A Systematic Analysis of Covert Channels in the Network Time Protocol

Covert channels in network protocols are a technique that aims to hide the very existence of secret communication in computer networks. In this work we present a systematic, in-depth analysis of covert channels by modification for the Network Time Protocol (NTP). By applying a covert channel pattern-based taxonomy, our analysis identifies 49 covert channels. The summary and comparison based on nine selected key attributes show that NTP is a plausible carrier for covert channels. The analysis results are evaluated with regard to the common behavior of NTP implementations in six major operating systems. Two channels are selected and implemented for evaluation in network test-beds. By hiding encrypted high-entropy data in a high-entropy field of NTP, we show in our first assessment that practically undetectable channels can be implemented in NTP, which motivates the required further research. In our evaluation, we analyze 40,000 NTP server responses from public NTP server providers. We discuss the research community's general view that detection of covert channels is the more promising countermeasure compared to their active suppression. Therefore, normalization approaches and a secure network environment are introduced.
