New Covert Channels in HTTP: Adding Unwitting Web Browsers to Anonymity Sets

Abstract

This paper presents new methods enabling anonymous communication on the Internet. We describe a new protocol that allows us to create an anonymous overlay network by exploiting the web browsing activities of regular users. We show that the overlay network provides an anonymity set greater than the set of senders and receivers in a realistic threat model. In particular, the protocol provides unobservability in our threat model.
arXiv:cs/0404054v1 [cs.CR] 26 Apr 2004
Matthias Bauer
Institut für Informatik
Martensstrasse 3
91058 Erlangen, Germany
matthiasb@acm.org
Categories and Subject Descriptors
General Terms
Keywords
1. INTRODUCTION
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
WPES'03, October 30, 2003, Washington, DC, USA.
Copyright 2003 ACM 1-58113-776-1/03/0010 ...$5.00.
2. THREAT MODEL
3. BACKGROUND
(public key, private key)
4. RELATED WORK
5. SERVER-TO-SERVER CHANNEL THROUGH UNWITTING CLIENTS
5.0.1 Redirects
5.0.2 Cookies
5.0.3 Referer
5.0.4 HTML Elements
5.0.5 Active Content
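Only the headings of Section 5 survive on this page; the citing text further down says that a server forces a client to transport the covert information via a redirect to another server, and names cookies, Referer headers, HTML elements and active content as the other carriers. The following Python is an added example, not the paper's code: it models the sending server A, an ordinary browser and the receiving server B as plain functions for the redirect, HTML-element and Referer carriers, and adds the query-entropy check a warden sitting in front of B could run. The hostnames a.example and b.example, the parameter name s and the pixel.gif path are invented.

```python
"""Server-to-server covert channel through an unwitting browser (Section 5).

Added example, not the paper's code.  A (sender) and B (receiver) never talk
to each other; the browser of an ordinary visitor to A carries the data in
one of three ways: the query string of a 302 Location, the URL of an <img>
element pointing at B, or the Referer header the browser attaches when A's
page URL carries the data and embeds a resource from B.  Hostnames, the
parameter name and the pixel path are invented.
"""
import base64
import math
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SENDER = "http://a.example"      # constructed hostnames
RECEIVER = "http://b.example"
PARAM = "s"                       # assumed query parameter carrying the data


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(tok: str) -> bytes:
    return base64.urlsafe_b64decode(tok + "=" * (-len(tok) % 4))


def sender_response(payload: bytes, carrier: str) -> dict:
    """A's response to the unwitting client: status, headers, body, page url."""
    q = urlencode({PARAM: _b64(payload)})
    if carrier == "redirect":      # 5.0.1: data rides in the Location target
        return {"status": 302, "url": f"{SENDER}/start", "body": "",
                "headers": {"Location": f"{RECEIVER}/pixel.gif?{q}"}}
    if carrier == "element":       # 5.0.4: data in an embedded element's URL
        return {"status": 200, "url": f"{SENDER}/page", "headers": {},
                "body": f'<img src="{RECEIVER}/pixel.gif?{q}">'}
    if carrier == "referer":       # 5.0.3: data in A's own URL, leaked via Referer
        return {"status": 200, "url": f"{SENDER}/page?{q}", "headers": {},
                "body": f'<img src="{RECEIVER}/pixel.gif">'}
    raise ValueError(f"unknown carrier {carrier!r}")


def browser_requests(resp: dict) -> list:
    """Requests an ordinary browser issues after receiving resp from A."""
    if resp["status"] == 302:
        return [{"url": resp["headers"]["Location"], "headers": {}}]
    # Sub-resources are fetched with Referer set to the embedding page URL.
    return [{"url": src, "headers": {"Referer": resp["url"]}}
            for src in re.findall(r'src="([^"]+)"', resp["body"])]


def receiver_extract(req: dict) -> bytes:
    """B reads the data from the request URL, else from the Referer header."""
    for url in (req["url"], req["headers"].get("Referer", "")):
        tok = parse_qs(urlsplit(url).query).get(PARAM)
        if tok:
            return _unb64(tok[0])
    return b""


def run_channel(payload: bytes, carrier: str) -> bytes:
    """End to end: A -> browser -> B.  Returns the bytes B recovered."""
    resp = sender_response(payload, carrier)
    return b"".join(receiver_extract(r) for r in browser_requests(resp))


def query_entropy(url: str) -> float:
    """Shannon entropy (bits per char) of a URL's query string.  A warden can
    flag redirect targets, element URLs and Referers whose query entropy is
    far above that of ordinary ids; a URL without a query scores 0."""
    q = urlsplit(url).query
    if not q:
        return 0.0
    return -sum(q.count(c) / len(q) * math.log2(q.count(c) / len(q)) for c in set(q))


if __name__ == "__main__":
    for carrier in ("redirect", "element", "referer"):
        print(carrier, run_channel(b"covert input for B", carrier))
```

The three carriers differ in what the warden sees: with the redirect and the element carrier the token is in a URL addressed to B, with the Referer carrier it is in a URL addressed to A and only reaches B through a header the browser adds on its own. The entropy check catches all three because the token is base64 either way; an attacker who wants to defeat it has to spend bandwidth on encoding the data as plausible-looking identifiers.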
6. THE MUTED POSTHORN: A CHAUMIAN MIX ON BANNER ADVERTS
6.1 The Setup
(publickey, secretkey)
6.2 A first Version
Symbols that survive from this section: the initial message $m_0$, the node $n_i$, and $E_n(m)$ for the encryption of $m$ under the public key of node $n$. The first version of the protocol wraps a message for node $n_i$ as

$$m_{i+1} = \mathrm{To\colon} \,\|\, n_i \,\|\, E_{n_i}(m_i).$$
6.3 DoS attack on the first protocol
$$m_{i+1} = \mathrm{To\colon} \,\|\, n_i \,\|\, \mathrm{Ack\colon} \,\|\, h(m_i) \,\|\, E_{n_i}(m_i).$$

[Figure: message pool and mailboxes. Message Pool entries: "To: node1 || E_node1(mess1) || Pad", "To: node2 || Pad || E_node2(mess2)", "Ack: node2 || ack1, ack2 || Pad", with the hash values 0x123456 and 0xabcdef. Mailboxes: mbox1: Pad || message_a; mbox2: message_b || Pad. $|h()|$ denotes the length of the hash $h$.]
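The two layering rules of Sections 6.2 and 6.3 are the only part of the protocol that survives on this page. The following Python is an added example, not the paper's code, that builds the second form, $m_{i+1} = \mathrm{To\colon}\|n_i\|\mathrm{Ack\colon}\|h(m_i)\|E_{n_i}(m_i)$, for a route of nodes, pads every pool entry to a fixed size as in the figure, and lets each node peel one layer, check the Ack hash and forward the inner message. $E_n$ is a stand-in keyed cipher (SHA-256 in counter mode with an HMAC tag) so that the block runs on the standard library; the paper uses per-node public-key encryption (publickey, secretkey). That the Ack field carries a receipt hash which lets the sender recognise delivery of $m_i$ without the nodes learning its content is my reading of the fragment, not a statement from the paper. Node names, the entry size and the field framing are invented.

```python
"""Layered Muted Posthorn messages (Sections 6.2 and 6.3): an added example,
not the paper's own code.

Builds m_{i+1} = To:||n_i||Ack:||h(m_i)||E_{n_i}(m_i) for a route of nodes,
pads every pool entry to a fixed size and lets each node peel one layer,
check the Ack hash and forward the inner message.  E_n is a stand-in keyed
cipher (SHA-256 counter mode plus HMAC tag); the paper uses per-node
public-key encryption.  Sizes, names and framing are invented.
"""
import hashlib
import hmac
import os

SIZE = 512           # fixed size of every pool entry (constructed)
HLEN = 32            # |h()| for SHA-256
KEYS = {}            # node name -> secret; stand-in for (publickey, secretkey)

def register(node: bytes) -> None:
    KEYS[node] = os.urandom(32)

def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def E(node: bytes, m: bytes) -> bytes:
    """Stand-in for E_n: nonce || (m XOR keystream) || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(KEYS[node], nonce, len(m))))
    return nonce + ct + hmac.new(KEYS[node], nonce + ct, "sha256").digest()

def D(node: bytes, c: bytes) -> bytes:
    """Inverse of E; rejects any ciphertext whose tag does not verify."""
    nonce, ct, tag = c[:16], c[16:-HLEN], c[-HLEN:]
    if not hmac.compare_digest(tag, hmac.new(KEYS[node], nonce + ct, "sha256").digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(KEYS[node], nonce, len(ct))))

def pad(m: bytes) -> bytes:
    """Length-prefix m and fill with random bytes so all pool entries look alike."""
    if len(m) + 2 > SIZE:
        raise ValueError("message too long for one pool entry")
    return len(m).to_bytes(2, "big") + m + os.urandom(SIZE - 2 - len(m))

def unpad(p: bytes) -> bytes:
    return p[2:2 + int.from_bytes(p[:2], "big")]

def wrap(m0: bytes, nodes: list) -> tuple:
    """Wrap m0 for nodes [n_0, ..., n_{k-1}], innermost layer first.
    Returns (outer layer m_k, [h(m_0), ..., h(m_{k-1})]); the sender keeps the
    hashes so it can recognise the Acks later without the nodes learning m_i."""
    m, hashes = m0, []
    for n in nodes:
        hashes.append(h(m))
        m = b"To:" + n + b"\x00Ack:" + h(m) + E(n, m)
    return m, hashes

def peel(node: bytes, entry: bytes) -> tuple:
    """One node strips its layer from a padded entry.
    Returns (ack to publish, inner message re-padded for the pool)."""
    m = unpad(entry)
    prefix = b"To:" + node + b"\x00Ack:"
    if not m.startswith(prefix):
        raise ValueError("entry is not addressed to this node")
    ack, ct = m[len(prefix):len(prefix) + HLEN], m[len(prefix) + HLEN:]
    inner = D(node, ct)
    if h(inner) != ack:
        raise ValueError("Ack hash does not match the decrypted layer")
    return ack, pad(inner)

def deliver(m0: bytes, nodes: list) -> tuple:
    """Run the full route n_{k-1} -> ... -> n_0.
    Returns (payload at n_0, acks published in order, hashes the sender kept)."""
    outer, hashes = wrap(m0, nodes)
    entry, acks = pad(outer), []
    for n in reversed(nodes):
        ack, entry = peel(n, entry)
        acks.append(ack)
    return unpad(entry), acks, hashes

if __name__ == "__main__":
    for name in (b"node1", b"node2", b"node3"):
        register(name)
    payload, acks, hashes = deliver(b"message_a", [b"node1", b"node2", b"node3"])
    print(payload, acks == list(reversed(hashes)))
```

Because the outermost node is the last one wrapped, the Acks appear in the pool in the reverse of the wrapping order, and the sender matches them against the hashes it kept. Each node sees only the layer addressed to it, a hash, and a ciphertext of fixed size, which is what keeps pool entries indistinguishable to an observer.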
6.4 Properties of the Protocol
7. UNSOLVED PROBLEMS AND DIRECTIONS FOR FUTURE RESEARCH
(Group, Generator)
8. SUMMARY
9. ACKNOWLEDGEMENTS
10. REFERENCES
... HTTP is a stateless network protocol that allows the transport of hypertext documents and is mostly used to deliver web content from a web server to a client application (mostly web browsers). In [4], several HTTP-based indirect CCs have been described that allow the exchange of CI between two HTTP servers through a client system. For HTTP.1, a server forces a client to transport CI via a redirect to another server. ...
... Considered overall, it is difficult to make an exact classification of the best and most innovative covert channels, as these depend on various factors and each surveyed indirect CC contributes different ideas (Table 6: Naming Conventions Applied to Dead Drop Covert Channels). If one publication is to be picked for each indirect CC pattern, in our opinion for the redirector pattern, the CCs presented in [4] are remarkable, as they are able to transmit a large amount of CI utilizing a widespread carrier protocol. For the redirector pattern, [34] is impressive as the publication shows how redirectors can be implemented with various protocols, crossing logical separation. ...
... Each single warden is in a position to detect this violation on its own. 1 and 2 will for example only observe the SYN packet but never the ACK. 3 can detect the protocol-violating behavior of an acknowledgment sent to another host. 4 and 5 may detect an ACK in absence of a SYN, which is never supposed to happen (except for the so-called cold start problem [21]). Such a behavior is also observable with ARP.3, where the protocol is violated by broadcast source IPs that are not used for ARP-requests and can be observed by all wardens. ...
Conference Paper
Within the last few years, indirect network-level covert channels have experienced a renaissance with new ideas and evolving concepts. Logical network separation may now be crossed and the sending and receiving activities can be performed with temporal distance between sending and receiving operations. Despite these new developments, all indirect network covert channels share certain basic principles that allow a categorization. So far, the concepts of indirect network-level covert channels have never been systematized. In this paper, we introduce a taxonomy containing indirect covert channel patterns that allow a differentiated analysis of all known indirect network-level covert channels. We introduce additional definitions to unify the understanding of the domain and further identify crucial features of indirect covert channels to make them comparable and describable. We further discuss application scenarios as well as potential and already evaluated countermeasures against indirect covert channels. Further, we discuss observable trends and anticipated future developments in the research area of indirect network-level covert channels.
... Lastly, covert channels can also be used to elude wiretapping in regimes or to protect sources in investigative journalism [12]. Thus, IPv6CC can offer a basic privacy-enforcing communication service or can be used to test whether a scenario is resistant against unwanted data leakages (e.g., for industrial espionage). ...
Article
IPv6CC is a suite of network covert channels targeting the IPv6 protocol. Its main scope is supporting penetration test campaigns to evaluate the security of a system against emerging information-hiding-capable attacks or steganographic malware. This paper presents the techniques used to inject data within IPv6 packets, the reference use case and the software architecture of the suite. It also showcases a performance evaluation of the different covert channels offered by IPv6CC, as well as an analysis of their ability to bypass some de facto standard security tools.
... This also means that the data hiding approach is preserving the structure of the utilized hidden data carrier (in our case, a code). Note that currently typical techniques representing this pattern involve modification of the fields in network protocols like IPv4 (IP ID field) [22], first sequence number of a TCP connection, i.e., the Initial Sequence Number (ISN) [22], or cookie in HTTP messages [3]. However, our method is crafted to modify the web content that the web client is requesting, i.e., JavaScript code. ...
... Most authors considered encapsulation of hidden communications in application-layer network protocols. Being the main application level protocol, HTTP is the primary target for covert channel implementations, e.g., see [70]. Nevertheless, the entire TCP/IP ecosystem can be at risk, and we refer the interest reader to [71] for a survey. ...
Preprint
Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. In this paper, we put forward a novel attacker model aiming at turning FL systems into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants, and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a single bit.
... Bauer [11] suggests a protocol "Muted Posthorn" that allows to create an anonymous overlay network by exploiting the web browsing activities of regular users. The protocol uses five HTTP/HTML mechanisms: redirects, cookies, Referer headers, HTML elements and Active contents. ...
Article
Network steganography consists of different steganographic techniques that utilize network protocols for hiding data. We present nine new covert channels which utilize the new standard, HTTP/2, and which can be used regardless of its transport carrier (TLS or clear TCP). These covert channels use a protocol feature that has a dual nature (for example, no padding can be represented in two ways); or a feature that is not mandatory (such as stream prioritization and dependencies); or a random-value field (such as the PING frame payload field); or a field for which there is no strict rule on how to obtain new values (such as stream identifiers). As far as we know, this is the first research about hiding data in HTTP/2. We also give a small survey of existing covert channels that can be created using HTTP/1.x, with an analysis of whether or not they work with HTTP/2.
Article
Conventional mobile communication systems often use one single channel for data transmission, i.e., mobile devices use the cellular network to transfer multimedia information. However, if attackers successfully hijack the single transmission channel, they can recover the communicated data. Focused on this issue, we introduce a Multichannel Communication System (MSYM), which aims to improve data communication security for Android devices. The key idea of our approach is to leverage the diversity of communication mechanisms (e.g., Wi-Fi/cellular network, Bluetooth, and SMS) for transferring sensitive data in a secure way. More specifically, we use the VpnService interface provided by the Android platform to intercept the network data delivered by a sender program. Then, we split the network data into different fragments and improve the security by disordering and encrypting them via multiple transmission channels. When the target Android device receives the data fragments from different channels, it can decrypt and reorder them to reassemble the original data. In the end, we reuse the VpnService interface to inject the network data into the receiver program. Our approach can be deployed in Android devices to secure communication without the need to modify the communication programs. In the evaluation, as a proof of concept, we implemented our approach on the Android system. The experimental results show that our prototype system can secure data transmission with moderate performance cost.
Chapter
Browser Fingerprinting is the process in which the device and browser-related properties (or attributes) are collected through the browser for various reasons, especially, for user identification. The user is monitored through the tracking and collection of technical information, also detecting intrinsic properties of the device being analyzed. In particular, the collected results provide, if properly combined, sufficient information to profile and even identify a device. Those attributes include system information, such as screen dimensions, software versions and plugins, user-installed system fonts list, time zone, language and browser configuration. Browser profiling techniques are activities that typically invade user privacy. The objective of this work is to use those technologies underlying profiling systems for a purpose opposite to the one just indicated, i.e., to provide a mechanism for protecting user privacy by creating hidden communication channels. Usually, privacy protection is achieved by using cryptographic techniques. The main limitation of those techniques consists in exposing not the content of the communication but the communication itself. In this paper, the use of Steganography is motivated by this. Considering the wide use of the web technologies, in addition to the increased attention to the privacy of users connected to the Network, the aim is to analyze and design a steganographic system in order to create a covert channel between two communicating peers through the HTTP protocol.
Chapter
This paper introduces a novel attack that can covertly exfiltrate data from a compromised network to a blocked external endpoint, using public web services as the intermediaries and exploiting both HTTP requests and DNS queries. We first identify at least 16 public web services and 2 public HTTP proxies that can serve this purpose. Then we build a prototype attack using these public services and experimentally confirm its effectiveness, including an average data transfer rate of 361 bits per second. Finally, we present the design, implementation and evaluation of a proof-of-concept defense that uses information-theoretic entropy of the DNS queries to detect this novel attack.
Article
Application-layer covert channels have been extensively studied in recent years. Ubiquitous application packets serving as covert carriers contain a considerable potential channel capacity. However, undetectability is still a challenging task to be resolved for practicability, as almost all existing covert channels are frustrated by specific detection methods. In this paper, we focus on the problem of undetectable application-layer covert channels. We found a natural HTTP behavior that distribution relationships between HTTP requests and flows are dynamic when opening a webpage. Motivated by this finding, we present a behavior-based covert channel, Lost in HTTP Behaviors (LiHB). LiHB embeds secret messages into request-flow distributions using combinatorics without changing any packet contents. Furthermore, LiHB achieves automatic coding with no need for a codebook. In particular, LiHB is able to penetrate web proxy to transmit information stealthily. To overcome limitations of LiHB, we propose an enhanced secure HTTP behavior-based covert channel (HBCC), which is statistically undetectable by shape and regularity tests. HBCC employs an independent and identically distributed (i.i.d.) inter-request delay (IRD) generator to maintain the request distribution of legitimate traffic, and mimics normal browsing patterns based on the frequent traversal sequences. Experimental results show LiHB and HBCC have a good performance and reliability, and HBCC outperforms LiHB in terms of channel capacity and undetectability.
Conference Paper
Application-layer covert channels have been extensively studied in recent years. Information hiding in ubiquitous application packets can significantly improve the capacity of covert channels. However, undetectability is still a knotty problem, because the existing covert channels are all frustrated by proper detection schemes. In this paper, we propose LiHB, a behavior-based covert channel in HTTP. When a client is browsing a website and downloading webpage objects, we can reveal some fluctuation behaviors: the distribution relationship between the ports opened and the HTTP requests is flexible. Based on the combinatorial nature of distributing N HTTP requests over M HTTP flows, such fluctuation can be exploited by the LiHB channel to encode covert messages, which can obtain high stealthiness. Besides, LiHB achieves a considerable and controllable capacity by setting the number of webpage objects and HTTP flows. Compared with existing techniques, LiHB is the first covert channel implemented based on the unsuspicious behavior of browsers, the most important application-layer software. Because most HTTP proxies are using NAPT techniques, LiHB can also operate well even when a proxy is deployed, which poses a serious threat to individual privacy. Experimental results show that the LiHB covert channel achieves good capacity, reliability and high undetectability.
Conference Paper
This paper describes how anonymity is achieved in gnunet, a framework for anonymous distributed and secure networking. The main focus of this work is gap, a simple protocol for anonymous transfer of data which can achieve better anonymity guarantees than many traditional indirection schemes and is additionally more efficient. gap is based on a new perspective on how to achieve anonymity. Based on this new perspective it is possible to relax the requirements stated in traditional indirection schemes, allowing individual nodes to balance anonymity with efficiency according to their specific needs.
Conference Paper
Based on the nomenclature of the early papers in the field, we propose a set of terminology which is both expressive and precise. More particularly, we define anonymity, unlinkability, unobservability, and pseudonymity (pseudonyms and digital pseudonyms, and their attributes). We hope that the adoption of this terminology might help to achieve better progress in the field by avoiding that each researcher invents a language of his/her own from scratch. Of course, each paper will need additional vocabulary, which might be added consistently to the terms defined here.
Conference Paper
We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits re-encryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal re-encryption can be done without knowledge of public keys. We propose an asymmetric cryptosystem with universal re-encryption that is half as efficient as standard ElGamal in terms of computation and storage. While technically and conceptually simple, universal re-encryption leads to new types of functionality in mixnet architectures. Conventional mixnets are often called upon to enable players to communicate with one another through channels that are externally anonymous, i.e., that hide information permitting traffic-analysis. Universal re-encryption lets us construct a mixnet of this kind in which servers hold no public or private keying material, and may therefore dispense with the cumbersome requirements of key generation, key distribution, and private-key management. We describe two practical mixnet constructions, one involving asymmetric input ciphertexts, and another with hybrid-ciphertext inputs.
Conference Paper
Currently known basic anonymity techniques depend on identity verification. If verification of user identities is not possible due to the related management overhead or a general lack of information (e.g. on the Internet), an adversary can participate several times in a communication relationship and observe the honest users. In this paper we focus on the problem of providing anonymity without identity verification. The notion of probabilistic anonymity is introduced. Probabilistic anonymity is based on a publicly known security parameter, which determines the security of the protocol. For probabilistic anonymity the insecurity, expressed as the probability of having only one honest participant, approaches 0 at an exponential rate as the security parameter is changed linearly. Based on our security model we propose a new MIX variant called "Stop-and-Go-MIX" (SG-MIX) which provides anonymity without identity verification, and prove that it is probabilistically secure.
Chapter
We present the architecture, design issues and functions of a MIX-based system for anonymous and unobservable real-time Internet access. This system prevents traffic analysis as well as flooding attacks. The core technologies include an adaptive, anonymous, time/volume-sliced channel mechanism and a ticket-based authentication mechanism. The system also provides an interface to inform anonymous users about their level of anonymity and unobservability.
Article
Remailers have permitted Internet users to take advantage of the medium as a means to communicate with others globally on sensitive issues while maintaining a high degree of privacy. Recent events have clearly indicated that privacy is increasingly at risk on the global networks. Individual efforts have, so far, worked well in maintaining for most Internet users a modicum of anonymity. With the growth of increasingly sophisticated techniques to defeat anonymity, there will be a need for both standards and policies to continue to make privacy on the Internet a priority.