Steffen Wendzel | Universität Ulm
Papers by Steffen Wendzel
An ongoing challenge in censorship circumvention is optimizing the stealthiness of communications, enabled by covert channels. Recently, a new variant called history covert channels has been proposed. Instead of modifying or mimicking legitimate data, such channels solely point to observed data matching secret information. This approach reduces the amount of secret data a sender explicitly must transfer and thus limits detectability. However, the only published history channel is only suitable for special scenarios due to severe limitations in terms of bandwidth. We propose a significant performance enhancement of history covert channels that allows their use in real-world scenarios through utilizing the content of online social media and online archives. Our approach, which we call OPPRESSION (Open-knowledge Compression), takes advantage of the massive amounts of textual data on the Internet that can be referenced by short pointer messages. Broadly, OPPRESSION can be considered a novel encoding strategy for censorship circumvention. We further present and evaluate our open source proof-of-concept implementation of OPPRESSION that can transfer secret data by pointing to popular online media, such as Twitter (now "X"), news websites, Wikipedia entries, and online books. The pointer itself is transmitted through existing censorship circumvention systems. Our approach minimizes the amount of traffic to be concealed in comparison to existing works, even in comparison to compression. CCS CONCEPTS • Security and privacy → Network security; Distributed systems security; Information flow control; Pseudonymity, anonymity and untraceability; • Social and professional topics → Computer crime.
John Wiley & Sons, Inc. eBooks, Mar 5, 2016
Network covert channels enable hidden communication and can be used to break security policies. Within the last years, new techniques for such covert channels arose, including protocol switching covert channels (PSCCs). PSCCs transfer hidden information by sending network packets with different selected network protocols. In this paper we present the first detection methods for PSCCs. We show that the number of packets between network protocol switches and the time between switches can be monitored to detect PSCCs with 98-99% accuracy for bit rates of 4 bits/second or higher.
Security and Communication Networks, Jun 17, 2016
Network steganography conceals the transfer of sensitive information within unobtrusive data in computer networks. So-called micro protocols are communication protocols placed within the payload of a network steganographic transfer. They enrich this transfer with features such as reliability, dynamic overlay routing, or performance optimization, just to mention a few. We present different design approaches for the embedding of hidden channels with micro protocols in digitized audio signals under consideration of different requirements. On the basis of experimental results, our design approaches are compared, and introduced into a protocol engineering approach for micro protocols.
Lecture Notes in Computer Science, 2011
In a real-world network, different hosts involved in covert channel communication run different covert channel software as well as different versions of such software, i.e. these systems use different network protocols for a covert channel. A program that implements a network covert channel for mobile usage thus must be capable of utilizing multiple network protocols to deal with a number of different covert networks and hosts. We present calculation methods for utilizable header areas in network protocols, calculations for channel optimization, an algorithm to minimize a covert channel's overhead traffic, as well as implementation-related solutions for such a mobile environment. By minimizing the channel's overhead depending on the set of supported protocols between mobile hosts, we also minimize the attention raised through the channel's traffic. We also show how existing covert network channel infrastructure can be modified without replacing all existing infrastructure elements by proposing the handling of backward-compatible software versions.
Due to improvements in defensive systems, network threats are becoming increasingly sophisticated and complex as cybercriminals are using various methods to cloak their actions. This, among others, includes the application of network steganography e.g. to hide the communication between an infected host and a malicious control server by embedding commands into innocent-looking traffic. Currently, a new subtype of such methods called inter-protocol steganography emerged. It utilizes relationships between two or more overt protocols to hide data. In this paper, we present new inter-protocol hiding techniques which are suitable for real-time services. Afterwards, we introduce and present preliminary results of a novel steganography detection approach which relies on network traffic coloring.
Lecture Notes in Computer Science, 2012
Within the last years, new techniques for network covert channels arose, such as covert channel overlay networking, protocol switching covert channels, and adaptive covert channels. These techniques have in common that they rely on covert channel-internal control protocols (so called micro protocols) placed within the hidden bits of a covert channel's payload. An adaptable approach for the engineering of such micro protocols is not available. This paper introduces a protocol engineering technique for micro protocols. We present a two-layer system comprising six steps to create a micro protocol design. The approach tries to combine different goals: (1) simplicity, (2) ensuring a standard-conform behaviour of the underlying protocol if the micro protocol is used within a binary protocol header, as well as we provide an optimization technique to (3) raise as little attention as possible. We apply a context-free and regular grammar to analyze the micro protocol's behavior within the context of the underlying network protocol.
John Wiley & Sons, Ltd eBooks, Oct 6, 2017
John Wiley & Sons, Inc. eBooks, Feb 12, 2016
Network covert channels enable a policy-breaking network communication (e.g., within botnets). Within the last years, new covert channel techniques arose which are based on the capability of protocol switching. Such protocol switching covert channels operate within overlay networks and can (as a special case) contain their own internal control protocols. We present the first approach to effectively limit the bitrate of such covert channels by introducing a new active warden. We present a calculation method for the maximum usable bitrate of these channels in case the active warden is used. We discuss implementation details of the active warden and discuss results from experiments that indicate the usability in practice. Additionally, we present means to enhance the practical application of our active warden by applying a formal grammar-based whitelisting and by proposing the combination of a previously developed detection technique in combination with our presented approach.
arXiv (Cornell University), Dec 1, 2015
Until now hiding methods in network steganography have been described in arbitrary ways, making them difficult to compare. For instance, some publications describe classical channel characteristics, such as robustness and bandwidth, while others describe the embedding of hidden information. We introduce the first unified description of hiding methods in network steganography. Our description method is based on a comprehensive analysis of the existing publications in the domain. When our description method is applied by the research community, future publications will be easier to categorize, compare and extend. Our method can also serve as a basis to evaluate the novelty of hiding methods proposed in the future.
