Covert Channel in the Bittorrent Tracker Protocol Joseph Desimone Rochester Institute of Technology
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Covert Channel Capacity
COVERT CHANNEL CAPACITY Jonathan K. Millen The MITRE Corporation Bedford, MA 01730 Techniques for detecting covert channels are Some models are aimed at defining information based on information flow models. This paper flow exactly, with necessary and sufficient conditions. establishes a connection between Shannon’s theory These models share the philosophy that information of communication and information flow models, such flow in a computer security context is related to as the Goguen-Meseguer model, that view a reference inference: if one user can, by observing outputs monitor as a state-transition automaton. The channel available to him, deduce something about inputs from associated with a machine and a compromise policy is another user, there has been some information flow. defined, and the capacity of that channel is taken as a Conversely, if there is no information flow, the user’s measure of covert channel information rate. outputs would be the same regardless of the input from the other user. This ap roach was suggested in f INTRODUCTION a paper by Jones and Lipton investigating protection mechanisms in the context of computations, considered as functions rather than machines. This One of the objectives of computer security is to paper defined a security policy as an prevent the unauthorized disclosure of information. information-hiding function applied to the input, and Models of protection mechanisms and policies that said that a protection mechanism was “sound” if the espouse this objective fall into one of two categories: computational values received by the user could have access control models or information flow models. been obtained from such censored input. -
Analysis of Bittorrent Protocol and Its Effect on the Network ENSC 427: Final Project Report Spring 2011
SIMON FRASER UNIVERSITY Analysis of BitTorrent Protocol and Its Effect on the Network ENSC 427: Final Project Report Spring 2011 Group 11 www.sfu.ca/~kna5/ensc427 Ken Kyoungwoo Nam 301046747 Kna5 @sfu.ca Yu Jie Xu 301083552 Xya14 @ sfu.ca Abstract The first version of the peer-to-peer file sharing protocol was invented in 1999, called Napster protocol. From then on, the application of peer-to-peer protocol has been widely spread in the internet. The advantage of the network with p2p protocol is that it needs much less server bandwidth compare to the basic client and server network. Moreover, in the p2p network, the client itself is the server, so they can communicate with each other without the central sever. Nowadays, there are two primary peer-to-peer file sharing protocol that dominate in the network: the Gnutella protocol and BitTorrent Protocol. In our project, we will focus on BitTorrent Protocol. To do this, we will create three different networks in OPNET, and investigate the network performance with and without BitTorrent nodes. 2 Table of contents 1. Introduction…………..……………………………………………………………......4 2. Theory……………...………………………………………………………………......4 2.1 Terminology and Definition…………………………………………………......5 2.2 Peer-to-Peer Protocol…………………………………………………………….5 2.3 BitTorrent Protocol………………………………………………………………6 2.4 BitTorrent Tracker………………………………………………………………7 2.5 Rarest Algorithm…………………………………………………………………8 2.6 Choke Algorithm…………………………………………………………………9 3. Implementation…...…………………………………………………………..……...10 3.1 Packet Formats………………………………………………………………….11 3.2 Normal Client and Server Node Models………………………………………11 3.3 Plain Peer-to-Peer Node Model……………………………………..…………12 3.4 BitTorrent Node Model……………………………………………………...…13 3.5 Building the Small Network……………………………………………………14 3.6 Building the Large Network…………………………………………………...15 4. -
Asynchronous Covert Communication Using Bittorrent Trackers Mathieu Cunche, Mohamed Ali Kaafar, Roksana Boreli
Asynchronous Covert Communication Using BitTorrent Trackers Mathieu Cunche, Mohamed Ali Kaafar, Roksana Boreli To cite this version: Mathieu Cunche, Mohamed Ali Kaafar, Roksana Boreli. Asynchronous Covert Communication Using BitTorrent Trackers. International Symposium on Cyberspace Safety and Security (CSS), Aug 2014, Paris, France. hal-01053147 HAL Id: hal-01053147 https://hal.inria.fr/hal-01053147 Submitted on 29 Jul 2014 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Asynchronous Covert Communication Using BitTorrent Trackers Mathieu Cunche∗†, Mohamed-Ali Kaafar†‡, Roksana Boreli‡ †Inria, France ∗INSA-Lyon CITI, France ‡National ICT Australia fi[email protected] fi[email protected] Abstract—Covert channels enable communicating parties to in a swarm (set of peers downloading and/or sharing a given exchange messages without being detected by an external ob- content). Our contributions are as follows. server. We propose a novel covert channel mechanism based We present a communication scheme that enables two on BitTorrent trackers. The proposed mechanism uses common HTTP commands, thus having the appearance of genuine web parties to perform a hidden exchange of information through traffic and consists of communications that are both indirect and the centralized BitTorrent tracker. -
POWER-Supplay: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers
POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers Mordechai Guri Ben-Gurion University of the Negev, Israel Cyber-Security Research Center [email protected] Air-Gap research page: http://www.covertchannels.com Demo video: http://www.covertchannels.com Abstract—It is known that attackers can exfiltrate data from insiders. Famous air-gap breaching cases include Stuxnet [4] air-gapped computers through their speakers via sonic and and Agent.BTZ [5], but other incidents have also been reported ultrasonic waves. To eliminate the threat of such acoustic covert [6], [7]. In 2018, The US Department of Homeland Security channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less accused Russian government hackers of penetrating America’s systems are considered to be audio-gapped, and hence immune power utilities [8]. Due to reports in the Washington Post to acoustic covert channels. in November 2019, the Nuclear Power Corporation of India In this paper, we introduce a technique that enable attackers Limited (NPCIL) confirmed that the Kudankulam Nuclear leak data acoustically from air-gapped and audio-gapped systems. Power Plant suffered a cyber-attack earlier that year [9]. Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary A. Air-Gap Covert Channels speaker with limited capabilities. The malicious code manipulates the internal switching frequency of the power supply and hence While the infiltration of such networks has been shown to be controls the sound waveforms generated from its capacitors and feasible, the exfiltration of data from non-networked computers transformers. -
Detecting Covert Storage Channels Using Relative Entropy
Raising Flags: Detecting Covert Storage Channels Using Relative Entropy Josephine Chow Xiangyang Li Xenia Mountrouidou University of Maryland, College Park Johns Hopkins University Information College of Charleston College Park, Maryland, US Security Institute Charleston, South Carolina, US [email protected] Baltimore, Maryland, US [email protected] [email protected] Abstract— This paper focuses on one type of Covert Storage Storage Channel (CSC) and Covert Timing Channel (CTC) [1]. Channel (CSC) that uses the 6-bit TCP flag header in TCP/IP A CSC writes to a storage location by a sender process and network packets to transmit secret messages between then a receiver process reads the message according to a pre- accomplices. We use relative entropy to characterize the defined coding scheme of information [2]. In order to transmit irregularity of network flows in comparison to normal traffic. A information secretly, a CTC schematically modulates the normal profile is created by the frequency distribution of TCP temporal characteristic of a process by a sender, which is then flags in regular traffic packets. In detection, the TCP flag measured by the receiver. frequency distribution of network traffic is computed for each unique IP pair. In order to evaluate the accuracy and efficiency Unlike most other exploits, covert channels often go of the proposed method, this study uses real regular traffic data unnoticed by the access control mechanisms of most operating sets as well as CSC messages using coding schemes under systems. They can use a regular medium, such as unused assumptions of both clear text, composed by a list of keywords protocol bits in a networking protocol, in a way that does not common in Unix systems, and encrypted text. -
A Study of Peer-To-Peer Systems
A Study of Peer-to-Peer Systems JIA, Lu A Thesis Submitted in Partial Fulfilment of the Requirements for the Degree of Master of Philosophy in Information Engineering The Chinese University of Hong Kong August 2009 Abstract of thesis entitled: A Study of Peer-to-Peer Systems Submitted by JIA, Lu for the degree of Master of Philosophy at The Chinese University of Hong Kong in June 2009 Peer-to-peer (P2P) systems have evolved rapidly and become immensely popular in Internet. Users in P2P systems can share resources with each other and in this way the server loading is reduced. P2P systems' good performance and scalability attract a lot of interest in the research community as well as in industry. Yet, P2P systems are very complicated systems. Building a P2P system requires carefully and repeatedly thinking and ex- amining architectural design issues. Instead of setting foot in all aspects of designing a P2P system, this thesis focuses on two things: analyzing reliability and performance of different tracker designs and studying a large-scale P2P file sharing system, Xun- lei. The "tracker" of a P2P system is used to lookup which peers hold (or partially hold) a given object. There are various designs for the tracker function, from a single-server tracker, to DHT- based (distributed hash table) serverless systems. In the first part of this thesis, we classify the different tracker designs, dis- cuss the different considerations for these designs, and provide simple models to evaluate the reliability of these designs. Xunlei is a new proprietary P2P file sharing protocol that has become very popular in China. -
Predicting Software Piracy Rates, Bittorrent Tracker Hosting, and P2P File Sharing Client Downloads Between Countries
