DOI: 10.1145/3407023.3409207
research-article

Covert storage caches using the NTP protocol

Published: 25 August 2020

Abstract

Recently, new methods were discovered to secretly store information in network protocol caches by exploiting functionalities of ARP and SNMP. Such a covert storage cache is referred to as a "Dead Drop". In our present research, we demonstrate that hidden information can also be stored on systems with an active NTP service. We present one method based upon ephemeral associations and one method based upon the most recently used (MRU) list and measure their storage duration and capacity. Our approach improves on the previous approach with ARP, as it allows hidden information to be transported across the internet and thus outside of local area networks. The preliminary results for both Dead Drops indicate that more than 100 entries with secret data can persist for several hours. Finally, we discuss the detectability and countermeasures of the proposed methods as well as their limitations.


    Published In

    ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
    August 2020
    1073 pages
    ISBN: 9781450388337
    DOI: 10.1145/3407023
    Program Chairs: Melanie Volkamer, Christian Wressnegger
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. NTP
    2. covert storage cache
    3. dead drops
    4. information hiding
    5. network covert channels
    6. network security
    7. network steganography
    8. steganography

    Qualifiers

    • Research-article

    Conference

    ARES 2020

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%

    Cited By

    • (2024) Dead Drop Covert Channel Technique Using Windows Registry. Information System Design: Communication Networks and IoT. DOI: 10.1007/978-981-97-4895-2_5, pp. 55-65. Online publication date: 8-Oct-2024
    • (2023) A Walk-through towards Network Steganography Techniques (Краткий обзор методов сетевой стеганографии). Informatics and Automation (Информатика и автоматизация). DOI: 10.15622/ia.22.5.6, 22:5, pp. 1103-1151. Online publication date: 25-Sep-2023
    • (2023) FIHIM: a framework for information hiding in IPv6 using micro-protocols. International Journal of Information Technology. DOI: 10.1007/s41870-023-01511-4. Online publication date: 4-Oct-2023
    • (2022) Covert Channels in Network Time Security. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security. DOI: 10.1145/3531536.3532947, pp. 69-79. Online publication date: 23-Jun-2022
    • (2022) SoK. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security. DOI: 10.1145/3488932.3517418, pp. 546-560. Online publication date: 30-May-2022
    • (2022) Performance Impact of Header-Based Network Steganographic Countermeasures. IEEE Access. DOI: 10.1109/ACCESS.2022.3202556, 10, pp. 92446-92453. Online publication date: 2022
    • (2022) ZM-CTC. Computer Communications. DOI: 10.1016/j.comcom.2021.10.040, 182:C, pp. 212-222. Online publication date: 15-Jan-2022
    • (2021) A Systematic Analysis of Covert Channels in the Network Time Protocol. Proceedings of the 16th International Conference on Availability, Reliability and Security. DOI: 10.1145/3465481.3470075, pp. 1-11. Online publication date: 17-Aug-2021
