IP ID and TCP ISN can plausibly be used for steganography. The talk will then describe how these fields are generated, and how steganography schemes which do not properly take these generation algorithms into account can be detected.

The talk will then present improved TCP/IP steganography schemes for Linux and OpenBSD which, by deriving a reversible transformation from the standard TCP/IP stacks' implementation, yield a covert channel that is much harder to detect. Such a scheme can be shown to be as strong as the underlying encryption when attacked by an adversary monitoring packet content.

Finally, a side effect of the steganography detection system is to reveal microsecond-level deviations in the clock speed of the device being monitored. Clock skew varies from computer to computer and so can act as a fingerprint of a particular physical device. This talk will show how this fact can be used to track physical devices across the Internet, and how the use of TCP ISNs can improve over schemes based on TCP timestamps.
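The clock-skew fingerprinting described above, illustrated by an added example that is not code from the talk or its authors: it estimates a sender's clock skew from the TCP timestamp option by fitting a line to the drift between the sender's clock and the observer's clock, then compares two constructed hosts. The traces are constructed inline (no real captures), and the 1000 Hz timestamp tick rate, the 20 ms base delay and the 5 ms jitter bound are assumptions. The ISN-based refinement the abstract mentions is not shown, since the abstract does not describe how it works.

```python
"""Estimate a remote host's clock skew from TCP timestamp observations.

Added example, not from the talk. Idea: a host's TCP timestamp clock (TSval)
advances at its own rate; compared against the observer's clock, a host whose
clock is fast by s ppm gains s microseconds per second, and that rate is a
stable, per-device quantity.
"""
import random
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

TS_HZ = 1000.0  # ASSUMED tick rate of the remote stack's timestamp clock


@dataclass(frozen=True)
class Observation:
    recv_time: float  # observer's clock at packet arrival (seconds)
    tsval: int        # TSval from the packet's TCP timestamp option


def offset_series(obs: Iterable[Observation], hz: float = TS_HZ) -> List[Tuple[float, float]]:
    """Turn observations into (x, y) points.

    x: seconds elapsed on the observer's clock since the first packet
    y: seconds the sender's clock has gained on the observer's over that span
    A perfect sender clock gives a flat y (plus network jitter); a clock that
    runs fast by s ppm gives a line of slope s * 1e-6.
    """
    ordered = sorted(obs, key=lambda o: o.recv_time)
    t0, v0 = ordered[0].recv_time, ordered[0].tsval
    points = []
    for o in ordered:
        x = o.recv_time - t0
        ticks = (o.tsval - v0) % (1 << 32)  # TSval is an unsigned 32-bit counter
        sender_elapsed = ticks / hz
        points.append((x, sender_elapsed - x))
    return points


def fit_slope(points: Sequence[Tuple[float, float]]) -> float:
    """Ordinary least-squares slope of y against x."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    return sxy / sxx


def estimate_skew_ppm(obs: Iterable[Observation], hz: float = TS_HZ) -> float:
    """Skew of the sender's clock relative to the observer's, in ppm."""
    return fit_slope(offset_series(obs, hz)) * 1e6


def synthesize_trace(true_skew_ppm: float, seed: int, n: int = 600,
                     period: float = 1.0, hz: float = TS_HZ) -> List[Observation]:
    """CONSTRUCTED trace (not a real capture): one packet every `period` s from
    a host whose clock is fast by `true_skew_ppm`, delivered after a 20 ms base
    delay plus up to 5 ms of one-sided jitter (seeded for reproducibility)."""
    rng = random.Random(seed)
    trace = []
    for i in range(n):
        true_time = i * period
        sender_clock = true_time * (1 + true_skew_ppm * 1e-6)
        tsval = int(round(sender_clock * hz))
        delay = 0.020 + rng.uniform(0.0, 0.005)
        trace.append(Observation(recv_time=true_time + delay, tsval=tsval))
    return trace


if __name__ == "__main__":
    # Two hypothetical hosts with different crystals yield different estimates.
    for name, skew, seed in (("host-A", 50.0, 1), ("host-B", -120.0, 2)):
        est = estimate_skew_ppm(synthesize_trace(skew, seed))
        print(f"{name}: true {skew:+.0f} ppm, estimated {est:+.1f} ppm")
```

Least squares is used here for brevity; because network delay can only add to arrival time, the jitter is one-sided, and a lower linear envelope fitted to the offset points is the more robust choice on real traces. Tens of ppm separate ordinary machines, so with a few hundred packets the estimate is already far tighter than the spread between devices.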

This work was done in conjunction with Stephen Lewis.

This talk is part of the Computer Laboratory Security Seminar series.


© 2006-2014 Talks.cam, University of Cambridge.