SlideShare a Scribd company logo
COVERT TIMING CHANNELS
USING HTTP CACHE HEADERS
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University
Information Security and Cryptography Department
SEPTEMBER 8 - 13
EKATERINBURG
2014
Introduction
A covert channel is a mechanism for sending and
receiving information between hosts without alerting any
firewalls and IDSs
HTTP is one of the most used Internet protocol so
detections of the covert channels over the HTTP is an
important research area
2
Example – HTTP Headers
3
Using steganography methods in header values
Suppose that
Then
“en” 0
“fr” 1
Accept-Language: en,fr 01
Accept-Language: fr,en 10
Accept-Language: en,fr,en,fr,en,en,en,en 0x50
Covert Channels’ Usage
4
• Transfer illegal content
• Stealing information from “secure”
environments
• Controlling botnets
Types Of Covert Channels
5
TIME DEPENDENCE
• Storage channels – a storage location is written to and
read from
• Timing channels – transmitting information through time
values
DIRECTION
• Client – server
• Server – client
Client-Server Covert Channels
6
Client-server covert channels are easier to implement, e.g.
covert storage channel via If-Range request header
GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L
…
Hex-encoded data
Server-Client Covert Channels
7
Server-client channels are more complicated and most of
them are timing channels so it is more interesting to
research
Basic HTTP Cache Headers
8
RESPONSE (SERVER) HEADERS
• Last-Modified
• ETag
REQUEST (CLIENT) HEADERS
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-Non-Match Request
Response
Last-Modified Response Header
9
Last-Modified HTTP header stores a date of the last web
entity’s modification
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive
(data)
Page
request
Response
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
ETag Response Header
10
The ETag value is formed from the hex values of
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
Connection: keep-alive
(data)
Page
request
Response
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
120c7bL-32bL-4f86d4105ac62L
file's inode size last-modified time (mtime)
Common Usage of Cache Request Headers
11
HTTP cache headers allows web-client not to download a
page if it hasn’t been changed since the certain time
Page
request
Page has been
changed
HTTP/1.1 200 OK
(page data)
Page has not been
changed
HTTP/1.1 304 OK
(only headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since:
Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match:
120c7bL-32bL-4f86d4105ac62L
(other headers)
Common Usage of Cache Request Headers
12
Second pair of headers does the same as previous but
with logically inverse condition
Page
request
Page has been
changed
HTTP/1.1 412 OK
(page data)
Page has not been
changed
HTTP/1.1 200 OK
(only headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since:
Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Match:
120c7bL-32bL-4f86d4105ac62L
(other headers)
Covert Timing Channel Model
13
read writet
writet
p1 p2
read writet read write
Internet
2 different threat models:
Web server is under
intruders’ control
message.txt -- read-only
some_page.html -- write-only
General Covert Channels Scheme
14
Page has not been
changed
HTTP
request
Received
‘0’
Page has been changed
Received
‘1’
Store new
header value
Covert Channels Using HTTP Cache
Headers
15
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header
• ETag header value
• Using If-Match header
• Using If-None-Match header
Last-Modified based
ETag based
Last-Modified Based Channels
16
HTTP
request
Get new header value
Received ‘1’
If header value
changed
Store header value
Received ‘0’
Wait
n
seconds
then else
Last-Modified header value covert channel
Last-Modified:
Wed, 02 Apr 2014
14:33:39 GMT
Last-Modified Based Channels
17
Covert channel using If-Modified
If-Modified-Since:
Wed, 02 Apr 2014
14:33:39 GMT
If-Modified
request
Received ‘1’
If HTTP code
is “200”
Store header value
Received ‘0’
Wait
n
secondsthen else
Last-Modified Based Channels
18
If-Unmodified
request
Received ‘1’
If HTTP code
is “412”
Store header value
Received ‘0’
Wait
n
secondsthen else
Covert channel using If-Unmodified
If-Unmodified-Since:
Wed, 02 Apr 2014
14:33:39 GMT
ETag Based Channels
19
ETag header value covert channel
ETag:
120c7bL-32bL-
4f86d4105ac62L
HTTP
request
Get new header value
Received ‘1’
If header value
changed
Store header value
Received ‘0’
Wait
n
seconds
then else
ETag Based Channels
20
Covert channel using If-None-Match
If-None-Match:
120c7bL-32bL-
4f86d4105ac62L
If-None-Match
request
Received ‘1’
If HTTP code
is “200”
Store header value
Received ‘0’
Wait
n
secondsthen else
ETag Based Channels
21
Covert channel using If-Match
If-Match:
120c7bL-32bL-
4f86d4105ac62L
If-Match
request
Received ‘1’
If HTTP code
is “412”
Store header value
Received ‘0’
Wait
n
secondsthen else
Ways to Implement
In tons of possible ways we focus on
• Python – Socket library
• C++ – Boost ASIO library
• С – simple C socket library
We choose C due to its highest performance (among
these ways) and decent stability
First threat model is chosen because of minimal
requirements
22
Implementation
23
Send HTTP
request
Get host response
Write ‘1’ to output
If page has
been
modified
Store new header
Write ‘0’ to output
Sleep
N
seconds
then else
Issues
24
Issue Solution
Server-client synchronization Special synchronizing function
Different time of requests Dynamic sleep time
Lateness after sleep “Active” sleep
