Covert timing channels using HTTP cache headers | PPTX
COVERT TIMING CHANNELS USING
HTTP CACHE HEADERS
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University
Information Security and Cryptography Department
Introduction
A covert channel is a mechanism for sending and receiving information
between hosts without alerting any firewalls or IDSs.
HTTP is one of the most widely used Internet protocols, so detection of
covert channels over HTTP is an important research area.
Example – HTTP Headers
Using steganography methods in header values
Suppose that “en” encodes 0 and “fr” encodes 1. Then:
Accept-Language: en,fr → 01
Accept-Language: fr,en → 10
Accept-Language: en,fr,en,fr,en,en,en,en → 01010000 = 0x50
Covert Channels’ Usage
• Botnet C&C channel
• In-band key exchange
• Transfer illegal content
• Stealing information from “secure” environments
Types Of Covert Channels
TIME DEPENDENCE
• Storage channels – a storage location is written to and read from
• Timing channels – transmitting information through time values
DIRECTION
• Client – server
• Server – client
Client-Server Covert Channels
Client-server covert channels are easier to implement, e.g. a covert
storage channel via the If-Range request header:
GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L
…
Hex-encoded data
Server-Client Covert Channels
Server-client channels are more complicated, and most of them are
timing channels, so they are more interesting to research.
Basic HTTP Cache Headers
RESPONSE (SERVER) HEADERS
• Last-Modified
• ETag
REQUEST (CLIENT) HEADERS
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-None-Match
Last-Modified Response Header
The Last-Modified HTTP header stores the date of the web entity’s last modification:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive
(data)
ETag Response Header
The ETag value is formed from the hex values of the file's inode, its size
and its last-modified time (mtime), e.g. 120c7bL-32bL-4f86d4105ac62L:

GET / HTTP/1.1
….

HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
(data)
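Decoding the inode / size / mtime layout of the ETag above, as an added example rather than anything from the slides. It assumes the Apache 2.x convention that the last field is the file's mtime in microseconds since the epoch, treats the trailing "L" on each field of the slide's example as an optional suffix, and also accepts the two-field size-mtime form; changed_fields() shows which field a rewrite of the page moves, which is the signal the channel relies on.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache-style validator [inode-]size-mtime with hex fields. The trailing "L" on
# each field of the slide's example is accepted as an optional suffix (assumption).
ETAG_RE = re.compile(
    r'^(?:W/)?"?(?:([0-9a-fA-F]+)L?-)?([0-9a-fA-F]+)L?-([0-9a-fA-F]+)L?"?$')
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_etag(value):
    """Split an inode-size-mtime (or size-mtime) ETag into its integer fields.
    mtime is assumed to be microseconds since the epoch (Apache's apr_time_t)."""
    m = ETAG_RE.match(value.strip())
    if not m:
        raise ValueError("not an inode/size/mtime ETag: %r" % value)
    inode, size, mtime_us = (int(g, 16) if g is not None else None for g in m.groups())
    return {
        "inode": inode,                 # None when the server's FileETag omits INode
        "size": size,
        "mtime_us": mtime_us,
        "mtime": EPOCH + timedelta(microseconds=mtime_us),  # exact, no float rounding
    }

def changed_fields(old_etag, new_etag):
    """Names of the fields that differ between two validators of one resource. In the
    channel on the slides every transmitted '1' rewrites the page, so mtime (and maybe
    size) moves while the inode normally stays put."""
    old, new = decode_etag(old_etag), decode_etag(new_etag)
    return [k for k in ("inode", "size", "mtime_us") if old[k] != new[k]]
```

The inode field is stable across rewrites, so it adds nothing to the channel but does disclose filesystem layout; Apache's FileETag directive without INode (e.g. FileETag MTime Size) drops it.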
Common Usage of Cache Request Headers
HTTP cache headers allow a web client to skip downloading a page if it
hasn’t changed since a certain time (If-Modified-Since) or since the given
validator was issued (If-None-Match):
GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since:
Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match:
120c7bL-32bL-4f86d4105ac62L
(other headers)
Common Usage of Cache Request Headers
The second pair of headers does the same as the previous one but with the
logically inverse condition:
GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since:
Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Match:
120c7bL-32bL-4f86d4105ac62L
(other headers)
General Covert Channels Idea – Client Side
• Send an HTTP request and get the new header value
• If the page has changed (the header value differs from the stored one): a ‘1’ was received; store the new header value
• Else: a ‘0’ was received
• Wait n seconds and repeat
General Covert Channels Idea – Server Side
On the server side we can use two different models:
First context: minimum privileges on the server:
• SECRET.FILE – read only
• Covert channel web page – write only
Second context: the web server is fully controlled by an attacker
Covert Channels Using HTTP Cache Headers
Last-Modified based
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header
ETag based
• ETag header value
• Using If-Match header
• Using If-None-Match header
Ways to Implement
Among the many possible ways we focus on
• Python – Socket library
• C++ – Boost ASIO library
• C – plain C socket library
We chose C for its highest performance (among these options) and
decent stability. We also chose the server model in the first context for its
minimal requirements.
Issues in first context
Some problems we solved during implementation:
• Server-client synchronization. Solution: a special synchronizing function
• Different request durations. Solution: dynamic sleep time
• Lateness after sleep. Solution: “active” sleep
• High CPU load with “active” sleep. Solution: a combination of “dynamic” and “active” sleep
Issue 1
Necessity of synchronizing the “read” (web client) and “write” (host) services
Solution: a synchronizing function that issues requests at maximum speed
(without sleep):
• Send an HTTP request and get the host response
• Check whether the page has been changed (then/else branches of the flowchart)
Issue 2
Different request durations can break the synchronization of the services
Solution: a dynamic sleep time equal to (sleep_time – time taken by the request):
• Calculate the time taken by the request: diff_time
• Sleep (sleep_time – diff_time) µs
Issue 3
Inaccurate sleep: after sleep (usleep() is used) the program can wake up
10–200 μs late
Solution: use “active” sleep, i.e. keep calculating the time difference between
the last request and the current moment while it is less than sleep_time:
• Calculate diff_time
• If diff_time < sleep_time then keep waiting, else send the next request
Issue 4
High CPU load with “active” sleep
Solution: combine “active” and “dynamic” sleep:
• Sleep (sleep_time – CONST – request_time) µs with usleep(), leaving the last CONST µs to the active loop
• Calculate diff_time; while diff_time < CONST keep actively waiting, else send the next request
Advantages Of Covert Timing Channels
• Does not modify the common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on the web page used by the channel does not break it
• Channels based on the If-* request headers can work even if the corresponding
response header (Last-Modified or ETag) is disabled
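The client model above leaves a distinctive access-log footprint: one client re-requesting one path at a fixed period (sleep_time), with the 200/304 status flipping whenever a ‘1’ is transmitted. The detector below is an added example that is not part of the slides; it scores (client, path) flows on those two features over a constructed Apache combined-format log, and its thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache "combined" access-log line: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (client, path, epoch_seconds, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, _method, path, status = m.groups()
    return client, path, datetime.strptime(ts, TS_FMT).timestamp(), int(status)

def score_flows(lines, min_requests=8, max_jitter=0.15, min_flip_rate=0.3):
    """Flag (client, path) flows with a near-constant polling period (the fixed sleep_time)
    and frequent 200<->304 changes (each change is a transmitted '1')."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in (200, 304):          # only validator-driven replies count
            flows[(rec[0], rec[1])].append((rec[2], rec[3]))
    suspicious = {}
    for key, reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        flip_rate = sum(a[1] != b[1] for a, b in zip(reqs, reqs[1:])) / (len(reqs) - 1)
        if jitter <= max_jitter and flip_rate >= min_flip_rate:
            suspicious[key] = {"requests": len(reqs), "period_s": round(period, 2),
                               "jitter": round(jitter, 3), "flip_rate": round(flip_rate, 2)}
    return suspicious

# Constructed sample log: 10.0.0.5 polls /cc.html once per second and its status
# sequence encodes the bits 1011001010; 10.0.0.9 is ordinary cache revalidation.
_T = "02/Apr/2014:14:%02d:%02d +0000"
_LINE = '%s - - [%s] "GET %s HTTP/1.1" %d 124 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_LINE % ("10.0.0.5", _T % (33, 39 + i), "/cc.html", 200 if b == "1" else 304)
              for i, b in enumerate("1011001010")]
SAMPLE_LOG += [_LINE % ("10.0.0.9", _T % (mm, ss), "/index.html", st) for mm, ss, st in
               [(30, 0, 200), (30, 7, 304), (31, 30, 304), (33, 12, 304),
                (34, 5, 304), (36, 40, 304), (37, 2, 304), (39, 50, 304)]]
SAMPLE_LOG += [_LINE % ("10.0.0.9", _T % (40, 1), "/missing", 404), "unparsable line"]
```

Standard access logs carry one-second timestamps, which is enough for the 1 s and 2 s settings in the specification table; the 0.5 s ETag setting needs a LogFormat with sub-second time (e.g. %{msec}t in Apache 2.4) before the period test is meaningful.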
Specification (client in C, server in the first context model)
Header        | Sleep time | Min start sequence | Avg sequence | Max sequence | Speed     | Accuracy
Last-Modified | 2 s        | 3400 bits          | 10145 bits   | 22143 bits   | 0.5 bit/s | 99.87%
Last-Modified | 1 s        | 3200 bits          | 8848 bits    | 19712 bits   | 1 bit/s   | 99.82%
ETag          | 1 s        | 3200 bits          | 8848 bits    | 19712 bits   | 1 bit/s   | 99.82%
ETag          | 0.5 s      | 2400 bits          | 8142 bits    | 18123 bits   | 2 bit/s   | 99.5%
Second server context model
In the second context we can avoid the need for client-server synchronization
by waiting for the request and responding directly:
• Wait for an HTTP request
• If the current message bit is ‘1’: send a new header value and store it
• Else: send the old header value
Specification
Second context model: client in C, controlled web server in PHP. Header: ETag
Network                   | Average HTTP ping | Speed
Local host                | 0.55 ms           | 986 bit/s
Data center local network | 1.63 ms           | 845.65 bit/s
Local network             | 6.9 ms            | 295.69 bit/s
Internet                  | 383.2 ms          | 4.89 bit/s
Covert Channels in Browsers
Kenton Born. «Browser-based covert data exfiltration»
W. Alcorn, C. Frichot, M. Orru. «The Browser Hacker’s Handbook»
DOMAIN NAME SYSTEM (DNS)
Query: “Where is some.domain.example.com?”
Response: “It is at 88.0.13.37!”
some.domain.example.com: subdomain “some.domain”, domain “example.com”
bigbrother.watchingme.evil.com: the subdomain part carries the information, “evil.com” is the domain
This is a client-server channel
Browser Context
Purpose:
To implement covert timing channels using browser-side technologies
such as JavaScript, AJAX and various HTML features
Timing Channels in Browsers
Problems:
• Lack of any “sleep” function
• Low accuracy of the existing time management functions
• Difficulties with synchronization of the covert channel’s server and client
So implementing the model used above is pointless, but it is possible to
implement covert channels under these restrictions using a controlled web
server
Issues
• Server-client synchronization. Solution: the client makes a special request to begin the conversation
• End-of-message determination. Solution: the client receives a special HTTP status code in the response, e.g. 404 Not Found or 403 Forbidden
• Single-client communication only. Solution: open a session that stores the number of the bit being transferred for each client
The Browser Exploitation Framework
“BeEF allows the professional penetration tester to assess the actual
security posture of a target environment by using client-side attack
vectors.”
BeEF ETag Server-to-Client Tunnel
The ETag tunnel in BeEF consists of two parts: an extension in Ruby that
implements the server-side logic via a couple of web pages mounted on the
BeEF web server, and a module in JS that is responsible for receiving
information from the C&C at the zombie client
BeEF Etag Specification
BeEF ETag server-to-client tunnel testing results
Network       | Average ping | Average HTTP ping | Speed (256 bit) | Speed (1024 bit)
Local host    | 0.045 ms     | 0.6 ms            | 10.11 bit/s     | 9.9 bit/s
Local network | 18 ms        | 19.8 ms           | 10.3 bit/s      | 9.78 bit/s
Internet      | 176 ms       | 360.9 ms          | 5.09 bit/s      | 4.97 bit/s
Proof Of Concept
http://youtu.be/W2qWA7XUzGQ
https://github.com/beefproject/beef
Oleg Broslavsky
ovbroslavsky@gmail.com
@yalegko
Denis Kolegov
dnkolegov@gmail.com
@dnkolegov
Nikita Oleksov
neoleksov@gmail.com
@neoleksov
