Keyboards and covert channels

USENIX Security, pp. 59+ (2006)

Cited by: 230 | Views: 175

Abstract

This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data w...
Introduction
  • Covert channels are an important theoretical construction for the analysis of information security, but they are not often regarded as a significant threat in conventional networked computing systems.
  • Compromising a sensitive system component typically gives the attacker total control over the system or an output channel, making the threat of covert channels relatively minor compared with that of whatever software vulnerability made such a compromise possible in the first place
  • Outside of those intended explicitly to support multi-level security, conventional general purpose commercial operating systems, network components, application software, and system architectures largely ignore the threat of covert channels
Highlights
  • Covert channels are an important theoretical construction for the analysis of information security, but they are not often regarded as a significant threat in conventional networked computing systems
  • The experiments were performed with our bump-in-the-wire implementation of the Keyboard JitterBug on a PIC (Peripheral Interface Controller) microcontroller
  • As our covert channel relies on manipulating the timing of keypresses to piggyback information, the keyboard needs to be in use for the channel to work and be tested
  • The available memory of the PIC device limits the maximum length of the replay
  • We introduced loosely-coupled network timing channels and JitterBugs, through which covert network timing channels can be exploited to leak sensitive information in general-purpose computing systems
  • We described the Keyboard JitterBug, our implementation of such a network timing channel
Results
  • The authors performed various experiments to test the Keyboard JitterBug under a variety of sender configurations, network conditions and receiver conditions.
  • The covert timing channel can be turned on, and the replay information is used to simulate a real user typing at the keyboard, preserving the original user's keystroke timing information.
  • This way the authors can test different Keyboard JitterBug parameters under the same set of conditions.
  • Replaying recorded timings rather than live typing does not materially affect the experiments, since the authors are concerned only with the inter-character timing, not the actual text
Conclusion
  • Conclusions and Future Work: Compromising an input channel is useful for learning secrets, but, as the authors have seen, is often sufficient for leaking them over the network.
  • The Keyboard JitterBug is a keylogger that does not require physical retrieval to exfiltrate its captured data.
  • It can leak previously captured sensitive information such as user passphrases over interactive network applications by adding small and unnoticeable delays to user keypresses.
  • It is even possible to use the Keyboard JitterBug, at low bandwidth, with other, non-interactive, network applications, such as web browsers and instant messaging systems
Tables
  • Table1: Measured Raw Bit Error Rate for different window sizes and network nodes (Levenshtein Distance Metric)
  • Table2: Measured Raw Bit Error Rate for SSH and Telnet (Levenshtein Distance Metric)
  • Table3: Measured Raw Bit Error Rate for different window sizes and operating systems (Levenshtein Distance Metric)
  • Table4: Measured Raw Bit Error Rate for different window sizes and system loads (Levenshtein Distance Metric)
  • Table5: Measured Bit Error Rate(s) with Framing (Bit-Stuffing) (E_T = Net BER, E_CF = Average Correct Frame BER, E_DF = Frame Discard Rate)
  • Table6: Measured Bit Error Rate(s) with Framing (Ternary Encoding) (E_T = Net BER, E_CF = Average Correct Frame BER, E_DF = Frame Discard Rate)
  • Table7: Measured Bit Error Rate(s) with high bitrate encoding (4 bits/symbol + frame delimiter) (E_T = Net BER, E_CF = Average Correct Frame BER, E_DF = Frame Discard Rate)
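The tables above report a raw bit error rate measured with the Levenshtein distance metric rather than a position-wise comparison. The following is an added example, not code from the paper, showing why that choice matters for a timing channel: a dropped or spurious keystroke counts as a single deletion or insertion instead of desynchronizing every later bit. The sample bit strings are constructed for illustration.

```python
# Added example (not the paper's code): raw BER as used in Tables 1-4,
# computed as Levenshtein edit distance between the transmitted and the
# recovered bit string, divided by the number of bits sent.

def levenshtein(a: str, b: str) -> int:
    """Minimum insertions, deletions and substitutions turning a into b."""
    prev = list(range(len(b) + 1))          # cost row for the empty prefix of a
    for i, ca in enumerate(a, 1):
        cur = [i]                            # deleting all i chars of a so far
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]

def raw_ber(sent: str, received: str) -> float:
    """Raw BER in the paper's sense: edit distance over the bits sent."""
    if not sent:
        raise ValueError("need at least one transmitted bit")
    return levenshtein(sent, received) / len(sent)

def hamming_ber(sent: str, received: str) -> float:
    """Naive position-wise BER, for comparison; needs equal lengths."""
    if len(sent) != len(received):
        raise ValueError("Hamming BER needs equal-length strings")
    return sum(s != r for s, r in zip(sent, received)) / len(sent)

# Constructed sample: 16 bits sent; the receiver drops the 5th bit, misreads
# one later bit and records one spurious symbol near the end, so the
# recovered string happens to be 16 bits long again.
SENT = "1011001110100101"
RECEIVED = "1011011111001001"

if __name__ == "__main__":
    # One deletion, one substitution, one insertion: edit distance 3,
    # raw BER 3/16, while a position-wise comparison reports 5/16
    # because the dropped bit shifts every bit after it.
    print("edit distance :", levenshtein(SENT, RECEIVED))
    print("raw BER       :", raw_ber(SENT, RECEIVED))
    print("hamming BER   :", hamming_ber(SENT, RECEIVED))
```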
Related work
  • A common simplifying assumption in the covert channel literature is that the attacker has direct control over the timing of the events being measured by the receiver. That is, the attacker is usually assumed to compromise important system components that allow partial or total access to the output subsystem. While this may be a useful conservative assumption for those concerned with minimizing covert channel bandwidth or for abstractly modeling information leakage, we note that those seeking to exploit a timing channel may be able to do so more indirectly. In particular, network packet timing is influenced by many system components outside a host’s network subsystem, including input devices. Event timing information is propagated from one layer to another, eventually reaching the external network, where it can be measured by an adversary. We are not the first to observe that packet timing can leak sensitive information about non-network subsystems, which has been effectively exploited in remote timing “side channel” attacks against crypto systems [10] and for host fingerprinting [26, 8, 9]. Here, however, we are concerned not with incidental side channel leakage, but with leakage deliberately introduced (perhaps at somewhat higher bandwidth) by a malicious adversary.
Funding
  • This research was supported in part by grants from NSF Cybertrust (CNS-05-24047) and NSF SGER (CNS-0504159)
References
  • [1] The stress project. http://weather.ou.edu/apw/projects/stress/.
  • [2] Trusted computer system evaluation. Tech. Rep. DOD 5200.28STD, U.S. Department of Defense, 1985.
  • [3] United States v. Scarfo, Criminal No. 00-404 (D.N.J.), 2001.
  • [4] ACHARYA, A., AND SALZ, J. A Study of Internet Round-Trip Delay. Tech. Rep. CS-TR-3736, University of Maryland, 1996.
  • [5] AGAT, J. Transforming out timing leaks. In POPL '00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (New York, NY, USA, 2000), ACM Press, pp. 40–53.
  • [6] ANANTHARAM, V., AND VERDU, S. Bits Through Queues. In IEEE Transactions on Information Theory (1996), vol. 42.
  • [7] BERK, V., GIANI, A., AND CYBENKO, G. Detection of Covert Channel Encoding in Network Packet Delays. Tech. rep., Dartmouth College, 2005.
  • [8] BROIDO, A., HYUN, Y., AND KC CLAFFY. Spectroscopy of traceroute delays. In Passive and Active Measurement Workshop (2005).
  • [9] BROIDO, A., KING, R., NEMETH, E., AND KC CLAFFY. Radon spectroscopy of inter-packet delay. In IEEE High-Speed Networking Workshop (2003).
  • [10] BRUMLEY, D., AND BONEH, D. Remote Timing Attacks are Practical. In Proceedings of the 12th USENIX Security Symposium (August 2003).
  • [11] CABUK, S., BRODLEY, C. E., AND SHIELDS, C. IP covert timing channels: design and detection. In CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security (New York, NY, USA, 2004), ACM Press, pp. 178–187.
  • [12] CHUN, B., CULLER, D., ROSCOE, T., BAVIER, A., PETERSON, L., WAWRZONIAK, M., AND BOWMAN, M. PlanetLab: an overlay testbed for broad-coverage services. SIGCOMM Comput. Commun. Rev. 33, 3 (2003), 3–12.
  • [13] DAEMON9. Project Loki. Phrack Magazine 7, 49 (August 1996).
  • [14] DAVEY, M. C., AND MACKAY, D. J. Reliable communication over channels with insertions, deletions, and substitutions. IEEE Transactions on Information Theory 47 (2001).
  • [15] SELLERS, F. F., JR. Bit loss and gain correction code. In IEEE Transactions on Information Theory (1962), vol. 8, pp. 35–38.
  • [16] GILES, J., AND HAJEK, B. An Information-Theoretic and Game-Theoretic Study of Timing Channels. In IEEE Transactions on Information Theory (2002), vol. 48.
  • [17] HELOUET, L., JARD, C., AND ZEITOUN, M. Covert channels detection in protocols using scenarios. In Proceedings of SPV '2003, Workshop on Security Protocols Verification (2003). Satellite of CONCUR '03. Available at http://www.loria.fr/~rusi/spv.pdf.
  • [18] HU, W.-M. Reducing Timing Channels with Fuzzy Time. In IEEE Symposium on Security and Privacy (1991).
  • [19] JACOBSON, V., BRADEN, R., AND BORMAN, D. RFC 1323: TCP Extensions for High Performance.
  • [20] KANG, M. H., AND MOSKOWITZ, I. S. A Data Pump for Communication. Tech. rep., Naval Research Laboratory, 1995.
  • [21] KANG, M. H., MOSKOWITZ, I. S., AND LEE, D. C. A Network Version of the Pump. In IEEE Symposium on Security and Privacy (1995).
  • [22] KANG, M. H., MOSKOWITZ, I. S., MONTROSE, B. E., AND PARSONESE, J. J. A Case Study of Two NRL Pump Prototypes. In ACSAC '96: Proceedings of the 12th Annual Computer Security Applications Conference (Washington, DC, USA, 1996), IEEE Computer Society, p. 32.
  • [23] KELSEY, J., SCHNEIER, B., WAGNER, D., AND HALL, C. Side Channel Cryptanalysis of Product Ciphers. In ESORICS '98 (1998).
  • [24] KEMMERER, R. A. A Practical Approach to Identifying Storage and Timing Channels: Twenty Years Later. In ACSAC '02: Proceedings of the 18th Annual Computer Security Applications Conference (Washington, DC, USA, 2002), IEEE Computer Society, p. 109.
  • [25] KOCHER, P. C. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In CRYPTO (1996), pp. 104–113.
  • [26] KOHNO, T., BROIDO, A., AND KC CLAFFY. Remote Physical Device Fingerprinting. In IEEE Symposium on Security and Privacy (2005).
  • [27] LAMPSON, B. W. A Note on the Confinement Problem. In Communications of the ACM (1973), vol. 16.
  • [28] LEE, P. Combined error-correcting/modulation recording codes. PhD thesis, University of California, San Diego, 1988.
  • [29] LEVENSHTEIN, V. I. Binary codes capable of correcting deletions, insertions and reversals. In Soviet Physics Doklady (1966), vol. 10, pp. 707–710.
  • [30] LEVINE, B., REITER, M., WANG, C., AND WRIGHT, M. Timing Attacks in Low-Latency Mix Systems. In Proceedings of Financial Cryptography: 8th International Conference (FC 2004), LNCS 3110 (2004).
  • [31] MILLEN, J. 20 years of covert channel modeling and analysis. In IEEE Symposium on Security and Privacy (1999).
  • [32] MILLER, R. B. Response time in man-computer conversational transactions. In AFIPS Fall Joint Computer Conference (1968), vol. 33.
  • [33] MOSKOWITZ, I. S., AND KANG, M. H. Covert Channels – Here to Stay? In COMPASS (1994).
  • [34] MOSKOWITZ, I. S., AND MILLER, A. R. The Influence of Delay Upon an Idealized Channel's Bandwidth. In SP '92: Proceedings of the 1992 IEEE Symposium on Security and Privacy (Washington, DC, USA, 1992), IEEE Computer Society, p. 62.
  • [35] MOSKOWITZ, I. S., AND MILLER, A. R. Simple timing channels. In IEEE Symposium on Security and Privacy (1994).
  • [36] MURDOCH, S., AND DANEZIS, G. Low-cost traffic analysis of Tor. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (2005).
  • [37] NAGLE, J. RFC 896: Congestion Control in IP/TCP Internetworks.
  • [38] PROCTOR, N. E., AND NEUMANN, P. G. Architectural Implications of Covert Channels. In 15th National Computer Security Conference (1992).
  • [39] RATZER, E. A., AND MACKAY, D. J. C. Codes for channels with insertions, deletions and substitutions. In Proceedings of the 2nd International Symposium on Turbo Codes and Related Topics, Brest, France (2000), pp. 149–156.
  • [40] SHANNON, C. E. A mathematical theory of communication. Bell System Technical Journal (1948), 379–423 and 623–656.
  • [41] SONG, D. X., WAGNER, D., AND TIAN, X. Timing analysis of keystrokes and timing attacks on SSH. In USENIX Security Symposium (2001).
  • [42] TANAKA, E., AND KASAI, T. Synchronization and substitution error-correcting codes for the Levenshtein metric. In IEEE Transactions on Information Theory (March 1976), vol. 22, pp. 156–162.
  • [43] VENKATRAMAN, B. R., AND NEWMAN-WOLFE, R. Capacity Estimation and Auditability of Network Covert Channels. In IEEE Symposium on Security and Privacy (1995).
  • [44] WANG, X., CHEN, S., AND JAJODIA, S. Tracking anonymous peer-to-peer VoIP calls on the Internet. In CCS '05: Proceedings of the 12th ACM Conference on Computer and Communications Security (New York, NY, USA, 2005), ACM Press, pp. 81–91.
  • [45] WANG, X., AND REEVES, D. Robust Correlation of Encrypted Attack Traffic Through Stepping Stones by Manipulation of Interpacket Delays. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003) (2003).
  • [46] WRAY, J. C. An Analysis of Covert Timing Channels. In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, California (1991).