High CPU load with “active sleep” “Dynamic” and “active” sleep
combination
Some problems we solved during implementation
Issue 1
25
Necessity of synchronization “read” (web client) and “write”
(host) services
Solution:
Synchronizing function that does requests at a maximum
speed (without sleep)
Send HTTP
request
Get host response
If page has
been changed
then else
Issue 2
26
Different time of requests can break services
synchronization
Solution:
Dynamic sleep time equals to
(sleep_time – time took for request)
Calculate time
took for request
diff_time
Sleep
(sleep_time – diff_time) µs
Issue 3
27
Inaccurate sleep - after sleep (func usleep() is used) the
program can awake with 10-200μs lateness
Solution:
Use “active sleep” - calculation time difference between last
request and current moment while it is less than
sleep_time
Calc diff_time
If diff_time <
sleep_time
thenelse
Issue 4
28
High CPU load with “active sleep”
Solution:
Combine “active” and “dynamic” sleep
Calculate diff_time
If diff_time < CONST
thenelse
Sleep
(sleep_time – CONST – request_time)
where CONST is constant about 1000 µs (or less depending on PC
performance)
Advantages
29
ADVANTAGES OF COVERT TIMING CHANNELS WITH
FIRST INTRUDER MODEL
• Does not modify common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on web page that is used by the
channel do not break its work
• Information flow looks like something refreshes a web
page every n seconds
Specification – Last-Modified
1st threat model
30
Sleep
time
Min start
sequence
Avg
sequence
Max
sequence
Speed Accuracy
1 second 3200 bits 8848 bits 19712 bits 1bit/s 99,82%
2 seconds 3400 bits 10145 bits 22143 bits 0.5 bit/s 99,87%
• Min start sequence – minimum number of bits passed
from the beginning of a conversation till the first mistake
• Avg and Max sequence – number of bits passed without
any mistakes in a row in average and at best
• Accuracy – percent of correctly transmitted bits
Specification – ETag
1st threat model
31
Sleep
time
Min start
sequence
Avg
sequence
Max
sequence
Speed Accuracy
1 second 3200 bits 8848 bits 19712 bits 1bit/s 99,82%
0.5
seconds
2400 bits 8142 bits 18123 bits 2 bit/s 99,5%
ETag contains mtime (last modified time with microsecond
accuracy), so theoretical channel capacity is bigger than
its practically possible one.
Maximum practical speed of the covert channels is about 1
bit per (2L+T) seconds, where L is HTTP latency between
u2 and s1 and T is a time that is needed for auxiliary
operations
Covert Channels in Browsers
Kenton Born “Browser-based covert data exfiltration”
DOMAIN NAME SYSTEM (DNS)
Query: “Where is some.domain.example.com?”
Response: “It is at 88.0.13.37!”
IT’S CLIENT-SERVER CHANNEL 32
some.domain.example.com
Subdomain Domain
bigbrother.watchingme.evil.com
Information Domain
Covert Channels in Browsers
DNS TUNNEL
IT’S SERVER-CLIENT CHANNEL
33
first.bit.evil.com
Information Domain
It is 66.45.234.2 NXdomain
Received 1 Received 0
Server-Client Browser Channel
Purpose:
To implement covert timing channels using browser-side
technologies as JavaScript, AJAX and different HTML
features
34
Timing Channels in Browsers
Problems:
• Lack of any “sleep” function
• Low accuracy of existing time management
functions
• Difficulties with synchronization of covert channel’s
server and client
So implementation of the used model is pointless, but it is
possible to implement covert channels in these restrictions
using second threat model (controlled web server)
35
Timing Channels in Browsers
Use the same client-side model but in JavaScript
3636
Send HTTP
request
Get host response
Write ‘1’ to output
If page
has been
modified
Store new header
Write ‘0’ to output
Sleep
N
seconds
then else
setInterval
Timing Channels in Browsers
Some refactoring of server-side model
3737
Send new header value
If current
message bit
is ‘1’
Store header value
Send old header value
then else
WAIT for HTTP request
Issues
38
Issue Solution
Server-client synchronization Client visit special page to begin
conversation
End of message determination Client receive some special HTTP
code in response, e.g. 404 – Not
Found or 403 - Forbidden
Single client only communication Opening session that stores
transferring bit number for each
client
Specification
2nd threat model – controlled server
Browser based implementation of channels (client in
JavaScript)
39
Header
Server
version
Average
HTTP
ping
Max HTTP
ping
Speed
Max
sequence
Last-
Modified
Python 560.3 ms 1621.8 ms 0.53 bit/s
unlimited
PHP 508 ms 532.2 ms 0.58 bit/s
ETag
Python 560.3 ms 1621.8 ms 1.02 bit/s
unlimited
PHP 508 ms 532.2 ms 1.18 bit/s
Specification
2nd threat model – controlled server
Testing channels implementation in C with PHP server
Purpose: to make estimation of maximum speed
40
Header Network
Average
HTTP ping
Speed
ETag
Local host 0.55 ms 986 bit/s
Data center local
network
1.63 ms 845.65 bit/s
Local network 6.9 ms 295.69 bit/s
Internet 383.2 ms 4.89 bit/s
Proof of Concept
GitHub
– https://github.com/tsu-iscd/HttpCovertChannels
41
42
https://github.com/beefproject/beef
“BeEF allows the professional penetration tester to
assess the actual security posture of a target
environment by using client-side attack vectors.”
The Browser Exploitation Framework
Conclusions
43
Future work: implementation of the ETag based covert
timing channel as a BEEF module
writet Internet
44
Denis Kolegov
dnkolegov@gmail.com
@dnkolegov
Oleg Broslavsky
ovbroslavsky@gmail.com
@yalegko
Nikita Oleksov
neoleksov@gmail.com
@neoleksov

