This document discusses using HTTP cache headers to create covert timing channels. It describes how information can be encoded in the Last-Modified and ETag response headers and decoded using the If-Modified-Since, If-Unmodified-Since, If-Match, and If-None-Match request headers. The document outlines an implementation of these covert channels using C that achieves transmission speeds of 1-2 bits per second with over 99% accuracy. Issues in synchronization, timing, and CPU load are also addressed.

1. COVERT TIMING CHANNELS
USING HTTP CACHE HEADERS
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University
Information Security and Cryptography Department
SEPTEMBER 8 - 13
EKATERINBURG
2014

2. Introduction
A covert channel is a mechanism for sending and
receiving information between hosts without alerting any
firewalls and IDSs
HTTP is one of the most used Internet protocol so
detections of the covert channels over the HTTP is an
important research area
2

3. Example – HTTP Headers
3
Using steganography methods in header values
Suppose that
Then
“en” 0
“fr” 1
Accept-Language: en,fr 01
Accept-Language: fr,en 10
Accept-Language: en,fr,en,fr,en,en,en,en 0x50

4. Covert Channels’ Usage
4
• Transfer illegal content
• Stealing information from “secure”
environments
• Controlling botnets

5. Types Of Covert Channels
5
TIME DEPENDENCE
• Storage channels – a storage location is written to and
read from
• Timing channels – transmitting information through time
values
DIRECTION
• Client – server
• Server – client

6. Client-Server Covert Channels
6
Client-server covert channels are easier to implement, e.g.
covert storage channel via If-Range request header
GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L
…
Hex-encoded data

7. Server-Client Covert Channels
7
Server-client channels are more complicated and most of
them are timing channels so it is more interesting to
research

8. Basic HTTP Cache Headers
8
RESPONSE (SERVER) HEADERS
• Last-Modified
• ETag
REQUEST (CLIENT) HEADERS
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-Non-Match Request
Response

9. Last-Modified Response Header
9
Last-Modified HTTP header stores a date of the last web
entity’s modification
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive
(data)
Page
request
Response
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)

10. ETag Response Header
10
The ETag value is formed from the hex values of
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
Connection: keep-alive
(data)
Page
request
Response
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
120c7bL-32bL-4f86d4105ac62L
file's inode size last-modified time (mtime)

11. Common Usage of Cache Request Headers
11
HTTP cache headers allows web-client not to download a
page if it hasn’t been changed since the certain time
Page
request
Page has been
changed
HTTP/1.1 200 OK
(page data)
Page has not been
changed
HTTP/1.1 304 OK
(only headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since:
Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match:
120c7bL-32bL-4f86d4105ac62L
(other headers)

12. Common Usage of Cache Request Headers
12
Second pair of headers does the same as previous but
with logically inverse condition
Page
request
Page has been
changed
HTTP/1.1 412 OK
(page data)
Page has not been
changed
HTTP/1.1 200 OK
(only headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since:
Wed, 02 Apr 2014 14:33:39 GMT
(other headers)
GET / HTTP/1.1
Host: 162.71.12.43
If-Match:
120c7bL-32bL-4f86d4105ac62L
(other headers)

13. Covert Timing Channel Model
13
read writet
writet
p1 p2
read writet read write
Internet
2 different threat models:
Web server is under
intruders’ control
message.txt -- read-only
some_page.html -- write-only

14. General Covert Channels Scheme
14
Page has not been
changed
HTTP
request
Received
‘0’
Page has been changed
Received
‘1’
Store new
header value

15. Covert Channels Using HTTP Cache
Headers
15
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header
• ETag header value
• Using If-Match header
• Using If-None-Match header
Last-Modified based
ETag based

16. Last-Modified Based Channels
16
HTTP
request
Get new header value
Received ‘1’
If header value
changed
Store header value
Received ‘0’
Wait
n
seconds
then else
Last-Modified header value covert channel
Last-Modified:
Wed, 02 Apr 2014
14:33:39 GMT

