COVERT TIMING CHANNELS USING HTTP CACHE HEADERS
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University
Information Security and Cryptography Department
September 8-13, 2014, Ekaterinburg
Introduction
A covert channel is a mechanism for sending and receiving information between hosts without alerting any firewalls or IDSs.
HTTP is one of the most widely used Internet protocols, so detection of covert channels over HTTP is an important research area.
Example – HTTP Headers
Using steganography methods in header values. Suppose that “en” encodes 0 and “fr” encodes 1. Then:
Accept-Language: en,fr encodes 01
Accept-Language: fr,en encodes 10
Accept-Language: en,fr,en,fr,en,en,en,en encodes 01010000 = 0x50
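As an added example (not from the slides), the mapping above as an encoder and decoder, plus a simple defender-side check; the repeated-tag heuristic and its threshold are assumptions of this example, not something the slide states:

```python
from typing import Dict

# Constructed mapping, exactly as on the slide: "en" carries a 0, "fr" a 1.
TAG_FOR_BIT: Dict[int, str] = {0: "en", 1: "fr"}
BIT_FOR_TAG: Dict[str, int] = {tag: bit for bit, tag in TAG_FOR_BIT.items()}


def encode_bits(bits: str) -> str:
    """Build an Accept-Language value whose tag ORDER spells out the bits."""
    if not bits or any(b not in "01" for b in bits):
        raise ValueError("bits must be a non-empty string of 0s and 1s")
    return ",".join(TAG_FOR_BIT[int(b)] for b in bits)


def decode_header(value: str) -> str:
    """Recover the bits from an Accept-Language value; tags outside the
    mapping (and any ;q= weights) are ignored, as a reader would do."""
    tags = [part.strip().split(";")[0] for part in value.split(",") if part.strip()]
    return "".join(str(BIT_FOR_TAG[t]) for t in tags if t in BIT_FOR_TAG)


def bits_to_hex(bits: str) -> str:
    """Group whole bytes, e.g. "01010000" -> "0x50" (the slide's last row)."""
    if len(bits) % 8:
        raise ValueError("need whole bytes")
    return "0x" + format(int(bits, 2), "0%dx" % (len(bits) // 4))


def looks_anomalous(value: str, max_tags: int = 8) -> bool:
    """Defender heuristic (an assumption of this example, not from the slide):
    genuine browsers list each language tag once and send a short list, so a
    repeated tag or an unusually long list is worth an alert."""
    tags = [part.strip().split(";")[0] for part in value.split(",") if part.strip()]
    return len(tags) != len(set(tags)) or len(tags) > max_tags
```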
Covert Channels’ Usage
• Transferring illegal content
• Stealing information from “secure” environments
• Controlling botnets
Types Of Covert Channels
TIME DEPENDENCE
• Storage channels – a storage location is written to and read from
• Timing channels – information is transmitted through time values
DIRECTION
• Client – server
• Server – client
Client-Server Covert Channels
Client-server covert channels are easier to implement, e.g. a covert storage channel via the If-Range request header, whose value carries hex-encoded data:
GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L
…
Server-Client Covert Channels
Server-client channels are more complicated, and most of them are timing channels, so they are more interesting to research.
Basic HTTP Cache Headers
RESPONSE (SERVER) HEADERS
• Last-Modified
• ETag
REQUEST (CLIENT) HEADERS
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-None-Match
Last-Modified Response Header
The Last-Modified HTTP header stores the date of the web entity’s last modification.
Page request:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
Response:
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive
(data)
ETag Response Header
The ETag value is formed from the hex values of the file’s inode, size and last-modified time (mtime), in that order: 120c7bL-32bL-4f86d4105ac62L = inode-size-mtime.
Page request:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
Response:
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
Connection: keep-alive
(data)
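An added example, not the authors’ code: a parser for an ETag built as inode-size-mtime in hex, showing what such a value discloses about the file on disk and how fine-grained the embedded mtime is. The field order and the microsecond mtime follow the slides; the function names are this example’s own.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class EtagFields(NamedTuple):
    inode: int      # inode number of the file on the server's filesystem
    size: int       # file size in bytes
    mtime_us: int   # last-modified time in microseconds since the Unix epoch


def parse_inode_size_mtime_etag(etag: str) -> EtagFields:
    """Parse an ETag built as inode-size-mtime in hex. Accepts the optional
    W/ weak prefix and surrounding quotes; the trailing "L" on each field in
    the slide's example is a formatting suffix and is stripped."""
    value = etag.strip()
    if value.startswith("W/"):
        value = value[2:]
    value = value.strip('"')
    parts = value.split("-")
    if len(parts) != 3:
        raise ValueError("expected inode-size-mtime, got %r" % etag)
    inode, size, mtime_us = (int(p.rstrip("L"), 16) for p in parts)
    return EtagFields(inode, size, mtime_us)


def mtime_as_datetime(fields: EtagFields) -> datetime:
    """The embedded mtime as an exact UTC datetime (no float rounding)."""
    return _EPOCH + timedelta(microseconds=fields.mtime_us)


def sub_second_microseconds(fields: EtagFields) -> int:
    """The part of mtime below one second. Last-Modified only has 1 s
    resolution, so this is extra information the ETag exposes, and it is
    the reason the ETag channel's theoretical capacity exceeds what the
    slides report as achieved in practice."""
    return fields.mtime_us % 1_000_000
```

On the slide’s value the inode is 1182843, the size 811 bytes and the mtime falls in May 2014 with 857186 µs below the second.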
Common Usage of Cache Request Headers
HTTP cache headers allow a web client not to download a page if it hasn’t changed since a certain time.
Page request with If-Modified-Since:
GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
Page request with If-None-Match:
GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)
Page has been changed: HTTP/1.1 200 OK (page data)
Page has not been changed: HTTP/1.1 304 Not Modified (only headers)
Common Usage of Cache Request Headers
The second pair of headers does the same as the first, but with the logically inverse condition.
Page request with If-Unmodified-Since:
GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
Page request with If-Match:
GET / HTTP/1.1
Host: 162.71.12.43
If-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)
Page has been changed: HTTP/1.1 412 Precondition Failed (only headers)
Page has not been changed: HTTP/1.1 200 OK (page data)
Covert Timing Channel Model
(Diagram: processes p1 and p2, each performing read and write operations over time t, connected through the Internet via the web server.)
2 different threat models:
• First: the intruder can only read message.txt and write some_page.html on the host (read-only / write-only access, minimal requirements)
• Second: the web server is under the intruders’ control
General Covert Channels Scheme
• Send an HTTP request
• Page has not been changed: received ‘0’
• Page has been changed: received ‘1’, store the new header value
Covert Channels Using HTTP Cache Headers
Last-Modified based:
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header
ETag based:
• ETag header value
• Using If-Match header
• Using If-None-Match header
Last-Modified Based Channels
Last-Modified header value covert channel (e.g. Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT):
• Send an HTTP request and get the new header value
• If the header value has changed: received ‘1’, store the header value; else: received ‘0’
• Wait n seconds and repeat
Covert channel using If-Modified-Since (e.g. If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT):
• Send an If-Modified-Since request
• If the HTTP code is “200”: received ‘1’, store the header value; else: received ‘0’
• Wait n seconds and repeat
Covert channel using If-Unmodified-Since (e.g. If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT):
• Send an If-Unmodified-Since request
• If the HTTP code is “412”: received ‘1’, store the header value; else: received ‘0’
• Wait n seconds and repeat
ETag Based Channels
ETag header value covert channel (e.g. ETag: 120c7bL-32bL-4f86d4105ac62L):
• Send an HTTP request and get the new header value
• If the header value has changed: received ‘1’, store the header value; else: received ‘0’
• Wait n seconds and repeat
Covert channel using If-None-Match (e.g. If-None-Match: 120c7bL-32bL-4f86d4105ac62L):
• Send an If-None-Match request
• If the HTTP code is “200”: received ‘1’, store the header value; else: received ‘0’
• Wait n seconds and repeat
Covert channel using If-Match (e.g. If-Match: 120c7bL-32bL-4f86d4105ac62L):
• Send an If-Match request
• If the HTTP code is “412”: received ‘1’, store the header value; else: received ‘0’
• Wait n seconds and repeat
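An added example, not the authors’ PoC: a pure-Python model of the reader side of all four conditional-request channels above (first threat model, where the writer only modifies the page). A constructed in-memory Resource plays the origin; the re-read after a 412 is this example’s own caveat, since real servers send no fresh validator with a 412.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Tuple


@dataclass
class Resource:
    """Constructed stand-in for the observed page: its validators change only
    when the writer touches it (one touch per '1' bit, nothing for a '0')."""
    last_modified: datetime     # tz-aware UTC, whole seconds
    etag: str
    version: int = 0

    def touch(self) -> None:
        self.version += 1
        self.last_modified += timedelta(seconds=1)  # Last-Modified has 1 s resolution
        self.etag = '"v%d"' % self.version

    def respond(self, request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """Evaluate one conditional GET the way a cache-aware origin does and
        return (status, response validators). Simplification: validators are
        returned with every status; a real 412 usually carries none."""
        validators = {"Last-Modified": format_datetime(self.last_modified, usegmt=True),
                      "ETag": self.etag}
        if "If-None-Match" in request_headers:
            status = 304 if request_headers["If-None-Match"] == self.etag else 200
        elif "If-Match" in request_headers:
            status = 200 if request_headers["If-Match"] == self.etag else 412
        elif "If-Modified-Since" in request_headers:
            since = parsedate_to_datetime(request_headers["If-Modified-Since"])
            status = 304 if self.last_modified <= since else 200
        elif "If-Unmodified-Since" in request_headers:
            since = parsedate_to_datetime(request_headers["If-Unmodified-Since"])
            status = 200 if self.last_modified <= since else 412
        else:
            status = 200
        return status, validators


def fresh_resource() -> Resource:
    """A page with the slide's Last-Modified date and a constructed ETag."""
    return Resource(datetime(2014, 4, 2, 14, 33, 39, tzinfo=timezone.utc), '"v0"')


# Reader rules from the six flowcharts: request header -> (validator it carries,
# status code that means "page changed", i.e. bit '1').
CHANNELS: Dict[str, Tuple[str, int]] = {
    "If-Modified-Since":   ("Last-Modified", 200),
    "If-Unmodified-Since": ("Last-Modified", 412),
    "If-None-Match":       ("ETag", 200),
    "If-Match":            ("ETag", 412),
}


def run_channel(channel: str, message_bits: str, resource: Resource) -> str:
    """Simulate one round per bit and return what the reader decodes."""
    validator_name, changed_status = CHANNELS[channel]
    _, current = resource.respond({})        # synchronise: learn the current validator
    stored = current[validator_name]
    received = []
    for bit in message_bits:
        if bit == "1":
            resource.touch()                 # the writer acts during the wait interval
        status, validators = resource.respond({channel: stored})
        if status == changed_status:
            received.append("1")
            if status == 412:                # no fresh validator on a 412: re-read the page
                _, validators = resource.respond({})
            stored = validators[validator_name]   # "store header value"
        else:
            received.append("0")
    return "".join(received)
```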
Ways to Implement
Among the many possible ways we focus on:
• Python – socket library
• C++ – Boost ASIO library
• C – plain C socket library
We chose C due to its highest performance (among these options) and decent stability.
The first threat model is chosen because of its minimal requirements.
Implementation
• Send an HTTP request
• Get the host response
• If the page has been modified: store the new header, write ‘1’ to output; else: write ‘0’ to output
• Sleep N seconds and repeat
Issues
Some problems we solved during implementation (issue – solution):
• Server-client synchronization – special synchronizing function
• Different time of requests – dynamic sleep time
• Lateness after sleep – “active” sleep
• High CPU load with “active” sleep – combination of “dynamic” and “active” sleep
Issue 1
Necessity of synchronizing the “read” (web client) and “write” (host) services.
Solution: a synchronizing function that issues requests at maximum speed (without sleep): send an HTTP request, get the host response, check whether the page has been changed, and repeat.
Issue 2
Different request durations can break the synchronization of the services.
Solution: dynamic sleep time equal to (sleep_time – time taken by the request): calculate the time taken by the request (diff_time), then sleep (sleep_time – diff_time) µs.
Issue 3
Inaccurate sleep: after sleeping (usleep() is used) the program can wake up 10-200 µs late.
Solution: use “active sleep” – keep calculating the time difference (diff_time) between the last request and the current moment while it is less than sleep_time.
Issue 4
High CPU load with “active sleep”.
Solution: combine “active” and “dynamic” sleep: sleep (sleep_time – CONST – request_time) µs, then calculate diff_time and actively wait while diff_time < CONST, where CONST is a constant of about 1000 µs (or less depending on PC performance).
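An added example, not the authors’ C implementation: the combined dynamic and active sleep from Issues 2-4, modelled in Python on time.perf_counter() and time.sleep() (which stand in for usleep()). The function names and the CONST_US value are assumptions of this example.

```python
import time

CONST_US = 1000   # active-wait window, about 1000 us as on the slide (assumption: tune per machine)


def coarse_sleep_us(sleep_time_us: int, request_time_us: int, const_us: int = CONST_US) -> int:
    """Dynamic part: how long to block-sleep so that about const_us of the
    slot is left for the active wait. Clamped at zero: if the request itself
    took longer than the slot, there is nothing left to sleep."""
    return max(0, sleep_time_us - const_us - request_time_us)


def wait_for_next_round(round_start: float, sleep_time_us: int, const_us: int = CONST_US) -> float:
    """Pace one round to sleep_time_us microseconds since round_start (a
    time.perf_counter() reading taken just before the request was sent).
    Returns the elapsed time in microseconds actually observed."""
    request_time_us = int((time.perf_counter() - round_start) * 1e6)
    # Issues 2 and 4: block for most of the remaining slot, leaving const_us.
    time.sleep(coarse_sleep_us(sleep_time_us, request_time_us, const_us) / 1e6)
    # Issue 3: active sleep for the rest, so the 10-200 us wake-up lateness
    # of the blocking sleep does not accumulate across rounds.
    while True:
        diff_us = (time.perf_counter() - round_start) * 1e6
        if diff_us >= sleep_time_us:
            return diff_us


def paced_round(do_request, sleep_time_us: int) -> float:
    """One reader round: send the request, then wait out the rest of the slot."""
    round_start = time.perf_counter()
    do_request()
    return wait_for_next_round(round_start, sleep_time_us)
```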
Advantages
ADVANTAGES OF COVERT TIMING CHANNELS WITH THE FIRST INTRUDER MODEL
• Does not modify the common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on the web page used by the channel does not break its operation
• The information flow looks like something refreshing a web page every n seconds
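An added example from the defender’s side, not from the slides: a detector over constructed web-server log lines that looks for exactly the signature described above, a client refreshing one page every n seconds with metronomic regularity while the responses flip between 200 and 304 far more often than a real static page changes. The thresholds, the log format and the IP addresses are assumptions of this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed log lines in Apache combined-log style (private IPs, invented
# paths, the slide's date): 10.0.0.5 behaves like the channel reader, 10.0.0.9
# like an ordinary visitor. The conditional request header itself is not logged;
# what remains visible is the rhythm and the 200/304 pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2014:14:33:39 +0000] "GET /some_page.html HTTP/1.1" 304 0
10.0.0.5 - - [02/Apr/2014:14:33:40 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.5 - - [02/Apr/2014:14:33:41 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.5 - - [02/Apr/2014:14:33:42 +0000] "GET /some_page.html HTTP/1.1" 304 0
10.0.0.5 - - [02/Apr/2014:14:33:43 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.5 - - [02/Apr/2014:14:33:44 +0000] "GET /some_page.html HTTP/1.1" 304 0
10.0.0.5 - - [02/Apr/2014:14:33:45 +0000] "GET /some_page.html HTTP/1.1" 304 0
10.0.0.5 - - [02/Apr/2014:14:33:46 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.9 - - [02/Apr/2014:14:33:40 +0000] "GET /some_page.html HTTP/1.1" 200 124
10.0.0.9 - - [02/Apr/2014:14:34:12 +0000] "GET /style.css HTTP/1.1" 200 2048
10.0.0.9 - - [02/Apr/2014:14:36:05 +0000] "GET /some_page.html HTTP/1.1" 304 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


class Suspect(NamedTuple):
    client: str
    path: str
    requests: int
    interval_cv: float   # stdev/mean of the gaps between requests; 0.0 = perfectly periodic
    flip_rate: float     # share of consecutive responses whose status code differs


def parse_log(text: str) -> List[Tuple[str, str, datetime, int]]:
    """(client, path, time, status) for every parsable GET line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # tolerate odd lines rather than abort
        client, stamp, method, path, status = m.groups()
        if method != "GET":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        entries.append((client, path, when, int(status)))
    return entries


def find_pollers(text: str, min_requests: int = 6, max_cv: float = 0.1,
                 min_flip_rate: float = 0.3) -> List[Suspect]:
    """Flag (client, path) pairs that are polled with near-constant period and
    whose 200/304 (or 200/412) answers keep flipping. Thresholds are assumptions
    of this example; a static page legitimately re-validated by a browser yields
    long runs of 304 with a rare 200, not a flip on every other request."""
    series: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for client, path, when, status in parse_log(text):
        if status in (200, 304, 412):
            series[(client, path)].append((when, status))
    suspects = []
    for (client, path), hits in series.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        flips = sum(1 for a, b in zip(hits, hits[1:]) if a[1] != b[1])
        flip_rate = flips / (len(hits) - 1)
        if cv <= max_cv and flip_rate >= min_flip_rate:
            suspects.append(Suspect(client, path, len(hits), cv, flip_rate))
    return suspects
```

On the constructed sample only 10.0.0.5 polling /some_page.html is flagged: eight requests exactly one second apart, with the status flipping on five of the seven transitions.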
Specification – Last-Modified
1st threat model
Sleep time | Min start sequence | Avg sequence | Max sequence | Speed | Accuracy
1 second | 3200 bits | 8848 bits | 19712 bits | 1 bit/s | 99.82%
2 seconds | 3400 bits | 10145 bits | 22143 bits | 0.5 bit/s | 99.87%
• Min start sequence – minimum number of bits passed from the beginning of a conversation until the first mistake
• Avg and Max sequence – number of bits passed in a row without any mistakes, on average and at best
• Accuracy – percentage of correctly transmitted bits
Specification – ETag
1st threat model
Sleep time | Min start sequence | Avg sequence | Max sequence | Speed | Accuracy
1 second | 3200 bits | 8848 bits | 19712 bits | 1 bit/s | 99.82%
0.5 seconds | 2400 bits | 8142 bits | 18123 bits | 2 bit/s | 99.5%
ETag contains mtime (last-modified time with microsecond accuracy), so the theoretical channel capacity is bigger than its practically achievable one.
The maximum practical speed of the covert channels is about 1 bit per (2L+T) seconds, where L is the HTTP latency between u2 and s1 and T is the time needed for auxiliary operations.
Covert Channels in Browsers
Kenton Born, “Browser-based covert data exfiltration”
DOMAIN NAME SYSTEM (DNS)
Query: “Where is some.domain.example.com?”
Response: “It is at 88.0.13.37!”
IT’S A CLIENT-SERVER CHANNEL: in some.domain.example.com the subdomain part is chosen by the client, so in bigbrother.watchingme.evil.com the information travels in the subdomain (bigbrother.watchingme) and evil.com is the domain.
DNS TUNNEL
IT’S A SERVER-CLIENT CHANNEL: the client queries first.bit.evil.com (information in the subdomain, evil.com the domain); the response “It is 66.45.234.2” means received 1, NXDOMAIN means received 0.
Server-Client Browser Channel
Purpose: to implement covert timing channels using browser-side technologies such as JavaScript, AJAX and various HTML features.
Timing Channels in Browsers
Problems:
• Lack of any “sleep” function
• Low accuracy of the existing time management functions
• Difficulties with synchronization of the covert channel’s server and client
So implementing the model used above is pointless, but it is possible to implement covert channels under these restrictions using the second threat model (controlled web server).
Timing Channels in Browsers
Use the same client-side model, but in JavaScript (setInterval replaces the sleep):
• Send an HTTP request
• Get the host response
• If the page has been modified: store the new header, write ‘1’ to output; else: write ‘0’ to output
• setInterval: repeat every N seconds
Timing Channels in Browsers
Some refactoring of the server-side model:
• WAIT for an HTTP request
• If the current message bit is ‘1’: send a new header value and store it; else: send the old header value
Issues
Issue – Solution:
• Server-client synchronization – the client visits a special page to begin the conversation
• End of message determination – the client receives a special HTTP code in the response, e.g. 404 Not Found or 403 Forbidden
• Single-client-only communication – open a session that stores the number of the bit being transferred for each client
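An added example, not the authors’ PHP or Python server: the controlled-server model of the previous slide together with the three solutions in this table, as an in-memory handler with no network code. The paths /start and /page, the session structure and the choice of 404 (rather than 403) as the end marker are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str]]   # (status code, response headers)


@dataclass
class Session:
    """Per-client state: the message and the index of the bit being transferred."""
    message_bits: str
    position: int = 0
    etag_version: int = 0

    @property
    def etag(self) -> str:
        return '"v%d"' % self.etag_version


@dataclass
class CovertServer:
    """Controlled server (second threat model) speaking the If-None-Match channel."""
    message_bits: str
    sessions: Dict[str, Session] = field(default_factory=dict)

    def handle(self, client: str, path: str, headers: Dict[str, str]) -> Response:
        if path == "/start":
            # Synchronisation: visiting the special page opens the conversation.
            self.sessions[client] = Session(self.message_bits)
            return 200, {"ETag": self.sessions[client].etag}
        sess = self.sessions.get(client)
        if sess is None or path != "/page":
            return 404, {}                        # nothing to say to this client
        if sess.position >= len(sess.message_bits):
            del self.sessions[client]
            return 404, {}                        # end of message: the special code
        bit = sess.message_bits[sess.position]
        sess.position += 1
        if bit == "1":
            sess.etag_version += 1                # "send new header value"
            return 200, {"ETag": sess.etag}
        # "send old header value": the client's If-None-Match matches -> 304 -> '0'
        if headers.get("If-None-Match") == sess.etag:
            return 304, {"ETag": sess.etag}
        return 200, {"ETag": sess.etag}           # client out of step: it will misread


def read_message(server: CovertServer, client: str) -> str:
    """Reader side, as the setInterval client would do it: one conditional
    request per tick, 200 -> '1' (store the new ETag), 304 -> '0', 404 -> done."""
    _, headers = server.handle(client, "/start", {})
    stored = headers["ETag"]
    bits = []
    while True:
        status, headers = server.handle(client, "/page", {"If-None-Match": stored})
        if status == 404:
            return "".join(bits)
        if status == 200:
            bits.append("1")
            stored = headers["ETag"]
        else:
            bits.append("0")
```

Because the state lives in a per-client Session, two readers can be served at once without their bit positions interfering.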
Specification
2nd threat model – controlled server
Browser-based implementation of the channels (client in JavaScript)
Header | Server version | Average HTTP ping | Max HTTP ping | Speed | Max sequence
Last-Modified | Python | 560.3 ms | 1621.8 ms | 0.53 bit/s | unlimited
Last-Modified | PHP | 508 ms | 532.2 ms | 0.58 bit/s | unlimited
ETag | Python | 560.3 ms | 1621.8 ms | 1.02 bit/s | unlimited
ETag | PHP | 508 ms | 532.2 ms | 1.18 bit/s | unlimited
Specification
2nd threat model – controlled server
Testing the channel implementation in C with a PHP server. Purpose: to estimate the maximum speed.
Header | Network | Average HTTP ping | Speed
ETag | Local host | 0.55 ms | 986 bit/s
ETag | Data center local network | 1.63 ms | 845.65 bit/s
ETag | Local network | 6.9 ms | 295.69 bit/s
ETag | Internet | 383.2 ms | 4.89 bit/s
Proof of Concept
GitHub – https://github.com/tsu-iscd/HttpCovertChannels
The Browser Exploitation Framework
https://github.com/beefproject/beef
“BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.”
Conclusions
Future work: implementation of the ETag-based covert timing channel as a BeEF module.
Denis Kolegov
dnkolegov@gmail.com
@dnkolegov
Oleg Broslavsky
ovbroslavsky@gmail.com
@yalegko
Nikita Oleksov
neoleksov@gmail.com
@neoleksov
