A combinatorial approach to network covert communications with applications in Web Leaks

Various effective network covert channels have recently demonstrated the feasibility of encoding messages into the timing or content of individual network objects, such as data packets and request messages. However, we show in this paper that more robust and stealthy network covert channels can be devised by exploiting the relationships among network objects. In particular, we propose a combinatorial approach for devising a wide spectrum of covert channels that can meet different objectives based on channel capacity and channel undetectability. To illustrate the approach, we design WebLeaks and ACKLeaks, two novel covert channels that can leak information through the data and acknowledgment traffic in a web session. We implement both channels and deploy them on PlanetLab nodes for evaluation. Besides the channel capacity, we apply state-of-the-art detection schemes to evaluate their camouflage capability. The experimental results show that their capacity can be boosted by our combinatorial approach, and at the same time they can effectively evade detection.