More Related Content

What's hot

Part 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsPart 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocols
Olivier Bonaventure
 
4 transport-sharing
4 transport-sharing4 transport-sharing
4 transport-sharing
Olivier Bonaventure
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure  V1.0Defeating The Network Security Infrastructure  V1.0
Defeating The Network Security Infrastructure V1.0
Philippe Bogaerts
 
Gemtalk Systems Product Roadmap
Gemtalk Systems Product RoadmapGemtalk Systems Product Roadmap
Gemtalk Systems Product Roadmap
ESUG
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
hugo lu
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basics
Juraj Hantak
 
Real-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineReal-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot Engine
Fabio Alessandrelli
 
加快互联网核心协议,提高Web速度yuchungcheng
加快互联网核心协议,提高Web速度yuchungcheng加快互联网核心协议,提高Web速度yuchungcheng
加快互联网核心协议,提高Web速度yuchungcheng
Michael Zhang
 
Multi tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-finalMulti tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-final
Sadique Puthen
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSOpenstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Sadique Puthen
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
Himani Singh
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen
 
Nginx Scalable Stack
Nginx Scalable StackNginx Scalable Stack
Nginx Scalable Stack
Bruno Paiuca
 
Technical Overview of QUIC
Technical  Overview of QUICTechnical  Overview of QUIC
Technical Overview of QUIC
shigeki_ohtsu
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
9 ipv6-routing
9 ipv6-routing9 ipv6-routing
9 ipv6-routing
Olivier Bonaventure
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
Jeff Anderson
 
How to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyHow to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor Netty
VMware Tanzu
 
Enabling Googley microservices with HTTP/2 and gRPC.
Enabling Googley microservices with HTTP/2 and gRPC.Enabling Googley microservices with HTTP/2 and gRPC.
Enabling Googley microservices with HTTP/2 and gRPC.
Alex Borysov
 

What's hot (20)

Part 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocolsPart 5 : Sharing resources, security principles and protocols
Part 5 : Sharing resources, security principles and protocols
 
4 transport-sharing
4 transport-sharing4 transport-sharing
4 transport-sharing
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure  V1.0Defeating The Network Security Infrastructure  V1.0
Defeating The Network Security Infrastructure V1.0
 
Gemtalk Systems Product Roadmap
Gemtalk Systems Product RoadmapGemtalk Systems Product Roadmap
Gemtalk Systems Product Roadmap
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basics
 
Real-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot EngineReal-time Online Multiplayer with Godot Engine
Real-time Online Multiplayer with Godot Engine
 
