Abstract
Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties.
In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Sadeghi, AR., Schulz, S., Varadharajan, V. (2012). The Silence of the LANs: Efficient Leakage Resilience for IPsec VPNs. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_15
DOI: https://doi.org/10.1007/978-3-642-33167-1_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33166-4
Online ISBN: 978-3-642-33167-1