Keyboards and covert channels
USENIX Security Symposium (2006), pp. 59 ff.
This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data w...
- Covert channels are an important theoretical construction for the analysis of information security, but they are not often regarded as a significant threat in conventional networked computing systems.
- Compromising a sensitive system component typically gives the attacker total control over the system or an output channel, making the threat of covert channels relatively minor compared with that of whatever software vulnerability made such a compromise possible in the first place
- Outside of those intended explicitly to support multi-level security, conventional general purpose commercial operating systems, network components, application software, and system architectures largely ignore the threat of covert channels
- The experiments were performed with our bump-in-the-wire implementation of the Keyboard JitterBug on a PIC (Peripheral Interface Controller) microcontroller
- As our covert channel relies on manipulating the timing of keypresses to piggyback information, the keyboard needs to be in use for the channel to work and be tested
- The available memory of the PIC device limits the maximum length of the replay
- We introduced loosely-coupled network timing channels and JitterBugs, through which covert network timing channels can be exploited to leak sensitive information in general-purpose computing systems
- We described the Keyboard JitterBug, our implementation of such a network timing channel
- The authors performed various experiments to test the Keyboard JitterBug under a variety of sender configurations and network and receiver conditions.
- For each run the covert timing channel is turned on and the recorded replay information is used to simulate a real user typing at the keyboard, preserving the original user's keystroke timing.
- This way the authors can test different Keyboard JitterBug parameters under the same set of conditions.
- Replaying the same recorded text in every run does not materially affect the experiments, since the authors are concerned only with the inter-character timing, not the actual text
- Conclusions and Future
- Compromising an input channel is not only useful for learning secrets but, as the authors have shown, is often sufficient for leaking them over the network as well.
- The Keyboard JitterBug is a keylogger that does not require physical retrieval to exfiltrate its captured data.
- It can leak previously captured sensitive information such as user passphrases over interactive network applications by adding small and unnoticeable delays to user keypresses.
- It is even possible to use the Keyboard JitterBug, at low bandwidth, with other, non-interactive network applications such as web browsers and instant messaging systems
- Table 1: Measured raw bit error rate for different window sizes and network nodes (Levenshtein distance metric)
- Table 2: Measured raw bit error rate for SSH and Telnet (Levenshtein distance metric)
- Table 3: Measured raw bit error rate for different window sizes and operating systems (Levenshtein distance metric)
- Table 4: Measured raw bit error rate for different window sizes and system loads (Levenshtein distance metric)
- Table 5: Measured bit error rates with framing (bit stuffing); E_T = net BER, E_CF = average BER over correctly received frames, E_DF = frame discard rate
- Table 6: Measured bit error rates with framing (ternary encoding); E_T = net BER, E_CF = average BER over correctly received frames, E_DF = frame discard rate
- Table 7: Measured bit error rates with high-bitrate encoding (4 bits/symbol plus frame delimiter); E_T = net BER, E_CF = average BER over correctly received frames, E_DF = frame discard rate
- A common simplifying assumption in the covert channel literature is that the attacker has direct control over the timing of the events being measured by the receiver. That is, the attacker is usually assumed to compromise important system components that allow partial or total access to the output subsystem. While this may be a useful conservative assumption for those concerned with minimizing covert channel bandwidth or for abstractly modeling information leakage, we note that those seeking to exploit a timing channel may be able to do so more indirectly. In particular, network packet timing is influenced by many system components outside a host's network subsystem, including input devices. Event timing information is propagated from one layer to another, eventually reaching the external network, where it can be measured by an adversary. We are not the first to observe that packet timing can leak sensitive information about non-network subsystems, which has been effectively exploited in remote timing "side channel" attacks against crypto systems and for host fingerprinting [26, 8, 9]. Here, however, we are concerned not with incidental side channel leakage, but with leakage deliberately introduced (perhaps at somewhat higher bandwidth) by a malicious adversary.
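The mechanism summarised above (small, unnoticeable delays added to keypresses; one network packet per keystroke in an interactive session; bits recovered from packet inter-arrival times; raw bit error rate measured as Levenshtein distance, as in Tables 1 to 4) can be simulated end to end. The following Python is an added example, not code from the paper or its PIC firmware. The window-based encoding rule it uses (inter-keystroke interval modulo a window w equal to 0 for bit 0 and w/2 for bit 1, decoded with a tolerance of w/4) is modelled on the paper's timing-window scheme, which the summary above does not spell out, so treat the exact thresholds as an assumption; the keystroke timings, the uniform jitter model and all function names are constructed.

```python
"""Simulation of a Keyboard JitterBug style timing channel: sender-side
keystroke delays, receiver-side decoding from packet inter-arrival times,
and the raw bit error rate measured as Levenshtein distance.
Added example with constructed timings; not the paper's hardware or traces."""
import random


def levenshtein(a, b):
    """Edit distance between two bit strings. Used instead of Hamming
    distance because a lost or merged packet shifts the received stream,
    which a position-by-position comparison would count as many errors."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def jitterbug_encode(press_times, bits, w):
    """Return the time (integer ms) at which each keystroke is forwarded.

    Keystroke k is held back so that the interval since the previously
    forwarded keystroke, taken modulo the window w, is 0 for bit 0 and w/2
    for bit 1 (assumed encoding). The added delay is always in [0, w), so
    with w = 20 ms no key is ever delayed by 20 ms or more.
    """
    out = [press_times[0]]
    for k, t in enumerate(press_times[1:]):
        base = max(t, out[-1])          # never forward a key before it is pressed
        if k >= len(bits):              # payload exhausted: pass through untouched
            out.append(base)
            continue
        target = 0 if bits[k] == '0' else w // 2
        raw = base - out[-1]            # interval the wire would otherwise show
        out.append(base + (target - raw) % w)
    return out


def jitterbug_decode(arrival_times, w):
    """Recover bits from consecutive packet arrival times. The residue of
    each interval mod w is read as 0 if it lies within w/4 of 0 (wrapping
    around), else 1, so each interval tolerates up to w/4 of timing error."""
    bits = []
    for prev, cur in zip(arrival_times, arrival_times[1:]):
        r = (cur - prev) % w
        bits.append('1' if w / 4 <= r < 3 * w / 4 else '0')
    return ''.join(bits)


def simulate_raw_ber(bits, w, jitter_ms, seed=1):
    """Constructed experiment: human-like inter-keystroke gaps (90-260 ms),
    one packet per keystroke as with SSH, and uniform per-packet network
    jitter of +/- jitter_ms. Returns raw BER = Levenshtein / bits sent."""
    rng = random.Random(seed)
    press = [0]
    for _ in bits:
        press.append(press[-1] + rng.randint(90, 260))
    sent = jitterbug_encode(press, bits, w)
    arrivals = [t + rng.randint(-jitter_ms, jitter_ms) for t in sent]
    # Two independent perturbations move one interval by up to 2*jitter_ms,
    # so decoding stays error-free only while 2*jitter_ms < w/4.
    return levenshtein(bits, jitterbug_decode(arrivals, w)) / len(bits)


if __name__ == "__main__":
    payload = ''.join(format(ord(c), '08b') for c in "pw")   # 16 bits to leak
    for w in (20, 40, 100):
        for j in (0, 2, 5, 10):
            ber = simulate_raw_ber(payload, w, j)
            print(f"w={w:3d} ms  jitter=+/-{j:2d} ms  raw BER={ber:.2f}")
```

Running the block prints the raw BER for several window sizes and jitter levels and reproduces the qualitative trend of Tables 1 and 4: the channel is error-free while the per-interval timing error stays below w/4 and degrades quickly past that, which is why the sender can trade bandwidth for robustness by widening w. The framing experiments of Tables 5 to 7 layer bit stuffing or ternary symbols on top of this raw channel; that layer is not simulated here.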
- This research was supported in part by grants from NSF Cybertrust (CNS-05-24047) and NSF SGER (CNS-0504159)
- [1] The stress project. http://weather.ou.edu/apw/projects/stress/.
- [2] Trusted Computer System Evaluation Criteria. Tech. Rep. DOD 5200.28-STD, U.S. Department of Defense, 1985.
- [3] United States v. Scarfo, Criminal No. 00-404 (D.N.J.), 2001.
- [4] ACHARYA, A., AND SALZ, J. A Study of Internet Round-Trip Delay. Tech. Rep. CS-TR-3736, University of Maryland, 1996.
- [5] AGAT, J. Transforming out timing leaks. In POPL '00: Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (New York, NY, USA, 2000), ACM Press, pp. 40–53.
- [6] ANANTHARAM, V., AND VERDU, S. Bits Through Queues. IEEE Transactions on Information Theory 42 (1996).
- [7] BERK, V., GIANI, A., AND CYBENKO, G. Detection of Covert Channel Encoding in Network Packet Delays. Tech. rep., Dartmouth College, 2005.
- [8] BROIDO, A., HYUN, Y., AND CLAFFY, KC. Spectroscopy of traceroute delays. In Passive and Active Measurement Workshop (2005).
- [9] BROIDO, A., KING, R., NEMETH, E., AND CLAFFY, KC. Radon spectroscopy of inter-packet delay. In IEEE High-Speed Networking Workshop (2003).
- [10] BRUMLEY, D., AND BONEH, D. Remote Timing Attacks are Practical. In Proceedings of the 12th USENIX Security Symposium (August 2003).
- [11] CABUK, S., BRODLEY, C. E., AND SHIELDS, C. IP covert timing channels: design and detection. In CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security (New York, NY, USA, 2004), ACM Press, pp. 178–187.
- [12] CHUN, B., CULLER, D., ROSCOE, T., BAVIER, A., PETERSON, L., WAWRZONIAK, M., AND BOWMAN, M. PlanetLab: an overlay testbed for broad-coverage services. SIGCOMM Comput. Commun. Rev. 33, 3 (2003), 3–12.
- [13] DAEMON9. Project Loki. Phrack Magazine 7, 49 (August 1996).
- [14] DAVEY, M. C., AND MACKAY, D. J. C. Reliable communication over channels with insertions, deletions, and substitutions. IEEE Transactions on Information Theory 47 (2001).
- [15] SELLERS, F. F., JR. Bit loss and gain correction code. IEEE Transactions on Information Theory 8 (1962), 35–38.
- [16] GILES, J., AND HAJEK, B. An Information-Theoretic and Game-Theoretic Study of Timing Channels. IEEE Transactions on Information Theory 48 (2002).
- [17] HELOUET, L., JARD, C., AND ZEITOUN, M. Covert channels detection in protocols using scenarios. In Proceedings of SPV '2003, Workshop on Security Protocols Verification (2003). Satellite of CONCUR '03. Available at http://www.loria.fr/~rusi/spv.pdf.
- [18] HU, W.-M. Reducing Timing Channels with Fuzzy Time. In IEEE Symposium on Security and Privacy (1991).
- [19] JACOBSON, V., BRADEN, R., AND BORMAN, D. RFC 1323: TCP Extensions for High Performance, 1992.
- [20] KANG, M. H., AND MOSKOWITZ, I. S. A Data Pump for Communication. Tech. rep., Naval Research Laboratory, 1995.
- [21] KANG, M. H., MOSKOWITZ, I. S., AND LEE, D. C. A Network Version of the Pump. In IEEE Symposium on Security and Privacy (1995).
- [22] KANG, M. H., MOSKOWITZ, I. S., MONTROSE, B. E., AND PARSONESE, J. J. A Case Study of Two NRL Pump Prototypes. In ACSAC '96: Proceedings of the 12th Annual Computer Security Applications Conference (Washington, DC, USA, 1996), IEEE Computer Society, p. 32.
- [23] KELSEY, J., SCHNEIER, B., WAGNER, D., AND HALL, C. Side Channel Cryptanalysis of Product Ciphers. In ESORICS '98 (1998).
- [24] KEMMERER, R. A. A Practical Approach to Identifying Storage and Timing Channels: Twenty Years Later. In ACSAC '02: Proceedings of the 18th Annual Computer Security Applications Conference (Washington, DC, USA, 2002), IEEE Computer Society, p. 109.
- [25] KOCHER, P. C. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In CRYPTO (1996), pp. 104–113.
- [26] KOHNO, T., BROIDO, A., AND CLAFFY, KC. Remote Physical Device Fingerprinting. In IEEE Symposium on Security and Privacy (2005).
- [27] LAMPSON, B. W. A Note on the Confinement Problem. Communications of the ACM 16 (1973).
- [28] LEE, P. Combined error-correcting/modulation recording codes. PhD thesis, University of California, San Diego, 1988.
- [29] LEVENSHTEIN, V. I. Binary codes capable of correcting deletions, insertions and reversals. Soviet Physics Doklady 10 (1966), 707–710.
- [30] LEVINE, B., REITER, M., WANG, C., AND WRIGHT, M. Timing Attacks in Low-Latency Mix Systems. In Proceedings of Financial Cryptography: 8th International Conference (FC 2004), LNCS 3110 (2004).
- [31] MILLEN, J. 20 years of covert channel modeling and analysis. In IEEE Symposium on Security and Privacy (1999).
- [32] MILLER, R. B. Response time in man-computer conversational transactions. In AFIPS Fall Joint Computer Conference (1968), vol. 33.
- [33] MOSKOWITZ, I. S., AND KANG, M. H. Covert Channels – Here to Stay? In COMPASS (1994).
- [34] MOSKOWITZ, I. S., AND MILLER, A. R. The Influence of Delay Upon an Idealized Channel's Bandwidth. In SP '92: Proceedings of the 1992 IEEE Symposium on Security and Privacy (Washington, DC, USA, 1992), IEEE Computer Society, p. 62.
- [35] MOSKOWITZ, I. S., AND MILLER, A. R. Simple timing channels. In IEEE Symposium on Security and Privacy (1994).
- [36] MURDOCH, S., AND DANEZIS, G. Low-cost traffic analysis of Tor. In Proceedings of the 2005 IEEE Symposium on Security and Privacy (2005).
- [37] NAGLE, J. RFC 896: Congestion Control in IP/TCP Internetworks, 1984.
- [38] PROCTOR, N. E., AND NEUMANN, P. G. Architectural Implications of Covert Channels. In 15th National Computer Security Conference (1992).
- [39] RATZER, E. A., AND MACKAY, D. J. C. Codes for channels with insertions, deletions and substitutions. In Proceedings of the 2nd International Symposium on Turbo Codes and Related Topics, Brest, France (2000), pp. 149–156.
- [40] SHANNON, C. E. A mathematical theory of communication. Bell System Technical Journal 27 (1948), 379–423 and 623–656.
- [41] SONG, D. X., WAGNER, D., AND TIAN, X. Timing analysis of keystrokes and timing attacks on SSH. In USENIX Security Symposium (2001).
- [42] TANAKA, E., AND KASAI, T. Synchronization and substitution error-correcting codes for the Levenshtein metric. IEEE Transactions on Information Theory 22 (March 1976), 156–162.
- [43] VENKATRAMAN, B. R., AND NEWMAN-WOLFE, R. Capacity Estimation and Auditability of Network Covert Channels. In IEEE Symposium on Security and Privacy (1995).
- [44] WANG, X., CHEN, S., AND JAJODIA, S. Tracking anonymous peer-to-peer VoIP calls on the Internet. In CCS '05: Proceedings of the 12th ACM Conference on Computer and Communications Security (New York, NY, USA, 2005), ACM Press, pp. 81–91.
- [45] WANG, X., AND REEVES, D. Robust Correlation of Encrypted Attack Traffic Through Stepping Stones by Manipulation of Interpacket Delays. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003) (2003).
- [46] WRAY, J. C. An Analysis of Covert Timing Channels. In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, California (1991).