covert timing channels using http cache headers
DESCRIPTION
Covert timing channels using HTTP cache headers (Last-Modified and ETag) are investigated and implemented in browsers
TRANSCRIPT
![Page 1: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/1.jpg)
COVERT TIMING CHANNELS
USING HTTP CACHE HEADERS
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
Tomsk State University
Information Security and Cryptography Department
SEPTEMBER 8 - 13 EKATERINBURG
2014
![Page 2: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/2.jpg)
Introduction
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers (CWE-514)
HTTP is one of the most widely used Internet protocols, so detection of covert channels over HTTP is an important research area
![Page 3: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/3.jpg)
Example – HTTP Headers
Using steganography methods in header values
Suppose that
“en” → 0
“fr” → 1
Then
Accept-Language: en,fr → 01
Accept-Language: fr,en → 10
Accept-Language: en,fr,en,fr,en,en,en,en → 0x50
![Page 4: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/4.jpg)
Covert Channels’ Usage
• Implementation of prohibited information flows in LBAC systems
• Retaining control in targeted browsers
• Timing attacks
• Botnet command and control
![Page 5: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/5.jpg)
Types Of Covert Channels
TIME DEPENDENCE
• A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515)
• Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385)
DIRECTION
• Unidirectional
– Client – server
– Server – client
• Bidirectional
![Page 6: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/6.jpg)
Client-Server Covert Channels
Client-server covert channels are easier to implement, e.g. a covert storage channel via the If-Range request header:
GET / HTTP/1.1
Host: 162.71.12.43
If-Range: 120c7bL-32bL-4f86d4105ac62L
…
(the If-Range value carries hex-encoded data)
![Page 7: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/7.jpg)
Server-Client Covert Channels
Server-client channels are more complicated, and most of them are timing channels, so they are more interesting to research
![Page 8: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/8.jpg)
Basic HTTP Cache Headers
RESPONSE (SERVER) HEADERS
• Last-Modified
• ETag
REQUEST (CLIENT) HEADERS
• If-Modified-Since
• If-Unmodified-Since
• If-Match
• If-None-Match
![Page 9: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/9.jpg)
Last-Modified Response Header
The Last-Modified HTTP header holds the date of the last modification of the web entity
Page request:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
Response:
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT
Connection: keep-alive
(data)
![Page 10: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/10.jpg)
ETag Response Header
The ETag value is formed from the hex values of the file's inode, size and last-modified time (mtime):
120c7bL-32bL-4f86d4105ac62L
(inode)-(size)-(mtime)
Page request:
GET / HTTP/1.1
Host: 162.71.12.43
(other headers)
Response:
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
Date: Wed, 02 Apr 2014 14:33:39 GMT
Content-Type: text/html
Content-Length: 124
ETag: 120c7bL-32bL-4f86d4105ac62L
Connection: keep-alive
(data)
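As an added example (not from the talk or its proof of concept), a Python parser for the inode-size-mtime layout shown above. It treats the trailing "L" on the slide's sample as optional, which is an assumption about how the value was printed, and exposes the microsecond part of mtime that Last-Modified (1 s resolution) cannot carry.

```python
import re
from datetime import datetime, timezone

# Constructed from the slide's value. Real Apache ETags carry no "L" suffix
# on the fields; accepting it is an assumption so the slide's sample parses.
SAMPLE_ETAG = '"120c7bL-32bL-4f86d4105ac62L"'

_FIELD = r"([0-9a-fA-F]+)L?"
_ETAG_RE = re.compile(rf'^(W/)?"?{_FIELD}-{_FIELD}-{_FIELD}"?$')


def parse_apache_etag(etag: str) -> dict:
    """Split an inode-size-mtime ETag into its fields.

    mtime is an apr_time_t: microseconds since the Unix epoch. That is what
    gives the ETag far more resolution than Last-Modified.
    Returns {} when the value does not have the three-field layout.
    """
    m = _ETAG_RE.match(etag.strip())
    if not m:
        return {}
    weak, inode_hex, size_hex, mtime_hex = m.groups()
    mtime_us = int(mtime_hex, 16)
    return {
        "weak": weak is not None,
        "inode": int(inode_hex, 16),
        "size": int(size_hex, 16),
        "mtime_us": mtime_us,
        "mtime": datetime.fromtimestamp(mtime_us // 10**6, tz=timezone.utc)
                         .replace(microsecond=mtime_us % 10**6),
        # The part of mtime that Last-Modified cannot express.
        "subsecond_us": mtime_us % 10**6,
    }


def changed_fields(old_etag: str, new_etag: str) -> set:
    """Which of inode/size/mtime differ between two observed ETags.

    The channel's receiver only needs "anything changed"; seeing that only
    mtime moves (a touch rather than new content) is a hint when auditing
    why a page's validator keeps flipping.
    """
    old, new = parse_apache_etag(old_etag), parse_apache_etag(new_etag)
    return {k for k in ("inode", "size", "mtime_us") if old.get(k) != new.get(k)}


if __name__ == "__main__":
    info = parse_apache_etag(SAMPLE_ETAG)
    print(f"inode={info['inode']} size={info['size']} B "
          f"mtime={info['mtime'].isoformat()} (+{info['subsecond_us']} us)")
```

Apache 2.4 changed the default FileETag to "MTime Size", which removes the inode but keeps the microsecond mtime, so the extra resolution the talk relies on is still present by default.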
![Page 11: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/11.jpg)
Common Usage of Cache Request Headers
HTTP cache headers allow a web client not to download a page if it hasn’t been changed since a certain time
Page request (either form):
GET / HTTP/1.1
Host: 162.71.12.43
If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)

GET / HTTP/1.1
Host: 162.71.12.43
If-None-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)
Page has been changed: HTTP/1.1 200 OK (page data)
Page has not been changed: HTTP/1.1 304 Not Modified (only headers)
![Page 12: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/12.jpg)
Common Usage of Cache Request Headers
The second pair of headers does the same as the previous one but with the logically inverse condition
Page request (either form):
GET / HTTP/1.1
Host: 162.71.12.43
If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT
(other headers)

GET / HTTP/1.1
Host: 162.71.12.43
If-Match: 120c7bL-32bL-4f86d4105ac62L
(other headers)
Page has been changed: HTTP/1.1 412 Precondition Failed (only headers)
Page has not been changed: HTTP/1.1 200 OK (page data)
![Page 13: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/13.jpg)
Covert Timing Channel Model
[Diagram: processes p1 and p2 with read and write access, connected over the Internet]
2 different threat models:
• message.txt -- read-only, some_page.html -- write-only
• Web server is under intruders’ control
![Page 14: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/14.jpg)
General Covert Channels Scheme
[Flowchart: HTTP request; if the page has not been changed, ‘0’ is received; if the page has been changed, the new header value is stored and ‘1’ is received]
![Page 15: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/15.jpg)
Covert Channels Using HTTP Cache Headers
Last-Modified based
• Last-Modified header value
• Using If-Modified-Since header
• Using If-Unmodified-Since header
ETag based
• ETag header value
• Using If-Match header
• Using If-None-Match header
![Page 16: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/16.jpg)
Last-Modified Based Channels
Last-Modified header value covert channel
[Flowchart: send an HTTP request and get the new header value (e.g. Last-Modified: Wed, 02 Apr 2014 14:33:39 GMT); if the header value changed then store the header value and ‘1’ is received, else ‘0’ is received; wait n seconds and repeat]
![Page 17: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/17.jpg)
Last-Modified Based Channels
Covert channel using If-Modified-Since
[Flowchart: send a request with If-Modified-Since: Wed, 02 Apr 2014 14:33:39 GMT; if the HTTP code is “200” then store the new header value and ‘1’ is received, else ‘0’ is received; wait n seconds and repeat]
![Page 18: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/18.jpg)
Last-Modified Based Channels
Covert channel using If-Unmodified-Since
[Flowchart: send a request with If-Unmodified-Since: Wed, 02 Apr 2014 14:33:39 GMT; if the HTTP code is “412” then store the new header value and ‘1’ is received, else ‘0’ is received; wait n seconds and repeat]
![Page 19: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/19.jpg)
ETag Based Channels
ETag header value covert channel
[Flowchart: send an HTTP request and get the new header value (e.g. ETag: 120c7bL-32bL-4f86d4105ac62L); if the header value changed then store the header value and ‘1’ is received, else ‘0’ is received; wait n seconds and repeat]
![Page 20: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/20.jpg)
ETag Based Channels
Covert channel using If-None-Match
[Flowchart: send a request with If-None-Match: 120c7bL-32bL-4f86d4105ac62L; if the HTTP code is “200” then store the new header value and ‘1’ is received, else ‘0’ is received; wait n seconds and repeat]
![Page 21: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/21.jpg)
ETag Based Channels
Covert channel using If-Match
[Flowchart: send a request with If-Match: 120c7bL-32bL-4f86d4105ac62L; if the HTTP code is “412” then store the new header value and ‘1’ is received, else ‘0’ is received; wait n seconds and repeat]
![Page 22: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/22.jpg)
Ways to Implement
Of the many possible ways, we focus on
• Python – socket library
• C++ – Boost ASIO library
• C – simple C socket library
We chose C due to its highest performance (among these options) and decent stability
The first threat model is chosen because of its minimal requirements
![Page 23: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/23.jpg)
Implementation
[Flowchart: send HTTP request; get host response; if the page has been modified then store the new header and write ‘1’ to output, else write ‘0’ to output; sleep N seconds and repeat]
![Page 24: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/24.jpg)
Issues
Some problems we solved during implementation
| Issue | Solution |
|---|---|
| Server-client synchronization | Special synchronizing function |
| Different time of requests | Dynamic sleep time |
| Lateness after sleep | “Active” sleep |
| High CPU load with “active sleep” | “Dynamic” and “active” sleep combination |
![Page 25: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/25.jpg)
Issue 1
Need to synchronize the “read” (web client) and “write” (host) services
Solution:
A synchronizing function that makes requests at maximum speed (without sleep)
[Flowchart: send HTTP request; get host response; check whether the page has been changed; repeat]
![Page 26: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/26.jpg)
Issue 2
Different request times can break the synchronization of the services
Solution:
Dynamic sleep time equal to (sleep_time – time taken by the request)
[Flowchart: calculate the time taken by the request (diff_time); sleep (sleep_time – diff_time) µs]
![Page 27: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/27.jpg)
Issue 3
Inaccurate sleep: after sleeping (usleep() is used) the program can wake up with 10–200 µs lateness
Solution:
Use “active sleep”: keep calculating the time difference between the last request and the current moment while it is less than sleep_time
[Flowchart: calculate diff_time; if diff_time < sleep_time then repeat, else proceed]
![Page 28: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/28.jpg)
Issue 4
High CPU load with “active sleep”
Solution:
Combine “active” and “dynamic” sleep
[Flowchart: calculate diff_time; if diff_time < CONST then actively wait, else sleep (sleep_time – CONST – request_time)]
where CONST is a constant of about 1000 µs (or less, depending on PC performance)
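The combined dynamic/active sleep of Issues 2 to 4, as an added Python example (not the authors' C code): the OS sleep covers all but the last CONST microseconds of the period, and a short spin loop absorbs the wake-up lateness. The 1 s period and the 1000 µs CONST are the slides' values; clamping the OS sleep at zero and the constructed request delay in demo_slot are assumptions.

```python
import time

SLEEP_TIME_US = 1_000_000  # channel period n = 1 s, as in the slides
CONST_US = 1_000           # hand-over from OS sleep to active sleep, about 1000 us


def coarse_sleep_us(sleep_time_us, request_time_us, const_us=CONST_US):
    """Dynamic sleep length: the slide's (sleep_time - CONST - request_time).

    Clamped at zero (an assumption): a request slower than the period must
    not turn into a negative sleep; that slot simply runs late.
    """
    return max(0, sleep_time_us - const_us - request_time_us)


def wait_for_next_slot(slot_start, sleep_time_us=SLEEP_TIME_US, const_us=CONST_US):
    """Block until sleep_time_us after slot_start; return the overshoot in us.

    slot_start is a time.perf_counter() reading taken right before the HTTP
    request went out, so the request's own duration counts towards the
    period (Issue 2). Wake-up lateness of the OS sleep (Issue 3) is absorbed
    by spinning only for the final const_us microseconds (Issue 4).
    """
    request_time_us = int((time.perf_counter() - slot_start) * 1e6)
    coarse = coarse_sleep_us(sleep_time_us, request_time_us, const_us)
    if coarse:
        time.sleep(coarse / 1e6)               # dynamic sleep: cheap, may wake late
    deadline = slot_start + sleep_time_us / 1e6
    while time.perf_counter() < deadline:      # active sleep: precise, short
        pass
    return (time.perf_counter() - deadline) * 1e6


def demo_slot(sleep_time_us=100_000, fake_request_s=0.02):
    """One channel slot with a constructed delay standing in for the HTTP
    round trip; returns (elapsed_us, overshoot_us) so timing can be checked."""
    t0 = time.perf_counter()
    time.sleep(fake_request_s)                 # stand-in for send request / get response
    over = wait_for_next_slot(t0, sleep_time_us)
    return (time.perf_counter() - t0) * 1e6, over


if __name__ == "__main__":
    for _ in range(3):
        elapsed, over = demo_slot()
        print(f"slot took {elapsed:.0f} us, boundary overshoot {over:.1f} us")
```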
![Page 29: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/29.jpg)
Advantages
ADVANTAGES OF COVERT TIMING CHANNELS WITH THE FIRST INTRUDER MODEL
• Does not modify the common HTTP request structure
• Does not require web-server modifications
• Any read-only activity on the web page used by the channel does not break its operation
• The information flow looks like something refreshing a web page every n seconds
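From the defender's side, the pattern the last bullet describes is also what gives the channel away: under the first threat model the page is rewritten for every ‘1’ bit, so one client re-fetching one page at a fixed period and being told “modified” (200 rather than 304) on a large share of polls is visible in an ordinary access log. Added example, not from the talk; the log lines, IPs, paths and thresholds are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access log (Combined Log Format): 10.0.0.7 re-fetches
# /some_page.html once per second and gets 200 on most polls, the
# "refreshes a web page every n seconds" pattern; 10.0.0.9 is an ordinary
# visitor. IPs, paths and user agents are made up.
SAMPLE_LOG = """\
10.0.0.7 - - [02/Apr/2014:14:33:40 +0000] "GET /some_page.html HTTP/1.1" 200 124 "-" "poller"
10.0.0.7 - - [02/Apr/2014:14:33:41 +0000] "GET /some_page.html HTTP/1.1" 304 0 "-" "poller"
10.0.0.7 - - [02/Apr/2014:14:33:42 +0000] "GET /some_page.html HTTP/1.1" 200 124 "-" "poller"
10.0.0.7 - - [02/Apr/2014:14:33:43 +0000] "GET /some_page.html HTTP/1.1" 200 124 "-" "poller"
10.0.0.7 - - [02/Apr/2014:14:33:44 +0000] "GET /some_page.html HTTP/1.1" 304 0 "-" "poller"
10.0.0.7 - - [02/Apr/2014:14:33:45 +0000] "GET /some_page.html HTTP/1.1" 200 124 "-" "poller"
10.0.0.7 - - [02/Apr/2014:14:33:46 +0000] "GET /some_page.html HTTP/1.1" 200 124 "-" "poller"
10.0.0.9 - - [02/Apr/2014:14:33:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "browser"
10.0.0.9 - - [02/Apr/2014:14:33:52 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "browser"
10.0.0.9 - - [02/Apr/2014:14:35:03 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "browser"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """(client, path, unix time, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, path, datetime.strptime(ts, TS_FMT).timestamp(), int(status)


def find_regular_pollers(log_text, min_requests=6, max_jitter=0.1, min_modified=0.2):
    """Clients that re-fetch one page at a steady period and get 200 instead
    of 304 on an implausibly large share of polls. The thresholds are
    heuristics to tune per site, not calibrated values."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, path, ts, status = rec
            series[(ip, path)].append((ts, status))
    hits = {}
    for key, reqs in series.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / period if period > 0 else float("inf")
        modified = sum(1 for _, s in reqs if s == 200) / len(reqs)
        if jitter <= max_jitter and modified >= min_modified:
            hits[key] = {"period_s": period, "jitter": jitter, "modified_ratio": modified}
    return hits
```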
![Page 30: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/30.jpg)
Specification – Last-Modified, 1st threat model
| Sleep time | Min start sequence | Avg sequence | Max sequence | Speed | Accuracy |
|---|---|---|---|---|---|
| 1 second | 3200 bits | 8848 bits | 19712 bits | 1 bit/s | 99.82% |
| 2 seconds | 3400 bits | 10145 bits | 22143 bits | 0.5 bit/s | 99.87% |
• Min start sequence – minimum number of bits passed from the beginning of a conversation until the first error
• Avg and Max sequence – number of bits passed in a row without any error, on average and at best
• Accuracy – percentage of correctly transmitted bits
![Page 31: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/31.jpg)
Specification – ETag, 1st threat model
| Sleep time | Min start sequence | Avg sequence | Max sequence | Speed | Accuracy |
|---|---|---|---|---|---|
| 1 second | 3200 bits | 8848 bits | 19712 bits | 1 bit/s | 99.82% |
| 0.5 seconds | 2400 bits | 8142 bits | 18123 bits | 2 bit/s | 99.5% |
ETag contains mtime (last-modified time with microsecond accuracy), so the theoretical channel capacity is larger than the practically achievable one.
The maximum practical speed of the covert channels is about 1 bit per (2L+T) seconds, where L is the HTTP latency between u2 and s1 and T is the time needed for auxiliary operations
![Page 32: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/32.jpg)
Covert Channels in Browsers
Kenton Born, “Browser-based covert data exfiltration”
DOMAIN NAME SYSTEM (DNS)
Query: “Where is some.domain.example.com?”
Response: “It is at 88.0.13.37!”
IT’S A CLIENT-SERVER CHANNEL
some.domain.example.com: subdomain (some.domain) + domain (example.com)
bigbrother.watchingme.evil.com: information (bigbrother.watchingme) + domain (evil.com)
![Page 33: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/33.jpg)
Covert Channels in Browsers
DNS TUNNEL
IT’S A SERVER-CLIENT CHANNEL
first.bit.evil.com: information (first.bit) + domain (evil.com)
Response “It is 66.45.234.2” → received 1
Response NXDOMAIN → received 0
![Page 34: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/34.jpg)
Server-Client Browser Channel
Purpose: to implement covert timing channels using browser-side technologies such as JavaScript, AJAX and various HTML features
![Page 35: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/35.jpg)
Timing Channels in Browsers
Problems:
• Lack of any “sleep” function
• Low accuracy of the existing time management functions
• Difficulties with synchronizing the covert channel’s server and client
So implementing the model used above is pointless, but it is possible to implement covert channels under these restrictions using the second threat model (controlled web server)
![Page 36: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/36.jpg)
Timing Channels in Browsers
Use the same client-side model but in JavaScript
[Flowchart: send HTTP request; get host response; if the page has been modified then store the new header and write ‘1’ to output, else write ‘0’ to output; the “sleep N seconds” step is implemented with setInterval]
![Page 37: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/37.jpg)
Timing Channels in Browsers
Some refactoring of the server-side model
[Flowchart: wait for an HTTP request; if the current message bit is ‘1’ then send a new header value and store it, else send the old header value]
![Page 38: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/38.jpg)
Issues
| Issue | Solution |
|---|---|
| Server-client synchronization | Client visits a special page to begin the conversation |
| End of message determination | Client receives a special HTTP code in the response, e.g. 404 Not Found or 403 Forbidden |
| Single-client-only communication | Opening a session that stores the number of the bit being transferred for each client |
![Page 39: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/39.jpg)
Specification, 2nd threat model – controlled server
Browser-based implementation of the channels (client in JavaScript)
| Header | Server version | Average HTTP ping | Max HTTP ping | Speed | Max sequence |
|---|---|---|---|---|---|
| Last-Modified | Python | 560.3 ms | 1621.8 ms | 0.53 bit/s | unlimited |
| Last-Modified | PHP | 508 ms | 532.2 ms | 0.58 bit/s | unlimited |
| ETag | Python | 560.3 ms | 1621.8 ms | 1.02 bit/s | unlimited |
| ETag | PHP | 508 ms | 532.2 ms | 1.18 bit/s | unlimited |
![Page 40: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/40.jpg)
Specification, 2nd threat model – controlled server
Testing the channel implementation in C with a PHP server
Purpose: to estimate the maximum speed
| Header | Network | Average HTTP ping | Speed |
|---|---|---|---|
| ETag | Local host | 0.55 ms | 986 bit/s |
| ETag | Data center local network | 1.63 ms | 845.65 bit/s |
| ETag | Local network | 6.9 ms | 295.69 bit/s |
| ETag | Internet | 383.2 ms | 4.89 bit/s |
![Page 41: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/41.jpg)
Proof of Concept
GitHub
– https://github.com/tsu-iscd/HttpCovertChannels
![Page 42: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/42.jpg)
The Browser Exploitation Framework
https://github.com/beefproject/beef
“BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.”
![Page 43: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/43.jpg)
Conclusions
Future work: implementation of the ETag based covert timing channel as a BeEF module
![Page 44: Covert Timing Channels using HTTP Cache Headers](https://reader034.vdocuments.mx/reader034/viewer/2022042422/55892d24d8b42a2c388b45b3/html5/thumbnails/44.jpg)
Denis Kolegov
@dnkolegov
Oleg Broslavsky
@yalegko
Nikita Oleksov
@neoleksov