Crafting Web Counters into Covert Channels

Wang, Liu; Chan, Ehw; Chang, Rocky K. C.

doi:10.1007/978-0-387-72367-9_29

Cited by 5 publications

(5 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally there are examples of exfiltration techniques that do not apply to isolated networks. For example, [36] uses a web counter as a covert channel, but this requires the DMZ target host to have (1) a shared web application between the internal and the external networks; and (2) to have a web counter in that application. [12] uses public cloud service as a covert channel, and [51] uses multiple public services as a covert channel.…”

Section: Other Side Channels and Exfiltration Techniquesmentioning

confidence: 99%

Subverting Stateful Firewalls with Protocol States (Extended Version)

Klein¹

2021

Preprint

View full text Add to dashboard Cite

We analyzed the generation of protocol header fields in the implementations of multiple TCP/IP network stacks and found new ways to leak information about global protocol states. We then demonstrated new covert channels by remotely observing and modifying the system's global state via these protocol fields. Unlike earlier works, our research focuses on hosts that reside in firewalled networks (including source address validation -SAV), which is a very common scenario nowadays. Our attacks are designed to be non-disruptive -in the exfiltration scenario, this makes the attacks stealthier and thus extends their longevity, and in case of host alias resolution and similar techniques -this ensures the techniques are ethical. We focused on ICMP, which is commonly served by firewalls, and on UDP, which is forecasted to take a more prominent share of the Internet traffic with the advent of HTTP/3 and QUIC, though we report results for TCP as well.The information leakage scenarios we discovered enable the construction of practical covert channels which directly pierce firewalls, or indirectly establish communication via hosts in firewalled networks that also employ SAV. We describe and test three novel attacks in this context: exfiltration via the firewall itself, exfiltration via a DMZ host, and exfiltration via co-resident containers. These are three generic, new use cases for covert channels that work around * This is an extended version of a paper that will be published in NDSS 2022.firewalling and enable devices that are not allowed direct communication with the Internet, to still exfiltrate data out of the network. In other words, we exfiltrate data from isolated networks to the Internet. We also explain how to mount known attacks such as host alias resolution, de-NATting and container coresidence detection, using the new information leakage techniques.

show abstract

Section: Other Side Channels and Exfiltration Techniquesmentioning

confidence: 99%

Subverting Stateful Firewalls with Protocol States (Extended Version)

Klein¹

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Most storage channels use specification-based approaches to locate possible covers [38], [39]. Existing literature and tools on storage channels have already covered many popular protocols (e.g., IP [10], [39], TCP [10], [36], [40], SSH [41], and HTTP [6]) and applications (e.g., Web counter [29], VoIP [42]). …”

Section: Camouflage Capabilitymentioning

confidence: 99%

“…To eliminate such anomalies, we propose a web group hopping (WGH) method, which is motivated by WebShare's site-hopping algorithm [29]. Using this approach, the encoder and the decoder agree on a set of web pages that can be divided into N W groups, each of which includes R web pages.…”

mentioning

confidence: 99%

A combinatorial approach to network covert communications with applications in Web Leaks

Wang

Zhou

Chan

et al. 2011

2011 IEEE/IFIP 41st International Conference on Dependable Systems &Amp; Networks (DSN)

Self Cite

View full text Add to dashboard Cite

Various effective network covert channels have recently demonstrated the feasibility of encoding messages into the timing or content of individual network objects, such as data packets and request messages. However, we show in this paper that more robust and stealthy network covert channels can be devised by exploiting the relationship of the network objects. In particular, we propose a combinatorial approach for devising a wide spectrum of covert channels which can meet different objectives based on the channel capacity and channel undetectability. To illustrate the approach, we design WebLeaks and ACKLeaks, two novel covert channels which can leak information through the data and acknowledgment traffic in a web session. We implement both channels and deploy them on the PlanetLab nodes for evaluation. Besides the channel capacity, we apply the state-of-the-art detection schemes to evaluate their camouflage capability. The experiment results show that their capacity can be boosted up by our combinatorial approach, and at the same time they can effectively evade the detection.

show abstract

“…This limitation on the detector obviates the need to steganographically embed SIN communication in packets (with one exception, discussed in §IV-A). Nevertheless, SIN draws inspiration from other works focused on embedding one type of service steganographically within another, e.g., a file system within a file system [11], a file system or wiki within a media hosting and sharing service [12], [13], or communication within web counters [14].…”

Section: Related Workmentioning

confidence: 99%

Summary-Invisible Networking: Techniques and Defenses

Wei

Reiter

Mayer-Patel

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract-Numerous network anomaly detection techniques utilize traffic summaries (e.g., NetFlow records) to detect and diagnose attacks. In this paper we investigate the limits of such approaches, by introducing a technique by which compromised hosts can communicate without altering the behavior of the network as evidenced in summary records of many common types. Our technique builds on two key observations. First, network anomaly detection based on payload-oblivious traffic summaries admits a new type of covert embedding in which compromised nodes embed content in the space vacated by compressing the payloads of packets already in transit between them. Second, point-to-point covert channels can serve as a "data link layer" over which routing protocols can be run, enabling more functional covert networking than previously explored. We investigate the combination of these ideas, which we term Summary-Invisible Networking (SIN), to determine both the covert networking capacities that an attacker can realize in various tasks and the possibilities for defenders to detect these activities.

show abstract

Crafting Web Counters into Covert Channels

Cited by 5 publications

References 14 publications

Subverting Stateful Firewalls with Protocol States (Extended Version)

Subverting Stateful Firewalls with Protocol States (Extended Version)

A combinatorial approach to network covert communications with applications in Web Leaks

Summary-Invisible Networking: Techniques and Defenses

Contact Info

Product

Resources

About