
European Symposium on Research in Computer Security

Computer Security – ESORICS 2012, pp 253–270

The Silence of the LANs: Efficient Leakage Resilience for IPsec VPNs

  • Ahmad-Reza Sadeghi
  • Steffen Schulz
  • Vijay Varadharajan

Conference paper. Part of the Lecture Notes in Computer Science book series (LNSC, volume 7459)

Abstract

Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties.

In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage.
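The abstract's central claim is that padding packet sizes and regulating send times can bound, in information-theoretic terms, what a passive observer learns from an encrypted VPN flow, and that the bound can be traded against padding overhead. The following Python model is an added illustration of that trade-off at toy scale; it is not the paper's IPsec design or its Linux prototype. Everything in it is an assumption for the sake of the example: the sample flow, the 1400-byte maximum payload, the policy of sending one packet per time slot and filling idle slots with dummy packets, and the two example policies (constant size and rate versus four size buckets). It goes slightly beyond the abstract by also showing the empirical entropy an observer would measure next to the analytical bound.

```python
"""Toy model of traffic-flow shaping against packet-size and timing
covert channels (added illustration; not the paper's IPsec prototype)."""
import math
from collections import Counter

MTU = 1400  # assumed maximum payload per packet after padding

# Constructed sample flow: (arrival_ms, payload_bytes).  Shaped like an
# interactive session: small keystroke-sized packets at irregular gaps,
# then a short burst of large packets.
SAMPLE_FLOW = [
    (0, 48), (35, 48), (80, 52), (210, 48), (215, 900),
    (220, 1400), (225, 1400), (230, 650), (400, 48), (470, 48),
]


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def observe(packets):
    """What a passive observer sees: wire sizes and inter-packet gaps."""
    sizes = [p[1] for p in packets]
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    return sizes, gaps


def shape(flow, bucket, slot):
    """Pad each payload up to a multiple of `bucket` bytes, send at most one
    packet per `slot` ms on slot boundaries, and fill idle slots with dummy
    packets of `bucket` bytes (assumed policy).  Returns wire packets as
    (departure_ms, wire_bytes, is_dummy); the observer never sees is_dummy."""
    if bucket <= 0 or MTU % bucket:
        raise ValueError("bucket must divide MTU")
    wire = []
    next_free = 0  # first slot boundary not yet used
    for arrival, size in flow:
        if size > MTU:
            raise ValueError("fragmentation is not modelled")
        depart = max(next_free, math.ceil(arrival / slot) * slot)
        while next_free < depart:  # cover traffic while the sender is idle
            wire.append((next_free, bucket, True))
            next_free += slot
        wire.append((depart, math.ceil(size / bucket) * bucket, False))
        next_free = depart + slot
    return wire


def leakage_bound_bits(bucket):
    """Per-packet upper bound on what size and timing can leak after shape():
    gaps are constant (0 bits) and sizes take at most MTU/bucket values."""
    return math.log2(MTU // bucket)


def evaluate(flow, bucket, slot):
    """Empirical leakage (bits/packet) and padding overhead for one policy."""
    wire = shape(flow, bucket, slot)
    sizes, gaps = observe(wire)
    payload = sum(size for _, size in flow)
    on_wire = sum(size for _, size, _ in wire)
    return {
        "size_bits": shannon_entropy(sizes),
        "gap_bits": shannon_entropy(gaps),
        "bound_bits": leakage_bound_bits(bucket),
        "overhead": on_wire / payload - 1,  # extra bytes per payload byte
        "packets": len(wire),
    }


if __name__ == "__main__":
    raw_sizes, raw_gaps = observe(SAMPLE_FLOW)
    print("unshaped: %.2f size bits, %.2f gap bits per packet"
          % (shannon_entropy(raw_sizes), shannon_entropy(raw_gaps)))
    for bucket, slot in ((MTU, 10), (350, 10)):
        r = evaluate(SAMPLE_FLOW, bucket, slot)
        print("bucket=%4d slot=%dms: %.2f+%.2f bits (bound %.2f), overhead %.1fx"
              % (bucket, slot, r["size_bits"], r["gap_bits"],
                 r["bound_bits"], r["overhead"]))
```

The constant-size, constant-rate policy drives both size and timing entropy to zero but costs more than ten times the payload in cover traffic on this bursty sample; four size buckets cut the overhead substantially while keeping size leakage provably under two bits per packet. The empirical entropy is only a sanity check against the bound: it is the bound, not the measured figure, that holds against every possible input.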

Keywords

  • IPsec
  • VPNs
  • covert channels
  • performance trade-offs


Author information

Authors and Affiliations

  1. System Security Lab, Technische Universität Darmstadt, Germany

    Ahmad-Reza Sadeghi & Steffen Schulz

  2. System Security Lab, Ruhr-University Bochum, Germany

    Ahmad-Reza Sadeghi & Steffen Schulz

  3. Fraunhofer SIT, Darmstadt, Germany

    Ahmad-Reza Sadeghi

  4. Information and Network Security Research Lab, Macquarie University, Australia

    Steffen Schulz & Vijay Varadharajan


Editor information

Editors and Affiliations

  1. Dipartimento di Informatica, Università degli Studi di Milano, Via Bramante 65, 26013, Crema, Italy

    Sara Foresti

  2. Computer Science Department, Columbia University, 1214 Amsterdam Avenue, 10025, New York, NY, US

    Moti Yung

  3. Institute of Informatics and Telematics, Information Security Group, National Research Council, Pisa Research Area, Via G. Moruzzi 1, 56125, Pisa, Italy

    Fabio Martinelli


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sadeghi, AR., Schulz, S., Varadharajan, V. (2012). The Silence of the LANs: Efficient Leakage Resilience for IPsec VPNs. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_15

  • DOI: https://doi.org/10.1007/978-3-642-33167-1_15
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-642-33166-4
  • Online ISBN: 978-3-642-33167-1
