Covert Timing Channels using HTTP Cache Headers

Transcript

1. COVERT TIMING CHANNELS USING HTTP CACHE HEADERS Denis Kolegov, Oleg

   Broslavsky, Nikita Oleksov Tomsk State University Information Security and Cryptography Department

2. Introduction A covert channel is a mechanism for sending and

   receiving information between hosts without alerting any firewalls and IDSs HTTP is one of the most used Internet protocol so detections of the covert channels over the HTTP is an important research area

3. Example – HTTP Headers Using steganography methods in header values

   Suppose that Then “en” 0 “fr” 1 Accept-Language: en,fr 01 Accept-Language: fr,en 10 Accept-Language: en,fr,en,fr,en,en,en,en 0x50

4. Covert Channels’ Usage • Botnet C&C channel • In-band key

   exchange • Transfer illegal content • Stealing information from “secure” environments

5. Types Of Covert Channels TIME DEPENDENCE • Storage channels –

   a storage location is written to and read from • Timing channels – transmitting information through time values DIRECTION • Client – server • Server – client

6. Client-Server Covert Channels Client-server covert channels are easier to implement,

   e.g. covert storage channel via If-Range request header GET / HTTP/1.1 Host: 162.71.12.43 If-Range: 120c7bL-32bL-4f86d4105ac62L … Hex-encoded data

7. Server-Client Covert Channels Server-client channels are more complicated and most

   of them are timing channels so it is more interesting to research

8. Basic HTTP Cache Headers RESPONSE (SERVER) HEADERS • Last-Modified •

   ETag REQUEST (CLIENT) HEADERS • If-Modified-Since • If-Unmodified-Since • If-Match • If-Non-Match Request Response

9. Last-Modified Response Header Last-Modified HTTP header stores a date of

   the last web entity’s modification HTTP/1.1 200 OK Server: nginx/1.1.19 Date: Wed, 02 Apr 2014 14:33:39 GMT Content-Type: text/html Content-Length: 124 Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT Connection: keep-alive (data) Page request Response GET / HTTP/1.1 Host: 162.71.12.43 (other headers)

10. ETag Response Header The ETag value is formed from the

    hex values of 120c7bL-32bL-4f86d4105ac62L file's inode size last-modified time (mtime) GET / HTTP/1.1 …. HTTP/1.1 200 OK Server: Apache/2.2.22 (Ubuntu) Date: Wed, 02 Apr 2014 14:33:39 GMT Content-Length: 124 ETag: 120c7bL-32bL-4f86d4105ac62L (data) Page request Response

11. Common Usage of Cache Request Headers HTTP cache headers allows

    web-client not to download a page if it hasn’t been changed since the certain time Page request Page has been changed HTTP/1.1 200 OK (page data) Page has not been changed HTTP/1.1 304 OK (only headers) GET / HTTP/1.1 Host: 162.71.12.43 If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT (other headers) GET / HTTP/1.1 Host: 162.71.12.43 If-None-Match: 120c7bL-32bL-4f86d4105ac62L (other headers)

12. Common Usage of Cache Request Headers Second pair of headers

    does the same as previous but with logically inverse condition Page request Page has been changed HTTP/1.1 412 OK (page data) Page has not been changed HTTP/1.1 200 OK (only headers) GET / HTTP/1.1 Host: 162.71.12.43 If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT (other headers) GET / HTTP/1.1 Host: 162.71.12.43 If-Match: 120c7bL-32bL-4f86d4105ac62L (other headers)

13. General Covert Channels Idea – Client Side HTTP request Get

    new header value Received ‘1’ If page changed Store header value Received ‘0’ Wait n seconds then else

14. General Covert Channels Idea – Server Side On the server

    side we can use two different models: First context Minimum privileges on server: • SECRET.FILE – read only • Covert channel web page – write only Second context Web server is fully controlled by an attacker

15. Covert Channels Using HTTP Cache Headers • Last-Modified header value

    • Using If-Modified-Since header • Using If-Unmodified-Since header • ETag header value • Using If-Match header • Using If-None-Match header Last-Modified based ETag based

16. Ways to Implement In tons of possible ways we focus

    on • Python – Socket library • C++ – Boost ASIO library • С – simple C socket library We choose C due to its highest performance (among these ways) and decent stability. Also we choose server model in first context for its least requirements.