加快互联网核心协议,提高Web速度yuchungcheng
加快互联网核心协议,提高Web速度yuchungcheng加快互联网核心协议,提高Web速度yuchungcheng
加快互联网核心协议,提高Web速度yuchungcheng
 
Multi tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-finalMulti tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-final
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSOpenstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
 
Nginx Scalable Stack
Nginx Scalable StackNginx Scalable Stack
Nginx Scalable Stack
 
Technical Overview of QUIC
Technical  Overview of QUICTechnical  Overview of QUIC
Technical Overview of QUIC
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
 
9 ipv6-routing
9 ipv6-routing9 ipv6-routing
9 ipv6-routing
 
Troubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support EngineerTroubleshooting Tips from a Docker Support Engineer
Troubleshooting Tips from a Docker Support Engineer
 
How to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyHow to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor Netty
 
Enabling Googley microservices with HTTP/2 and gRPC.
Enabling Googley microservices with HTTP/2 and gRPC.Enabling Googley microservices with HTTP/2 and gRPC.
Enabling Googley microservices with HTTP/2 and gRPC.
 

Similar to Covert timing channels using HTTP cache headers

Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Denis Kolegov
 
Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28
Xavier Lucas
 
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
Amazon Web Services
 
Computer networks module 5 content covered in this ppt
Computer networks module 5 content covered in this pptComputer networks module 5 content covered in this ppt
Computer networks module 5 content covered in this ppt
vinuthak18
 
computer networking
computer networkingcomputer networking
computer networking
seyvan rahimi
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Ontico
 
HTTP
HTTPHTTP
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
Shuya Osaki
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
inbroker
 
SFMap (TMA 2015)
SFMap (TMA 2015)SFMap (TMA 2015)
SFMap (TMA 2015)
mori_tatsuya
 
Tuning the Kernel for Varnish Cache
Tuning the Kernel for Varnish CacheTuning the Kernel for Varnish Cache
Tuning the Kernel for Varnish Cache
Per Buer
 
Network Application Performance
Network Application PerformanceNetwork Application Performance
Network Application Performance
Shumon Huque
 
Http2 kotlin
Http2   kotlinHttp2   kotlin
Http2 kotlin
Andrii Bezruchko
 
Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE
confluent
 
Kafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINEKafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINE
kawamuray
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
Ido Flatow
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over Wireless
Farooq Khan
 
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
Edward Burns
 
HTML5, HTTP2, and You 1.1
HTML5, HTTP2, and You 1.1HTML5, HTTP2, and You 1.1
HTML5, HTTP2, and You 1.1
Daniel Austin
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Amazon Web Services
 

Similar to Covert timing channels using HTTP cache headers (20)

Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
Covert Timing Channels based on HTTP Cache Headers (Special Edition for Top 1...
 
Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28
 
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
(WEB401) Optimizing Your Web Server on AWS | AWS re:Invent 2014
 
Computer networks module 5 content covered in this ppt
Computer networks module 5 content covered in this pptComputer networks module 5 content covered in this ppt
Computer networks module 5 content covered in this ppt
 
computer networking
computer networkingcomputer networking
computer networking
 
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...
 
HTTP
HTTPHTTP
HTTP
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 
SFMap (TMA 2015)
SFMap (TMA 2015)SFMap (TMA 2015)
SFMap (TMA 2015)
 
Tuning the Kernel for Varnish Cache
Tuning the Kernel for Varnish CacheTuning the Kernel for Varnish Cache
Tuning the Kernel for Varnish Cache
 
Network Application Performance
Network Application PerformanceNetwork Application Performance
Network Application Performance
 
Http2 kotlin
Http2   kotlinHttp2   kotlin
Http2 kotlin
 
Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy—160 Billion Daily Messages on One Shared Cluster at LINE
 
Kafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINEKafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINE
Kafka Multi-Tenancy - 160 Billion Daily Messages on One Shared Cluster at LINE
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over Wireless
 
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
 
HTML5, HTTP2, and You 1.1
HTML5, HTTP2, and You 1.1HTML5, HTTP2, and You 1.1
HTML5, HTTP2, and You 1.1
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
 

More from yalegko

SD-WAN Internet Census
SD-WAN Internet CensusSD-WAN Internet Census
SD-WAN Internet Census
yalegko
 
So Your WAF Needs a Parser
So Your WAF Needs a ParserSo Your WAF Needs a Parser
So Your WAF Needs a Parser
yalegko
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
yalegko
 
