Course: Software Defined Radio
ICT Security Basics
Angelo Liguori, angelo.liguori@uniroma3.it
SP4TE lab

Simple Timing Covert Channel
- Unintended information about data gets leaked through observing the timing of events
- ON-OFF scheme

Simple Timing Covert Channels
- The sender and receiver agree beforehand on a timing interval and on a starting protocol that signals the start of transmission.
- The starting protocol may be a time or a network event, or a special packet could be used to signal transmission.
- Once the channel is established, a packet received within the time interval signifies a binary 1, and silence during the interval signifies a 0.

Simple Timing Covert Channels
- Rather than creating a continuous stream of bits, one method is to create frames, each consisting of a predetermined number of bits.
- The capacity of the channel is determined by the timing interval chosen: the smaller the interval, the higher the transmission rate.

Simple Timing Covert Channel
- 2-level client-server architecture
- Active timing covert channel
- Sender: the entity that sends the messages (licit and covert) and starts the connection
- Receiver: the entity that receives the messages (licit and covert) and waits for connections
- Sender and receiver use a TCP connection on port 20001

Network Service
- The operating system provides an Application Programming Interface (API) for network applications
- C, C++ and Java offer sockets to send data over a TCP or UDP connection
- Stream sockets for connection-oriented protocols (i.e. TCP)
- Datagram sockets for connectionless protocols (i.e. UDP)

Sockets
- Sockets are APIs that give developers inter-process communication between different hosts
- A way to communicate with other programs using a descriptor that is like a file descriptor
- You must:
  - open it
  - read/write or send/recv
  - close it

Sockets
- Berkeley sockets is the most popular Internet socket API
- Runs on Linux, FreeBSD, OS X, Windows
- Fed by the popularity of TCP/IP
- Sockets hide the details of the transport layer (ISO-OSI)

TCP Sockets
- TCP = Transmission Control Protocol
- Reliable, connection-oriented
- Two-way connection
- Messages sent in order arrive in order
- Like the telephone system:
  - a connection must be established between the sender and the receiver
  - a conversation takes place
  - the connection must be ended

Client-Server Model
CLIENT
- Starts second
- Contacts a server with a request
- Waits for response from server
SERVER
- Starts first
- Waits for contact from a client
- Responds to requests

Typical Client Program
- Prepare to communicate
  - Create a socket
  - Determine server address and port number
  - Initiate the connection to the server (TCP)
- Exchange data with the server
  - Write data to the socket
  - Read data from the socket
  - Note: a single socket supports both reading and writing
- Manipulate the data (i.e., display email, etc.)
- Close the socket

Typical Server Program
- Prepare to communicate
  - Create a socket
  - Associate local address and port with the socket
- Wait to hear from a client
  - Indicate how many clients-in-waiting to permit
  - Accept an incoming connection from a client
- Exchange data with the client over new socket
  - Receive data from the socket
  - Do stuff to handle the request (i.e., get a file)
  - Send data to the socket
  - Close the socket
- Repeat with the next connection request

Basic Socket Calls

SERVER CALLS
socket()
bind()
listen()
while (whatever) {
    accept()
    read() / recv()
    write() / send()
    close()
}

CLIENT CALLS
gethostbyname()
socket()
connect()
write() / send()
read() / recv()
close()

Simple Client-Server
CLIENT: socket(), connect(), send(), recv(), close()
SERVER: socket(), bind(), listen(), accept(), recv(), send(), recv(), close()
Message flow between client and server:
- Connection establishment
- Data request
- Data response
- End-of-file notification

Socket Calls
int socket(int domain, int type, int protocol)
int connect(int sockfd, struct sockaddr *server_address, socklen_t addrlen)
ssize_t send(int sockfd, const void *buf, size_t len, int flags)
ssize_t recv(int sockfd, void *buf, size_t len, int flags)
int bind(int sockfd, struct sockaddr *my_addr, socklen_t addrlen)
int listen(int sockfd, int backlog)
int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
int close(int sockfd)

Socket creation
- Operation to create a socket: int socket(int domain, int type, int protocol)
- Returns a descriptor (or handle) for the socket
- Originally designed to support any protocol suite
- Domain: protocol family
  - Use PF_INET for the Internet
- Type: semantics of the communication
  - SOCK_STREAM: reliable byte stream
  - SOCK_DGRAM: message-oriented service
- Protocol: specific protocol
  - UNSPEC: unspecified. No need for us to specify, since PF_INET plus SOCK_STREAM already implies TCP, and SOCK_DGRAM implies UDP
- Used by both server and client to create a socket

Simple Timing Covert Channel - Client
- Function that calculates the current time
- Function that sends the overt message
- Function that sends the covert message using the ON-OFF scheme
  - NOTE: after each covert bit sent, we wait for the covert message interval time
  - Synchro: every 3 covert bytes we send a synchronization symbol
- In main we create and manage the socket

Simple Timing Covert Channel - Server
- Function that calculates the current time
- 2 threads:
  - Thread 1 reads the overt message and centers the time in the middle of the covert message interval time
  - Thread 2 manages the time sampling and builds the covert message
- In main we create and manage the socket

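The slot decoding behind the ON-OFF scheme and the server's time sampling, as an added example that is not the course's own code: it maps packet arrival times onto intervals, so an analyst can see how a capture decodes and why sampling is centred in the middle of the interval. The 8-bit MSB-first frame, the function names and the timestamps are assumptions constructed for illustration; the synchronization symbol is not modelled.

```c
#include <stddef.h>
#include <stdio.h>

#define FRAME_BITS 8  /* assumed frame size (the slides fix no value) */

/* Slot k covers [t0 + k*T, t0 + (k+1)*T). A packet inside the slot
 * decodes as 1, silence as 0. Bits are packed MSB-first (assumption). */
unsigned char decode_frame(const double *arrivals, size_t n,
                           double t0, double T)
{
    unsigned char frame = 0;
    for (size_t i = 0; i < n; i++) {
        double off = arrivals[i] - t0;
        if (off < 0.0 || off >= FRAME_BITS * T)
            continue;                      /* outside this frame */
        size_t k = (size_t)(off / T);      /* slot index */
        if (k < FRAME_BITS)
            frame |= (unsigned char)(0x80u >> k);
    }
    return frame;
}

/* Raw rate of the scheme: one bit per interval. */
double capacity_bps(double T) { return 1.0 / T; }

/* Constructed timestamps (seconds): T = 0.5, t0 = 10.0. The 1-bits of
 * 0x4B (01001011) arrive near the centre of slots 1, 4, 6 and 7. */
static const double sample_ok[] = { 10.76, 12.22, 13.30, 13.71 };
/* Same frame, but the slot-4 packet is delayed by more than T/2 and
 * lands in slot 5, so the decoded byte is wrong. */
static const double sample_late[] = { 10.76, 12.52, 13.30, 13.71 };

int main(void)
{
    double T = 0.5, t0 = 10.0;
    printf("on time : 0x%02X\n", decode_frame(sample_ok, 4, t0, T));
    printf("delayed : 0x%02X\n", decode_frame(sample_late, 4, t0, T));
    printf("capacity: %.1f bit/s\n", capacity_bps(T));
    return 0;
}
```

Shrinking the interval raises the rate but also shrinks the T/2 margin, so ordinary network jitter corrupts the channel sooner.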