Kigerl - Infringing Nations: Predicting Software Piracy Rates, BitTorrent Tracker Hosting, and P2P File Sharing Client Downloads Between Countries Copyright © 2013 International Journal of Cyber Criminology (IJCC) ISSN: 0974 – 2891 January – June 2013, Vol 7 (1): 62–80 This is an Open Access paper distributed under the terms of the Creative Commons Attribution-Non- Commercial-Share Alike License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited. This license does not permit commercial exploitation or the creation of derivative works without specific permission. Infringing Nations: Predicting Software Piracy Rates, BitTorrent Tracker Hosting, and P2P File Sharing Client Downloads Between Countries Alex C. Kigerl1 Washington State University, United States of America Abstract This study sought to investigate the predictors of digital piracy at the national level. The bulk of previous research on this subject has relied almost exclusively on measures of piracy taken from reports created by copyright industry representatives, which may not be objective sources. For this research, two new measures of piracy related activity in addition to the usual software piracy rate and software piracy cost measures were used. The number of BitTorrent tracking servers and the number of peer- to-peer file sharing client downloads per country were measured. It was determined that these new measures tended to have predictors that were different than the standard software piracy rates. Additionally, it appeared that measuring piracy as a rate relative to legal purchases had the opposite effect than when measuring piracy in absolute terms (such as the absolute number of BitTorrent trackers and absolute dollar amount lost due to piracy). -
Torrent Crawler: a Tool for Collecting Information from Bittorrent Networks
Torrent Crawler: a tool for collecting information from BitTorrent networks Yeounoh Chung 1. Abstract structure and the unpredictability of the clients can cause problems in the network, making errors BitTorrent is a free peer-to-peer (P2P) difficult to detect and diagnosis. The reliance of a content-sharing application with a complex and node on node local views to maintain the overlay dynamic overlay structure due to loose coupling, high structure further compounds the problem. Defects or churn rate, and varying responsiveness of nodes. The anomalies such as partitioning in the overlay or load complexity and the dynamic nature of the overlay imbalance due to biased peer selection are structure can mask the problems in the network, undetectable without partial global information and a making errors difficult to detect and diagnosis in a good understanding of the various characteristics and timely manner. Furthermore, the heavy reliance of dynamic behaviors of the network. However, such an clients on the node local views compounds the understanding was often times missing or incorrectly problems such as partitioning in the network or load obtained from non-representative measurement imbalance due to biased peer selection. studies, in which a few instrumented clients were In an effort to provide the network with used to capture the desired properties. partial global information to resolve the network Collecting representative global information problems, this project looks into introducing a tool such as peer’s download rate, known neighboring that efficiently collects global information from peers, and the network’s churn rate, from the BitTorrent network. The tool, called Torrent Crawler complex and dynamic BitTorrent network is not (TC) uses a number of techniques to efficiently find simple. -
Niv Sardi-Altivanik Floss Arquitect
NIV SARDI-ALTIVANIK FLOSS ARQUITECT LINKEDIN TWITTER GITHUB https://www.linkedin.com @xaiki https://github.com/xaiki /in/xaiki/ EMAIL TELEFONO [email protected] +54 911 5596 6800 Formed as a Mathematician I’ve been working as a Free Software Developer for the last 15 years, following a path that brought me deep technical knowledge, precise leading skills and a proven experience in the world of politics. Passionate and details-conscious, I am excited to foster the very best of technology and human capacity into tools we need to steer the world into a more liveable place. EDUCATION SKILLS UNIVERSITÉ DENIS DIDEROT PARIS VII PARIS HUMAN LANGUAGES 2004_2007 owning the diplomatariat Spanish ★★★ Maths and Computer Science Masters 2007 lengua materna Université Denis Diderot: Maitrise de Mathematiques et d’Informatique Project : MiniOCaML interpreter (CaML) ★★★ Research: Big Social Networks Topology — using Graph Theory to French lengua paterna analyze online comunities (Perl & C) 2005 Maths and Computer Science Bachelor English ★★★ Université Denis Diderot: Licence de Mathematiques et d’informatique 2 años de vida en Australia Project: Su�x Arrays, Algorithms, Analysis and Implementation (C) Portuguese ★★☆ lived and worked 9 months in Brazil LATEST WORK EXPERIENCE PRESIDENCIA DE LA NACION: TECHNOLOGY ARCHITECT MANAGEMENT 2019 BUENOSAIRES I took part of the intervention of a sector of the Presidencial o�ce. My role was to ensure a smooth operation of the IT infrastructure SCRUM/Agile ★★★ during the intervention, and to sta� and direct 3 National Directors roles. The intervention went on with 99% availability, we’ve set up plans that are currently beeing executed to reduce cost and enhance reliability of all Arquitecture ★★★ services and software platforms. -
A Week in the Life of the Most Popular Bittorrent Swarms
