DOI: 10.1145/3531536.3532947
Research article, open access

Covert Channels in Network Time Security

Published: 23 June 2022

Abstract

Network Time Security (NTS), specified in RFC 8915, is a mechanism that provides cryptographic security for clock synchronization, using the Network Time Protocol (NTP) as its foundation. By using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD), NTS is able to ensure integrity and authenticity between a server and the clients synchronizing time. However, it was shown in the past that time synchronisation protocols such as NTP and the Precision Time Protocol (PTP) might be leveraged as carriers for covert channels, potentially infiltrating or exfiltrating information, or serving as Command-and-Control channels in case of malware infections. By systematically analyzing the NTS specification, we identified 12 potential covert channels, which we describe and discuss in this paper. From the 12 channels, we selected, as an example, a client-side approach for a proof-of-concept implementation using NTS random UIDs. Further, we analyze and investigate potential countermeasures and propose a design for an active warden capable of mitigating the covert channels described in this paper.

Cited By

  • (2024) Gaming the system: tetromino-based covert channel and its impact on mobile security. International Journal of Information Security 23:4 (3007-3027). DOI: 10.1007/s10207-024-00875-3. Online publication date: 1-Aug-2024
  • (2024) Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review. Digital Forensics and Cyber Crime (33-57). DOI: 10.1007/978-3-031-56580-9_3. Online publication date: 3-Apr-2024
  • (2023) Nero: A Deterministic Leaderless Consensus Algorithm for DAG-Based Cryptocurrencies. Algorithms 16:1 (38). DOI: 10.3390/a16010038. Online publication date: 7-Jan-2023

Published In

IH&MMSec '22: Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security
June 2022
177 pages
ISBN: 9781450393553
DOI: 10.1145/3531536
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. active warden
  2. clock synchronization
  3. covert channels
  4. information hiding
  5. network covert channels
  6. network protocol security
  7. network security
  8. network time protocol
  9. network time security
  10. steganography
  11. time synchronization

Conference

IH&MMSec '22
Acceptance Rates

Overall Acceptance Rate 128 of 318 submissions, 40%
