PHY Covert Channels: Can you see the Idles?
Ki Suh Lee, Cornell University
Joint work with Han Wang and Hakim Weatherspoon

첩자 (chupja)

Network Covert Channels
• Hiding information
  – Through communication not intended for data transfer
  – Using legitimate packets (overt channel)
    • Storage channels: packet headers
    • Timing channels: arrival times of packets

Goals of Covert Channels
• Bandwidth
  – How much information can be delivered in a second
  – 10~100s bits per second
• Robustness
  – How much information can be delivered without loss / error
  – Cabuk'04, Shah'06
• Undetectability
  – How well communication is hidden
  – Liu'09, Liu'10
[Figure: layer stack: Application, Transport, Network, Data Link, Physical]

Current network covert channels are implemented in L3~4 (TCP/IP) layers and are extremely slow.

Chupja: PHY Covert Channel
• Bandwidth
  – How much information can be delivered in a second
  – 10~100s bits per second -> 10s~100s kilobits per second
• Robustness
  – How much information can be delivered without loss / error
  – Bit Error Rate < 10%
• Undetectability
  – How well communication is hidden
  – Invisible to detection software
[Figure: layer stack: Application, Transport, Network, Data Link, Physical]

Chupja is a network covert channel which is faster than prior art. It is implemented in L1 (PHY), robust and virtually invisible to software.

Outline
• Introduction
• Design
  – Threat Model
  – 10 Gigabit Ethernet
• Evaluation
• Conclusion

Threat Model
[Figure: Sender and Receiver, each with an Application / Transport / Network / Data Link / Physical stack, and a Passive Adversary between them; labels: Commodity Server, Commodity NIC]

10 Gigabit Ethernet
• Idle Characters (/I/)
  – Each bit is ~100 picoseconds wide
  – 7~8 bit special character in the physical layer
  – 700~800 picoseconds to transmit
  – Only in PHY
[Figure: stream of Packet i, Packet i+1, Packet i+2 beside the layer stack]

Terminology
• Interpacket delays (D) and gaps (G)
[Figure: IPG and IPD marked between Packet i and Packet i+1]
• Homogeneous packet stream
  – Same packet size
  – Same IPD (IPG)
  – Same destination

Chupja: Design
• Homogeneous stream
[Figure: Packet i, Packet i+1, Packet i+2 with equal gaps G and delays D]
• Sender
[Figure: '0' sent with gap G − ε (delay D − ε), '1' sent with gap G + ε (delay D + ε)]
• Receiver
[Figure: received packets with gaps Gi, Gi+1 and delays Di, Di+1, labelled '0' and '1']
• With shared G
  – Encoding '1': Gi = G + ε
  – Encoding '0': Gi = G − ε

Implementation
• SoNIC [NSDI '13]
  – Software-defined Network Interface Card
  – Allows control of and access to every bit of PHY
    • In realtime, and in software
• 50 lines of C code addition

Outline
• Introduction
• Design
• Evaluation
  – Bandwidth
  – Robustness
  – Undetectability
• Conclusion

Evaluation
• What is the bandwidth of Chupja?
• How robust is Chupja?
  – Why is Chupja robust?
• How undetectable is Chupja?

What is the bandwidth of Chupja?

Evaluation: Bandwidth
• Covert bandwidth equals the packet rate of the overt channel
[Figure: Covert Channel Capacity (bps) versus Overt Channel Throughput (Gbps) for 64B, 512B, 1024B and 1518B packets; annotation: 1518B at 1 Gbps gives 81 kbps]

How robust is Chupja?

Evaluation Setup
• Small Network
  – Six commercial switches
  – Average RTT: 0.154 ms
• National Lambda Rail
  – Nine routing hops
  – Average RTT: 67.6 ms
  – 1~2 Gbps external traffic
[Figure: small network with switches SW1 to SW4 between Sender and Receiver; NLR map with Sender, Receiver, Cornell (Ithaca), Cornell (NYC), NLR (NYC), Cleveland, Chicago and Boston]

Evaluation: Robustness
• Overt channel at 1 Gbps (D = 12211 ns, G = 13738 /I/s)
• Covert channel at 81 kbps
• Modulating IPGs at 1.6 us scale (= 2048 /I/s)
[Figure: BER versus ε (/I/s), from 16 to 4096, for Small No Ext., Small Ext 3.6G and NLR; annotated values: 7.7%, 8.9%, 2.8%]

Why is Chupja robust?

Evaluation: Why?
• Switches do not add significant perturbations to IPDs
• Switches treat encoded '0' and '1' as uncorrelated
  – Over multiple hops when there is no external traffic
  – With external traffic
[Figure: Sender to Receiver, Homogeneous 1518B at 1 Gbps beside Chupja (ε = 256 /I/s) 1518B at 1 Gbps]
[Figure: over multiple hops with no external traffic: distributions of Interpacket Delay (ns) after 1, 3, 6, 9, 12 and 15 hops, for a Homogeneous stream and a Chupja stream (ε = 256 /I/s); annotations mark D − ε, D + ε and the range that holds 90% of the delays]

Evaluation: Why?
• Most IPDs are within some range from the original IPD
  – Even when there is external traffic

ε (/I/s)   256     512     1024    2048     4096
ε (ns)     204.8   409.6   819.2   1638.4   3276.8
BER        0.367   0.391   0.281   0.089    0.013

[Figure: NLR map with Sender, Receiver, Chicago, Boston, Cleveland, Cornell (NYC), NLR (NYC) and Cornell (Ithaca); legend: Encoded 'Zero', Encoded 'One']

With sufficiently large ε, the interpacket spacing holds throughout the network, and BER is less than 10%.

How undetectable is Chupja?

Evaluation: Detection Setup
• Commodity server with 10G NIC
  – Kernel timestamping
[Figure: Sender to Receiver over NLR, observed once with kernel timestamping and once with SoNIC timestamping]

Evaluation: Detection
• Adversary cannot detect patterns of Chupja
[Figure: distributions of Interpacket Delay (ns) for HOM, ε = 1024 and ε = 4096; panels: Kernel Timestamping and SoNIC Timestamping]

Evaluation: Summary
• What is the bandwidth of Chupja?
  – 10s~100s kilobits per second
• How robust is Chupja?
  – BER < 10% over NLR
  – Why is Chupja robust?
    • Sufficiently large ε holds throughout the network
• How undetectable is Chupja?
  – Invisible to software

Conclusion
• Chupja: PHY covert channel
  – High-bandwidth, robust, and undetectable
• Based on understanding of network devices
  – Perturbations from switches
  – Inaccurate endhost timestamping
• http://sonic.cs.cornell.edu & GENI (ExoGENI)!!!

Thank you
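
A monitor-side view of the detection slides, as an added example (not code from the talk or from SoNIC): it simulates a homogeneous stream and a stream modulated at ε = 1024 /I/s, then tests whether the observed interpacket-delay distribution looks bimodal under two timestamp error levels. The Gaussian error model, the 50 ns and 3000 ns sigmas, the use of Sarle's bimodality coefficient and all function names are assumptions made for illustration.

```python
import random

D_NS = 12211.0   # overt-stream interpacket delay (ns), from the slides
IDLE_NS = 0.8    # one /I/ in ns (slides: 256 /I/s = 204.8 ns)

def arrival_times(n, eps_idles, rng):
    """Ideal arrival times. eps_idles=0 is a homogeneous stream; otherwise
    each delay is D+eps ('1') or D-eps ('0') for a random covert bit."""
    eps = eps_idles * IDLE_NS
    t, times = 0.0, [0.0]
    for _ in range(n):
        t += D_NS + (eps if rng.random() < 0.5 else -eps)
        times.append(t)
    return times

def observed_ipds(times, ts_sigma_ns, rng):
    """Delays as a monitor records them: every timestamp carries Gaussian
    error (assumed model; sigma stands in for the timestamping method)."""
    stamped = [t + rng.gauss(0.0, ts_sigma_ns) for t in times]
    return [b - a for a, b in zip(stamped, stamped[1:])]

def bimodality_coefficient(xs):
    """Sarle's coefficient (skewness^2 + 1) / kurtosis, population form:
    about 1/3 for a normal distribution, near 1 for two sharp modes."""
    n = len(xs)
    mean = sum(xs) / n
    m2 = sum((x - mean) ** 2 for x in xs) / n
    m3 = sum((x - mean) ** 3 for x in xs) / n
    m4 = sum((x - mean) ** 4 for x in xs) / n
    return (m3 ** 2 / m2 ** 3 + 1.0) / (m4 / m2 ** 2)

def looks_modulated(ipds, threshold=5 / 9):
    """Flag a stream whose delay distribution is more bimodal than uniform."""
    return bimodality_coefficient(ipds) > threshold

def demo(seed=7, n=20000):
    rng = random.Random(seed)
    verdicts = {}
    for stream, eps in (("homogeneous", 0), ("chupja", 1024)):
        times = arrival_times(n, eps, rng)
        # Constructed error levels: 50 ns "precise", 3000 ns "kernel".
        for monitor, sigma in (("precise", 50.0), ("kernel", 3000.0)):
            ipds = observed_ipds(times, sigma, rng)
            verdicts[(stream, monitor)] = looks_modulated(ipds)
    return verdicts

if __name__ == "__main__":
    for key, flagged in demo().items():
        print(key, "flagged" if flagged else "not flagged")
```

Only the modulated stream seen through the low-error monitor is flagged; once timestamp error is several times ε, the two modes merge into one bell-shaped distribution and the same test stays silent.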