17. Issues in first context Some problems we solved during implementation

    Issue Solution Server-client synchronization Special synchronizing function Different time of requests Dynamic sleep time Lateness after sleep “Active” sleep High CPU load with “active sleep” “Dynamic” and “active” sleep combination

18. Issue 1 Necessity of synchronization “read” (web client) and “write”

    (host) services Solution: Synchronizing function that does requests at a maximum speed (without sleep) Send HTTP request Get host response If page has been changed then else

19. Issue 2 Different time of requests can break services synchronization

    Solution: Dynamic sleep time equals to (sleep_time – time took for request) Calculate time took for request diff_time Sleep (sleep_time – diff_time) µs

20. Issue 3 Inaccurate sleep - after sleep (usleep() is used)

    the program can awake with 10-200μs lateness Solution: Use “active sleep” - calculation time difference between last request and current moment while it is less than sleep_time Calc diff_time then else If diff_time < sleep_time

21. Issue 4 High CPU load with “active sleep” Solution: Combine

    “active” and “dynamic” sleep Calculate diff_time If diff_time < CONST then else Sleep (sleep_time – CONST – request_time)

22. Advantages Of Covert Timing Channels • Does not modify common

    HTTP request structure • Does not require web-server modifications • Any read-only activity on web page that is used by the channel do not break its work • If-* specified channels can work even if main header (Last-Modified and ETag) is disabled

23. Specification Header Sleep time Min start sequence Avg sequence Max

    sequence Speed Accuracy Last- Modified 2s 3400 bits 10145 bits 22143 bits 0.5 bit/s 99,87% 1s 3200 bits 8848 bits 19712 bits 1bit/s 99,82% ETag 1s 3200 bits 8848 bits 19712 bits 1bit/s 99,82% 0.5s 2400 bits 8142 bits 18123 bits 2 bit/s 99,5% Client in C, server in first context model

24. Second server context model In the second context we can

    avoid necessity of client-server synchronization by waiting for the request and responding directly: Send new header value Send old header value If current message bit is ‘1’ Store header value then else WAIT for HTTP request

25. Specification Second context model. Client in C, controlled web server

    on PHP + Header Network Average HTTP ping Speed ETag Local host 0.55 ms 986 bit/s Data center local network 1.63 ms 845.65 bit/s Local network 6.9 ms 295.69 bit/s Internet 383.2 ms 4.89 bit/s

26. Covert Channels in Browsers Kenton Born. «Browser-based covert data exfiltration»

    W. Alcorn, C. Frichot, M. Orru. «The Browser Hacker’s Handbook» DOMAIN NAME SYSTEM (DNS) Query: “Where is some.domain.example.com?” Response: “It is at 88.0.13.37!” some.domain.example.com Subdomain Domain bigbrother.watchingme.evil.com Information Domain IT’S CLIENT-SERVER CHANNEL

27. Browser Context Purpose: To implement covert timing channels using browser-side

    technologies as JavaScript, AJAX and different HTML features

28. Timing Channels in Browsers Problems: • Lack of any “sleep”

    function • Low accuracy of existing time management functions • Difficulties with synchronization of covert channel’s server and client So implementation of the used model is pointless, but it is possible to implement covert channels in these restrictions using controlled web server

29. Issues Issue Solution Server-client synchronization Client does special request to

    begin conversation End of message determination Client receive some special HTTP code in response, e.g. 404 – Not Found or 403 - Forbidden Single client communication only Open a session that stores transferring bit number for each client

30. The Browser Exploitation Framework “BeEF allows the professional penetration tester

    to assess the actual security posture of a target environment by using client-side attack vectors.”

31. BeEF ETag Server-to-Client Tunnel ETag Tunnel in BeEF consist of

    2parts: extension in Ruby, that implements server side logic via couple of web pages mounted to BeEF webserver, and module in JS, that is responsible for receiving information from C&C at zombie client ETag Covert Channel BeEF extension BeEF module

32. BeEF Etag Specification BeEF ETag server-to-client tunnel testing results Network

    Average ping Average HTTP ping 256 bit 1024 bit Local host 0.045 ms 0.6 ms 10.11 bit/s 9.9 bit/s Local network 18 ms 19.8 ms 10.3 bit/s 9.78 bit/s Internet 176 ms 360.9 ms 5.09 bit/s 4.97 bit/s

33. Proof Of Concept http://youtu.be/W2qWA7XUzGQ https://github.com/beefproject/beef

34. Oleg Broslavsky [email protected] @yalegko Denis Kolegov [email protected] @dnkolegov Nikita Oleksov

    [email protected] @neoleksov