A Week in the Life of the Most Popular BitTorrent Swarms Mark Scanlon, Alan Hannaway and Mohand-Tahar Kechadi 1 UCD Centre for Cybercrime Investigation, School of Computer Science & Informatics, University College Dublin, Belfield, Dublin 4, Ireland {mark.scanlon, alan.hannaway, tahar.kechadi}@ucd.ie AbstractThe popularity of peer-to-peer (P2P) file distribution is c material, which typically commences with a single source sharing large sized files to many downloaders. networks lend themselves well to the unauthorised distribution of To commence the download of the content in a particular copyrighted material due to their ease of use, the abundance of - material available and the apparent anonymity awarded to the downloaders. This paper presents the results of an investigation loaded from an indexing website. This file is then opened conducted on the top 100 most popular BitTorrent swarms over using a BitTorrent client, which proceeds to connect to several the course of one week. The purpose of this investigation is to members of the swarm and download the content. Each quantify the scale of unauthorised distribution of copyrighted BitTorrent swarm is built around a particular piece of content material through the use of the BitTorrent protocol. Each IP which is determined through a unique identifier based on a address, which was discovered over the period of the weeklong SHA-1 hash of the file information contained in this UTF- 8 investigation, is mapped through the use of a geolocation encoded metadata file, e.g., name, piece length, piece hash database, which results in the ability to determine where the values, length and path. -
Understanding Microarchitectural Channels and Using Them for Defense
Understanding Microarchitectural Channels and Using Them for Defense Casen Hunger Mikhail Kazdagli Ankit Rawat Alex Dimakis Sriram Vishwanath Mohit Tiwari UT Austin {casen.h, mikhail.kazdagli, ankitsr}@utexas.edu, {dimakis, sriram, tiwari}@austin.utexas.edu Abstract networks-on-chip [9, 8]; clearing out leftover state in Microarchitectural resources such as caches and pre- caches [10] and branch predictor on a context switch [11]; dictors can be used to leak information across security and even complete systems-on-chip where processes cannot domains. Significant prior work has demonstrated attacks interfere with each other [12, 13, 14]. Alternatively, archi- and defenses for specific types of such microarchitectural tects have also proposed the introduction of random noise side and covert channels. In this paper, we introduce a to hardware counters [15] or cache replacement policies [7]. general mathematical study of microarchitectural channels While these approaches are promising, they either address using information theory. Our conceptual contribution is a only known, specific sources of leaks [7, 8, 9] or require simple mathematical abstraction that captures the common far-reaching changes to the entire microarchitecture [12, 14] characteristics of all microarchitectural channels. We call that hamper adoption. this the Bucket model and it reveals that microarchitectural A complementary software-only approach to protect sen- channels are fundamentally different from side and covert sitive data in the cloud is to rent dedicated physical ma- channels in networking. chines, so that only friendly virtual machines co-reside We then quantify the communication capacity of sev- on a physical machine. The challenge for a cloud tenant eral microarchitectural covert channels (including chan- then is to audit whether an attacker has exploited a vulner- nels that rely on performance counters, AES hardware ability in the cloud provider’s software to co-reside on the and memory buses) and measure bandwidths across both same hardware [1]. -
Covert Channel Vulnerabilities in Anonymity Systems
UCAM-CL-TR-706 Technical Report ISSN 1476-2986 Number 706 Computer Laboratory Covert channel vulnerabilities in anonymity systems Steven J. Murdoch December 2007 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2007 Steven J. Murdoch This technical report is based on a dissertation submitted August 2007 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Girton College. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Covert channel vulnerabilities in anonymity systems Steven J. Murdoch Summary The spread of wide-scale Internet surveillance has spurred interest in ano- nymity systems that protect users’ privacy by restricting unauthorised access to their identity. This requirement can be considered as a flow control policy in the well established field of multilevel secure systems. I apply previous re- search on covert channels (unintended means to communicate in violation of a security policy) to analyse several anonymity systems in an innovative way. One application for anonymity systems is to prevent collusion in compe- titions. I show how covert channels may be exploited to violate these pro- tections and construct defences against such attacks, drawing from previous covert channel research and collusion-resistant voting systems. In the military context, for which multilevel secure systems were designed, covert channels are increasingly eliminated by physical separation of intercon- nected single-role computers. Prior work on the remaining network covert channels has been solely based on protocol specifications.