22C3 - 2.2

22nd Chaos Communication Congress
Private Investigations

Steven J. Murdoch
Day 1
Room Saal 2
Start time 22:00
Duration 01:00
ID 798
Event type Lecture
Track Hacking
Language English

Covert channels in TCP/IP: attack and defence

Creation and detection of IP steganography for covert channels and device fingerprinting

This talk will show how idiosyncrasies in TCP/IP implementations can be used to reveal the use of several steganography schemes, and how they can be fixed. The analysis can even be extended to remotely identify the physical machine being used.

A number of steganography techniques have been designed to insert a covert channel into seemingly random TCP/IP fields, such as the IP ID, TCP initial sequence number (ISN) or the least significant bits of the TCP timestamp. While compliant with the TCP/IP specification, their output is unlike that an unmodified operating system would generate. This talk will show how by taking in account the implementation of the TCP/IP stack, a number of such specification-based steganography schemes can be broken. This includes Nushu, an ISN based scheme presented at 21C3.

Firstly the talk will introduce the field of covert channels and TCP/IP steganography in particular, giving an overview of the steganographic potential of different fields in the protocol. This will show that only the IP ID and TCP ISN can be plausibly used for steganography. The talk will then describe how these fields are generated, and how steganography schemes which do not properly take in account these algorithms can be detected.

The talk will then present improved TCP/IP steganography schemes for Linux and OpenBSD which, by deriving a reversible transformation from the standard TCP/IP stacks' implementation, make a much harder to detect covert channel. Such a scheme can be shown to be as strong as the underlying encryption, when attacked by an adversary monitoring packet content.

Finally, a side effect of the steganography detection system is to reveal microsecond-level deviations in the clock speed of the device being monitored. Clock-skew varies from computer to computer so can act as a fingerprint of a particular physical device. This talk will show how this fact can be used to track physical devices across the Internet, and how the use of TCP ISNs can improve over schemes based on TCP timestamps.

This work was done in conjunction with Stephen Lewis.