Crafting Web Counters into Covert Channels - PowerPoint PPT Presentation
The Hong Kong Polytechnic University (transcript and presenter's notes, 35 slides)

1
Crafting Web Counters into Covert Channels
  • Xiapu Luo, Edmond W. W. Chan, and Rocky K. C.
    Chang
  • IFIP SEC 2007
  • 16 MAY 2007

2
Introduction
  • Network Covert Channels
  • Allow two hosts to hide their communication from
    others by modulating fields in various protocols
    or the timing relationships between packets
  • E.g. conceal the existence of malicious
    activity among compromised hosts, bypass
    censorship
  • Complement to cryptography, which conceals
    the content of messages rather than their existence

3
Our Problem
  • Encoder leaks information to Decoder.
  • Encoder sends modulated traffic to Server without
    exposing Decoder's location
  • Assumption: Decoder can eavesdrop on the path
    between Encoder and Server. (Is this always
    feasible?)
  • Our idea: relay covert messages through a shared
    object on the Internet that can be read and
    written by both Encoder and Decoder

4
Contributions
  • Propose a new network covert channel called
    WebShare
  • Employ plentiful and publicly available Web
    counters as the shared object
  • Manipulation of the counters can be as simple as
    reloading a Web page.
  • Freely locate Decoder as long as it can access
    the Web counters used for the covert
    communication

5
Outline
  • Introduction
  • Related work
  • WebShare
  • Evaluation
  • Conclusion

6
Related Work
  • Network covert channels are broadly classified
    into storage channels and timing channels
    [Gligor93].
  • Storage Channels
  • Embed information in, e.g.,
  • IP header fields [Rowland97, Ahsan02, Danezis06]
  • TCP header fields [Rowland97, Giffen02]
  • Application protocols like DNS [Heinz05] and HTTP
    [Bauer03]
  • Easily defeated by active wardens (network
    normalizers and protocol scrubbers) or by observing
    statistical anomalies in header fields
  • Timing Channels
  • Manipulate the timing relationship among packets,
    e.g., the IP timing channel [Cabuk04]
  • Arrival of IP packets in an interval: message bit 1
  • Absence of IP packets in an interval: message bit 0
  • Require synchronization between Encoder and
    Decoder
  • Affected by packet loss, reordering, delay and
    jitter

7
Outline
  • Introduction
  • Related work
  • WebShare
  • Evaluation
  • Conclusion

8
WebShare: The Basic Idea
[Figure: Encoder sends Message 1; the Web counter advances from 1 to 3 (Web counter 0..3 shown). Decoder reads: Current counter = 3, Previous counter = 1 → Message 1]
9
WebShare: The Kernel
  • Let
  • T0: agreed start time
  • VEi: number of HTTP requests sent by Encoder
    during the i-th TE
  • VWi: the counter's value at the end of the i-th TE
  • Encoder and Decoder alternate between the following
    two periods
  • Encoding period TE
  • Decoding period TD
  • During the i-th TE, Encoder sends VEi requests to
    transmit bit 1, and sends none for bit 0.
  • During the i-th TD, Decoder fetches the current Web
    counter value VWi and compares it with the
    previous one to decode the message bit.

10
Design Issues of WebShare
  • Web counter selection
  • Handling noise introduced by legitimate visitors
  • Effect of time synchronization on Encoder and
    Decoder
  • Bit rate improvement
  • Reducing vulnerability of being detected while
    repeatedly using the same Web counter

11
Web Counter Selection
  • Found through search engines using hints like
    "visitors" and "guests"
  • Using a wildcard search on search engines, e.g.
    "the 1 .. 1000 visitors"
  • Some web counters use a series of images or even
    a single image to represent the value.
  • Some web counters do not increase their value on
    sequential hits from the same IP address
  • Still usable, but this limits the resulting channel
    throughput

12
Noise Handling
  • Noise can be introduced by other legitimate
    visitors to the web site.
  • Not sufficient to simply send 0 or 1 HTTP request
    for encoding
  • Decoder sets a high enough threshold Q such that
  • Increased value ≥ Q → Bit 1
  • Increased value < Q → Bit 0
  • Prudent to send more than Q HTTP requests when
    encoding bit 1, to account for possible loss of
    requests
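From the warden's side, the same threshold logic gives a server-side indicator: an encoder leaves each TE + TD window of the access log either empty or holding at least Q hits, whereas a casual visitor rarely reaches Q. The check below is an added example, not code from the paper; the log lines, the client addresses and the window/threshold parameters are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache-style access log (not from the paper). 203.0.113.7 plays a
# WebShare encoder with TE = TD = 1 s, Q = 2, VEi = 3 sending bits 1,0,1,1;
# 198.51.100.9 is an ordinary visitor reloading the page now and then.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2007:10:00:00 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:00 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:00 +0000] "GET /counter.cgi HTTP/1.1" 200 43
198.51.100.9 - - [16/May/2007:10:00:01 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:04 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:04 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:04 +0000] "GET /counter.cgi HTTP/1.1" 200 43
198.51.100.9 - - [16/May/2007:10:00:05 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:06 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:06 +0000] "GET /counter.cgi HTTP/1.1" 200 43
203.0.113.7 - - [16/May/2007:10:00:06 +0000] "GET /counter.cgi HTTP/1.1" 200 43
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')

def parse_log(text):
    """Return {client_ip: sorted request times in epoch seconds}."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m.group("ip")].append(ts.timestamp())
    return {ip: sorted(t) for ip, t in by_ip.items()}

def webshare_indicator(times, period, q, min_bursts=3):
    """Bin one client's requests into windows of `period` = TE + TD seconds,
    aligned to its first request. A WebShare encoder leaves each window either
    empty (bit 0) or holding >= q requests (bit 1), so the fraction of non-empty
    windows that reach q is close to 1. Returns 0.0 when fewer than
    `min_bursts` windows reach q (too little evidence to call it a channel)."""
    counts = Counter(int((t - times[0]) // period) for t in times)
    full = sum(1 for c in counts.values() if c >= q)
    return full / len(counts) if full >= min_bursts else 0.0

def suspicious_clients(text, period=2.0, q=2, threshold=0.9):
    """Map client IP -> indicator for clients scoring at or above `threshold`."""
    scores = {ip: webshare_indicator(t, period, q) for ip, t in parse_log(text).items()}
    return {ip: s for ip, s in scores.items() if s >= threshold}
```

In practice the period is unknown to the warden, so the indicator would be evaluated over a small grid of candidate TE + TD values.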

13
Noise Handling - Formal Analysis
  • Let
  • λ: Encoder's average request sending rate
  • μ: legitimate visitors' average request arrival
    rate
  • Ploss: probability of losing an Encoder request
  • Assume that Encoder transmits HTTP requests at
    the constant rate λ.
  • To decode correctly, the following must be
    satisfied
  • (TE + TD)·μ < Q → bit 0
  • (TE + TD)·μ + TE·(1 − Ploss)·λ ≥ Q → bit 1
  • Encoder could instead dispatch all requests at the
    beginning of each encoding period TE rather than
    at the constant rate λ.

14
Mitigating the Effect of Desynchronization
  • WebShare requires only loose time
    synchronization.
  • Let
  • Δe (Δd): time difference between Encoder's
    (Decoder's) local time and the start time T0
  • ΔTi = Δe − Δd
  • Assume that Encoder transmits VEi requests at the
    constant rate λ.
  • Upper limit of desynchronization
  • ΔTi should be less than min{TE, TD} in order not
    to affect adjacent decoded values.

15
Mitigating the Effect of Desynchronization
  • Consider two extreme cases where ΔTi = Δe − Δd
    and ΔTi is less than min{TE, TD}
  • Case 1: Δe < 0 < Δd
  • Case 2: Δd < 0 < Δe

16
Mitigating the Effect of Desynchronization
  • Case 1: Δe < 0 < Δd
  • Encoder starts earlier than Decoder expects.
  • Each TE is sandwiched between two consecutive
    decoding epochs.
  • E.g. although the VE1 requests are dispatched before
    T0 + Δd, their effect is still registered as the
    increased value VW1 − VW0 at the first decoding
    epoch.

17
Mitigating the Effect of Desynchronization
  • Case 2: Δd < 0 < Δe
  • Decoder might register part δ of the current counter
    increase in the next decoding value
  • δ = ΔTi·(1 − Ploss)·λ
  • Consider the four possible bit sequences (0,0),
    (0,1), (1,1), (1,0), and the effect on decoding
    the latter bit of each sequence
  • We can adjust λ and Q to mitigate the effect of
    desynchronization.

18
Mitigating the Effect of Desynchronization
  • Case 2: Δd < 0 < Δe
  • δ = ΔTi·(1 − Ploss)·λ
  • Bit sequence (0,1)
  • VE0 → message bit 0 and VE1 → message bit 1
  • Encoder did not dispatch any request during
    the VE0 period
  • δ requests are registered in the 2nd decoding
    value.
  • To decode the latter bit 1 correctly from the 1st
    decoding value,
  • (TE + TD)·μ + TE·(1 − Ploss)·λ − δ ≥ Q must be
    satisfied.

19
Increasing the Bit Rate
  • Bit rate is limited by how frequently the Web
    counter's value can be increased.
  • Several approaches to increase the bit rate
  • Use VEi parallel HTTP connections to update the
    Web counter, each of which carries only one
    request
  • Encode multiple bits in parallel with a set of
    ordered Web counters: Encoder sends one bit of
    information to each Web counter
  • Use multilevel quantization, e.g. uniform
    quantization
  • Partition the counter's increase into M intervals
  • Each interval has size Q
  • Decode as i if the increased value falls into the
    interval [iQ, (i+1)Q), for 0 ≤ i < M−1, and as
    M−1 if it is larger than (M−1)Q

20
Site-hopping
  • Repeatedly using a fixed set of Web counters
    increases the risk of being detected.
  • Propose a new approach called Site-hopping to
    change the set of Web counters dynamically
  • Similar to frequency hopping in spread-spectrum
    communication.
  • E.g. Encoder and Decoder can alternate between two
    non-overlapping sets of Web counters.
  • Site-hopping also helps increase the channel's
    bit rate.
  • If any two consecutive sets of counters do not
    overlap, it is possible to parallelize the
    encoding and decoding operations.

21
Site-hopping
  • Two design issues
  • How to ensure that any two adjacent sets of Web
    counters do not overlap? (Non-overlapping
    requirement)
  • How to let both Encoder and Decoder agree on the
    same set and order of Web counters? (Same-order
    requirement)
  • To minimize additional overhead, we prefer not to
    use the covert channel itself to communicate this
    information.

22
Site-hopping - Non-overlapping Requirement
  • Assume that Encoder is sending S bits in parallel
  • Therefore, each set contains S Web counters.
  • Encoder and Decoder agree on a list of N >> S Web
    counters.
  • Partition the N Web counters into two groups with
    N1 = L·S and N2 > S
  • With a given order of the N1 Web counters, we are
    ready to send L S-bit messages in a
    non-overlapping fashion.
  • After sending the first L messages, we could
    consider a different order of the N1 Web
    counters and perform the same steps.
  • However, the last set of S counters for the current L
    S-bit messages may overlap with the first set of
    S counters for the next!
  • Insert S counters chosen from N2 between the two
    sets

23
Site-hopping - Same Order Requirement
  • There are NP = N1! ways to permute the
    N1 counters, and NC = N2!/(N2 − S)! ways to
    choose and order S counters from N2.
  • Given a pre-shared key K0, Encoder and Decoder
    can easily derive the same indices for the
    permutations (IP,i) and combinations (IC,i)
  • IP,i = HashP(Ki) and IC,i = HashC(Ki)
  • Ki+1 = IP,i XOR IC,i
  • HashP() and HashC() are good hash functions
    that output pseudo-random values in the ranges
    [1, NP] and [1, NC], respectively.
  • Apply existing unranking algorithms from the
    field of enumerative combinatorics to map the
    indices uniquely to a specific permutation and
    combination.

24
Outline
  • Introduction
  • Related work
  • WebShare
  • Evaluation
  • Conclusion

25
Evaluation Setup
  • Prototype WebShare encoder and decoder in Perl
    5 under Linux 2.6.8
  • Encoder and Decoder are located in our campus
    network.
  • Both obtain a similar round-trip time to
    each Web counter.
  • Use NTP to synchronize Encoder's and
    Decoder's clocks

26
The Choice of Q
  • Unavoidable noise from legitimate visitors
    directly affects the choice of Q.
  • Randomly select 220 Web counters located at ten
    different geographical locations
  • Query each counter's value every hour for a
    week.
  • Evaluate the average legitimate request rate μ in
    requests/second.
  • Over 95% of the measured Web counters have an
    average request rate smaller than 0.01.
  • All the counters' average request rates are no
    greater than 0.08.
  • Choose Q = 2 for the following experiments to
    mitigate noise-induced errors

27
Distribution of Web Counters' Write Times
  • A write time is the duration between a host's
    start of a TCP 3-way handshake with a web server
    and its reception of the counter's value.
  • Affects the channel's bit rate and accuracy, and
    the lengths of TE and TD
  • Measure write times for seven randomly selected
    Web counters out of the 220

28
Distribution of Web Counters' Write Times
  • Mean write times for all the counters are smaller
    than 2 seconds, while individual write times vary
    widely, from 0.1 s to 82.7 s
  • Variations of the write times for some Web
    counters are much larger than for the others.

29
Choices of TE and TD
  • Study the relationship between the server's write
    time and the choice of TE and TD
  • Measure the Bit Error Rate (BER) of WebShare
    obtained from the seven Web counters under various
    settings of TE and TD, with Q = 2 and VEi = 3
  • BER is calculated in terms of Hamming distance.

30
Choices of TE and TD
  • When TE = TD = 1 s, WebShare performs very well
    for JP, HK, and SE, with BERs less than 3%
  • Verified that the errors are mainly due to
    background legitimate requests and dropping of
    Encoder's or Decoder's requests

31
Choices of TE and TD
  • WebShare shows poorer performance for SG, AU, US,
    and RU
  • Those sites exhibit very high variation in write
    times, or their mean write times are greater than
    TE or TD

32
Choices of TE and TD
  • A higher BER is more likely when TD < TE,
    while a small TE has less impact on channel
    performance.
  • A small TD is prone to higher interference
    from Encoder's next counter update.
  • Even for a small TE, the web server can still
    answer Decoder's request with the current
    counter value as long as TD is long enough.

33
Conclusion
  • Propose a network storage channel using Web
    counters to relay covert messages
  • Requires only loose synchronization between
    Encoder and Decoder
  • Allows a Decoder located anywhere to read the
    covert messages as long as the Web counters are
    accessible
  • Design various schemes to increase channel
    capacity and to further camouflage WebShare
  • Future work
  • Extend WebShare to support covert communication
    among multiple encoders and multiple decoders

34
Q & A
Thanks
35
Backup Slides
36
WebShare: The Basic Idea
[Figure: Encoder sends Message 0; the Web counter advances only from 1 to 2 through legitimate visits (Web counter 0..2 shown). Decoder reads: Current counter = 2, Previous counter = 1 → Message 0]
37
Performance Gain of the Site-hopping Approach
  • BERs versus different set sizes S of Web counters
    for site-hopping
  • Site-hopping can increase WebShare's accuracy
  • All measured BERs are no greater than 1% when
    TE = 1 s
  • Observe a significant channel throughput
    improvement
  • 57.816 bit/s with site-hopping, compared with
    0.789 bit/s without site-hopping