[ISC] Docker + Swarm
[ISC] Docker + Swarm[ISC] Docker + Swarm
[ISC] Docker + Swarm
yalegko
 
How to Open School For Young Hackers
How to Open School For Young HackersHow to Open School For Young Hackers
How to Open School For Young Hackers
yalegko
 
How to make school CTF
How to make school CTFHow to make school CTF
How to make school CTF
yalegko
 
AOP and Inversion of Conrol
AOP and Inversion of ConrolAOP and Inversion of Conrol
AOP and Inversion of Conrol
yalegko
 
White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.
yalegko
 
White box cryptography
White box cryptographyWhite box cryptography
White box cryptography
yalegko
 
How to admin
How to adminHow to admin
How to admin
yalegko
 
ИИ: Этические аспекты проблемы выбора
ИИ: Этические аспекты проблемы выбораИИ: Этические аспекты проблемы выбора
ИИ: Этические аспекты проблемы выбора
yalegko
 
Include and extend in Ruby
Include and extend in RubyInclude and extend in Ruby
Include and extend in Ruby
yalegko
 
Not a children in da web
Not a children in da webNot a children in da web
Not a children in da web
yalegko
 

More from yalegko (13)

SD-WAN Internet Census
SD-WAN Internet CensusSD-WAN Internet Census
SD-WAN Internet Census
 
So Your WAF Needs a Parser
So Your WAF Needs a ParserSo Your WAF Needs a Parser
So Your WAF Needs a Parser
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
[ISC] Docker + Swarm
[ISC] Docker + Swarm[ISC] Docker + Swarm
[ISC] Docker + Swarm
 
How to Open School For Young Hackers
How to Open School For Young HackersHow to Open School For Young Hackers
How to Open School For Young Hackers
 
How to make school CTF
How to make school CTFHow to make school CTF
How to make school CTF
 
AOP and Inversion of Conrol
AOP and Inversion of ConrolAOP and Inversion of Conrol
AOP and Inversion of Conrol
 
White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.White-Box HMAC. Make your cipher secure to white-box attacks.
White-Box HMAC. Make your cipher secure to white-box attacks.
 
White box cryptography
White box cryptographyWhite box cryptography
White box cryptography
 
How to admin
How to adminHow to admin
How to admin
 
ИИ: Этические аспекты проблемы выбора
ИИ: Этические аспекты проблемы выбораИИ: Этические аспекты проблемы выбора
ИИ: Этические аспекты проблемы выбора
 
Include and extend in Ruby
Include and extend in RubyInclude and extend in Ruby
Include and extend in Ruby
 
Not a children in da web
Not a children in da webNot a children in da web
Not a children in da web
 

Recently uploaded

Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
PsychoTech Services
 
How to Fix [Errno 98] address already in use
How to Fix [Errno 98] address already in useHow to Fix [Errno 98] address already in use
How to Fix [Errno 98] address already in use
Celine George
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
nitinpv4ai
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
indexPub
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
Kalna College
 
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
andagarcia212
 
78 Microsoft-Publisher - Sirin Sultana Bora.pptx
78 Microsoft-Publisher - Sirin Sultana Bora.pptx78 Microsoft-Publisher - Sirin Sultana Bora.pptx
78 Microsoft-Publisher - Sirin Sultana Bora.pptx
Kalna College
 
220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx
Kalna College
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
EduSkills OECD
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
zuzanka
 
Educational Technology in the Health Sciences
Educational Technology in the Health SciencesEducational Technology in the Health Sciences
Educational Technology in the Health Sciences
Iris Thiele Isip-Tan
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
Kalna College
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Kalna College
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Henry Hollis
 
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
Nguyen Thanh Tu Collection
 
How to Manage Reception Report in Odoo 17
How to Manage Reception Report in Odoo 17How to Manage Reception Report in Odoo 17
How to Manage Reception Report in Odoo 17
Celine George
 
BPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end examBPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end exam
sonukumargpnirsadhan
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
سمير بسيوني
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
Steve Thomason
 
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
Kalna College
 

Recently uploaded (20)

Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...Gender and Mental Health - Counselling and Family Therapy Applications and In...
Gender and Mental Health - Counselling and Family Therapy Applications and In...
 
