Monday, 26 December 2011

Interesting CS/Psych. Articles/Papers (Dec-27-2011)

I recently read some very interesting CS papers, of which I want to recommend the most interesting subset to my readers. As some of you probably know, I have become interested in HCI-related topics, which is obviously reflected in my recommendations.
  1. J. Roberson and B. Nardi: Survival Needs and Social Inclusion: Technology Use Among the Homeless, in Proc. Conf. Computer Supported Cooperative Work (CSCW), ACM, pp. 445-448, 2010.
    • You will be surprised at how useful information technology has become for homeless people. Read the article (pdf)
  2. From the same proceedings: Xiang Cao et al.: Understanding Family Communication across Time Zones (pp. 155-158).
    • I guess that one is currently interesting for me since I face such a time-zone-difference situation at the moment. Read the article (pdf)
  3. B. Lampson: Privacy and Security. Usable Security: How to Get It?, In ACM Comm. Viewpoint, Nov-2009, Vol. 52(11), pp. 25-27, 2009.
    • This article deals with the problem of usability in the context of IT security and describes some basic problems such as customers' understanding of security methods and the industry's motivation to enhance security. Read the article
  4. L. Fortnow: Time for Computer Science to Grow Up, In ACM Comm. Viewpoint, Aug-2009, Vol. 52(8), pp. 33-35, 2009.
    • This article is about the value of journal articles in CS in relation to conference papers. Very interesting to read. Read the article

Tuesday, 20 December 2011

Steganographic Ducks ;)

One of the nice things here at Waikato's campus is the ducks (and all the other animals). However, as shown in the photo, the ducks are pretty good at hiding themselves. You will probably find a few of the ducks in the picture (poor quality, taken with my mobile), but there are plenty of them. Ergo, nature is good at steganography, too.

Friday, 16 December 2011

New Publication: Introduction to Covert Channels

A short introduction to the research topic of covert channels, written by J. Keller and me, has appeared in a small open access journal. The publication grew out of the Datenspuren symposium held in Dresden in October.

Wendzel, Steffen / Keller, Jörg (2011). Einführung in die Forschungsthematik der verdeckten Kanäle. Magdeburger Journal zur Sicherheitsforschung, Vol. 2, 2011, pp. 115–124.

Covert channels are a technique for uncensored communication that has so far received little attention outside of research. At the same time, covert channels carry the risk of unnoticed information loss (data leakage) and of unnoticed control of botnets. This article first gives an introduction to the topic of covert channels, their risks and their opportunities. It then presents selected techniques for creating covert channels by way of example and discusses common countermeasures. The article closes with an overview of newer techniques from recent years.

Getting many things done

Today, when we left the CS department's building after midnight, a friend asked me: "How do you manage to get all these things done?" and I explained to him my simple but (at least for me) working concept. It consists of two parts which are linked to each other.

(1) I work on a high number of interesting projects. The key aspect here is to always pick the task that attracts me most at the particular moment. Using this technique, I work motivated, since I only ever do the work I like to work on. This is, of course, not always 100% feasible, but I at least try.

(2) By working on so many tasks in parallel, I receive a nice amount of positive feedback. So, while I work on something I like instead of something I am currently not motivated to work on, I will probably receive feedback for the task I currently don't want to work on. Thus, I get motivated for the other task again (and can switch, if I like).

This easy and (probably not optimal) technique requires the ability to keep many things in mind (e.g. deadlines of tasks currently not in my focus). Sometimes, it even results in multiple deadlines occurring at the same time and therefore in long nights full of work. However, one has to like this way of working. Also, point (2) can result in negative instead of positive feedback, which is a clear drawback of the presented strategy :) I also think it is not necessary to mention that working on many things in parallel is only possible if one accepts that a single task takes long to finish compared to a model where only few tasks are handled.

Thursday, 15 December 2011

Talk at Swinburne on Covert Channel Research

Sebastian Zander kindly invited me to give a talk at the Swinburne CAIA Research Seminar about my recent research in the area of network covert channels. The talk is scheduled for Jan-12 and an abstract can be found on their website.

Tuesday, 13 December 2011

Summary of my recent Covert Channel Research

As posted a few weeks ago, I continued my research in the area of network covert channels. This posting aims to provide a short summary of the work I've done in the area over the last few years.

Covert channels are hidden communication channels and a part of information hiding research. Lampson defined them as "not intended for information transfer at all" in 1973 in his paper "A Note on the Confinement Problem". I skip the details and the context of multi-level security (MLS), especially the Bell-LaPadula model. However, covert channels can today be used to bypass censorship and thus can support the free expression of opinions, but they can also be used by botnets (a good introduction is provided by Zander et al. in this journal article).

My early Work

In 2006, I developed a tool called "vstt" (very strange tunneling tool) capable of using multiple network protocols to transfer data to a destination system and able to accept input via a socket or a (named) pipe on Unix-like operating systems. One of the very first steps, after playing around with some Linux/BSD SOCK_RAW code and experimenting with the available "tunneling" software from the hacking community, was to develop the idea of protocol hopping (i.e. a protocol switching covert channel). The first program capable of such protocol switching was "LOKI2" by daemon9 (Phrack magazine, 1997). LOKI2 is based on a manual "/swapt" command that lets the user switch between ICMP and UDP. In 2007 (exactly ten years later) I implemented the first "protocol hopping covert channel" in the tool "phcct" (cf. my Hakin9 article about it (in German), or my English Hakin9 article on another covert channel type ("protocol channels", see next section) that contains a small discussion of protocol hopping covert channels, or try Google Scholar). Phcct no longer required user input and switched the protocol automatically and transparently.

However, the idea of protocol switching led to another, similar idea: the "protocol channel". A protocol channel is a covert channel based on the idea of transferring information not by adding special content or timing information to a network packet but by sending the packet via a specific network protocol. Thus, the hidden information is represented by the network protocol itself. You can read more about that in my paper on protocol channels. A proof-of-concept code called "pct" (protocol channel tool) can be found here.

Covert Channels with Internal Control-Protocols

However, let us come back to the protocol hopping covert channels. These covert channels are protocol switching covert channels, as explained in a paper called "Low-attention forwarding for mobile network covert channels" [pdf] that I wrote together with my Ph.D. advisor. The paper placed the old basis of protocol hopping into a scientific context.

The idea is to build a hidden covert channel overlay network and let the peers/proxies of the overlay network communicate using different protocol hopping covert channels. The overlay network's goal is to minimize the attention raised by using protocols and areas within protocol headers that are unlikely to raise attention on a given link. This depends on the context (each network is different) and can be optimized either to minimize the overhead or to minimize the amount of transferred data. Also, the forwarding between two hops/proxies within the covert overlay network can be optimized by producing as few data packets as possible for forwarding a hidden message and by caching the hidden information for a time t. In that paper we additionally proposed an upgradable covert channel overlay network based on the exchange of version and capability information using the covert channel's micro protocol.

The exchange of protocol information, state information and other kinds of management information between hidden covert channel peers is done by a covert channel-internal communication protocol, a so-called "micro protocol", which I introduced in 2008 while writing my diploma thesis at the University of Applied Sciences in Kempten on my very early-stage thoughts about both protocol hopping covert channels and protocol channels. A current summary of my work on micro protocols can be found (in German) in the proceedings of the Doktorandenkolleg Ruhr (page 35). However, the previously mentioned paper on low-attention forwarding extends the micro protocols of my old diploma thesis by important ideas (such as combining multiple areas of the TCP/IP network stack and giving different network protocols different "weights", i.e. linking them to different sets according to their detectability), and you can find all the details there.

At CMS 2013, we presented an approach for developing low-attention-raising micro protocols by providing a systematic engineering approach for covert channel-internal control protocols based on formal grammar.

Additionally, another paper of mine covers the problem of traffic normalization (done with the previously mentioned micro protocols), which leads to a two-army problem within the covert channel overlay network. This problem does not only apply to the kind of overlay network we proposed, but also to other approaches (e.g. 'adaptable covert channels' by Yarochkin et al.). The work will appear under the title The Problem of Traffic Normalization Within a Covert Channel's Network Environment Learning Phase at the SICHERHEIT'12 conference.

Limitation, Detection, and Prevention of Covert Channels

In 2011, I also finished my Master's thesis (University of Applied Sciences in Augsburg) on the analysis of known means that were developed to limit, prevent or detect network covert channels as well as local covert channels. It is not possible to summarize all the results in this posting, but I am working on a new German book, to be published in Q3-2012, that includes *all* details of my Master's thesis too. However, some examples and a general introduction (in German) are available as a video of my Datenspuren 2011 talk.

In May 2012, we presented work on the limitation of the previously mentioned protocol switching covert channels that is available via open access (pdf): Steffen Wendzel, Jörg Keller: Design and Implementation of an Active Warden Addressing Protocol Switching Covert Channels, In Proc. 7th International Conference on Internet Monitoring and Protection (ICIMP 2012), Wagner, A. and Dini, P. (Eds.), pp. 1-6, IARIA, Stuttgart, 2012. The limitation system is based on the idea of delaying protocol switches using a Linux netfilter feature. Our paper received a best paper award at the ICIMP 2012 conference. There is also an extended journal article of the paper available that discusses the topic in more detail (also available via open access): Preventing Protocol Switching Covert Channels.

In joint work, we could also show that it is feasible to detect protocol channels using a static formula as well as machine learning.
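To make the two defensive ideas from the previous paragraphs concrete (delaying protocol switches with an active warden, and detecting a channel that signals through protocol choice), here is a small added model. It is example code written for this page, not the warden from the ICIMP paper (which works inside Linux netfilter and whose parameters are not given here) and not the detection formula from the detection paper. The traces are constructed lists of (timestamp, protocol) pairs, the "switch rate" heuristic and the thresholds `factor = 3.0` and `min_gap = 0.5` are assumptions chosen for illustration, and no real packets are involved.

```python
# Added example (not from the original post): a toy model of an active warden that
# delays protocol switches and of a switch-rate detector for protocol switching covert
# channels. All traces below are constructed; nothing touches a real network.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    t: float       # send time in seconds (constructed)
    proto: str     # protocol label, e.g. "TCP", "UDP", "ICMP"


def switch_rate(trace: List[Packet]) -> float:
    """Fraction of consecutive packets whose protocol differs from the previous one.
    A channel that signals via protocol choice keeps this value unusually high.
    (Heuristic chosen for this example, not the formula from the detection paper.)"""
    if len(trace) < 2:
        return 0.0
    switches = sum(1 for a, b in zip(trace, trace[1:]) if a.proto != b.proto)
    return switches / (len(trace) - 1)


def flag_protocol_switching(trace: List[Packet], baseline_rate: float,
                            factor: float = 3.0) -> bool:
    """Detector: flag a flow whose switch rate exceeds `factor` times the rate
    measured on the same link during a known-clean baseline period (assumed factor)."""
    return switch_rate(trace) > factor * baseline_rate


def warden_release_times(trace: List[Packet], min_gap: float) -> List[float]:
    """Active warden (toy version): forward packets in order, but hold back a packet
    whose protocol differs from the previously forwarded one until at least `min_gap`
    seconds have passed since the last forwarded protocol switch. Legitimate traffic
    rarely switches and is hardly delayed; a channel that signals by switching is
    capped at 1/min_gap switches per second."""
    released: List[float] = []
    clock = float("-inf")        # release time of the previous packet (FIFO order)
    last_switch = float("-inf")  # release time of the previous protocol switch
    prev_proto = None
    for p in trace:
        release = max(p.t, clock)
        if prev_proto is not None and p.proto != prev_proto:
            release = max(release, last_switch + min_gap)
            last_switch = release
        released.append(release)
        clock = release
        prev_proto = p.proto
    return released


def added_delay(trace: List[Packet], min_gap: float) -> float:
    """Total delay in seconds that the warden adds over the whole trace."""
    return sum(r - p.t for p, r in zip(trace, warden_release_times(trace, min_gap)))


# Constructed traces: 20 packets each, one every 100 ms.
NORMAL = [Packet(0.1 * i, "UDP" if i == 10 else "TCP") for i in range(20)]      # one UDP packet in a TCP flow
SWITCHING = [Packet(0.1 * i, "TCP" if i % 2 == 0 else "UDP") for i in range(20)]  # switches on every packet

if __name__ == "__main__":
    base = switch_rate(NORMAL)  # treat the clean trace as the link's baseline
    for name, trace in (("normal", NORMAL), ("switching", SWITCHING)):
        print(f"{name:10s} switch rate {switch_rate(trace):.3f} "
              f"flagged={flag_protocol_switching(trace, base)} "
              f"warden delay {added_delay(trace, 0.5):.1f}s")
```

With `min_gap = 0.5`, the clean trace is delayed by about one second in total (only the packets right after its single UDP packet wait), whereas the alternating trace is stretched from 1.9 s to about 9.1 s, i.e. its switch rate is forced down to two switches per second regardless of how fast the sender emits packets. That is the effect the warden paper aims for: the channel is not necessarily eliminated, but its bandwidth is bounded at a cost that normal traffic barely notices.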

Covert Channels and Side Channels in Building Automation Systems

Last, but not least, we worked on the investigation of covert channels and side channels in building automation systems (BAS), and especially on covert channels in BACnet. An interoperable BAS middleware was developed to limit covert storage and side storage channels in building automation systems by applying multi-level security (MLS). A paper addressing these hidden channels as well as the protection means was presented under the title Covert and Side Channels in Buildings and the Prototype of a Building-aware Active Warden at the first IEEE International Workshop on Security and Forensics in Communication Systems (SFCS 2012), Ottawa. A second paper on BACnet (see link above) was presented at the 3SL workshop.

Dynamic Routing in Covert Channel Overlay Networks

In joint work, we (especially P. Backs) developed a dynamic routing approach for covert channels in overlay networks for which I contributed the concept of "status updates", i.e., a means to minimize the size of micro protocol headers.

I currently have much more research in the queue and will publish information as soon as it has passed the scientific peer-review processes.


2012-02-11: Added a few words about the BAS middleware paper (SFCS'12) and the traffic normalization paper (SICHERHEIT'12).

2012-06-18: Added new paper of the ICIMP 2012 conference.

2012-07-08: Added Protocol Channel Detection paper and link to BAS side/covert channel posting.

2012-01-15: Added our 3 latest related papers.

Monday, 12 December 2011

Review: Internetzensur in China

I recently read "Internetzensur in China. Aufbau und Grenzen des chinesischen Kontrollsystems" by Kim-Björn Becker. Not being a political scientist, I was really only moderately interested in the political background of this topic, but I have to say that I found the way this book presents the topic very interesting.
I would have wished for more technical background (what is there is unfortunately not at the level I had imagined, but then again the author is not a computer scientist), but in return there is other very exciting content to be found. This includes, for instance, how the Chinese government dealt with SARS, or the development of Internet use in China and what it looks like today (rural vs. urban, relevance of smartphones, and so on). Accordingly, I can recommend this book on my blog as well (and, by the way, I am not doing so because the author cited me six times).

Book details:
Author: Kim-Björn Becker
Title: Internetzensur in China. Aufbau und Grenzen des chinesischen Kontrollsystems
Publisher: Vieweg-Springer Research, 246 pages, 1st edition 2011, EUR 39.95
ISBN: 978-3-531-18208-7

Thursday, 8 December 2011

The Difference Between Scientific Psychology and Everyday Psychology

Another item from my psychology studies at the FernUniversität in Hagen:

1. How does psychology actually arrive at its findings?

2. Why are these findings of higher quality than those of our everyday psychology, with which we judge our colleagues and friends, for instance?

First of all, psychology is a science. As such, it uses methods that we do not apply in everyday life. These include, for example, conducting experiments in order to gain insights. These experiments are supervised, carried out according to precise rules, ethical principles and generally accepted standards, recorded and then evaluated. Evaluations in psychology usually rely on statistics. Results must be reproducible and are checked by other scientists before publication. Only once these other scientists have judged the findings to be correct are they published, for instance in a journal -- similar to computer science.

Psychological experiments are not limited to questionnaires or interviews. Instead, technological instruments (for instance to monitor brain activity) or specially designed test laboratories can also be used.

In everyday psychology, by contrast, there are many things we do not consider, that we are not aware of in "experiments" in our personal environment, or that we perceive incorrectly because we lack the knowledge to recognise incorrect perceptions.

Another point is that in everyday life we use imprecise terms to describe psychological matters. If, for example, someone says they are "not in a good mood" today -- what exactly does that statement mean? Is the person not doing well mentally or physically? What exactly is the reason for that state? ...

It should also not be forgotten that in psychological experiments it must be ensured that the observer does not (unconsciously) read certain synthetic results into the actual result that are not there at all. In particular, prejudices must not play a role, and the assessment must be as objective as at all possible.