A Systematic Analysis of Covert Channels in the Network Time Protocol

Hielscher, Jonas; Lamshöft, Kevin; Kraetzer, Christian; Dittmann, Jana

doi:10.1145/3465481.3470075

Cited by 6 publications

(7 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…According to RFC8915 the amount of cookies is implementation-dependent. In practice, eight cookies seem to be the standard 7 to provide the client with a proper amount of cookies while at the same time avoiding UDP fragmentation. However, a deviation from this standard may raise suspicion or could trigger anomaly detection systems.…”

Section: Covert Channels In Nts Key Establishmentmentioning

confidence: 99%

“…This resembles the Output-Feedback mode (OFB), known from block ciphers and allows to provide fresh pseudo-random IDs based on the initial secret. In Step (7) the next message chunk then gets embedded by XOR into this new UID and sent within the next NTS time request. For retrieval on the server side, the server seeds the PRNG with the shared secret 𝐾 𝑆𝑡𝑒𝑔 (8) and generates a pseudorandom ID as well.…”

Section: Nts-uid Covert Channel Design and Proof-of-conceptmentioning

confidence: 99%

“…This paper aims at closing that gap. In the past related protocols, namely NTP and PTP were analysed in regards to their potential to be used as carrier for covert channels [7,9], for example to covertly infiltrate or exfiltrate information out of network, or to establish Command-and-Control channels (shortened C2 channel). Therefore, in this paper we want to shed light on the threat of covert channels in the novel Network Time Security protocol as the use of cryptography adds further options to establish covert channels and makes their detection even harder.…”

Section: Introductionmentioning

confidence: 99%

“…In the past, many network protocols were investigated in regards to their susceptibility to covert channels, for example IPv6 [13,16], DNS [22], MQTT [18], Modbus/TCP [11] and Syslog [10]. In the context of time synchronization protocols, the Network Time Protocol (NTP) has been investigated in depth by Hielscher et al [7] in 2021, identifying 49 potential covert channels. Before that Ameri and Johnson proposed a covert channel in NTP using a part of timestamp field [2] in 2017.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Covert Channels in Network Time Security

Lamshöft

Dittmann

2022

Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security

Self Cite

View full text Add to dashboard Cite

Network Time Security (NTS) specified in RFC8915 is a mechanism to provide cryptographic security for clock synchronization using the Network Time Protocol (NTP) as foundation. By using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) NTS is able to ensure integrity and authenticity between server and clients synchronizing time. However, in the past it was shown that time synchronisation protocols such as the Network Time Protocol (NTP) and the Precision Time Protocol (PTP) might be leveraged as carrier for covert channels, potentially infiltrating or exfiltrating information or to be used as Commandand-Control channels in case of malware infections. By systematically analyzing the NTS specification, we identified 12 potential covert channels, which we describe and discuss in this paper. From the 12 channels, we exemplary selected an client-side approach for a proof-of-concept implementation using NTS random UIDs. Further, we analyze and investigate potential countermeasures and propose a design for an active warden capable of mitigating the covert channels described in this paper.

show abstract

Section: Covert Channels In Nts Key Establishmentmentioning

confidence: 99%

Section: Nts-uid Covert Channel Design and Proof-of-conceptmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Covert Channels in Network Time Security

Lamshöft

Dittmann

2022

Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Covert channel is a communication channel that can be used to transfer data bypassing the prohibition of the access control policies. The previous studies have proposed some methods for identifying covert channels [13][14][15] .…”

Section: Introductionmentioning

confidence: 99%

Implementation of multi-domain isolation architecture and communication mechanism in Linux

Lan

Zou

2022

Third International Conference on Computer Science and Communication Technology (ICCSCT 2022)

View full text Add to dashboard Cite

Multiple Independent Levels of Security (MILS) is widely used in the design of high assurance operating system. By separating the system into components, and making the components run in different domains, the kernel can control and monitor information flow between components to enhance the security and availability of system. However, due to the complexity and certification cost issue associate with large monolithic kernel, MILS architecture is mainly used in microkernel system. But we still want to use the idea of MILS in monolithic kernel system to improve the security. In the Linux, although there are some access control models based on the concept of domain (like SELinux). Limited by the feature of shared kernel, the security of system is affected by the vulnerabilities in itself. Therefore, this paper proposes a scheme of constructing multiple independent isolated domains based on virtualization technology in Linux. We developed on Linux kernel and QEMU/KVM hypervisor, exploiting the isolation feature brought by virtualization to achieve data isolation. We build domain from virtual machine, so that we can separate origin system into components and run them in domains. In the host, we take control of all domains and implements a secure communication mechanism between domains. By using this secure channel, we can monitor the data transmission between domains, and control the information flow according to the security level of the domain. Finally, we evaluated the effectiveness and efficiency of our communication mechanism.

show abstract

Analysis of Reversible Network Covert Channels

et al. 2022

View full text Add to dashboard Cite

In the last years, the utilization of information hiding techniques for empowering modern strains of malware has become a serious concern for security experts. Such an approach allows attackers to act in a stealthy manner, for instance, to covertly exfiltrate confidential data or retrieve additional command & control payloads for the operation of malware. Therefore, the deep understanding of data hiding mechanisms is a core requirement, as it allows designing effective countermeasures. Unfortunately, the most recent evolution of information-hiding-capable threats enjoys reversible properties, i.e., the abused network flow is restored to its original form. Hence, detection approaches based on the comparison of different traffic samples may not work anymore. In this paper, we further investigate various methods for performing reversible data hiding for network covert channels. Specifically, we extend our previous research by considering different scenarios focusing on IPv4 traffic and HTTP conversations. The results confirm that reversibility can be used in various network conditions and is not impaired by middleboxes. In addition, engineering countermeasures or mitigation techniques could be difficult, thus requiring to consider reversible mechanisms already in the early design stages of a protocol/deployment.

show abstract

A Systematic Analysis of Covert Channels in the Network Time Protocol

Cited by 6 publications

References 29 publications

Covert Channels in Network Time Security

Covert Channels in Network Time Security

Implementation of multi-domain isolation architecture and communication mechanism in Linux

Analysis of Reversible Network Covert Channels

Contact Info

Product

Resources

About