How to Fix [Errno 98] address already in use
How to Fix [Errno 98] address already in useHow to Fix [Errno 98] address already in use
How to Fix [Errno 98] address already in use
 
Bonku-Babus-Friend by Sathyajith Ray (9)
Bonku-Babus-Friend by Sathyajith Ray  (9)Bonku-Babus-Friend by Sathyajith Ray  (9)
Bonku-Babus-Friend by Sathyajith Ray (9)
 
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
 
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
欧洲杯下注-欧洲杯下注押注官网-欧洲杯下注押注网站|【​网址​🎉ac44.net🎉​】
 
78 Microsoft-Publisher - Sirin Sultana Bora.pptx
78 Microsoft-Publisher - Sirin Sultana Bora.pptx78 Microsoft-Publisher - Sirin Sultana Bora.pptx
78 Microsoft-Publisher - Sirin Sultana Bora.pptx
 
220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx220711130088 Sumi Basak Virtual University EPC 3.pptx
220711130088 Sumi Basak Virtual University EPC 3.pptx
 
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...
 
SWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptxSWOT analysis in the project Keeping the Memory @live.pptx
SWOT analysis in the project Keeping the Memory @live.pptx
 
Educational Technology in the Health Sciences
Educational Technology in the Health SciencesEducational Technology in the Health Sciences
Educational Technology in the Health Sciences
 
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
220711130083 SUBHASHREE RAKSHIT  Internet resources for social science220711130083 SUBHASHREE RAKSHIT  Internet resources for social science
220711130083 SUBHASHREE RAKSHIT Internet resources for social science
 
Contiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptxContiguity Of Various Message Forms - Rupam Chandra.pptx
Contiguity Of Various Message Forms - Rupam Chandra.pptx
 
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.pptLevel 3 NCEA - NZ: A  Nation In the Making 1872 - 1900 SML.ppt
Level 3 NCEA - NZ: A Nation In the Making 1872 - 1900 SML.ppt
 
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
CHUYÊN ĐỀ ÔN TẬP VÀ PHÁT TRIỂN CÂU HỎI TRONG ĐỀ MINH HỌA THI TỐT NGHIỆP THPT ...
 
How to Manage Reception Report in Odoo 17
How to Manage Reception Report in Odoo 17How to Manage Reception Report in Odoo 17
How to Manage Reception Report in Odoo 17
 
BPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end examBPSC-105 important questions for june term end exam
BPSC-105 important questions for june term end exam
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
 
