This year's ARES conference took place this week, and we organized the IWSMR workshop for the second time in a row. In addition, we published two new papers at the ARES CUING workshop 2020. The first paper exploits network caches to store secret information. The second paper deals with reversible network steganography (covert channels).
Tobias Schmidbauer, Steffen Wendzel: Covert Storage Caches using the NTP Protocol, in Proc. CUING Workshop 2020 (ARES 2020), ACM, 2020.
Abstract: Recently, new methods were discovered to secretly store information in network protocol caches by exploiting functionalities of ARP and SNMP. Such a covert storage cache is referred to as a "Dead Drop". In our present research, we demonstrate that hidden information can also be stored on systems with an active NTP service. We present one method based upon ephemeral associations and one method based upon the most recently used (MRU) list, and measure their storage duration and capacity. Our approach improves over the previous approach with ARP as it allows hidden information to be transported across the internet and thus outside of local area networks. The preliminary results for both Dead Drops indicate that more than 100 entries with secret data can persist for several hours. Finally, we discuss the detectability and countermeasures of the proposed methods as well as their limitations.
Przemysław Szary, Wojciech Mazurczyk, Luca Caviglione, Steffen Wendzel: Design and Performance Evaluation of Reversible Network Covert Channels, in Proc. CUING Workshop 2020 (ARES 2020), ACM, 2020.
Abstract: Covert channels nested within network traffic are important tools for allowing malware to act unnoticed or to stealthily exchange and exfiltrate information. Thus, understanding how to detect or mitigate their utilization is of paramount importance, especially to counteract the rise of increasingly sophisticated threats. In this perspective, the literature has proposed various approaches, including distributed wardens, which can be used to collect traffic in different portions of the network and compare the samples to check for discrepancies revealing hidden communications. However, the use of some form of reversibility, i.e., being able to restore the exploited network carrier to its original form before the injection, can challenge such a detection scheme. Therefore, in this work we introduce and evaluate the performance of different techniques used to endow network covert channels with reversibility. Results indicate the feasibility of achieving reversibility, but the protocol used plays a major role.