17. Last-Modified Based Channels
17
Covert channel using If-Modified
If-Modified-Since:
Wed, 02 Apr 2014
14:33:39 GMT
If-Modified
request
Received ‘1’
If HTTP code
is “200”
Store header value
Received ‘0’
Wait
n
secondsthen else

18. Last-Modified Based Channels
18
If-Unmodified
request
Received ‘1’
If HTTP code
is “412”
Store header value
Received ‘0’
Wait
n
secondsthen else
Covert channel using If-Unmodified
If-Unmodified-Since:
Wed, 02 Apr 2014
14:33:39 GMT

19. ETag Based Channels
19
ETag header value covert channel
ETag:
120c7bL-32bL-
4f86d4105ac62L
HTTP
request
Get new header value
Received ‘1’
If header value
changed
Store header value
Received ‘0’
Wait
n
seconds
then else

20. ETag Based Channels
20
Covert channel using If-None-Match
If-None-Match:
120c7bL-32bL-
4f86d4105ac62L
If-None-Match
request
Received ‘1’
If HTTP code
is “200”
Store header value
Received ‘0’
Wait
n
secondsthen else

21. ETag Based Channels
21
Covert channel using If-Match
If-Match:
120c7bL-32bL-
4f86d4105ac62L
If-Match
request
Received ‘1’
If HTTP code
is “412”
Store header value
Received ‘0’
Wait
n
secondsthen else

22. Ways to Implement
In tons of possible ways we focus on
• Python – Socket library
• C++ – Boost ASIO library
• С – simple C socket library
We choose C due to its highest performance (among
these ways) and decent stability
First threat model is chosen because of minimal
requirements
22

23. Implementation
23
Send HTTP
request
Get host response
Write ‘1’ to output
If page has
been
modified
Store new header
Write ‘0’ to output
Sleep
N
seconds
then else

24. Issues
24
Issue Solution
Server-client synchronization Special synchronizing function
Different time of requests Dynamic sleep time
Lateness after sleep “Active” sleep
High CPU load with “active sleep” “Dynamic” and “active” sleep
combination
Some problems we solved during implementation

25. Issue 1
25
Necessity of synchronization “read” (web client) and “write”
(host) services
Solution:
Synchronizing function that does requests at a maximum
speed (without sleep)
Send HTTP
request
Get host response
If page has
been changed
then else

26. Issue 2
26
Different time of requests can break services
synchronization
Solution:
Dynamic sleep time equals to
(sleep_time – time took for request)
Calculate time
took for request
diff_time
Sleep
(sleep_time – diff_time) µs

27. Issue 3
27
Inaccurate sleep - after sleep (func usleep() is used) the
program can awake with 10-200μs lateness
Solution:
Use “active sleep” - calculation time difference between last
request and current moment while it is less than
sleep_time
Calc diff_time
If diff_time <
sleep_time
thenelse

28. Issue 4
28
High CPU load with “active sleep”
Solution:
Combine “active” and “dynamic” sleep
Calculate diff_time
If diff_time < CONST
thenelse
Sleep
(sleep_time – CONST – request_time)
where CONST is constant about 1000 µs (or less depending on PC
performance)

29. Advantages
29
ADVANTAGES OF COVERT TIMING CHANNELS WITH
FIRST INTRUDER MODEL
• Does not modify common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on web page that is used by the
channel do not break its work
• Information flow looks like something refreshes a web
page every n seconds

30. Specification – Last-Modified
1st threat model
30
Sleep
time
Min start
sequence
Avg
sequence
Max
sequence
Speed Accuracy
1 second 3200 bits 8848 bits 19712 bits 1bit/s 99,82%
2 seconds 3400 bits 10145 bits 22143 bits 0.5 bit/s 99,87%
• Min start sequence – minimum number of bits passed
from the beginning of a conversation till the first mistake
• Avg and Max sequence – number of bits passed without
any mistakes in a row in average and at best
• Accuracy – percent of correctly transmitted bits

