Keyboards & Covert Channels
Presented by Shijie Zhang
Gaurav Shah, Andres Molina, Matt Blaze
The Best Student Paper at the 15th USENIX Security, 2006
Outlines
• Introduction
• Previous work
• Presented scheme
• Implementation details
• Evaluation
• Conclusion
Introduction
How to hide information?
• Cryptography -- does not hide the existence of the message
• Steganography -- hides the existence of the message (e.g. in an image)
Introduction
Applications of steganography:
• Protection against detection (data hiding)
• Protection against removal (watermarking)
A covert channel is network steganography, a subset of steganography
Introduction
Steganography vs. covert channel
Both aim to establish secret communication channels
• Steganography: neutral (data hiding or watermarking)
• Covert channel: bad -- violates security policies (data hiding); usually focuses on volatile data such as memory and network traffic
Introduction
Side channel vs. covert channel
Both aim to establish secret communication channels
• Side channel: sender leaks data unintentionally
• Covert channel: sender leaks data intentionally
Introduction – Applications
Applications of covert channel:
1. MAC systems (mandatory access control systems)
2. General purpose systems
MAC systems: the Light Pink Book deals specifically with covert channel analysis in MAC systems
Introduction – Applications
Applications of covert channel:
MAC systems (mandatory access control systems):
• Depends on the system administrator to decide which user can access which information
• Users and information are each assigned a level, from higher to lower: Top Secret, Secret, Confidential, Unclassified
Introduction – Applications
Applications of covert channel:
To keep confidentiality in a MAC system (levels: Top Secret, Secret, Confidential, Unclassified), a user:
• cannot read / can write information at a higher level
• can read / cannot write information at a lower level
• can read / write information at the same level
Covert channels will establish secret channels!!!
Introduction – Applications
Applications of covert channel:
General purpose systems:
Used by malware to leak out sensitive information (credentials)
Introduction – Threat Model
Prisoner model:
• Alice and Bob are prisoners locked up in different cells and wish to escape.
• They are allowed to communicate using computers as long as the messages are innocuous.
• They have already shared a secret.
• Walter is a warden who monitors the network.
• Alice and Bob win when they escape without arousing Walter's suspicion.
[Diagram: Alice (prisoner) and Bob (prisoner), with Walter (warden, passive) monitoring]
Introduction – Threat Model
• In practical applications, Alice and Bob could be the same person
Introduction – Possible Covert Channels
Criteria to select communication channel:
• Generality
• Technical difficulty
• Capacity
• Detectability
(More like final steps in covert channel design)
Introduction – Possible Covert Channels
Covert channels:
• Storage channel: manipulate the content of a location
  – Disk, memory, network protocol headers, network payload, …
• Timing channel: manipulate the timing or ordering of events
  – Disk accesses, memory accesses, network packet arrivals, …
• Storage channel: higher capacity, less noise, easier to detect
• Timing channel: lower capacity, more noise, harder to detect
• Disk and memory channels require shared resources: not quite general
• What about the network? Many options
Introduction – Which Layers & Protocols?
Which network layers and protocols should be exploited for covert channels?
[Figure: TCP/IP model, annotated with technical difficulty, diversity of protocols and generality]
Realizing covert channels in the network interface layer?
1. Relies on hardware and network topologies; requires being on the same LAN.
   E.g. hidden information may be stripped out at network devices such as routers.
2. More technical difficulties.
Two observations:
1. The more popular the protocol is, the more general the covert channel is.
2. The higher the layer is, the less technical difficulty it will encounter.
Introduction – Which Layers & Protocols?
Most previous work focuses on the protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.
Introduction – Which Layers & Protocols?
Three options here: network protocol headers, network payload, and network packet arrivals
Previous Work – Network Payload
Protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.
e.g. email subject, attachment
Previous Work – Protocol Headers
Protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.
Header fields unused, or reserved for future use
[Figure: basic TCP/IP header structure; the highlighted fields could be used for covert channels]
Previous Work – Network Timing
Protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.
Network packet arrivals: packet rate, inter-packet times
Previous Work – Network Timing
Categories of network timing channel:
• Packet rates:
the number of arriving packets in time interval τ
• Packet intervals:
the time interval between two consecutive packets
Previous Work – Packet Rates
Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04)
• Alice and Bob agree a priori on a constant time interval τ
Alice:
• To send a “0”, Alice maintains silence throughout interval τ
• To send a “1”, Alice sends a packet in the middle of τ
Bob:
• Bob observes each interval τ consecutively
• Bob records a “0” if no packet is received during interval τ
• Bob records a “1” if one packet is received during interval τ
Previous Work – Packet Intervals
Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
Alice and Bob agree a priori on two timing intervals τ1, τ2
Alice:
• To send a “0”, Alice sleeps for τ1 and sends a packet at the end of interval τ1
• To send a “1”, Alice sleeps for τ2 and sends a packet at the end of interval τ2
Bob:
• Bob consecutively records the inter-arrival times
• Bob records a “0” if the inter-arrival time is τ1.
• Bob records a “1” if the inter-arrival time is τ2.
Previous Work – Packet Intervals
Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
Alice and Bob agree a priori on two timing interval bins (0, τc) and (τc, τmax), where τc is a threshold.
Alice:
• To send a “0”, Alice randomly selects a value τtemp from (0, τc), sleeps for τtemp and sends a packet at the end of interval τtemp
• To send a “1”, Alice randomly selects a value τtemp from (τc, τmax), sleeps for τtemp and sends a packet at the end of interval τtemp
Bob:
• Bob consecutively records the inter-arrival times
• Bob records a “0” if the inter-arrival time falls in (0, τc).
• Bob records a “1” if the inter-arrival time falls in (τc, τmax).
Previous Work – Passive Sender
Wang, X., Chen, S., and Jajodia, S. “Tracking anonymous peer-to-peer VoIP calls on the internet”. (CCS, 05)
Key idea: to de-anonymize peer-to-peer VoIP calls, embed a unique watermark into VoIP flows by slightly adjusting the timing of selected packets.
Introduces the notion of a passive sender: only modify the timing of existing network traffic, do not create new traffic.
Presented Scheme – Highlights
Shah, G., Molina, A. and Blaze, M. “Keyboards and Covert Channels”. (USENIX, 2006, The Best Student Paper)
What makes it stand out? Quite particular perspectives:
• Focus on the input system rather than output systems
  [Figure: JitterBug sender]
• Focus on loosely-coupled networks (many intermediate layers involved)
  Covert channel sender → keyboard buffering & network buffering → OS scheduling → Nagle’s algorithm → network jitter → covert channel receiver (partly inside the host system, partly outside it)
• Focus on interactive applications such as SSH instead of specific network protocols such as TCP
  Basic background we need to know:
  1. After initial login, SSH automatically goes into interactive mode
  2. In interactive mode, every keystroke a user types is sent in a separate IP packet immediately after the key is pressed (to improve the interactive experience for users)
  [Figure: the user types in “su Return Julia”]
Presented Scheme – Threat Model
• Alice (JitterBug) is not the packet sender. Alice can only modify the packet timings indirectly, through the timing of keystrokes.
• Bob is not the packet receiver. Bob is just on the path.
Presented Scheme – Steps
• Alice (JitterBug) steals credentials
• Alice (JitterBug) sends out credentials
• Bob extracts the credentials
Next, a simple example of how the scheme works
Presented Scheme – A Simple Example
• JitterBug steals credentials by detecting keystroke patterns
e.g. SSH:
1. JitterBug detects that the user is typing “ssh username@host”
2. JitterBug stores the credentials
Presented Scheme – A Simple Example
• JitterBug sends credentials out
Suppose the stolen credential is “Hi mom” (username “Hi”, password “mom”)
First step. JitterBug transforms the credential into frames

character              H         i
ASCII code (decimal)   72        151
ASCII code (binary)    1001000   10010111

Framing the binaries – add a header and trailer to frames (in the paper, bit stuffing)
Error correcting codes – add redundant bits
To keep it simple, let us suppose no framing and no error correction is used
The final string: 100100010010111…
Presented Scheme – A Simple Example
How to encode the binary string in keystroke timings?
• JitterBug sends credentials out
The final string from the first step: 10010…
Suppose the window size is w = 20 ms
The modified inter-keystroke timings (modulo 20) should be
10, 0, 0, 10, 0, …
Presented Scheme – A Simple Example
• JitterBug sends credentials out
Second step. Decide when to delay keystroke timings:
by detecting certain keystroke patterns, find that a user is working in an interactive SSH session.
Third step. JitterBug adds delays to the inter-keystroke timings.
The original observed inter-keystroke timings are
123, 145, 333, 813, 140, … (ms)
The modified inter-keystroke timings (modulo 20) should be
10, 0, 0, 10, 0, …
Adding delay: 7, 15, 7, 17, 0, … (ms)
The final modified inter-keystroke timings:
130, 160, 340, 830, 140, … (ms)
Presented Scheme – A Simple Example
• Receiver extracts the credentials
The final modified inter-keystroke timings:
130, 160, 340, 830, 140, … (ms)
The final received inter-packet timings:
137, 162, 343, 833, 142, … (ms)
Window size = 20 ms, suppose ε = 3 ms:
The decoded binaries:
1, 0, 0, 1, 0, … Bingo
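The sender and receiver arithmetic of this example, written out as an added Python example (not code from the paper or from the JitterBug device; function names are hypothetical). It reproduces the slide's delays for w = 20 ms, then decodes a constructed set of received timings with ε = 3 ms, including one interval whose jitter exceeds the tolerance.

```python
# Added illustration of the modulo-w timing arithmetic from the slides.
# Function names are hypothetical; received timings are constructed.

W_MS = 20   # window size w used on the slide
EPS_MS = 3  # receiver tolerance (epsilon) used on the slide


def target_residue(bit, w=W_MS):
    """Residue (mod w) that represents a bit: 0 -> 0, 1 -> w/2."""
    return w // 2 if bit else 0


def added_delays(bits, observed_ms, w=W_MS):
    """Smallest non-negative delay that moves each interval onto its target residue."""
    return [(target_residue(b, w) - t) % w for b, t in zip(bits, observed_ms)]


def modified_timings(bits, observed_ms, w=W_MS):
    """Observed interval plus added delay, i.e. what leaves the keyboard side."""
    delays = added_delays(bits, observed_ms, w)
    return [t + d for t, d in zip(observed_ms, delays)]


def decode(intervals_ms, w=W_MS, eps=EPS_MS):
    """Return 0 or 1 per interval, or None if the residue is within eps of neither centre.

    Requires eps < w/4 so the two acceptance bands cannot overlap.
    """
    bits = []
    for t in intervals_ms:
        r = t % w
        dist_to_zero = min(r, w - r)   # residue 0 wraps around at w
        dist_to_half = abs(r - w // 2)
        if dist_to_zero <= eps:
            bits.append(0)
        elif dist_to_half <= eps:
            bits.append(1)
        else:
            bits.append(None)          # jitter pushed it outside both bands
    return bits


BITS = [1, 0, 0, 1, 0]                    # first five bits on the slide
OBSERVED_MS = [123, 145, 333, 813, 140]   # original timings on the slide
RECEIVED_MS = [132, 161, 343, 828, 142]   # constructed: slide timings plus small jitter

if __name__ == "__main__":
    print("delays  :", added_delays(BITS, OBSERVED_MS))
    print("sent    :", modified_timings(BITS, OBSERVED_MS))
    print("decoded :", decode(RECEIVED_MS))
    print("5 ms off:", decode([135]))     # 130 ms arriving 5 ms late is undecodable
```

Every added delay is below w, which is why the window size bounds how much extra latency the user can perceive per keystroke.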
Implementation Details
[Figure: JitterBug sender]
PS/2 protocol:
Connector interface
1. Data line: transmits the 8-bit scan code that indicates which key was pressed
2. Clock line: used for synchronization, to indicate when data is valid
3. VCC & GND lines: power lines
Possible events:
• Key pressed: 11-bit code is sent
  -- start bit, 8-bit scan code, odd parity bit, stop bit
• Key released: two 11-bit codes are sent
  -- first scan code is F0
  -- second scan code is the released key code
• Key held down: 11-bit code is sent every 100 ms
  -- scan code is the pressed key code
Notes:
Data is valid on the negative edge of the clock.
Implementation Details
Use a PIC microcontroller
Hardware functionalities:
• Identify certain keystroke patterns
  – whether to store keystrokes and when to add delay to keystrokes
  e.g. detect “ssh username@host”:
  1. the following keystrokes should be the password, so they should be stored
  2. the user will be in an interactive SSH session, which is appropriate for adding delays
• Delay the keyboard signal
  External interrupt + timer interrupt
[Block diagram: input signal, triggers, EEPROM, external interrupt, timer interrupt, store, add delays, output signal]
Evaluation
• Accuracy
• Bandwidth
• Detectability
Evaluation - Accuracy
Data flow: covert channel sender → keyboard buffering & network buffering → OS scheduling → Nagle’s algorithm → network jitter → covert channel receiver (partly inside the host system, partly outside it)
• OS scheduling: high priority in OS scheduling
• Nagle’s algorithm: handles small packets by deciding when to buffer data before sending it out in a network packet. By default, disabled!!!
• Network jitter: the biggest factor; adds the most randomized noise
Evaluation - Accuracy
Experiment settings:
• Source machine is located in University of Pennsylvania
• Interactive SSH Sessions
• Timing information comes from the destination host using
tcpdump
Evaluation - Accuracy
How to compare the difference between sent and received binaries?
Raw bit error, calculated by Levenshtein distance (used when the sent and received binaries are of different length)
Definition of Levenshtein distance:
Evaluation - Accuracy
Factor of geographic locations:
How to set up the experiment platform?
Evaluation - Accuracy
PlanetLab
• Global research network – setup worldwide network services
• Since 2003, more than 1000 researchers have used PlanetLab
to develop new technologies
Evaluation - Accuracy
Factor of geographic locations:
Observations:
• For a fixed window size, the channel performance does not exhibit
any clear trend. In other words, geographic locations do not matter
much to channel performance.
Evaluation - Accuracy
Factor of geographic locations:
Observations:
• The smaller the window size is, the higher the error rates will be. But the window size should not be so big that the delay is perceived by the user.
Evaluation - Accuracy
Factor of different applications:
Observations:
• The channel performance is not affected much by the choice
of interactive terminal applications.
Evaluation - Accuracy
Factor of different systems:
Observations:
• The channel performance is not affected much by the choice of
operating systems.
Evaluation - Accuracy
Factor of different system loads:
Observations:
• The channel performance is not affected much by system load.
Evaluation - Accuracy
Factor of network jitters:
???
Evaluation - Bandwidth
• Each keystroke can encode one bit of information
How to improve?
• Subdivide the window further to improve encoding (but this may also lead to lower accuracy)
Evaluation - Detectability
Observations:
• A simple plot of inter-arrival times will detect the proposed covert channel
[Figure: inter-arrival times without JitterBug and with JitterBug]
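Why a plot gives the fixed-window channel away, as an added Python example (not from the paper; the function names, the 0.3 threshold and the synthetic sessions are assumptions). With a fixed window w every shaped interval sits near a multiple of w/2, so the residues pile up at one phase, which the mean resultant length of the residues measures for each candidate period.

```python
# Added detection example: score how strongly inter-arrival times cluster
# at multiples of a candidate period. All sample data below is constructed.
import math
import random


def residue_concentration(intervals_ms, period_ms):
    """Mean resultant length of (interval mod period) mapped onto a circle.

    Near 0 when residues are spread evenly, near 1 when they share one phase.
    """
    n = len(intervals_ms)
    angles = [2 * math.pi * (t % period_ms) / period_ms for t in intervals_ms]
    c = sum(math.cos(a) for a in angles) / n
    s = sum(math.sin(a) for a in angles) / n
    return math.hypot(c, s)


def scan_periods(intervals_ms, periods_ms=range(2, 31), threshold=0.3):
    """Try each candidate period (ms); return (best_period, score, flagged).

    The threshold is an assumed value; tune it against a local baseline.
    """
    scores = {p: residue_concentration(intervals_ms, p) for p in periods_ms}
    best = max(scores, key=scores.get)
    return best, scores[best], scores[best] >= threshold


def constructed_sessions(n=400, w=20, jitter_ms=1.0, seed=2006):
    """Build two synthetic traces: plain typing, and the same typing shaped
    onto residues 0 or w/2 (mod w) and then blurred by Gaussian network jitter."""
    rng = random.Random(seed)
    natural = [rng.uniform(80.0, 400.0) for _ in range(n)]
    shaped = []
    for t in natural:
        target = (w / 2) if rng.getrandbits(1) else 0.0
        delay = (target - t) % w                 # 0 <= delay < w
        shaped.append(t + delay + rng.gauss(0.0, jitter_ms))
    return natural, shaped


if __name__ == "__main__":
    natural, shaped = constructed_sessions()
    print("natural:", scan_periods(natural))
    print("shaped :", scan_periods(shaped))     # strongest period is w/2 = 10 ms
```

Host-side quantisation such as keyboard polling or timer ticks can also cluster residues, so compare against a per-host baseline before alerting. The rotating-window variant on the next slide is meant to break exactly this regularity, so the statistic applies to the fixed-window scheme only.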
Evaluation - Detectability
Rotating time windows:
Assumption: Alice and Bob share a sequence of integers.
After Alice sends one bit and Bob receives it, they both move to the next shared integer.
Example:
Sent binaries {1,0,1}
Shared sequence {s0, s1, s2} = {3,9,5}
Conclusion
• Compromising an input channel is useful not only for learning secrets, but also for leaking information over the network.
• Loosely coupled network timing channels are practical.
Possible future work:
• Better framing and error correcting schemes
• Better ways to evade detection
References
1. Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04)
2. Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”.
(PhD Thesis, Purdue University, 2006)
3. Shah, Gaurav, Andres Molina, and Matt Blaze. "Keyboards and Covert
Channels." USENIX Security. 2006.

More Related Content

PDF
Firewall Defense against Covert Channels
PPTX
Path oram
PDF
Covert Timing Channels using HTTP Cache Headers
PPTX
Winnti Polymorphism
PDF
Predictive modeling healthcare
PDF
Ranking the Web with Spark
PDF
Building distributed processing system from scratch - Part 2
PDF
Introduction to Structured Streaming
Firewall Defense against Covert Channels
Path oram
Covert Timing Channels using HTTP Cache Headers
Winnti Polymorphism
Predictive modeling healthcare
Ranking the Web with Spark
Building distributed processing system from scratch - Part 2
Introduction to Structured Streaming

Viewers also liked (20)

PPTX
AMP Camp 5 Intro
PDF
Spark sql
PDF
Evolution of apache spark
PDF
Introduction to dataset
PPTX
Steganography
PDF
Anatomy of Spark SQL Catalyst - Part 2
PDF
Spark on yarn
PDF
Getting Started Running Apache Spark on Apache Mesos
PDF
Anatomy of in memory processing in Spark
PPTX
Building a modern Application with DataFrames
PDF
Kafka and Spark Streaming
PDF
Building Distributed Systems from Scratch - Part 1
PDF
Introduction to Structured Data Processing with Spark SQL
PPTX
Resilient Distributed DataSets - Apache SPARK
KEY
Building Distributed Systems in Scala
PDF
Introduction to Spark 2.0 Dataset API
PDF
Spark architecture
PDF
Anatomy of Data Source API : A deep dive into Spark Data source API
PDF
Productionalizing a spark application
PDF
Introduction to spark 2.0
AMP Camp 5 Intro
Spark sql
Evolution of apache spark
Introduction to dataset
Steganography
Anatomy of Spark SQL Catalyst - Part 2
Spark on yarn
Getting Started Running Apache Spark on Apache Mesos
Anatomy of in memory processing in Spark
Building a modern Application with DataFrames
Kafka and Spark Streaming
Building Distributed Systems from Scratch - Part 1
Introduction to Structured Data Processing with Spark SQL
Resilient Distributed DataSets - Apache SPARK
Building Distributed Systems in Scala
Introduction to Spark 2.0 Dataset API
Spark architecture
Anatomy of Data Source API : A deep dive into Spark Data source API
Productionalizing a spark application
Introduction to spark 2.0
Ad

Similar to Keyboard covert channels (20)

PDF
Implementation of Steganographic Method Based on IPv4 Identification Field ov...
PPTX
Covert channels: A Window of Data Exfiltration Opportunities
PDF
A typical analysis of hybrid covert channel using constructive entropy analy...
DOCX
Covert Channels
PDF
TRENDS TOWARD REAL-TIME NETWORK DATA STEGANOGRAPHY
PDF
TRENDS TOWARD REAL-TIME NETWORK DATA STEGANOGRAPHY
PDF
An ensemble model to detect packet length covert channels
PPTX
lecture 2.pptx
PDF
COMP8045 - Project Report v.1.3
PDF
Telecommunications and Network Security Presentation
PPTX
CN. Presentation for submitting project term pptx
PPT
chapter6 intro to telecommunications.ppt
PPTX
Chapter 1.2 osi model
PPTX
CCNA ppt Day 2
PPT
12 tcp-dns
PPT
01 pengenalan
PPTX
Topology Chapter 2.pptx
PPT
Telecom Network
PPT
chapter1.ppt
PDF
Network security on Cisco routers and switches
Implementation of Steganographic Method Based on IPv4 Identification Field ov...
Covert channels: A Window of Data Exfiltration Opportunities
A typical analysis of hybrid covert channel using constructive entropy analy...
Covert Channels
TRENDS TOWARD REAL-TIME NETWORK DATA STEGANOGRAPHY
TRENDS TOWARD REAL-TIME NETWORK DATA STEGANOGRAPHY
An ensemble model to detect packet length covert channels
lecture 2.pptx
COMP8045 - Project Report v.1.3
Telecommunications and Network Security Presentation
CN. Presentation for submitting project term pptx
chapter6 intro to telecommunications.ppt
Chapter 1.2 osi model
CCNA ppt Day 2
12 tcp-dns
01 pengenalan
Topology Chapter 2.pptx
Telecom Network
chapter1.ppt
Network security on Cisco routers and switches
Ad

Recently uploaded (20)

PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
PDF
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
PPTX
chapter 5 systemdesign2008.pptx for cimputer science students
PDF
STL Containers in C++ : Sequence Container : Vector
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
PPTX
Trending Python Topics for Data Visualization in 2025
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
PDF
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
PDF
Website Design Services for Small Businesses.pdf
PPTX
Cybersecurity: Protecting the Digital World
PPTX
Monitoring Stack: Grafana, Loki & Promtail
PDF
Cost to Outsource Software Development in 2025
PDF
iTop VPN Crack Latest Version Full Key 2025
PDF
Designing Intelligence for the Shop Floor.pdf
PDF
Topaz Photo AI Crack New Download (Latest 2025)
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PPTX
Patient Appointment Booking in Odoo with online payment
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
chapter 5 systemdesign2008.pptx for cimputer science students
STL Containers in C++ : Sequence Container : Vector
Why Generative AI is the Future of Content, Code & Creativity?
Trending Python Topics for Data Visualization in 2025
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
Advanced SystemCare Ultimate Crack + Portable (2025)
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
Website Design Services for Small Businesses.pdf
Cybersecurity: Protecting the Digital World
Monitoring Stack: Grafana, Loki & Promtail
Cost to Outsource Software Development in 2025
iTop VPN Crack Latest Version Full Key 2025
Designing Intelligence for the Shop Floor.pdf
Topaz Photo AI Crack New Download (Latest 2025)
wealthsignaloriginal-com-DS-text-... (1).pdf
Patient Appointment Booking in Odoo with online payment

Keyboard covert channels

  • 2. Keyboards & Guarav Shah, Andres Molina, Matt Blaze The Best Student Paper in 15th USEINX, 2006 Covert Channels
  • 3. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 4. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 6. Introduction How to hide information? • Cryptography • Steganography
  • 7. Introduction How to hide information? e.g. an image Cryptography -- Does no hide the existence of the message Steganography -- hide the existence of the message
  • 8. Introduction Applications of steganography: Steganography Protection against detection (Data hiding) Protection against removal (Watermarking) Covert channel is the network steganography
  • 9. Introduction Applications of steganography: Steganography Protection against detection (Data hiding) Protection against removal (Watermarking) Covert channel is a subset of steganography
  • 10. Introduction Steganography VS Covert channel Both aim to establish secret communication channels neutral bad -- violates security policies (data hiding or (data hiding) watermarking) usually focus on volatility data such as memory, network traffic
  • 11. Introduction Side Channel VS Covert channel Both aim to establish secret communication channels Sender leaks data Sender leaks data unintentionally intentionally
  • 12. Introduction – Applications Applications of covert channel: 1. MAC systems (Mandatory Access Control) 2. General purpose systems
  • 13. Introduction – Applications Applications of covert channel: MAC systems (mandatory access control systems): Light Pink Book: Specially on Covert channel analysis in MAC systems
  • 14. Introduction – Applications Applications of covert channel: MAC systems (mandatory access control systems): • Depends on the system administrator to decide which user can access which information Top Secret Secret Confidential Unclassified Top Secret Secret Confidential Unclassified user information higher
  • 15. Introduction – Applications Applications of covert channel: To keep confidentiality in MAC system: Top Secret Secret Confidential Unclassified user information information information Cannot read/can write Can read/cannot write Can read/write
  • 16. Introduction – Applications Applications of covert channel: To keep confidentiality in MAC system: Top Secret Secret Confidential Unclassified user information information information Cannot read/can write Can read/cannot write Can read/write Covert channels will establish secret channels!!!
  • 17. Introduction – Applications Applications of covert channel: General purpose systems: To leak out sensitive information (credentials) by malwares
  • 18. Introduction – Threat Model Prisoner model: Alice BobWalter prisoner prisonerWarden (passive)
  • 19. Introduction – Threat Model Prisoner model: • Alice and Bob are prisoners locked up in different cells and wish to escape. • They are allowed to communicate using computers as long as the message is innocuous. • They have already shared a secret. • Walter is a warden who monitors the network. • Alice and Bob win when they escape without rousing suspicion of Walter. Alice BobWalter prisoner prisonerWarden (passive)
  • 20. Introduction – Threat Model • In practical applications, Alice and Bob could be the same person Alice BobWalter prisoner prisonerwarden
  • 21. Introduction – Possible Covert Channels Criteria to select communication channel: • Generality • Technical difficulty • Capacity • Detectability More like final steps in covert channel design
  • 22. covert channels Storage channel Timing channel Manipulate content of a location Manipulate timing or ordering of events Disk Memory Network protocol headers Network payload … … Disk accesses Memory accesses Network Packet arrivals … … Introduction – Possible Covert Channels
  • 23. covert channels Storage channel Timing channel Disk Memory Network protocol headers Network payload … … Disk accesses Memory accesses Network Packet arrivals … … Higher capacity, Less noises, Easier to be detected Lower capacity, More noises, Harder to be detected Introduction – Possible Covert Channels
  • 24. covert channels Storage channel Timing channel Disk Memory Network protocol headers Network payload … … Disk accesses Memory accesses Network Packet arrivals … … Require Shared resources Not quite general Introduction – Possible Covert Channels
  • 25. covert channels Storage channel Timing channel Disk Memory Network protocol headers Network payload … … Disk accesses Memory accesses Network Packet arrivals … … What about network ??? Many options Introduction – Possible Covert Channels
  • 26. Which network layers and protocols should be exploited for cover channels? Introduction – Which Layers & Protocols?
  • 28. Diversity of protocol TCP/IP model Generality Introduction – Which Layers & Protocols?
  • 29. realizing covert channels in network interface layer ??? 1. Relies on hardware and network topologies. Requires to be on the same LAN E.g. information hided may be stripped out at network devices such as router 2. More technical difficulties TCP/IP model Introduction – Which Layers & Protocols?
  • 30. 1. More popular the protocol is, more general the covert channel is. 2. More higher the layer is, the less technical difficulty they will encounter. TCP/IP model Introduction – Which Layers & Protocols? Two Observations:
  • 31. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 32. Introduction – Which Layers & Protocols? [Diagram: covert channels split into storage channels and timing channels.] Most previous work focuses on the protocols TCP, IP, ICMP, HTTP/FTP, DNS, etc.
  • 33. Introduction – Which Layers & Protocols? [Diagram: covert channels split into storage channels and timing channels.] Three options here.
  • 34. Previous Work – Network Payload. [Diagram: covert channels split into storage channels and timing channels; protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.] E.g. email subject, attachment.
  • 35. Previous Work – Protocol Headers. [Diagram: covert channels split into storage channels and timing channels; protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.] Header fields that are unused or reserved for future use.
  • 36. Previous Work – Protocol Headers. E.g. basic TCP/IP header structure. [Figure: header layout; the highlighted fields could be used for covert channels.]
  • 37. Previous Work – Network Timing. [Diagram: covert channels split into storage channels and timing channels; protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.]
  • 38. Previous Work – Network Timing. [Diagram: covert channels split into storage channels and timing channels.] Annotation: packet rate, inter-packet times.
  • 39. Previous Work – Network Timing. Categories of network timing channel:
      • Packet rates: the number of packets arriving in a time interval τ
      • Packet intervals: the time interval between two consecutive packets
  • 40. Previous Work – Packet Rates. Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04)
      • Alice and Bob agree a priori on a constant time interval τ.
      • Alice: to send a “0”, Alice maintains silence throughout interval τ; to send a “1”, Alice sends a packet in the middle of τ.
      • Bob: observing each interval τ consecutively, Bob records a “0” if no packet is received during interval τ and a “1” if one packet is received during interval τ.
  • 42. Previous Work – Network Timing. Categories of network timing channel:
      • Packet rates: the number of packets arriving in a time interval τ
      • Packet intervals: the time interval between two consecutive packets
  • 43. Previous Work – Packet Intervals. Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
      • Alice and Bob agree a priori on two timing intervals τ1, τ2.
      • Alice: to send a “0”, Alice sleeps for τ1 and sends a packet at the end of interval τ1; to send a “1”, Alice sleeps for τ2 and sends a packet at the end of interval τ2.
      • Bob: consecutively recording the inter-arrival times, Bob records a “0” if the inter-arrival time is τ1 and a “1” if the inter-arrival time is τ2.
  • 45. Previous Work – Packet Intervals. Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
      • Alice and Bob agree a priori on two timing interval bins (0, τc) and (τc, τmax), where τc is a threshold.
      • Alice: to send a “0”, Alice randomly selects a value τtemp from (0, τc), sleeps for τtemp and sends a packet at the end of interval τtemp; to send a “1”, Alice randomly selects τtemp from (τc, τmax) instead.
      • Bob: consecutively recording the inter-arrival times, Bob records a “0” if the inter-arrival time falls in (0, τc) and a “1” if it falls in (τc, τmax).
  • 46. Previous Work – Passive Sender. Wang, X., Chen, S., and Jajodia, S. “Tracking anonymous peer-to-peer VoIP calls on the internet”. (CCS, 05)
      • Key idea: to de-anonymize peer-to-peer VoIP calls, embed a unique watermark into VoIP flows by slightly adjusting the timing of selected packets.
      • Introduces the notion of a passive sender: it only modifies the timing of existing network traffic and does not create new traffic.
  • 47. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 48. Presented Scheme – Highlights. Shah, G., Molina, A. and Blaze, M. “Keyboards and Covert Channels”. (USENIX, 2006, The Best Student Paper) What makes it stand out? Quite particular perspectives:
      • Focus on the input system rather than output systems
      • Focus on loosely-coupled networks (many intermediate layers involved)
      • Focus on interactive applications such as SSH instead of specific network protocols such as TCP
  • 49. Presented Scheme – Highlights. Focus on the input system rather than output systems. [Figure: JitterBug sender.]
  • 50. Presented Scheme – Highlights. Focus on loosely-coupled networks (many intermediate layers involved). [Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver.]
  • 51. Presented Scheme – Highlights. Focus on interactive applications such as SSH. Basic background we need to know:
      1. After initial login, SSH automatically goes into interactive mode.
      2. In interactive mode, every keystroke a user types is sent in a separate IP packet immediately after the key is pressed, to improve the interactive experience for users.
  • 52. Presented Scheme – Highlights. Focus on interactive applications such as SSH. [Figure: the user types in “su Return JuIia”.]
  • 53. Presented Scheme – Threat Model. [Figure: JitterBug.]
      • Alice (JitterBug) is not the packet sender. Alice can only modify the packet timings indirectly, through the timing of keystrokes.
      • Bob is not the packet receiver. Bob is just on the path.
  • 54. Presented Scheme – Steps.
      • Alice (JitterBug) steals credentials
      • Alice (JitterBug) sends out credentials
      • Bob extracts the credentials
      Then I will give a simple example of how the scheme works.
  • 55. Presented Scheme – A Simple Example. JitterBug steals credentials by detecting keystroke patterns, e.g. for SSH:
      1. JitterBug detects that the user is typing “ssh username@host”.
      2. JitterBug stores the credentials.
  • 56. Presented Scheme – A Simple Example. JitterBug sends credentials out. [Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver.]
  • 57. Presented Scheme – A Simple Example. JitterBug sends credentials out. Suppose the stolen credential is “Hi mom”. [Figure labels: username, password.]
      1. JitterBug converts the credential into frames:
         character H: ASCII code (decimal) 72, ASCII code (binary) 1001000
         character i: ASCII code (decimal) 151, ASCII code (binary) 10010111
      • Framing the binaries: add a header and trailer to the frames (in the paper, bit stuffing).
      • Error-correcting codes: add redundant bits.
      • To keep it simple, let us suppose no framing and no error correction is used.
  • 58. Presented Scheme – A Simple Example. JitterBug sends credentials out. Suppose the stolen credential is “Hi mom”. [Figure labels: username, password.]
      1. JitterBug converts the credential into frames:
         character H: ASCII code (decimal) 72, ASCII code (binary) 1001000
         character i: ASCII code (decimal) 151, ASCII code (binary) 10010111
      • The final string: 100100010010111…
      • How to encode the binary string in keystroke timings?
  • 59. Presented Scheme – A Simple Example. JitterBug sends credentials out. Suppose the stolen credential is “Hi mom”. [Figure: inter-keystroke timings; labels: username, password.]
      a. JitterBug converts the credential into frames. The final string: 10010…
      • Suppose the window size is w = 20 ms.
      • The modified inter-keystroke timings (modulo 20) should be 10, 0, 0, 10, 0, … (a 1 bit maps to w/2 = 10, a 0 bit maps to 0).
  • 60. Presented Scheme – A Simple Example. JitterBug sends credentials out. Suppose the stolen credential is “Hi mom”. [Figure labels: username, password.]
      First step. JitterBug converts the credential into frames. The final string: 10010…
      • Suppose the window size is w = 20 ms.
      • The modified inter-keystroke timings (modulo 20) should be 10, 0, 0, 10, 0, …
  • 61. Presented Scheme – A Simple Example. JitterBug sends credentials out. Second step: decide when to delay keystroke timings. By detecting certain keystroke patterns, JitterBug finds that a user is working in an interactive SSH session.
  • 62. Presented Scheme – A Simple Example. JitterBug sends credentials out. Third step: JitterBug adds delays to the inter-keystroke timings.
      • The original observed inter-keystroke timings: 123, 145, 333, 813, 140, … (ms)
      • The modified inter-keystroke timings (modulo 20) should be: 10, 0, 0, 10, 0, …
      • Added delay: 7, 15, 7, 17, 0, … (ms)
      • The final modified inter-keystroke timings: 130, 160, 340, 830, 140, … (ms)
  • 63. Presented Scheme – A Simple Example. Receiver extracts the credentials. [Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver.]
  • 64. Presented Scheme – A Simple Example. Receiver extracts the credentials. [Figure values: 137, 162, 343, 833, 142; 130, 162, 340, 830, 140.]
  • 65. Presented Scheme – A Simple Example. Receiver extracts the credentials. [Figure: inter-keystroke timings.]
  • 66. Presented Scheme – A Simple Example. Receiver extracts the credentials.
      • The final modified inter-keystroke timings: 130, 160, 340, 830, 140, … (ms)
      • The final received inter-packet timings: 137, 162, 343, 833, 142, … (ms)
      • Window size = 20 ms; suppose ɛ = 3 ms.
      • The decoded binaries: 1, 0, 0, 1, 0, … Bingo.
  • 67. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 69. Implementation Details. JitterBug sender. PS/2 protocol: connector interface.
  • 70. Implementation Details. PS/2 protocol: connector interface.
      1. Data line: transmits the 8-bit scan code that indicates which key was pressed.
      2. Clock line: used for synchronization, to indicate when the data is valid.
      3. VCC & GND lines: power lines.
  • 71. Implementation Details. Possible events:
      • Key pressed: an 11-bit code is sent (start bit, 8-bit scan code, odd parity bit, stop bit).
      • Key released: two 11-bit codes are sent; the first scan code is F0, the second scan code is the released key code.
      • Key held down: an 11-bit code is sent every 100 ms; the scan code is the pressed key code.
  • 72. Implementation Details. Note: data is valid on the negative edge of the clock.
  • 75. Implementation Details. Uses a PIC microcontroller. Hardware functionalities:
      • Identify certain keystroke patterns, to decide whether to store keystrokes and when to add delay to keystrokes. E.g. on detecting “ssh username@host”: (1) the following keystrokes should be the password, so they should be stored; (2) the user will be in an interactive SSH session, which is appropriate for adding delays.
      • Delay the keyboard signal: external interrupt + timer interrupt.
      [Block diagram labels: triggers, EEPROM, external interrupt, timer interrupt, input signal, output signal, store, add delays.]
  • 76. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 79. Evaluation - Accuracy. Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver.
  • 80. Evaluation - Accuracy. Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver. Annotation: high priority in OS scheduling.
  • 81. Evaluation - Accuracy. Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver. Annotation: handles small packets by deciding when to buffer data before sending it out in a network packet. By default, disabled!
  • 82. Evaluation - Accuracy. Data flow: covert channel sender → keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm (inside the host system) → network jitter (outside the host system) → covert channel receiver. Annotation: the biggest factor; adds the most random noise.
  • 83. Evaluation - Accuracy. Experiment settings:
      • The source machine is located at the University of Pennsylvania
      • Interactive SSH sessions
      • Timing information is collected at the destination host using tcpdump
  • 84. Evaluation - Accuracy. How to compare the difference between sent and received binaries? Raw bit error calculated by: Levenshtein distance: used when sent and received binaries are of different length. Definition of Levenshtein distance:
  • 85. Evaluation - Accuracy. Factor of geographic locations: how to set up the experiment platform?
  • 86. Evaluation - Accuracy. PlanetLab:
      • Global research network, used to set up worldwide network services
      • Since 2003, more than 1000 researchers have used PlanetLab to develop new technologies
  • 87. Evaluation - Accuracy. Factor of geographic locations. Observation: for a fixed window size, the channel performance does not exhibit any clear trend. In other words, geographic location does not matter much to channel performance.
  • 88. Evaluation - Accuracy. Factor of geographic locations. Observation: the smaller the window size is, the higher the error rates will be. But the window size should not be so big that the delay is perceived by the user.
  • 89. Evaluation - Accuracy. Factor of different applications. Observation: the channel performance is not affected much by the choice of interactive terminal application.
  • 90. Evaluation - Accuracy. Factor of different systems. Observation: the channel performance is not affected much by the choice of operating system.
  • 91. Evaluation - Accuracy. Factor of different system loads. Observation: the channel performance is not affected much by system load.
  • 92. Evaluation - Accuracy Factor of network jitters: ???
  • 94. Evaluation - Bandwidth. Each keystroke can encode one bit of information. How to improve? Subdivide the window further to improve the encoding (but this may also lead to lower accuracy).
  • 96. Evaluation - Detectability. Observation: a simple plot of inter-arrival times will detect the proposed covert channel. [Figure panels: without JitterBug; with JitterBug.]
  • 97. Evaluation - Detectability. Rotating time windows. Assumes that Alice and Bob share a sequence of integers. Basically, after Alice sends one bit and Bob receives one bit, they move to the next shared integer. [Figure: inter-keystroke timings.]
  • 98. Evaluation - Detectability. Example: sent binaries {1, 0, 1}; shared sequence {s0, s1, s2} = {3, 9, 5}.
  • 100. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 101. Conclusion
      • Compromising an input channel is useful not only for learning secrets, but also for leaking information over the network.
      • Loosely coupled network timing channels are practical.
      Possible future work:
      • Better framing and error-correcting schemes
      • Better ways to evade detection
  • 102. References
      1. Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04)
      2. Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
      3. Shah, Gaurav, Andres Molina, and Matt Blaze. "Keyboards and Covert Channels." USENIX Security. 2006.
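
The Evaluation - Detectability slide says a simple plot of inter-arrival times exposes the channel: the worked example leaves every modified delay at 0 or w/2 modulo the window, so the delays sit on a regular grid. The Python below is an added example, not code from the slides or the paper, that turns that observation into a numeric score; the function names, the candidate window range, the threshold and the sample traffic are all assumptions constructed for illustration.

```python
import cmath
import math
import random

def phase_concentration(iats_ms, window_ms):
    """Mean resultant length of the inter-arrival times folded at window/2.

    The slides' encoding leaves every delay at 0 or window/2 modulo the window,
    so both symbols fall on phase 0 once folded at window/2. The result is in
    [0, 1]: close to 1 when delays cluster on that grid, close to 0 otherwise.
    """
    half = window_ms / 2.0
    total = sum(cmath.exp(2j * math.pi * t / half) for t in iats_ms)
    return abs(total) / len(iats_ms)

def looks_modulated(iats_ms, candidate_windows_ms, threshold):
    """Scan candidate window sizes; return (flagged, best_window, best_score)."""
    score, window = max((phase_concentration(iats_ms, w), w)
                        for w in candidate_windows_ms)
    return score >= threshold, window, score

def constructed_samples(seed=2006, n=400, window_ms=20, jitter_ms=2.0):
    """Constructed test data, not captured traffic.

    benign: inter-arrival times drawn uniformly from 80-400 ms.
    shaped: similar delays rounded up to the 0 / window/2 grid as in the
    slides' worked example, plus uniform jitter standing in for the network.
    """
    rng = random.Random(seed)
    benign = [rng.uniform(80.0, 400.0) for _ in range(n)]
    shaped = []
    for _ in range(n):
        base = int(rng.uniform(80, 400))
        target = window_ms // 2 if rng.random() < 0.5 else 0
        delay = (target - base) % window_ms
        shaped.append(base + delay + rng.uniform(-jitter_ms, jitter_ms))
    return benign, shaped

CANDIDATES_MS = range(8, 42, 2)   # assumed search range for the window size
THRESHOLD = 0.4                   # assumed cut-off; tune on known-clean traffic

if __name__ == "__main__":
    benign, shaped = constructed_samples()
    for name, sample in (("benign", benign), ("shaped", shaped)):
        flagged, window, score = looks_modulated(sample, CANDIDATES_MS, THRESHOLD)
        print(f"{name}: flagged={flagged} window={window}ms score={score:.2f}")
```

The score assumes one fixed window for the whole capture; the rotating time windows described on the Detectability slides change the grid offset per bit, which this fixed-grid check does not cover.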

Editor's Notes

  • #14: The notion of covert channel was popularized by the Rainbow Series. The Rainbow Series is a series of computer security guidelines and processes to certify that a computer system is secure. They were developed by the US government in the 1980s and 1990s. Basically, different colors deal with different aspects of security. Among them, the Light Pink Book focuses specifically on the analysis of covert channels. The Orange Book is the centerpiece of the Rainbow Series and has requirements on covert channel analysis for specific systems.
  • #21: In a practical instantiation of this problem, Alice and Bob may well be the same person. Consider a machine to which an attacker has unrestricted access for only a short amount of time, and which lies within a closely monitored network. The attacker installs a keylogger on the machine, and wishes to leak passwords to himself in such a way that the owner of the network does not observe that anything untoward is happening.