NetWarden: Mitigating Network Covert Channels without Performance Loss

Network covert channels are an advanced threat to the security and privacy of cloud systems. One common limitation of existing defenses is that they all come at the cost of performance, which presents a significant barrier to their practical deployment in high-speed networks. We sketch the design of NetWarden, a novel defense whose key design goal is to preserve TCP performance while mitigating covert channels. The use of programmable data planes makes it possible for NetWarden to adapt defenses that were previously demonstrated only as proofs of concept and to apply them at line speed. Moreover, NetWarden uses a set of performance-boosting techniques to temporarily increase the performance of connections that have been affected by channel mitigation, with the ultimate goal of neutralizing the mitigation's impact on performance. Our simulation provides initial evidence that NetWarden can mitigate several covert channels with little performance disturbance. As ongoing work, we are developing a full system design and implementation of NetWarden.