31. Specification – ETag
1st threat model
31
Sleep
time
Min start
sequence
Avg
sequence
Max
sequence
Speed Accuracy
1 second 3200 bits 8848 bits 19712 bits 1bit/s 99,82%
0.5
seconds
2400 bits 8142 bits 18123 bits 2 bit/s 99,5%
ETag contains mtime (last modified time with microsecond
accuracy), so theoretical channel capacity is bigger than
its practically possible one.
Maximum practical speed of the covert channels is about 1
bit per (2L+T) seconds, where L is HTTP latency between
u2 and s1 and T is a time that is needed for auxiliary
operations

32. Covert Channels in Browsers
Kenton Born “Browser-based covert data exfiltration”
DOMAIN NAME SYSTEM (DNS)
Query: “Where is some.domain.example.com?”
Response: “It is at 88.0.13.37!”
IT’S CLIENT-SERVER CHANNEL 32
some.domain.example.com
Subdomain Domain
bigbrother.watchingme.evil.com
Information Domain

33. Covert Channels in Browsers
DNS TUNNEL
IT’S SERVER-CLIENT CHANNEL
33
first.bit.evil.com
Information Domain
It is 66.45.234.2 NXdomain
Received 1 Received 0

34. Server-Client Browser Channel
Purpose:
To implement covert timing channels using browser-side
technologies as JavaScript, AJAX and different HTML
features
34

35. Timing Channels in Browsers
Problems:
• Lack of any “sleep” function
• Low accuracy of existing time management
functions
• Difficulties with synchronization of covert channel’s
server and client
So implementation of the used model is pointless, but it is
possible to implement covert channels in these restrictions
using second threat model (controlled web server)
35

36. Timing Channels in Browsers
Use the same client-side model but in JavaScript
3636
Send HTTP
request
Get host response
Write ‘1’ to output
If page
has been
modified
Store new header
Write ‘0’ to output
Sleep
N
seconds
then else
setInterval

37. Timing Channels in Browsers
Some refactoring of server-side model
3737
Send new header value
If current
message bit
is ‘1’
Store header value
Send old header value
then else
WAIT for HTTP request

38. Issues
38
Issue Solution
Server-client synchronization Client visit special page to begin
conversation
End of message determination Client receive some special HTTP
code in response, e.g. 404 – Not
Found or 403 - Forbidden
Single client only communication Opening session that stores
transferring bit number for each
client

39. Specification
2nd threat model – controlled server
Browser based implementation of channels (client in
JavaScript)
39
Header
Server
version
Average
HTTP
ping
Max HTTP
ping
Speed
Max
sequence
Last-
Modified
Python 560.3 ms 1621.8 ms 0.53 bit/s
unlimited
PHP 508 ms 532.2 ms 0.58 bit/s
ETag
Python 560.3 ms 1621.8 ms 1.02 bit/s
unlimited
PHP 508 ms 532.2 ms 1.18 bit/s

40. Specification
2nd threat model – controlled server
Testing channels implementation in C with PHP server
Purpose: to make estimation of maximum speed
40
Header Network
Average
HTTP ping
Speed
ETag
Local host 0.55 ms 986 bit/s
Data center local
network
1.63 ms 845.65 bit/s
Local network 6.9 ms 295.69 bit/s
Internet 383.2 ms 4.89 bit/s

41. Proof of Concept
GitHub
– https://github.com/tsu-iscd/HttpCovertChannels
41

42. 42
https://github.com/beefproject/beef
“BeEF allows the professional penetration tester to
assess the actual security posture of a target
environment by using client-side attack vectors.”
The Browser Exploitation Framework

43. Conclusions
43
Future work: implementation of the ETag based covert
timing channel as a BEEF module
writet Internet

44. 44
Denis Kolegov
dnkolegov@gmail.com
@dnkolegov
Oleg Broslavsky
ovbroslavsky@gmail.com
@yalegko
Nikita Oleksov
neoleksov@gmail.com
@neoleksov