DOI: 10.5555/1267336.1267341

Keyboards and covert channels

Published: 31 July 2006

Abstract

This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data without compromising the host or its software. In particular, we show a practical Keyboard JitterBug that solves the data exfiltration problem for keystroke loggers by leaking captured passwords through small variations in the precise times at which keyboard events are delivered to the host. Whenever an interactive communication application (such as SSH, Telnet, instant messaging, etc.) is running, a receiver monitoring the host's network traffic can recover the leaked data, even when the session or link is encrypted. Our experiments suggest that simple Keyboard JitterBugs can be a practical technique for capturing and exfiltrating typed secrets under conventional OSes and interactive network applications, even when the receiver is many hops away on the Internet.


Published In

USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
July 2006
33 pages

Sponsors

  • ACCURATE
  • USENIX Association

Publisher

USENIX Association

United States

Qualifiers

  • Article
