PHY Covert Channels
Total Page:16
File Type:pdf, Size:1020Kb
PHY Covert Channels: Can you see the Idles? Ki Suh Lee, Han Wang, and Hakim Weatherspoon, Cornell University https://www.usenix.org/conference/nsdi14/technical-sessions/presentation/lee This paper is included in the Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’14). April 2–4, 2014 • Seattle, WA, USA ISBN 978-1-931971-09-6 Open access to the Proceedings of the 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’14) is sponsored by USENIX PHY Covert Channels: Can you see the Idles? Ki Suh Lee, Han Wang, Hakim Weatherspoon Computer Science Department, Cornell University kslee,hwang,[email protected] Abstract ers [20, 28, 34, 35], and, thus, are relatively easy to de- Network covert timing channels embed secret messages tect and prevent [14, 19, 26]. Network timing channels in legitimate packets by modulating interpacket delays. deliver messages by modulating interpacket delays (or Unfortunately, such channels are normally implemented arrival time of packets). As a result, arrivals of pack- in higher network layers (layer 3 or above) and easily ets in network timing channels normally create patterns, detected or prevented. However, access to the physi- which can be analyzed with statistical tests to detect tim- cal layer of a network stack allows for timing channels ing channels [11, 12, 16, 32], or eliminated by network that are virtually invisible: Sub-microsecond modula- jammers [17]. To make timing channels robust against tions that are undetectable by software endhosts. There- such detection and prevention, more sophisticated timing fore, covert timing channels implemented in the physi- channels mimic legitimate traffic with spreading codes cal layer can be a serious threat to the security of a sys- and a shared key [24], or use independent and identically tem or a network. In fact, we empirically demonstrate distributed (i.i.d) random interpacket delays [25]. an effective covert timing channel over nine routing hops In this paper, we present a new method of creating and thousands of miles over the Internet (the National a covert timing channel that is high-bandwidth, robust Lambda Rail). Our covert timing channel works with against cross traffic, and undetectable by software end- cross traffic, less than 10% bit error rate, which can be hosts. The channel can effectively deliver 81 kilobits per masked by forward error correction, and a covert rate of second with less than 10% errors over nine routing hops, 81 kilobits per second. Key to our approach is access and thousands of miles over the National Lambda Rail and control over every bit in the physical layer of a 10 (NLR). We empirically demonstrate that we can create Gigabit network stack (a bit is 100 picoseconds wide at such a timing channel by modulating interpacket gaps 10 gigabit per seconds), which allows us to modulate and at sub-microsecond scale: A scale at which sent infor- interpret interpacket spacings at sub-microsecond scale. mation is preserved through multiple routing hops, but We discuss when and how a timing channel in the phys- statistical tests cannot differentiate the channel from le- ical layer works, how hard it is to detect such a channel, gitimate traffic. Unlike approaches mentioned above, and what is required to do so. our covert timing channel, Chupja1, is implemented in 1 Introduction the physical layer of a network protocol stack. In or- der to hide the existence of the channel, we mainly ex- Covert channels are defined as channels that are not in- ploit the fact that statistical tests for covert channel de- tended for information transfer, but can leak sensitive tection rely on collected interpacket delays, which can information [21]. In essence, covert channels provide be highly inaccurate in a 10 Gigabit Ethernet (GbE) net- the ability to hide the transmission of data within es- work, whereas access to the physical layer provides fine- tablished network protocols [37], thus hiding their exis- grained control over interpacket delays at nanosecond tence. Covert channels are typically classified into two scale [15, 22]. As a result, a network monitoring appli- categories: Storage and timing channels. In storage cation needs to have the capability of fine-grained times- channels, a sender modulates the value of a storage loca- tamping to detect our covert channel. We argue that tion to send a message. In timing channels, on the other nanosecond level of resolution is key to do so. hand, a sender modulates system resources over time to The contributions of this paper are as follows: send a message [10]. • We discuss how to design and implement a covert Network covert channels send hidden messages over timing channel via access to the physical layer. legitimate packets by modifying packet headers (stor- • We demonstrate that a covert timing channel imple- age channels) or by modulating interpacket