
New Covert Channels in HTTP: Adding Unwitting Web Browsers to Anonymity Sets

Authors: Matthias Bauer

Abstract

This paper presents new methods enabling anonymous communication on the Internet. We describe a new protocol that allows us to create an anonymous overlay network by exploiting the web browsing activities of regular users. We show that the overlay network provides an anonymity set greater than the set of senders and receivers in a realistic threat model. In particular, the protocol provides unobservability in our threat model.
arXiv:cs/0404054v1 [cs.CR] 26 Apr 2004
New Covert Channels in HTTP
Adding Unwitting Web Browsers to Anonymity Sets
Matthias Bauer
Institut für Informatik
Martensstrasse 3
91058 Erlangen, Germany
matthiasb@acm.org
ABSTRACT
Categories and Subject Descriptors
General Terms
Keywords
1. INTRODUCTION
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
WPES'03, October 30, 2003, Washington, DC, USA.
Copyright 2003 ACM 1-58113-776-1/03/0010 ...$5.00.
2. THREAT MODEL
3. BACKGROUND
(public key, private key)
4. RELATED WORK
5. SERVER–TO–SERVER CHANNEL THROUGH UNWITTING CLIENTS
5.0.1 Redirects
5.0.2
5.0.3 Referer
5.0.4 HTML Elements
5.0.5 Active Content
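Section 5 names the HTTP features that let one server hand data to another through a client that is only doing ordinary browsing. The following Python simulation is an added example, not code from the paper: server A hides a payload in the Location header of a 302 redirect, the unwitting client follows it and attaches a Referer, and server B recovers the payload from the request URL while the Referer arrives as a second carrier (A chooses the URL of the page it serves, and the client repeats it to B). The host names, the query parameter name sid and the base64 framing are assumptions made for the example.

```python
"""Simulated redirect/Referer covert channel between two HTTP servers through a
browsing client (added illustration; not the paper's code). Host names, the
parameter name 'sid' and the base64 framing are assumptions."""
import base64
from urllib.parse import parse_qs, urlencode, urlsplit


def encode_payload(data: bytes) -> str:
    # URL-safe base64 without padding: looks like an ordinary session token.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> bytes:
    pad = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + pad)


def server_a_response(payload: bytes, target: str = "http://b.example/img.gif") -> str:
    """Server A answers a normal page request with a redirect whose query
    string carries the covert payload (Section 5.0.1, Redirects)."""
    location = target + "?" + urlencode({"sid": encode_payload(payload)})
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def client_follow(response: str, referer: str) -> str:
    """Unwitting client: parse the redirect, request Location and attach the
    page it came from as Referer, as browsers do when their referrer policy
    allows it (Section 5.0.3, Referer)."""
    headers = {}
    for line in response.split("\r\n")[1:]:
        if not line:
            break
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    parts = urlsplit(headers["location"])
    path = parts.path + ("?" + parts.query if parts.query else "")
    return f"GET {path} HTTP/1.1\r\nHost: {parts.netloc}\r\nReferer: {referer}\r\n\r\n"


def server_b_receive(request: str) -> dict:
    """Server B: recover the payload from the query string and record the
    Referer, which repeats whatever URL server A chose for its own page."""
    request_line, _, rest = request.partition("\r\n")
    _, path, _ = request_line.split(" ")
    qs = parse_qs(urlsplit(path).query)
    headers = {
        k.strip().lower(): v.strip()
        for k, _, v in (ln.partition(":") for ln in rest.split("\r\n") if ln)
    }
    return {
        "payload": decode_payload(qs["sid"][0]),
        "referer": headers.get("referer", ""),
    }


def run_channel(payload: bytes) -> dict:
    """End-to-end: A -> client -> B. The Referer value is a constructed sample
    standing for the page on A that the client had loaded before the redirect."""
    resp = server_a_response(payload)
    req = client_follow(resp, referer="http://a.example/news?id=42")
    return server_b_receive(req)


if __name__ == "__main__":
    print(run_channel(b"hello"))
```

Two caveats for anyone reproducing this today: current browsers apply a default referrer policy of strict-origin-when-cross-origin, which reduces a cross-origin Referer to the origin, so the Referer carrier only works across origins if the page sets a more permissive policy; the redirect carrier is unaffected, and on a redirect the browser keeps the Referer of the page that started the navigation, not the URL of the redirecting server.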
6. THE MUTED POSTHORN: A CHAUMIAN MIX ON BANNER ADVERTS
6.1 The Setup
(publickey, secretkey)
6.2 A first Version
$$m_{i+1} = \text{To:} \,\|\, n_i \,\|\, E_{n_i}(m_i)$$

where $m_0$ is the original message, $n_i$ the node that is to open layer $i$, and $E_n(m)$ the encryption of message $m$ for node $n$.
6.3 DoS attack on the first protocol
$$m_{i+1} = \text{To:} \,\|\, n_i \,\|\, \text{Ack:} \,\|\, h(m_i) \,\|\, E_{n_i}(m_i)$$
Figure (message pool and mailboxes): Message Pool: To: node1 || E_node1(mess1) || Pad; To: node2 || Pad || E_node2(mess2); Ack: 0x123456, 0xabcdef. Mailboxes: mbox1: Pad || message_a; mbox2: message_b || Pad; Ack (node2): ack1, ack2 || Pad. Entries are padded to a fixed length; the hash field of h has length |h()|.
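The two constructions of 6.2 and 6.3 as an added worked example in Python (not the paper's code): build wraps m_0 layer by layer as m_{i+1} = To:||n_i||E_{n_i}(m_i), optionally with the Ack:||h(m_i) field of 6.3, and peel lets each node open its layer and, when the field is present, compare h over the decrypted message with the Ack: field before acknowledging it, which is how the ack mailboxes of the figure are read here. E_n(m) is modelled with a per-node symmetric key and a SHA-256 keystream so the block runs with the standard library alone, whereas the paper's E_n encrypts to node n's public key; that substitution, the length-prefixed framing of the node name, the choice of SHA-256 for h, and the node names and keys are assumptions.

```python
"""Layered messages of Sections 6.2/6.3 (added illustration; not the paper's
code). E_n is a symmetric stand-in for the paper's public-key encryption; the
field framing, hash function and node names are assumptions."""
import hashlib
import hmac
import os

H_LEN = 32  # |h()|: size of the hash field; SHA-256 here (assumption)


def h(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def E(key: bytes, m: bytes) -> bytes:
    """Stand-in for E_n(m): random nonce || m XOR keystream(key, nonce)."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))


def D(key: bytes, c: bytes) -> bytes:
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wrap(m_i: bytes, n_i: str, key_i: bytes, with_ack: bool) -> bytes:
    """m_{i+1} = To:||n_i||[Ack:||h(m_i)||]E_{n_i}(m_i).
    The node name is length-prefixed so the fields can be parsed again."""
    name = n_i.encode()
    out = b"To:" + bytes([len(name)]) + name
    if with_ack:
        out += b"Ack:" + h(m_i)
    return out + E(key_i, m_i)


def build(m_0: bytes, route: list, keys: dict, with_ack: bool):
    """Wrap m_0 for route [n_0, ..., n_k]: n_0 is the final recipient, n_k the
    first node to open the message. Returns the outer message and the hashes
    h(m_i) the sender expects to see acknowledged, in processing order."""
    m, expected = m_0, []
    for n in route:
        expected.append((n, h(m)))
        m = wrap(m, n, keys[n], with_ack)
    return m, list(reversed(expected))


def peel(n: str, key: bytes, m: bytes) -> tuple:
    """Node n_i opens m_{i+1} and returns (m_i, ack hash or None). With the
    6.3 field, a layer whose ciphertext was damaged or swapped for another is
    rejected here, so the node only acknowledges what the sender wrapped."""
    if not m.startswith(b"To:"):
        raise ValueError("missing To: field")
    ln = m[3]
    name, rest = m[4:4 + ln].decode(), m[4 + ln:]
    if name != n:
        raise ValueError("not addressed to " + n)
    ack = None
    if rest.startswith(b"Ack:"):
        ack, rest = rest[4:4 + H_LEN], rest[4 + H_LEN:]
    inner = D(key, rest)
    if ack is not None and not hmac.compare_digest(ack, h(inner)):
        raise ValueError("Ack: hash does not match the decrypted message")
    return inner, ack


def deliver(m: bytes, route: list, keys: dict):
    """Drive the message through n_k, ..., n_0 and collect the acks each node
    would publish to its mailbox. Returns (m_0, [(node, h(m_i)), ...])."""
    acks = []
    for n in reversed(route):
        m, ack = peel(n, keys[n], m)
        if ack is not None:
            acks.append((n, ack))
    return m, acks


if __name__ == "__main__":
    # Constructed sample: two nodes with made-up keys; node1 is the recipient.
    keys = {"node1": b"\x01" * 32, "node2": b"\x02" * 32}
    route = ["node1", "node2"]
    outer, expected = build(b"message_a", route, keys, with_ack=True)
    plain, acks = deliver(outer, route, keys)
    print(plain, acks == expected)
```

The sender keeps the list returned by build and compares it with the ack mailboxes; a missing h(m_i) tells it which hop dropped the message, while a node receiving a blob whose Ack: field does not match what it decrypts discards it instead of acknowledging it.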
6.4 Properties of the Protocol
7. UNSOLVED PROBLEMS AND DIRECTIONS FOR FUTURE RESEARCH
(Group, Generator)
8. SUMMARY
9. ACKNOWLEDGEMENTS
10. REFERENCES
... The HTTP is a stateless network protocol that allows the transport of hypertext documents and is mostly used to deliver web-content from a web server to a client application (mostly web browsers). In [4], several HTTP-based indirect CCs have been described that allow the exchange of CI between two HTTP servers through a client system. For HTTP.1, a server forces a client to transport CI via a redirect to another server. ...
... Considered overall, it is difficult to make an exact classification of the best and most innovative covert channels, as these depend on various factors and each surveyed indirect CC contributes different ideas. If there is one publication to pick for each indirect CC pattern, in our opinion for the redirector pattern, the CCs presented in [4] are remarkable, as they are able to transmit a large amount of CI utilizing a widespread carrier protocol. For the redirector pattern, [34] is impressive as the publication shows how redirectors can be implemented with various protocols, crossing logical separation. ...
... Each single warden is in a position to detect this violation on its own. 1 and 2 will for example only observe the SYN packet but never the ACK. 3 can detect the protocol-violating behavior of an acknowledgment sent to another host. 4 and 5 may detect an ACK in absence of a SYN, which is never supposed to happen (except for the so-called cold start problem [21]). Such a behavior is also observable with ARP.3, where the protocol is violated by broadcast source IPs that are not used for ARP-requests and can be observed by all wardens. ...
Conference Paper
Within the last few years, indirect network-level covert channels have experienced a renaissance with new ideas and evolving concepts. Logical network separation may now be crossed and the sending and receiving activities can be performed with temporal distance between sending and receiving operations. Despite these new developments, all indirect network covert channels share certain basic principles that allow a categorization. So far, the concepts of indirect network-level covert channels have never been systematized. In this paper, we introduce a taxonomy containing indirect covert channel patterns that allow a differentiated analysis of all known indirect network-level covert channels. We introduce additional definitions to unify the understanding of the domain and further identify crucial features of indirect covert channels to make them comparable and describable. We further discuss application scenarios as well as potential and already evaluated countermeasures against indirect covert channels. Further, we discuss observable trends and anticipated future developments in the research area of indirect network-level covert channels.
... HTTP The HTTP is a stateless network protocol that allows the transport of hypertext documents and is mostly used to deliver web content from a web server to a client application (mostly web browsers). In [14], several HTTP-based indirect CCs have been described that allow the exchange of CI between two HTTP servers through a client system. For HTTP.1, a server forces a client to transport CI via a redirect to another server. ...
... Considered overall, it is difficult to make an exact classification of the best and most innovative CCs, as these depend on various factors and each surveyed indirect CC contributes different ideas. If we are to pick one single publication for each indirect CC pattern, in our opinion for the redirector pattern, the CCs presented in [14] are remarkable, as they are able to transmit a large amount of CI utilizing a widespread carrier protocol. For the redirector pattern, [122] is impressive as the publication shows how redirectors can be implemented with various protocols, crossing logical separation. ...
Thesis
Network-level covert channels can be considered as parasitic communication, nesting into legitimate overt communication in a way that was not foreseen by the creators of the protocol. Thus, such covert communication is threatening the integrity of the defined rules of network communication. Since first mentioned in the 1970s, covert channels have been described for numerous network-level communication protocols, and it can be considered that for each network protocol defined there also exists a covert channel, even if it may not have been described yet. The concepts of covert channels have experienced revolutionary developments within the last decade, creating highly sophisticated information hiding techniques within network traffic that are designed to deceive wardens. This thesis covers three novel approaches for such sophisticated covert channels. First, indirect network-level covert channels that rely on the exploitation of an intermediate third-party system are investigated. Therefore, all known indirect network-level covert channels are surveyed and transferred into a novel pattern-based taxonomy. Our categorization enables the unification of the understanding of this subdomain and standardizes the description of such channels. Further, potential application scenarios and countermeasures against these sophisticated indirect covert channels are described. Second, a novel detection approach is introduced, which allows the detection of reversible and plausibly deniable covert channels. Such channels restore the original information and have therefore not been detectable, or have been hard to detect, for example if the cover information is (pseudo-)randomly distributed. Such an implementation has recently been published and relies on one-time password chains that are created by computationally intensive hash operations.
The detector is based upon elongated packet runtimes, caused by the computationally intensive operations that are necessary to restore the original information, achieving reversibility. Further, we introduce a novel computationally intensive covert channel exploiting nonce-based challenge-response authentication to create a plausibly deniable and reversible communication channel to test the portability of the introduced detector. Third, a novel type of covert channel is introduced, the so-called history covert channel. The presented proof of concept implementation allows the transfer of covert information without modifying, creating, or manipulating legitimate traffic. The approach utilizes legitimate network broadcast packets and signals that information to be passed has been observed lately. This concept of splitting data and signaling traffic significantly reduces the amount of information that needs to be transmitted from a covert sender to a covert receiver. Further, we evaluate the robustness and optimization of our implementation in two testbeds.
... Most authors considered encapsulation of hidden communications in application-layer network protocols. Being the main application-level protocol, HTTP is the primary target for covert channel implementations, e.g., see [5]. Nevertheless, the entire TCP/IP ecosystem can be at risk, and we refer the interested reader to [51] for a survey. ...
Article
Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. This paper proves that FL systems can be turned into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a sequence of bits. We mounted our attack on an FL system to verify its feasibility. Experimental evidence shows that this covert channel is reliable, efficient, and extremely hard to counter. These results highlight that our new attacker model threatens FL infrastructures.
... Lastly, covert channels can be also used to elude wiretapping in regimes or to protect sources in investigative journalism [12]. Thus, IPv6CC can offer a basic privacy-enforcing communication service or can be used to test if a scenario is resistant against unwanted data leakages (e.g., for industrial espionages). ...
Article
IPv6CC is a suite of network covert channels targeting the IPv6 protocol. Its main scope is supporting penetration test campaigns to evaluate the security of a system against emerging information-hiding- capable attacks or steganographic malware. This paper presents the techniques used to inject data within IPv6 packets, the reference use case and the software architecture of the suite. It also showcases a performance evaluation of the different covert channels offered by IPv6CC, as well as an analysis of their ability to bypass some de-facto standard security tools.
... This also means that the data hiding approach is preserving the structure of the utilized hidden data carrier (in our case, a code). Note that currently typical techniques representing this pattern involve modification of the fields in network protocols like IPv4 (IP ID field) [22], first sequence number of a TCP connection, i.e., the Initial Sequence Number (ISN) [22], or cookie in HTTP messages [3]. However, our method is crafted to modify the web content that the web client is requesting, i.e., JavaScript code. ...
... Most authors considered encapsulation of hidden communications in application-layer network protocols. Being the main application-level protocol, HTTP is the primary target for covert channel implementations, e.g., see [70]. Nevertheless, the entire TCP/IP ecosystem can be at risk, and we refer the interested reader to [71] for a survey. ...
Preprint
Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. In this paper, we put forward a novel attacker model aiming at turning FL systems into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants, and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a single bit.
Article
Proposed as a solution to mitigate the privacy implications related to the adoption of deep learning, Federated Learning (FL) enables large numbers of participants to successfully train deep neural networks without revealing the actual private training data. To date, a substantial amount of research has investigated the security and privacy properties of FL, resulting in a plethora of innovative attack and defense strategies. This paper thoroughly investigates the communication capabilities of an FL scheme. In particular, we show that a party involved in the FL learning process can use FL as a covert communication medium to send an arbitrary message. We introduce FedComm, a novel covert-communication technique that enables robust sharing and transfer of targeted payloads within the FL framework. Our extensive theoretical and empirical evaluations show that FedComm provides a stealthy communication channel, with minimal disruptions to the training process. Our experiments show that FedComm successfully delivers 100% of a payload in the order of kilobits before the FL procedure converges. Our evaluation also shows that FedComm is independent of the application domain and the neural network architecture used by the underlying FL scheme.
Article
Conventional mobile communication systems often use one single channel for data transmission, i.e., mobile devices use the cellular network to transfer multimedia information. However, if attackers successfully hijack the single transmission channel, they can recover the communicated data. Focused on this issue, we introduce a Multichannel Communication System (MSYM), which aims to improve the data communication security for Android devices. The key idea of our approach is to leverage the diversity of communication mechanisms (e.g., Wi-Fi/cellular network, Bluetooth, and SMS) for transferring sensitive data in a secure way. More specifically, we use the VpnService interface provided by the Android platform to intercept the network data delivered by a sender program. Then, we split the network data into different fragments and improve the security by disordering and encrypting them via multiple transmission channels. When the target Android device receives the data fragments from different channels, it can decrypt and reorder them to reassemble the original data. In the end, we reuse the VpnService interface to inject the network data into the receiver program. Our approach can be deployed in Android devices to secure communication without the need of modifying the communication programs. In the evaluation, as a proof of concept, we implemented our approach on the Android system. The experimental results show that our prototype system can secure data transmission with moderate performance cost.
Chapter
Browser Fingerprinting is the process in which the device and browser-related properties (or attributes) are collected through the browser for various reasons, especially, for user identification. The user is monitored through the tracking and collection of technical information, also detecting intrinsic properties of the device being analyzed. In particular, the collected results provide, if properly combined, sufficient information to profile and even identify a device. Those attributes include system information, such as screen dimensions, software versions and plugins, user-installed system fonts list, time zone, language and browser configuration. Browser profiling techniques are activities that typically invade user privacy. The objective of this work is to use those technologies underlying profiling systems for a purpose opposite to the one just indicated, i.e., to provide a mechanism for protecting user privacy by creating hidden communication channels. Usually, privacy protection is achieved by using cryptographic techniques. The main limitation of those techniques consists in exposing not the content of the communication but the communication itself. In this paper, the use of Steganography is motivated by this. Considering the wide use of the web technologies, in addition to the increased attention to the privacy of users connected to the Network, the aim is to analyze and design a steganographic system in order to create a covert channel between two communicating peers through the HTTP protocol.
Conference Paper
This paper describes how anonymity is achieved in gnunet, a framework for anonymous distributed and secure networking. The main focus of this work is gap, a simple protocol for anonymous transfer of data which can achieve better anonymity guarantees than many traditional indirection schemes and is additionally more efficient. gap is based on a new perspective on how to achieve anonymity. Based on this new perspective it is possible to relax the requirements stated in traditional indirection schemes, allowing individual nodes to balance anonymity with efficiency according to their specific needs.
Conference Paper
Based on the nomenclature of the early papers in the field, we propose a set of terminology which is both expressive and precise. More particularly, we define anonymity, unlinkability, unobservability, and pseudonymity (pseudonyms and digital pseudonyms, and their attributes). We hope that the adoption of this terminology might help to achieve better progress in the field by avoiding that each researcher invents a language of his/her own from scratch. Of course, each paper will need additional vocabulary, which might be added consistently to the terms defined here.
Conference Paper
We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits re-encryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal re-encryption can be done without knowledge of public keys. We propose an asymmetric cryptosystem with universal re-encryption that is half as efficient as standard ElGamal in terms of computation and storage. While technically and conceptually simple, universal re-encryption leads to new types of functionality in mixnet architectures. Conventional mixnets are often called upon to enable players to communicate with one another through channels that are externally anonymous, i.e., that hide information permitting traffic-analysis. Universal re-encryption lets us construct a mixnet of this kind in which servers hold no public or private keying material, and may therefore dispense with the cumbersome requirements of key generation, key distribution, and private-key management. We describe two practical mixnet constructions, one involving asymmetric input ciphertexts, and another with hybrid-ciphertext inputs.
Conference Paper
Currently known basic anonymity techniques depend on identity verification. If verification of user identities is not possible due to the related management overhead or a general lack of information (e.g. on the Internet), an adversary can participate several times in a communication relationship and observe the honest users. In this paper we focus on the problem of providing anonymity without identity verification. The notion of probabilistic anonymity is introduced. Probabilistic anonymity is based on a publicly known security parameter, which determines the security of the protocol. For probabilistic anonymity the insecurity, expressed as the probability of having only one honest participant, approaches 0 at an exponential rate as the security parameter is changed linearly. Based on our security model we propose a new MIX variant called "Stop-and-Go-MIX" (SG-MIX) which provides anonymity without identity verification, and prove that it is probabilistically secure.
Article
In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of “blending into a crowd,” operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.
Chapter
We present the architecture, design issues and functions of a MIX-based system for anonymous and unobservable real-time Internet access. This system prevents traffic analysis as well as flooding attacks. The core technologies include an adaptive, anonymous, time/volume-sliced channel mechanism and a ticket-based authentication mechanism. The system also provides an interface to inform anonymous users about their level of anonymity and unobservability.