A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
 
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
 

Covert timing channels using HTTP cache headers

  • 1. COVERT TIMING CHANNELS USING HTTP CACHE HEADERS Denis Kolegov, Oleg Broslavsky, Nikita Oleksov Tomsk State University Information Security and Cryptography Department SEPTEMBER 8 - 13 EKATERINBURG 2014
  • 2. Introduction A covert channel is a mechanism for sending and receiving information between hosts without alerting any firewalls and IDSs HTTP is one of the most used Internet protocol so detections of the covert channels over the HTTP is an important research area 2
  • 3. Example – HTTP Headers 3 Using steganography methods in header values Suppose that Then “en” 0 “fr” 1 Accept-Language: en,fr 01 Accept-Language: fr,en 10 Accept-Language: en,fr,en,fr,en,en,en,en 0x50
  • 4. Covert Channels’ Usage 4 • Transfer illegal content • Stealing information from “secure” environments • Controlling botnets
  • 5. Types Of Covert Channels 5 TIME DEPENDENCE • Storage channels – a storage location is written to and read from • Timing channels – transmitting information through time values DIRECTION • Client – server • Server – client
  • 6. Client-Server Covert Channels 6 Client-server covert channels are easier to implement, e.g. covert storage channel via If-Range request header GET / HTTP/1.1 Host: 162.71.12.43 If-Range: 120c7bL-32bL-4f86d4105ac62L … Hex-encoded data
  • 7. Server-Client Covert Channels 7 Server-client channels are more complicated and most of them are timing channels so it is more interesting to research
  • 8. Basic HTTP Cache Headers 8 RESPONSE (SERVER) HEADERS • Last-Modified • ETag REQUEST (CLIENT) HEADERS • If-Modified-Since • If-Unmodified-Since • If-Match • If-Non-Match Request Response
  • 9. Last-Modified Response Header 9 Last-Modified HTTP header stores a date of the last web entity’s modification HTTP/1.1 200 OK Server: nginx/1.1.19 Date: Wed, 02 Apr 2014 14:33:39 GMT Content-Type: text/html Content-Length: 124 Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT Connection: keep-alive (data) Page request Response GET / HTTP/1.1 Host: 162.71.12.43 (other headers)
  • 10. ETag Response Header 10 The ETag value is formed from the hex values of HTTP/1.1 200 OK Server: Apache/2.2.22 (Ubuntu) Date: Wed, 02 Apr 2014 14:33:39 GMT Content-Type: text/html Content-Length: 124 ETag: 120c7bL-32bL-4f86d4105ac62L Connection: keep-alive (data) Page request Response GET / HTTP/1.1 Host: 162.71.12.43 (other headers) 120c7bL-32bL-4f86d4105ac62L file's inode size last-modified time (mtime)
  • 11. Common Usage of Cache Request Headers 11 HTTP cache headers allows web-client not to download a page if it hasn’t been changed since the certain time Page request Page has been changed HTTP/1.1 200 OK (page data) Page has not been changed HTTP/1.1 304 OK (only headers) GET / HTTP/1.1 Host: 162.71.12.43 If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT (other headers) GET / HTTP/1.1 Host: 162.71.12.43 If-None-Match: 120c7bL-32bL-4f86d4105ac62L (other headers)
  • 12. Common Usage of Cache Request Headers 12 Second pair of headers does the same as previous but with logically inverse condition Page request Page has been changed HTTP/1.1 412 OK (page data) Page has not been changed HTTP/1.1 200 OK (only headers) GET / HTTP/1.1 Host: 162.71.12.43 If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT (other headers) GET / HTTP/1.1 Host: 162.71.12.43 If-Match: 120c7bL-32bL-4f86d4105ac62L (other headers)
  • 13. Covert Timing Channel Model 13 read writet writet p1 p2 read writet read write Internet 2 different threat models: Web server is under intruders’ control message.txt -- read-only some_page.html -- write-only
  • 14. General Covert Channels Scheme 14 Page has not been changed HTTP request Received ‘0’ Page has been changed Received ‘1’ Store new header value
  • 15. Covert Channels Using HTTP Cache Headers 15 • Last-Modified header value • Using If-Modified-Since header • Using If-Unmodified-Since header • ETag header value • Using If-Match header • Using If-None-Match header Last-Modified based ETag based
  • 16. Last-Modified Based Channels 16 HTTP request Get new header value Received ‘1’ If header value changed Store header value Received ‘0’ Wait n seconds then else Last-Modified header value covert channel Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
  • 17. Last-Modified Based Channels 17 Covert channel using If-Modified If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT If-Modified request Received ‘1’ If HTTP code is “200” Store header value Received ‘0’ Wait n secondsthen else
  • 18. Last-Modified Based Channels 18 If-Unmodified request Received ‘1’ If HTTP code is “412” Store header value Received ‘0’ Wait n secondsthen else Covert channel using If-Unmodified If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT
  • 19. ETag Based Channels 19 ETag header value covert channel ETag: 120c7bL-32bL- 4f86d4105ac62L HTTP request Get new header value Received ‘1’ If header value changed Store header value Received ‘0’ Wait n seconds then else
  • 20. ETag Based Channels 20 Covert channel using If-None-Match If-None-Match: 120c7bL-32bL- 4f86d4105ac62L If-None-Match request Received ‘1’ If HTTP code is “200” Store header value Received ‘0’ Wait n secondsthen else
  • 21. ETag Based Channels 21 Covert channel using If-Match If-Match: 120c7bL-32bL- 4f86d4105ac62L If-Match request Received ‘1’ If HTTP code is “412” Store header value Received ‘0’ Wait n secondsthen else
  • 22. Ways to Implement In tons of possible ways we focus on • Python – Socket library • C++ – Boost ASIO library • С – simple C socket library We choose C due to its highest performance (among these ways) and decent stability First threat model is chosen because of minimal requirements 22