delays (tim- mented in the physical layer can effectively deliver ing channels). Because network covert channels can secret messages over the Internet. deliver sensitive messages across a network to a re- • We empirically illustrate that we can quantify per- ceiver multiple-hops away, they impose serious threats turbations added by a network, and the quantified to the security of systems. Network storage chan- nels normally exploit unused fields of protocol head- 1Chupja is equivalent to spy in Korean 1 USENIX Association 11th USENIX Symposium on Networked Systems Design and Implementation 173 perturbation is related to bit error rate of the covert delay conveys information, i.e. a long delay is zero, and timing channel. a short delay is one [11]. JitterBugs encodes bits in a sim- • We show that in order to detect Chupja, fine-grained ilar fashion, and uses the remainder of modulo operation timestamping at nanosecond scale is required. of interpacket delays for encoding and decoding [36]. These timing channels naturally create patterns of in- 2 Network Covert Channels terpacket delays which can be analyzed with statistical Network covert channels are not new. However, imple- tests for detection. For example, regularity tests [11, 12], menting such a channel in the physical layer has never shape tests [32], or entropy tests [16] are widely used for been tried before. In this section, we briefly discuss covert timing channel detection. On the other hand, to previous approaches to create and detect network covert avoid detection from such statistical tests, timing chan- channels, and why access to the physical layer can cre- nels can mimic patterns of legitimate traffic, or use ran- ate a covert channel that is hard to detect. Although our dom interpacket delays. Liu et al., demonstrated that focus of this paper is covert timing channels, we discuss with spreading codes and a shared key, a timing chan- both covert storage channels and covert timing channels nel can be robust against known statistical tests [24]. in this section. They further developed a method to use independent and In a network covert channel, the sender has secret in- identically distributed (i.i.d) random interpacket delays formation that she tries to send to a receiver over the to make the channel less detectable [25]. Internet. The sender has control of some part of a net- Access to the physical layer (PHY) allows the sender work stack including a network interface (L1∼2), kernel to create new types of both storage and timing channels. network stack (L3∼4) and/or user application (L5 and The sender of a covert storage channel can embed se- above). Thus, the sender can modify protocol headers, cret messages into special characters that only reside in checksum values, or control the timing of transmission the physical layer, which are discarded before the deliv- of packets. The sender can either use packets from other ery of packets to higher layers of a network stack. As a applications of the system or generate its own packets. result, by embedding messages into those special char- Although it is also possible that the sender can use packet acters, higher layers of a network stack will have no way payloads to directly embed or encrypt messages, we do to detect the existence of the storage channel. In fact, not consider this case because it is against the purpose idle characters (/I/s), which are used to fill gaps be- of a covert channel: hiding the existence of the chan- tween any two packets in the physical layer, would make nel. The adversary (or warden), on the other hand, wants for great covert channels if they could be manipulated. to detect and prevent covert channels. A passive adver- The IEEE 802.3 standard requires that at least twelve sary monitors packet information to detect covert chan- /I/ characters must be inserted after every packet [3]. nels while an active adversary employs network appli- Therefore, it is possible to create a high-bandwidth stor- ances such as network jammers to reduce the possibility age channel that cannot be detected without access to the of covert channels. PHY. Unfortunately, this covert storage channel can only In network storage channels, the sender changes the work for one hop, i.e. between two directly connected values of packets to secretly encode messages, which is devices, because network devices discard the contents of examined by the receiver to decode the message. This idle characters when processing packets. However, if a can be easily achieved by using unused bits or fields supply chain attack is taken into account where switches of protocol headers. The IP Identification field, the and routers between the sender and the receiver are com- IP Fragment Offset, the TCP Sequence Number field, promised and capable of forwarding hidden messages, and TCP timestamps are good places to embed mes- the PHY storage channel can be very effective.