BEGIN:VCALENDAR VERSION:2.0 PRODID:-//Talks.cam//talks.cam.ac.uk// X-WR-CALNAME:Talks.cam BEGIN:VEVENT SUMMARY:Covert channels in TCP/IP: attack and defence - Steven J. Murdoch\ , University of Cambridge DTSTART:20060131T161500Z DTEND:20060131T171500Z UID:TALK5486@talks.cam.ac.uk CONTACT:Saar Drimer DESCRIPTION: This talk will show how idiosyncrasies in TCP/IP implementati ons can be used to reveal the use of several steganography schemes\, and h ow they can be fixed. The analysis can even be extended to remotely identi fy the physical machine being used.\n\nA number of steganography technique s have been designed to insert a covert channel into seemingly random TCP/ IP fields\, such as the IP ID\, TCP initial sequence number (ISN) or the l east significant bits of the TCP timestamp. While compliant with the TCP/I P specification\, their output is unlike that an unmodified operating syst em would generate. This talk will show how by taking in account the implem entation of the TCP/IP stack\, a number of such specification-based stegan ography schemes can be broken. This includes Nushu\, an ISN based scheme p resented at 21C3.\n\nFirstly the talk will introduce the field of covert c hannels and TCP/IP steganography in particular\, giving an overview of the steganographic potential of different fields in the protocol. This will s how that only the IP ID and TCP ISN can be plausibly used for steganograph y. The talk will then describe how these fields are generated\, and how st eganography schemes which do not properly take in account these algorithms can be detected.\n\nThe talk will then present improved TCP/IP steganogra phy schemes for Linux and OpenBSD which\, by deriving a reversible transfo rmation from the standard TCP/IP stacks' implementation\, make a much hard er to detect covert channel. Such a scheme can be shown to be as strong as the underlying encryption\, when attacked by an adversary monitoring pack et content.\n\nFinally\, a side effect of the steganography detection syst em is to reveal microsecond-level deviations in the clock speed of the dev ice being monitored. Clock-skew varies from computer to computer so can ac t as a fingerprint of a particular physical device. This talk will show ho w this fact can be used to track physical devices across the Internet\, an d how the use of TCP ISNs can improve over schemes based on TCP timestamps .\n\nThis work was done in conjunction with Stephen Lewis. LOCATION:Lecture Theatre 2\, Computer Laboratory\, William Gates Building END:VEVENT END:VCALENDAR