  • 23. Implementation 23 Send HTTP request Get host response Write ‘1’ to output If page has been modified Store new header Write ‘0’ to output Sleep N seconds then else
  • 24. Issues 24 Issue Solution Server-client synchronization Special synchronizing function Different time of requests Dynamic sleep time Lateness after sleep “Active” sleep High CPU load with “active sleep” “Dynamic” and “active” sleep combination Some problems we solved during implementation
  • 25. Issue 1 25 Necessity of synchronization “read” (web client) and “write” (host) services Solution: Synchronizing function that does requests at a maximum speed (without sleep) Send HTTP request Get host response If page has been changed then else
  • 26. Issue 2 26 Different time of requests can break services synchronization Solution: Dynamic sleep time equals to (sleep_time – time took for request) Calculate time took for request diff_time Sleep (sleep_time – diff_time) µs
  • 27. Issue 3 27 Inaccurate sleep - after sleep (func usleep() is used) the program can awake with 10-200μs lateness Solution: Use “active sleep” - calculation time difference between last request and current moment while it is less than sleep_time Calc diff_time If diff_time < sleep_time thenelse
  • 28. Issue 4 28 High CPU load with “active sleep” Solution: Combine “active” and “dynamic” sleep Calculate diff_time If diff_time < CONST thenelse Sleep (sleep_time – CONST – request_time) where CONST is constant about 1000 µs (or less depending on PC performance)
  • 29. Advantages 29 ADVANTAGES OF COVERT TIMING CHANNELS WITH FIRST INTRUDER MODEL • Does not modify common HTTP request structure • Does not require web-server modifications • Any read-only activity on web page that is used by the channel do not break its work • Information flow looks like something refreshes a web page every n seconds
  • 30. Specification – Last-Modified 1st threat model 30 Sleep time Min start sequence Avg sequence Max sequence Speed Accuracy 1 second 3200 bits 8848 bits 19712 bits 1bit/s 99,82% 2 seconds 3400 bits 10145 bits 22143 bits 0.5 bit/s 99,87% • Min start sequence – minimum number of bits passed from the beginning of a conversation till the first mistake • Avg and Max sequence – number of bits passed without any mistakes in a row in average and at best • Accuracy – percent of correctly transmitted bits
  • 31. Specification – ETag 1st threat model 31 Sleep time Min start sequence Avg sequence Max sequence Speed Accuracy 1 second 3200 bits 8848 bits 19712 bits 1bit/s 99,82% 0.5 seconds 2400 bits 8142 bits 18123 bits 2 bit/s 99,5% ETag contains mtime (last modified time with microsecond accuracy), so theoretical channel capacity is bigger than its practically possible one. Maximum practical speed of the covert channels is about 1 bit per (2L+T) seconds, where L is HTTP latency between u2 and s1 and T is a time that is needed for auxiliary operations
  • 32. Covert Channels in Browsers Kenton Born “Browser-based covert data exfiltration” DOMAIN NAME SYSTEM (DNS) Query: “Where is some.domain.example.com?” Response: “It is at 88.0.13.37!” IT’S CLIENT-SERVER CHANNEL 32 some.domain.example.com Subdomain Domain bigbrother.watchingme.evil.com Information Domain
  • 33. Covert Channels in Browsers DNS TUNNEL IT’S SERVER-CLIENT CHANNEL 33 first.bit.evil.com Information Domain It is 66.45.234.2 NXdomain Received 1 Received 0
  • 34. Server-Client Browser Channel Purpose: To implement covert timing channels using browser-side technologies as JavaScript, AJAX and different HTML features 34
  • 35. Timing Channels in Browsers Problems: • Lack of any “sleep” function • Low accuracy of existing time management functions • Difficulties with synchronization of covert channel’s server and client So implementation of the used model is pointless, but it is possible to implement covert channels in these restrictions using second threat model (controlled web server) 35
  • 36. Timing Channels in Browsers Use the same client-side model but in JavaScript 3636 Send HTTP request Get host response Write ‘1’ to output If page has been modified Store new header Write ‘0’ to output Sleep N seconds then else setInterval
  • 37. Timing Channels in Browsers Some refactoring of server-side model 3737 Send new header value If current message bit is ‘1’ Store header value Send old header value then else WAIT for HTTP request
  • 38. Issues 38 Issue Solution Server-client synchronization Client visit special page to begin conversation End of message determination Client receive some special HTTP code in response, e.g. 404 – Not Found or 403 - Forbidden Single client only communication Opening session that stores transferring bit number for each client
  • 39. Specification 2nd threat model – controlled server Browser based implementation of channels (client in JavaScript) 39 Header Server version Average HTTP ping Max HTTP ping Speed Max sequence Last- Modified Python 560.3 ms 1621.8 ms 0.53 bit/s unlimited PHP 508 ms 532.2 ms 0.58 bit/s ETag Python 560.3 ms 1621.8 ms 1.02 bit/s unlimited PHP 508 ms 532.2 ms 1.18 bit/s
  • 40. Specification 2nd threat model – controlled server Testing channels implementation in C with PHP server Purpose: to make estimation of maximum speed 40 Header Network Average HTTP ping Speed ETag Local host 0.55 ms 986 bit/s Data center local network 1.63 ms 845.65 bit/s Local network 6.9 ms 295.69 bit/s Internet 383.2 ms 4.89 bit/s
  • 41. Proof of Concept GitHub – https://github.com/tsu-iscd/HttpCovertChannels 41
  • 42. 42 https://github.com/beefproject/beef “BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.” The Browser Exploitation Framework
  • 43. Conclusions 43 Future work: implementation of the ETag based covert timing channel as a BEEF module writet Internet