Keyboards & Covert Channels
Gaurav Shah, Andres Molina, Matt Blaze
The Best Student Paper in 15th USENIX, 2006
Presented by Shijie Zhang
Outline
• Introduction
• Previous work
• Presented scheme
• Implementation details
• Evaluation
• Conclusion
Introduction
How to hide information? (e.g. an image)
• Cryptography -- does not hide the existence of the message
• Steganography -- hides the existence of the message
Introduction
Applications of steganography:
• Protection against detection (data hiding)
• Protection against removal (watermarking)
Covert channel is the network steganography
Covert channel is a subset of steganography
Introduction
Steganography VS Covert channel
Both aim to establish secret communication channels
• Steganography: neutral (data hiding or watermarking)
• Covert channel: bad -- violates security policies (data hiding); usually focuses on volatile data such as memory, network traffic
Introduction
Side Channel VS Covert channel
Both aim to establish secret communication channels
• Side channel: sender leaks data unintentionally
• Covert channel: sender leaks data intentionally
Introduction – Applications
Applications of covert channel:
1. MAC systems (Mandatory Access Control)
2. General purpose systems
MAC systems (mandatory access control systems):
• Light Pink Book: specifically on covert channel analysis in MAC systems
• Depends on the system administrator to decide which user can access which information
[Figure: user and information, each at one of the levels Top Secret, Secret, Confidential, Unclassified, ordered from higher to lower]
Introduction – Applications
Applications of covert channel:
To keep confidentiality in MAC system:
[Figure: a user and information at the levels Top Secret, Secret, Confidential, Unclassified; the three cases are labelled "Cannot read/can write", "Can read/cannot write" and "Can read/write"]
Covert channels will establish secret channels!!!
Introduction – Applications
Applications of covert channel:
General purpose systems:
Malware leaks out sensitive information (credentials)
Introduction – Threat Model
Prisoner model:
[Figure: Alice (prisoner) -- Walter (warden, passive) -- Bob (prisoner)]
• Alice and Bob are prisoners locked up in different cells and wish to escape.
• They are allowed to communicate using computers as long as the messages are innocuous.
• They have already shared a secret.
• Walter is a warden who monitors the network.
• Alice and Bob win when they escape without arousing Walter's suspicion.
• In practical applications, Alice and Bob could be the same person.
Introduction – Possible Covert Channels
Criteria to select communication channel:
• Generality
• Technical difficulty
• Capacity
• Detectability
More like final steps in covert channel design
Covert channels:
• Storage channel -- manipulates the content of a location
  – Disk
  – Memory
  – Network protocol headers
  – Network payload
  – …
  Higher capacity, less noise, easier to detect
• Timing channel -- manipulates the timing or ordering of events
  – Disk accesses
  – Memory accesses
  – Network packet arrivals
  – …
  Lower capacity, more noise, harder to detect
Require shared resources -- not quite general
What about network? Many options
Which network layers and protocols should be exploited for covert channels?
Introduction – Which Layers & Protocols?
[Figure: TCP/IP model, annotated with technical difficulty, generality and diversity of protocol]
Realizing covert channels in the network interface layer?
1. Relies on hardware and network topologies; requires being on the same LAN. E.g. hidden information may be stripped out at network devices such as routers.
2. More technical difficulties
Two observations:
1. The more popular the protocol is, the more general the covert channel is.
2. The higher the layer is, the less technical difficulty it will encounter.
Introduction – Which Layers & Protocols?
Most previous work focuses on the protocols TCP, IP, ICMP, HTTP/FTP, DNS, etc.
Three options here: network payload, network protocol headers, network packet arrivals
Previous Work – Network Payload
• e.g. email subject, attachment
Previous Work – Protocol Headers
• Header fields unused, or reserved for future use
• e.g. basic TCP/IP header structure
[Figure: TCP/IP header structure; the highlighted fields could be used for covert channels]
Previous Work – Network Timing
• Packet rate
• Inter-packet times
Previous Work – Network Timing
Categories of network timing channel:
• Packet rates: the number of arriving packets in time interval τ
• Packet intervals: the time interval between two consecutive packets
Previous Work – Packet Rates
Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04)
• Alice and Bob agree a priori on a constant time interval τ
Alice:
• To send a “0”, Alice maintains silence throughout interval τ
• To send a “1”, Alice sends a packet in the middle of τ
Bob:
• By observing each interval τ consecutively,
• Bob records a “0” if no packet is received during interval τ
• Bob records a “1” if one packet is received during interval τ
Previous Work – Packet Intervals
Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
Alice and Bob agree a priori on two timing intervals τ1, τ2
Alice:
• To send a “0”, Alice sleeps for τ1 and sends a packet at the end of interval τ1
• To send a “1”, Alice sleeps for τ2 and sends a packet at the end of interval τ2
Bob:
• By consecutively recording the inter-arrival time,
• Bob records a “0” if the inter-arrival time is τ1.
• Bob records a “1” if the inter-arrival time is τ2.
Previous Work – Packet Intervals
Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
Alice and Bob agree a priori on two timing interval bins (0,τc), (τc, τmax). τc is a threshold.
Alice:
• To send a “0”, Alice randomly selects a value τtemp from (0,τc), sleeps for τtemp and sends a packet at the end of interval τtemp
• To send a “1”, Alice randomly selects a value τtemp from (τc, τmax), sleeps for τtemp and sends a packet at the end of interval τtemp
Bob:
• By consecutively recording the inter-arrival time,
• Bob records a “0” if the inter-arrival time falls in (0,τc).
• Bob records a “1” if the inter-arrival time falls in (τc, τmax).
Previous Work – Passive Sender
Wang, X., Chen, S., and Jajodia, S. “Tracking anonymous peer-to-peer VoIP calls on the internet”. (CCS, 05)
Key idea: to de-anonymize peer-to-peer VoIP calls, embed a unique watermark into VoIP flows by slightly adjusting the timing of selected packets.
Introduces the notion of a passive sender: just modify the timing of existing network traffic, do not create new traffic.
Presented Scheme – Highlights
Shah, G., Molina, A. and Blaze, M. “Keyboards and Covert Channels”. (USENIX, 2006, The Best Student Paper)
What makes it stand out? Quite particular perspectives:
• Focus on the input system rather than output systems
[Figure: JitterBug sender]
• Focus on loosely-coupled network (many intermediate layers involved)
[Figure: data path from covert channel sender to covert channel receiver through keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm and network jitter, labelled "inside the host system" and "outside the host system"]
• Focus on interactive applications such as SSH instead of specific network protocols such as TCP
Basic background we need to know:
1. After initial login, SSH automatically goes into interactive mode
2. In interactive mode, every keystroke a user types is sent in a separate IP packet immediately after the key is pressed (to improve the interactive experience for users).
[Figure: the user types “su Return JuIia”]
Presented Scheme – Threat Model
• Alice (JitterBug) is not the packet sender. Alice can only modify the packet timings indirectly, through the timing of keystrokes.
• Bob is not the packet receiver. Bob is just on the path.
[Figure: JitterBug]
Presented Scheme – Steps
• Alice (JitterBug) steals credentials
• Alice (JitterBug) sends out credentials
• Bob extracts the credentials
Presented Scheme – A Simple Example
Then I will give a simple example of how the scheme works
• JitterBug steals credentials - detects keystroke pattern
e.g. SSH:
1. JitterBug detects the user is typing “ssh username@host”
2. JitterBug stores the credentials
• JitterBug sends credentials out
Suppose the stolen credential is “Hi mom” (username, password)
First step. JitterBug converts the credential to frames
character              H         i
ASCII code (decimal)   72        151
ASCII code (binary)    1001000   10010111
Framing the binaries – add header and trailer to frames (in the paper, bit stuffing)
Error correcting codes – add redundant bits
To keep it simple, let us suppose no framing or error correction is used
The final string 100100010010111…….
How to encode the binary string in keystroke timings?
The final string 10010…….…….
Suppose the window size is w=20ms
The modified inter-keystroke timings (modulo 20) should be
10, 0, 0, 10, 0, ……
Second step. Decide when to delay keystroke timings
By detecting certain keystroke patterns, find that a user is working in an interactive ssh session.
Third step. JitterBug adds delays to the inter-keystroke timings.
The original observed inter-keystroke timings are
123, 145, 333, 813, 140, …. (ms)
The modified inter-keystroke timings (modulo 20) should be
10, 0, 0, 10, 0, ……
Adding delay: 7, 15, 7, 17, 0, ….. (ms)
The final modified inter-keystroke timings:
130, 160, 340, 830, 140, …… (ms)
Presented Scheme – A Simple Example
• Receiver extracts the credentials
[Figure: data path from covert channel sender to covert channel receiver through keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm and network jitter]
The final modified inter-keystroke timings:
130, 160, 340, 830, 140, …… (ms)
The final received inter-packet timings:
137, 162, 343, 833, 142, ……. (ms)
Window size = 20ms, suppose ɛ = 3ms:
The decoded binaries:
1, 0, 0, 1, 0, …… Bingo
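The arithmetic of this worked example, as an added Python example that is not code from the slides or the paper: it recomputes the added delays for w = 20 ms and decodes with tolerance ɛ = 3 ms. The function names, the `None` erasure convention and the received timings in `RECEIVED_MS` are assumptions constructed for illustration.

```python
W_MS = 20     # window size w from the slides
EPS_MS = 3    # receiver tolerance (epsilon) from the slides

# Values taken from the slides.
OBSERVED_MS = [123, 145, 333, 813, 140]   # original inter-keystroke timings
BITS = [1, 0, 0, 1, 0]                    # start of the bit string

# Constructed for this example: the sent timings plus a few ms of jitter.
RECEIVED_MS = [132, 159, 343, 828, 141]


def added_delays(observed_ms, bits, w=W_MS):
    """Delay per keystroke so the interval is 0 (bit 0) or w/2 (bit 1) mod w."""
    delays = []
    for t, bit in zip(observed_ms, bits):
        target = w // 2 if bit else 0
        # Python's % is non-negative here, so a key is only ever delayed,
        # and by less than one window.
        delays.append((target - t) % w)
    return delays


def modified_timings(observed_ms, bits, w=W_MS):
    """Inter-keystroke timings after the delays have been added."""
    return [t + d for t, d in zip(observed_ms, added_delays(observed_ms, bits, w))]


def decode(received_ms, w=W_MS, eps=EPS_MS):
    """Map each inter-packet time to 0, 1, or None (outside both bands).

    The two bands do not overlap as long as eps < w/4.
    """
    bits = []
    for t in received_ms:
        r = t % w
        if min(r, w - r) <= eps:        # within eps of a multiple of w
            bits.append(0)
        elif abs(r - w / 2) <= eps:     # within eps of w/2
            bits.append(1)
        else:
            bits.append(None)           # jitter exceeded eps: erasure
    return bits


def raw_bit_errors(sent, decoded):
    """Count positions that differ; an erasure counts as an error."""
    return sum(1 for s, d in zip(sent, decoded) if s != d)


if __name__ == "__main__":
    print("added delays   :", added_delays(OBSERVED_MS, BITS))
    print("sent timings   :", modified_timings(OBSERVED_MS, BITS))
    print("decoded        :", decode(RECEIVED_MS))
    print("6 ms of jitter :", decode([136]))
```

An interval that lands more than ɛ away from both 0 and w/2 (modulo w) is reported as an erasure rather than guessed, which is where framing and error-correcting codes would come in.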
Implementation Details
[Figure: JitterBug sender]
PS/2 Protocol:
Connector interface:
1. Data line: transmits the 8-bit scan code that indicates which key was pressed.
2. Clock line: used for synchronization, to indicate when data is valid
3. VCC & GND lines: power lines
Possible events:
• Key pressed: 11-bit code is sent
-- start bit, 8-bit scan code, odd parity bit, stop bit
• Key released: two 11-bit codes are sent
-- first scan code is F0
-- second scan code is the released key code
• Key held down: 11-bit code is sent every 100 ms
-- scan code is pressed key code
Notes:
Data is valid on negative edge of the clock.
Use PIC microcontroller
Hardware functionalities:
• Identify certain keystroke patterns
– whether to store keystrokes and when to add delay to keystrokes
e.g. Detect “ssh username@host”
1. The following keystrokes should be the password --- should be stored
2. The user will be in an interactive ssh session --- appropriate for adding delays
• Delay keyboard signal
External interrupt + timer interrupt
[Figure: input signal, external interrupt and timer interrupt, triggers, store (EEPROM), add delays, output signal]
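The 11-bit frame and the press / release / held-down sequences listed above, as an added Python example that is not code from the slides or the paper. It assumes the standard PS/2 conventions the slide does not spell out (start bit 0, stop bit 1, data bits sent least significant bit first); the function names and the sample scan code 0x1C are chosen for illustration.

```python
BREAK_PREFIX = 0xF0   # first scan code of a key-release sequence (from the slides)


def encode_frame(scan_code):
    """Build one 11-bit frame in wire order (used here to construct samples)."""
    data = [(scan_code >> i) & 1 for i in range(8)]   # least significant bit first
    parity = 1 - (sum(data) % 2)                      # odd parity over data + parity
    return [0] + data + [parity, 1]                   # start bit 0 ... stop bit 1


def decode_frame(bits):
    """Check framing and odd parity of one frame and return its scan code.

    bits: the 11 values of the data line sampled on falling clock edges.
    """
    if len(bits) != 11:
        raise ValueError("a frame is exactly 11 bits")
    if bits[0] != 0 or bits[10] != 1:
        raise ValueError("bad start or stop bit")
    data, parity = bits[1:9], bits[9]
    if (sum(data) + parity) % 2 != 1:
        raise ValueError("odd parity check failed")
    return sum(bit << i for i, bit in enumerate(data))


def key_events(scan_codes):
    """Turn a scan-code stream into (event, code) pairs.

    A code that repeats while its key is still down is the held-down repeat;
    a code preceded by F0 is the release.
    """
    events, down, releasing = [], set(), False
    for code in scan_codes:
        if code == BREAK_PREFIX:
            releasing = True
            continue
        if releasing:
            events.append(("released", code))
            down.discard(code)
            releasing = False
        elif code in down:
            events.append(("held", code))
        else:
            events.append(("pressed", code))
            down.add(code)
    return events


# Constructed sample: one key pressed, repeated once while held, then released.
SAMPLE_CODES = [0x1C, 0x1C, BREAK_PREFIX, 0x1C]
SAMPLE_FRAMES = [encode_frame(code) for code in SAMPLE_CODES]

if __name__ == "__main__":
    decoded = [decode_frame(frame) for frame in SAMPLE_FRAMES]
    print(key_events(decoded))
```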
Evaluation
• Accuracy
• Bandwidth
• Detectability
Evaluation - Accuracy
Data flow:
[Figure: data path from covert channel sender to covert channel receiver through keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm and network jitter, labelled "inside the host system" and "outside the host system"]
• OS scheduling: high priority in OS scheduling
• Nagle’s algorithm: handles small packets by deciding when to buffer data before sending it out in a network packet. By default, disabled !!!
• Network jitter: biggest factor, adds the most randomized noise
Evaluation - Accuracy
Experiment settings:
• Source machine is located at the University of Pennsylvania
• Interactive SSH sessions
• Timing information comes from the destination host using tcpdump
How to compare the difference between sent and received binaries?
Raw Bit Error
calculated by:
Levenshtein Distance: used when sent and received binaries are of different length
Definition of Levenshtein distance:
Factor of geographic locations:
How to set up the experiment platform?
PlanetLab
• Global research network – set up worldwide network services
• Since 2003, more than 1000 researchers have used PlanetLab to develop new technologies
Factor of geographic locations:
Observations:
• For a fixed window size, the channel performance does not exhibit any clear trend. In other words, geographic location does not matter much to channel performance.
• The smaller the window size is, the higher the error rates will be. But the window size should not be so big that it is perceived by the user.
Factor of different applications:
Observations:
• The channel performance is not affected much by the choice of interactive terminal applications.
Factor of different systems:
Observations:
• The channel performance is not affected much by the choice of operating systems.
Factor of different system loads:
Observations:
• The channel performance is not affected much by system load.
Factor of network jitters:
???
Evaluation - Bandwidth
• Each keystroke could encode one bit of information
How to improve?
• Subdivide the window further to improve encoding (but this may also lead to lower accuracy)
Evaluation - Detectability
Observations:
• A simple plot of inter-arrival times will detect the proposed covert channel
[Figure: plots of inter-arrival times, without JitterBug and with JitterBug]
Rotating time windows:
Assumes: Alice and Bob share a sequence of integers
Basically, after Alice sends one bit and Bob receives one bit, they move to the next shared integer.
Example:
Sent binaries {1,0,1}
Shared sequence {s0, s1, s2}={3,9,5}
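The "simple plot" check above, turned into a statistic a monitor can compute over captured inter-arrival times, as an added Python example that is not code from the slides or the paper. It also runs the same check on rotating-window traffic, where the score stays low, so a quiet result does not rule the channel out. All traffic is constructed with a seeded generator; the typing range, jitter, candidate periods and alert threshold are assumptions.

```python
import math
import random

W_MS = 20.0                           # window size w, as in the slides' example
CANDIDATE_PERIODS_MS = range(4, 41)   # periods the check scans (assumption)
ALERT_SCORE = 0.5                     # alert threshold on the score (assumption)


def periodicity_score(intervals_ms, period_ms):
    """Mean resultant length of the intervals taken modulo period_ms.

    Each interval becomes an angle on a circle of circumference period_ms.
    Evenly spread residues give a score near 0; residues piled up at one
    value, which is what the plot with JitterBug shows, give a score near 1.
    """
    c = sum(math.cos(2 * math.pi * t / period_ms) for t in intervals_ms)
    s = sum(math.sin(2 * math.pi * t / period_ms) for t in intervals_ms)
    return math.hypot(c, s) / len(intervals_ms)


def strongest_period(intervals_ms, candidates=CANDIDATE_PERIODS_MS):
    """Return (period_ms, score) for the candidate with the highest score."""
    return max(((p, periodicity_score(intervals_ms, p)) for p in candidates),
               key=lambda item: item[1])


def is_suspicious(intervals_ms):
    """True when some candidate period concentrates the residues."""
    return strongest_period(intervals_ms)[1] >= ALERT_SCORE


def constructed_intervals(n, seed, mode):
    """Constructed inter-arrival times (ms) for the cases on the slides.

    "clean":    ordinary typing, no added delay
    "fixed":    each interval delayed to 0 or w/2 modulo w
    "rotating": the same, shifted per bit by the next shared integer
                (drawn here from the seeded generator as a stand-in)
    """
    rng = random.Random(seed)
    intervals = []
    for _ in range(n):
        t = rng.uniform(80.0, 400.0)           # assumed typing rhythm
        if mode != "clean":
            bit = rng.getrandbits(1)
            shift = rng.randrange(int(W_MS)) if mode == "rotating" else 0
            target = (bit * W_MS / 2 + shift) % W_MS
            t += (target - t) % W_MS           # keys are delayed, never sped up
        t += rng.gauss(0.0, 1.0)               # assumed network jitter, sigma 1 ms
        intervals.append(t)
    return intervals


if __name__ == "__main__":
    for mode in ("clean", "fixed", "rotating"):
        period, score = strongest_period(constructed_intervals(500, 1, mode))
        print(f"{mode:9s} strongest period {period:2d} ms, score {score:.2f}")
```

With a fixed window both symbols are multiples of w/2, so the scan peaks at 10 ms rather than at w = 20 ms.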
Conclusion
• Compromising an input channel is useful not only for learning secrets, but also for leaking information over the network.
• Loosely coupled network timing channels are practical.
Possible future work:
• Better framing and error correcting schemes
• Better ways to evade detection
References
1. Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04)
2. Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006)
3. Shah, Gaurav, Andres Molina, and Matt Blaze. "Keyboards and Covert Channels." USENIX Security. 2006.

More Related Content

Viewers also liked

AMP Camp 5 Intro
AMP Camp 5 IntroAMP Camp 5 Intro
AMP Camp 5 Introjeykottalam
 
Evolution of apache spark
Evolution of apache sparkEvolution of apache spark
Evolution of apache sparkdatamantra
 
Introduction to dataset
Introduction to datasetIntroduction to dataset
Introduction to datasetdatamantra
 
Anatomy of Spark SQL Catalyst - Part 2
Anatomy of Spark SQL Catalyst - Part 2Anatomy of Spark SQL Catalyst - Part 2
Anatomy of Spark SQL Catalyst - Part 2datamantra
 
Getting Started Running Apache Spark on Apache Mesos
Getting Started Running Apache Spark on Apache MesosGetting Started Running Apache Spark on Apache Mesos
Getting Started Running Apache Spark on Apache MesosPaco Nathan
 
Anatomy of in memory processing in Spark
Anatomy of in memory processing in SparkAnatomy of in memory processing in Spark
Anatomy of in memory processing in Sparkdatamantra
 
Building a modern Application with DataFrames
Building a modern Application with DataFramesBuilding a modern Application with DataFrames
Building a modern Application with DataFramesSpark Summit
 
Kafka and Spark Streaming
Kafka and Spark StreamingKafka and Spark Streaming
Kafka and Spark Streamingdatamantra
 
Building Distributed Systems from Scratch - Part 1
Building Distributed Systems from Scratch - Part 1Building Distributed Systems from Scratch - Part 1
Building Distributed Systems from Scratch - Part 1datamantra
 
Introduction to Structured Data Processing with Spark SQL
Introduction to Structured Data Processing with Spark SQLIntroduction to Structured Data Processing with Spark SQL
Introduction to Structured Data Processing with Spark SQLdatamantra
 
Resilient Distributed DataSets - Apache SPARK
Resilient Distributed DataSets - Apache SPARKResilient Distributed DataSets - Apache SPARK
Resilient Distributed DataSets - Apache SPARKTaposh Roy
 
Building Distributed Systems in Scala
Building Distributed Systems in ScalaBuilding Distributed Systems in Scala
Building Distributed Systems in ScalaAlex Payne
 
Introduction to Spark 2.0 Dataset API
Introduction to Spark 2.0 Dataset APIIntroduction to Spark 2.0 Dataset API
Introduction to Spark 2.0 Dataset APIdatamantra
 
Spark architecture
Spark architectureSpark architecture
Spark architecturedatamantra
 
Anatomy of Data Source API : A deep dive into Spark Data source API
Anatomy of Data Source API : A deep dive into Spark Data source APIAnatomy of Data Source API : A deep dive into Spark Data source API
Anatomy of Data Source API : A deep dive into Spark Data source APIdatamantra
 
Productionalizing a spark application
Productionalizing a spark applicationProductionalizing a spark application
Productionalizing a spark applicationdatamantra
 
Introduction to spark 2.0
Introduction to spark 2.0Introduction to spark 2.0
Introduction to spark 2.0datamantra
 

Viewers also liked (20)

AMP Camp 5 Intro
AMP Camp 5 IntroAMP Camp 5 Intro
AMP Camp 5 Intro
 
Spark sql
Spark sqlSpark sql
Spark sql
 
Evolution of apache spark
Evolution of apache sparkEvolution of apache spark
Evolution of apache spark
 
Introduction to dataset
Introduction to datasetIntroduction to dataset
Introduction to dataset
 
Steganography
SteganographySteganography
Steganography
 
Anatomy of Spark SQL Catalyst - Part 2
Anatomy of Spark SQL Catalyst - Part 2Anatomy of Spark SQL Catalyst - Part 2
Anatomy of Spark SQL Catalyst - Part 2
 
Spark on yarn
Spark on yarnSpark on yarn
Spark on yarn
 
Getting Started Running Apache Spark on Apache Mesos
Getting Started Running Apache Spark on Apache MesosGetting Started Running Apache Spark on Apache Mesos
Getting Started Running Apache Spark on Apache Mesos
 
Anatomy of in memory processing in Spark
Anatomy of in memory processing in SparkAnatomy of in memory processing in Spark
Anatomy of in memory processing in Spark
 
Building a modern Application with DataFrames
Building a modern Application with DataFramesBuilding a modern Application with DataFrames
Building a modern Application with DataFrames
 
Kafka and Spark Streaming
Kafka and Spark StreamingKafka and Spark Streaming
Kafka and Spark Streaming
 
Building Distributed Systems from Scratch - Part 1
Building Distributed Systems from Scratch - Part 1Building Distributed Systems from Scratch - Part 1
Building Distributed Systems from Scratch - Part 1
 
Introduction to Structured Data Processing with Spark SQL
Introduction to Structured Data Processing with Spark SQLIntroduction to Structured Data Processing with Spark SQL
Introduction to Structured Data Processing with Spark SQL
 
Resilient Distributed DataSets - Apache SPARK
Resilient Distributed DataSets - Apache SPARKResilient Distributed DataSets - Apache SPARK
Resilient Distributed DataSets - Apache SPARK
 
Building Distributed Systems in Scala
Building Distributed Systems in ScalaBuilding Distributed Systems in Scala
Building Distributed Systems in Scala
 
Introduction to Spark 2.0 Dataset API
Introduction to Spark 2.0 Dataset APIIntroduction to Spark 2.0 Dataset API
Introduction to Spark 2.0 Dataset API
 
Spark architecture
Spark architectureSpark architecture
Spark architecture
 
Anatomy of Data Source API : A deep dive into Spark Data source API
Anatomy of Data Source API : A deep dive into Spark Data source APIAnatomy of Data Source API : A deep dive into Spark Data source API
Anatomy of Data Source API : A deep dive into Spark Data source API
 
Productionalizing a spark application
Productionalizing a spark applicationProductionalizing a spark application
Productionalizing a spark application
 
Introduction to spark 2.0
Introduction to spark 2.0Introduction to spark 2.0
Introduction to spark 2.0
 

Similar to Keyboard covert channels

Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
 
lecture06-link-layer.pdf
lecture06-link-layer.pdflecture06-link-layer.pdf
lecture06-link-layer.pdfEnics
 
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 72018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7FRSecure
 
DATA COMMUNICATION PPT
DATA COMMUNICATION PPTDATA COMMUNICATION PPT
DATA COMMUNICATION PPTMajane Padua
 
Quantum Cryptography: from Theory to Practice
 Quantum Cryptography: from Theory to Practice Quantum Cryptography: from Theory to Practice
Quantum Cryptography: from Theory to PracticeXequeMateShannon
 
Quantum cryptography
Quantum cryptographyQuantum cryptography
Quantum cryptographyAnisur Rahman
 
Chapter8 27 nov_2010
Chapter8 27 nov_2010Chapter8 27 nov_2010
Chapter8 27 nov_2010Umang Gupta
 
Anon p2p slides
Anon p2p slidesAnon p2p slides
Anon p2p slideschintaan
 
Cryptography IEEE 2015 Projects
Cryptography IEEE 2015 ProjectsCryptography IEEE 2015 Projects
Cryptography IEEE 2015 ProjectsVijay Karan
 
Cryptography IEEE 2015 Projects
Cryptography IEEE 2015 ProjectsCryptography IEEE 2015 Projects
Cryptography IEEE 2015 ProjectsVijay Karan
 
An Introduction and Comparison of Dante, AVB and CobraNet Methodologies
An Introduction and Comparison of Dante, AVB and CobraNet MethodologiesAn Introduction and Comparison of Dante, AVB and CobraNet Methodologies
An Introduction and Comparison of Dante, AVB and CobraNet MethodologiesrAVe [PUBS]
 
Practical Attacks Against Encrypted VoIP Communications
Practical Attacks Against Encrypted VoIP CommunicationsPractical Attacks Against Encrypted VoIP Communications
Practical Attacks Against Encrypted VoIP Communicationsiphonepentest
 
2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class Six2019 FRSecure CISSP Mentor Program: Class Six
2019 FRSecure CISSP Mentor Program: Class SixFRSecure
 
Advances In Cryptography
Advances In CryptographyAdvances In Cryptography
Advances In CryptographyRare Input
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan  K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan  K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)GulshanKumar368
 
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio TransceiversScreaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Screaming Channels: When Electromagnetic Side Channels Meet Radio TransceiversPriyanka Aash
 

Similar to Keyboard covert channels (20)

Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
 
lecture06-link-layer.pdf
lecture06-link-layer.pdflecture06-link-layer.pdf
lecture06-link-layer.pdf
 
2018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 72018 FRSecure CISSP Mentor Program- Session 7
2018 FRSecure CISSP Mentor Program- Session 7
 
DATA COMMUNICATION PPT
DATA COMMUNICATION PPTDATA COMMUNICATION PPT
DATA COMMUNICATION PPT
 
Quantum Cryptography: from Theory to Practice
 Quantum Cryptography: from Theory to Practice Quantum Cryptography: from Theory to Practice
Quantum Cryptography: from Theory to Practice
 
quantumcrypto
quantumcryptoquantumcrypto
quantumcrypto
 

Keyboard covert channels

  • 2. Keyboards & Covert Channels. Gaurav Shah, Andres Molina, Matt Blaze. The Best Student Paper at the 15th USENIX Security Symposium, 2006
  • 3. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 4. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 6. Introduction How to hide information? • Cryptography • Steganography
  • 7. Introduction How to hide information? (e.g. an image) Cryptography -- does not hide the existence of the message. Steganography -- hides the existence of the message.
  • 8. Introduction Applications of steganography: protection against detection (data hiding); protection against removal (watermarking). A covert channel is network steganography.
  • 9. Introduction Applications of steganography: protection against detection (data hiding); protection against removal (watermarking). A covert channel is a subset of steganography.
  • 10. Introduction Steganography vs. covert channel: both aim to establish secret communication channels. Steganography: neutral (data hiding or watermarking). Covert channel: bad -- violates security policies (data hiding); usually focuses on volatile data such as memory and network traffic.
  • 11. Introduction Side channel vs. covert channel: both aim to establish secret communication channels. Side channel: sender leaks data unintentionally. Covert channel: sender leaks data intentionally.
  • 12. Introduction – Applications Applications of covert channel: 1. MAC systems (Mandatory Access Control) 2. General purpose systems
  • 13. Introduction – Applications Applications of covert channel: MAC systems (mandatory access control systems): Light Pink Book: specifically on covert channel analysis in MAC systems
  • 14. Introduction – Applications Applications of covert channel: MAC systems (mandatory access control systems): • Depends on the system administrator to decide which user can access which information. Levels for both users and information, from higher to lower: Top Secret, Secret, Confidential, Unclassified
  • 15. Introduction – Applications Applications of covert channel: To keep confidentiality in a MAC system (levels: Top Secret, Secret, Confidential, Unclassified), a user's access to information depends on its level. Information at a higher level: cannot read / can write. Information at a lower level: can read / cannot write. Information at the same level: can read/write.
  • 16. Introduction – Applications Applications of covert channel: To keep confidentiality in a MAC system (levels: Top Secret, Secret, Confidential, Unclassified), a user's access to information depends on its level. Information at a higher level: cannot read / can write. Information at a lower level: can read / cannot write. Information at the same level: can read/write. Covert channels will establish secret channels!!!
  • 17. Introduction – Applications Applications of covert channel: General purpose systems: To leak out sensitive information (credentials) by malware
  • 18. Introduction – Threat Model Prisoner model: Alice (prisoner), Walter (warden, passive), Bob (prisoner)
  • 19. Introduction – Threat Model Prisoner model: • Alice and Bob are prisoners locked up in different cells and wish to escape. • They are allowed to communicate using computers as long as the message is innocuous. • They have already shared a secret. • Walter is a warden who monitors the network. • Alice and Bob win when they escape without arousing Walter's suspicion. Alice (prisoner), Walter (warden, passive), Bob (prisoner)
  • 20. Introduction – Threat Model • In practical applications, Alice and Bob could be the same person. Alice (prisoner), Walter (warden), Bob (prisoner)
  • 21. Introduction – Possible Covert Channels Criteria to select communication channel: • Generality • Technical difficulty • Capacity • Detectability More like final steps in covert channel design
  • 22. Introduction – Possible Covert Channels Covert channels: storage channel (manipulate content of a location): disk, memory, network protocol headers, network payload, …; timing channel (manipulate timing or ordering of events): disk accesses, memory accesses, network packet arrivals, …
  • 23. Introduction – Possible Covert Channels Covert channels: storage channel (disk, memory, network protocol headers, network payload, …): higher capacity, less noise, easier to detect; timing channel (disk accesses, memory accesses, network packet arrivals, …): lower capacity, more noise, harder to detect
  • 24. Introduction – Possible Covert Channels Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Slide annotation: require shared resources; not quite general
  • 25. Introduction – Possible Covert Channels Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Slide annotation: What about network ??? Many options
  • 26. Introduction – Which Layers & Protocols? Which network layers and protocols should be exploited for covert channels?
  • 28. Diversity of protocol TCP/IP model Generality Introduction – Which Layers & Protocols?
  • 29. Introduction – Which Layers & Protocols? (TCP/IP model) Realizing covert channels in the network interface layer ??? 1. Relies on hardware and network topologies; requires being on the same LAN, e.g. hidden information may be stripped out at network devices such as routers. 2. More technical difficulties
  • 30. Introduction – Which Layers & Protocols? (TCP/IP model) Two observations: 1. The more popular the protocol is, the more general the covert channel is. 2. The higher the layer is, the less technical difficulty it will encounter.
  • 31. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 32. Introduction – Which Layers & Protocols? Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Most previous work focuses on the protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.
  • 33. Introduction – Which Layers & Protocols? Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Three options here
  • 34. Previous Work – Network Payload Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc. Network payload: e.g. email subject, attachment
  • 35. Previous Work – Protocol Headers Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc. Header fields unused, or reserved for future use
  • 36. Previous Work – Protocol Headers e.g. basic TCP/IP header structure. Highlighted: could be used for covert channels
  • 37. Previous Work – Network Timing Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Protocols: TCP, IP, ICMP, HTTP/FTP, DNS, etc.
  • 38. Previous Work – Network Timing Covert channels: storage channel (disk, memory, network protocol headers, network payload, …); timing channel (disk accesses, memory accesses, network packet arrivals, …). Network packet arrivals: packet rate, inter-packet times
  • 39. Previous Work – Network Timing Categories of network timing channel: • Packet rates: the number of arriving packets in time interval τ • Packet intervals: the time interval between two consecutive packets
  • 40. Previous Work – Packet Rates Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04) • Alice and Bob agree a priori on a constant time interval τ Alice: • To send a “0”, Alice maintains silence throughout interval τ • To send a “1”, Alice sends a packet in the middle of τ Bob: • By observing each interval τ consecutively, • Bob records a “0” if no packet is received during interval τ • Bob records a “1” if one packet is received during interval τ
  • 42. Previous Work – Network Timing Categories of network timing channel: • Packet rates: the number of arriving packets in time interval τ • Packet intervals: the time interval between two consecutive packets
  • 43. Previous Work – Packet Intervals Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006) Alice and Bob agree a priori on two timing intervals τ1, τ2 Alice: • To send a “0”, Alice sleeps for τ1 and sends a packet at the end of interval τ1 • To send a “1”, Alice sleeps for τ2 and sends a packet at the end of interval τ2 Bob: • By consecutively recording the inter-arrival time, • Bob records a “0” if the inter-arrival time is τ1. • Bob records a “1” if the inter-arrival time is τ2.
  • 45. Previous Work – Packet Intervals Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006) Alice and Bob agree a priori on two timing interval bins (0,τc), (τc, τmax). τc is a threshold. Alice: • To send a “0”, Alice randomly selects a value τtemp from (0,τc), sleeps for τtemp and sends a packet at the end of interval τtemp • To send a “1”, Alice randomly selects a value τtemp from (τc, τmax), sleeps for τtemp and sends a packet at the end of interval τtemp Bob: • By consecutively recording the inter-arrival time, • Bob records a “0” if the inter-arrival time falls in (0,τc). • Bob records a “1” if the inter-arrival time falls in (τc, τmax).
  • 46. Previous Work – Passive Sender Wang, X., Chen, S., and Jajodia, S. “Tracking anonymous peer-to-peer VoIP calls on the internet”. (CCS, 05) Key idea: To de-anonymize peer-to-peer VoIP calls, embed a unique watermark into VoIP flows by slightly adjusting the timing of selected packets. Introduces the notion of a passive sender: only modify the timing of existing network traffic, do not create new traffic.
  • 47. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 48. Presented Scheme – Highlights Shah, G., Molina, A. and Blaze, M. “Keyboards and Covert Channels”. (USENIX, 2006, The Best Student Paper) What makes it stand out? – quite particular perspectives • Focus on input systems rather than output systems • Focus on loosely-coupled networks (many intermediate layers involved) • Focus on interactive applications such as SSH instead of specific network protocols such as TCP
  • 49. • Focus on input system rather than output systems Presented Scheme – Highlights JitterBug sender
  • 50. Presented Scheme – Highlights • Focus on loosely-coupled network (many intermediate layers involved). Between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter
  • 51. Presented Scheme – Highlights • Focus on interactive applications such as SSH. Basic background we need to know: 1. After initial login, SSH automatically goes into interactive mode 2. In interactive mode, every keystroke a user types is sent in a separate IP packet immediately after the key is pressed (to improve the interactive experience for users).
  • 52. Presented Scheme – Highlights • Focus on interactive applications such as SSH. The user types in “su Return Julia”
  • 53. • Alice (JitterBug) is not the packet sender. Alice could just modify the packet timings indirectly by timing of keystrokes. • Bob is not the packet receiver. Bob is just on the path. Presented Scheme – Threat Model JitterBug
  • 54. • Alice (JitterBug) steals credentials • Alice (JitterBug) sends out credentials • Bob extracts the credentials Presented Scheme – Steps Then I will give a simple example on how the scheme works
  • 55. Presented Scheme – A Simple Example • JitterBug steals credentials - detects keystroke pattern, e.g. SSH: 1. JitterBug detects the user is typing “ssh username@host” 2. JitterBug stores the credentials
  • 56. Presented Scheme – A Simple Example • JitterBug sends credentials out. Between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter
  • 57. Presented Scheme – A Simple Example • JitterBug sends credentials out. Suppose the stolen credential is “Hi mom” (username password). 1. JitterBug transforms the credential into frames. Character: H, i. ASCII code (decimal): 72, 151. ASCII code (binary): 1001000, 10010111. Framing the binaries – add header and trailer to frames (in the paper, bit stuffing). Error correcting codes – add redundant bits. To keep it simple, let us suppose no framing and error correcting is used.
  • 58. Presented Scheme – A Simple Example • JitterBug sends credentials out. Suppose the stolen credential is “Hi mom” (username password). 1. JitterBug transforms the credential into frames. Character: H, i. ASCII code (decimal): 72, 151. ASCII code (binary): 1001000, 10010111. The final string: 100100010010111……. How to encode the binary string in keystroke timings?
  • 59. Presented Scheme – A Simple Example • JitterBug sends credentials out. Suppose the stolen credential is “Hi mom” (username password). a. JitterBug transforms the credential into frames. The final string: 10010…….……. Suppose the window size is w=20ms. The modified inter-keystroke timings (modulo 20) should be 10, 0, 0, 10, 0, …… (figure axis: inter-keystroke timings)
  • 60. Presented Scheme – A Simple Example • JitterBug sends credentials out. Suppose the stolen credential is “Hi mom” (username password). First step. JitterBug transforms the credential into frames. The final string: 10010…….……. Suppose the window size is w=20ms. The modified inter-keystroke timings (modulo 20) should be 10, 0, 0, 10, 0, ……
  • 61. Presented Scheme – A Simple Example • JitterBug sends credentials out. Second step. Decide when to delay keystroke timings: by detecting certain keystroke patterns, find that a user is working in an interactive ssh session.
  • 62. Presented Scheme – A Simple Example • JitterBug sends credentials out. Third step. JitterBug adds delays to the inter-keystroke timings. The original observed inter-keystroke timings are 123, 145, 333, 813, 140, …. (ms). The modified inter-keystroke timings (modulo 20) should be 10, 0, 0, 10, 0, …… Adding delay: 7, 15, 7, 17, 0, ….. (ms). The final modified inter-keystroke timings: 130, 160, 340, 830, 140, …… (ms)
  • 63. Presented Scheme – A Simple Example • Receiver extracts the credentials. Between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter
  • 64. Presented Scheme – A Simple Example • Receiver extracts the credentials (figure values: 137 162 343 833 142; 130 162 340 830 140)
  • 65. Presented Scheme – A Simple Example • Receiver extracts the credentials (figure axis: inter-keystroke timings)
  • 66. Presented Scheme – A Simple Example • Receiver extracts the credentials. The final modified inter-keystroke timings: 130, 160, 340, 830, 140, …… (ms). The final received inter-packet timings: 137, 162, 343, 833, 142, ……. (ms). Window size = 20ms, suppose ɛ = 3ms: the decoded binaries: 1, 0, 0, 1, 0, …… (ms) Bingo
  • 67. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 69. Implementation Details JitterBug sender PS/2 Protocol: Connector Interface
  • 70. Implementation Details PS/2 Protocol: Connector Interface 1. Data line: transmits the 8-bit scan code to indicate which key was pressed. 2. Clock line: used for synchronization, to indicate when data is valid 3. VCC & GND lines: power lines
  • 71. Implementation Details Possible events: • Key pressed: 11-bit code is sent -- start bit, 8-bit scan code, odd parity bit, stop bit • Key released: two 11-bit codes are sent -- first scan code is F0 -- second scan code is the released key code • Key held down: 11-bit code is sent every 100 ms -- scan code is the pressed key code
  • 72. Notes: Data is valid on negative edge of the clock. Implementation Details
  • 75. Implementation Details Use PIC microcontroller. Hardware functionalities: • Identify certain keystroke patterns – whether to store keystrokes and when to add delay to keystrokes, e.g. detect “ssh username@host”: 1. the following keystrokes should be the password --- should be stored 2. the user will be in an interactive ssh session --- is appropriate for adding delays • Delay keyboard signal: external interrupt + timer interrupt (diagram labels: Triggers, EEPROM, External interrupt, Timer interrupt, Input signal, Output signal, Store, Add delays)
  • 76. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 79. Evaluation - Accuracy Data flow between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter
  • 80. Evaluation - Accuracy Data flow between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter. Slide annotation: high priority in OS scheduling
  • 81. Evaluation - Accuracy Data flow between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter. Slide annotation on Nagle’s algorithm: handles small packets: decides when to buffer data before sending it out in a network packet. By default, disabled !!!
  • 82. Evaluation - Accuracy Data flow between covert channel sender and covert channel receiver: inside the host system: keyboard buffering & network buffering, OS scheduling, Nagle’s algorithm; outside the host system: network jitter. Slide annotation on network jitter: biggest factor: adds the most randomized noise
  • 83. Evaluation - Accuracy Experiment settings: • Source machine is located at the University of Pennsylvania • Interactive SSH sessions • Timing information comes from the destination host using tcpdump
  • 84. Evaluation - Accuracy How to compare difference between sent and received binaries? Raw Bit Error calculated by: Levenshtein Distance: used when sent and received binaries are of different length Definition of Levenshtein distance:
  • 85. Evaluation - Accuracy Factor of geographic locations: How to set up the experiment platform?
  • 86. Evaluation - Accuracy PlanetLab • Global research network – setup worldwide network services • Since 2003, more than 1000 researchers have used PlanetLab to develop new technologies
  • 87. Evaluation - Accuracy Factor of geographic locations: Observations: • For a fixed window size, the channel performance does not exhibit any clear trend. In other words, geographic locations do not matter much to channel performance.
  • 88. Evaluation - Accuracy Factor of geographic locations: Observations: • The smaller the window size is, the higher the error rates will be. But the window size should not be so big that the delay is perceived by the user.
  • 89. Evaluation - Accuracy Factor of different applications: Observations: • The channel performance is not affected much by the choice of interactive terminal applications.
  • 90. Evaluation - Accuracy Factor of different systems: Observations: • The channel performance is not affected much by the choice of operating systems.
  • 91. Evaluation - Accuracy Factor of different system loads: Observations: • The channel performance is not affected much by system load.
  • 92. Evaluation - Accuracy Factor of network jitters: ???
  • 94. Evaluation - Bandwidth • Each keystroke could encode one bit of information. How to improve? • Subdivide the window further to improve encoding (but may also lead to lower accuracy)
  • 96. Evaluation - Detectability Observations: • A simple plot of inter-arrival times will detect the proposed covert channel (figure panels: without JitterBug, with JitterBug)
  • 97. Evaluation - Detectability Rotating time windows: Assumes: Alice and Bob share a sequence of integers. Basically, after Alice sends one bit and Bob receives one bit, they move to the next shared integer. (figure axis: inter-keystroke timings)
  • 98. Evaluation - Detectability Example: Sent binaries {1,0,1} shared sequence {s0, s1, s2}={3,9,5}
  • 100. Outlines • Introduction • Previous work • Presented scheme • Implementation details • Evaluation • Conclusion
  • 101. Conclusion • Compromising an input channel is useful not only for learning secrets, but also for leaking information over the network. • Loosely coupled network timing channels are practical. Possible future work: • Better framing and error correcting schemes • Better ways to evade detection
  • 102. References 1. Cabuk, S., Brodley, C., and Shields, C. “IP covert timing channels”. (CCS, 04) 2. Cabuk, S. “Network Covert Channels: Design, Analysis, Detection and Elimination”. (PhD Thesis, Purdue University, 2006) 3. Shah, Gaurav, Andres Molina, and Matt Blaze. "Keyboards and Covert Channels." USENIX Security. 2006.
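
The detectability observation on slide 96 (a simple plot of inter-arrival times exposes the fixed-window channel) can be turned into an automated check. The Python below is an added example, not code from the paper or the presentation: it uses the slide-62 delay arithmetic only to build a constructed sample, then scores how strongly inter-arrival times band at multiples of w/2. The function names, the scoring statistic (mean resultant length), the candidate window list, the noise model and the 0.3 threshold are assumptions of this example.

```python
import cmath
import math
import random

W_MS = 20  # window size w used in the slides' worked example


def added_delays(intervals_ms, bits, w=W_MS):
    """Delay added to each inter-keystroke interval so the result is congruent
    to 0 (bit 0) or w/2 (bit 1) modulo w, as in the slides' third step."""
    return [((w / 2 if b else 0) - t) % w for t, b in zip(intervals_ms, bits)]


def banding_score(intervals_ms, w):
    """Mean resultant length of the intervals folded onto a period of w/2.
    Close to 0 for ordinary traffic, close to 1 when the residues pile up
    at 0 and w/2, which is the banding a plot of the timings would show."""
    if not intervals_ms:
        return 0.0
    period = w / 2
    total = sum(cmath.exp(2j * math.pi * t / period) for t in intervals_ms)
    return abs(total) / len(intervals_ms)


def scan_windows(intervals_ms, candidates=(10, 20, 30, 40, 50)):
    """The monitor does not know w, so score every candidate window size
    (assumed list, in ms) and return (best_w, best_score)."""
    scores = {w: banding_score(intervals_ms, w) for w in candidates}
    best = max(scores, key=scores.get)
    return best, scores[best]


def is_banded(intervals_ms, threshold=0.3):
    """Flag a flow whose best banding score reaches the (assumed) threshold."""
    return scan_windows(intervals_ms)[1] >= threshold


def constructed_samples(n=400, seed=1):
    """Constructed data, not measurements from the paper: typing gaps drawn
    uniformly from 80-400 ms, and the same gaps after fixed-window encoding
    of random bits plus Gaussian network noise (sigma 1.5 ms, assumed)."""
    rng = random.Random(seed)
    clean = [rng.uniform(80, 400) for _ in range(n)]
    bits = [rng.getrandbits(1) for _ in range(n)]
    delays = added_delays(clean, bits)
    covert = [t + d + rng.gauss(0, 1.5) for t, d in zip(clean, delays)]
    return clean, covert


if __name__ == "__main__":
    # The slides' own numbers: 123, 145, 333, 813, 140 ms carrying 1, 0, 0, 1, 0.
    print("delays:", added_delays([123, 145, 333, 813, 140], [1, 0, 0, 1, 0]))
    clean, covert = constructed_samples()
    for name, flow in (("clean", clean), ("jittered", covert)):
        w, score = scan_windows(flow)
        print(f"{name}: best w={w} ms, score={score:.2f}, flagged={is_banded(flow)}")
```

This check targets the fixed window of the simple example; the rotating time windows on slide 97 are the deck's countermeasure to exactly this kind of banding test.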

Editor's Notes

  1. The notion of covert channel was popularized by the Rainbow Series. The Rainbow Series is a series of computer security guidelines and processes to certify that a computer system is secure. They were developed by the US government in the 1980s and 1990s. Basically, different colors deal with different aspects of security. Among them, the Light Pink Book focuses on analysis of covert channels. Light Pink Book - specifically focuses on covert channel analysis. Orange Book - centerpiece of the Rainbow Series - has requirements on covert channel analysis for specific systems.
  2. In a practical instantiation of this problem, Alice and Bob may well be the same person. Consider a machine to which an attacker has unrestricted access for only a short amount of time, and which lies within a closely monitored network. The attacker installs a keylogger on the machine, and wishes to leak passwords to himself in such a way that the owner of the network does not observe that anything untoward is happening.