International Conference on Internet Monitoring and Protection, May 27, 2012
Network covert channels enable a policy-breaking network communication (e.g., within botnets). Within the last years, new covert channel techniques occurred which are based on the capability of protocol switching. There are currently no means available to counter these new techniques. In this paper we present the first approach to effectively limit the bandwidth of such covert channels by introducing a new active warden. We present a calculation method for the bandwidth of these channels in case the active warden is used. Additionally, we discuss implementation details and we evaluate the practical usefulness of our technique.
Annales Des Télécommunications, Mar 18, 2014
Network covert channels are policy-breaking and stealthy communication channels in computer networks. These channels can be used to bypass Internet censorship, to exfiltrate data without raising attention, to allow a safe and stealthy communication for members of political oppositions and for spies, to hide the communication of military units at the battlefield from the enemy, and to provide stealthy communication for today's malware, especially for botnets. To enhance network covert channels, researchers started to add protocol headers, so called micro protocols, to hidden payload in covert channels. Such protocol headers enable fundamental features such as reliability, dynamic routing, proxy capabilities, simultaneous connections, or session management for network covert channels, features which enrich future botnet communications to become more adaptive and more stealthy than nowadays. In this survey, we provide the first overview and categorization of existing micro protocols. We compare micro protocol features and present currently uncovered research directions for these protocols. Afterwards, we discuss the significance and the existing means for micro protocol engineering. Based on our findings, we propose further research directions for micro protocols. These features include to introduce multi-layer protocol stacks, peer auto-configuration, and peer group communication based on micro protocols, as well as to develop protocol translation in order to achieve inter-connectivity for currently separated overlay networks.
arXiv (Cornell University), Jun 10, 2014
Network steganography encompasses the information hiding techniques that can be applied in communication network environments and that utilize hidden data carriers for this purpose. In this paper we introduce a characteristic called steganographic cost which is an indicator for the degradation or distortion of the carrier caused by the application of the steganographic method. Based on exemplary cases for single- and multi-method steganographic cost analyses we observe that it can be an important characteristic that allows to express hidden data carrier degradation, similarly as MSE (Mean-Square Error) or PSNR (Peak Signal-to-Noise Ratio) are utilized for digital media steganography. Steganographic cost can moreover be helpful to analyse the relationships between two or more steganographic methods applied to the same hidden data carrier.
Journal of cyber security and mobility, 2017
We present and motivate a parallel algorithm to compute promising candidate states for modifying the state space of a pseudo-random number generator in order to increase its cycle length. This is important for generators in low-power devices where increase of state space to achieve longer cycles is not an alternative. The runtime of the parallel algorithm is improved by an analogy to ant colony behavior: if two paths meet, the resulting path is followed at accelerated speed just as ants tend to reinforce paths that have been used by other ants. We evaluate our algorithm with simulations and demonstrate high parallel efficiency that makes the algorithm well-suited even for massively parallel systems like GPUs. Furthermore, the accelerated path variant of the algorithm achieves a runtime improvement of up to 4% over the straightforward implementation.
We present a parallel algorithm to compute promising candidate states for modifying the state space of a pseudorandom number generator in order to increase its cycle length. This is important for generators in low-power devices where increase of state space is not an alternative. The runtime of the parallel algorithm is improved by an analogy to ant colony behavior: if two paths meet, the resulting path is followed at accelerated speed just as ants tend to reinforce paths that have been used by other ants. We evaluate our algorithm with simulations and demonstrate high parallel efficiency that makes the algorithm well-suited even for massively parallel systems like GPUs. Furthermore, the accelerated path variant of the algorithm achieves a runtime improvement of up to 4% over the straightforward implementation.
Since the late 1980s a large number of techniques to embed covert channels into network protocols were discovered. Covert channels enable a policy-breaking communication while they are additionally hard to detect. While it must be considered non-trivial to counter covert channels in networks, it can be considered trivial to evaluate network protocols in order to find possible ways to embed hidden information in these protocols. This thesis therefore does not aim at presenting new covert channels in network protocols (except from exemplary channels in BACnet). Today, covert channels are a useful technique for the development of botnets since these channels can make botnet traffic hard to detect. For this reason, it is an attractive goal for botnet developers to enhance existing covert channel techniques, as this gives leeway for the introduction of additional features into covert channels and enhancement of their invisibility. Therefore, the research community must also aim at improving covert channels since it would otherwise be unfeasible to find means to counter such novel techniques introduced by botnet developers. On the other hand, covert channels must be considered as dual-use betterment as they, for instance, can enable journalists to transfer illicit information in networks with censorship without facing detection. Within the last decade, new covert channels with internal control protocols (so called micro protocols) arose. These micro protocols are placed in the hidden data of the channel and can be considered a powerful technique as they introduce new features such as dynamic routing or reliability. In general, micro protocols control a covert channel but their purpose depends on its given utilization.
For instance, a micro protocol used within a botnet could signal a botnet command, such as to send a spam mail, while the actual hidden payload can comprise a fragment of the spam message to be sent. This thesis is the first to discuss the need for improved micro protocol designs as the detectability of a covert channel highly depends on the used micro protocol: if a micro protocol causes anomalies, the detectability of the covert channel rises. The first part (Chapters 3 and 4) of this thesis introduces two approaches for the design and development of micro protocols. The first approach decreases the size of a micro protocol header to minimize the number of bits to be modified in a network packet: if fewer bits are required to be modified by the covert channel, the channel will cause fewer anomalies. The second approach ensures the conformity of the micro protocol to the utilized network protocol: if the micro protocol does not violate rules of the utilized protocol, it will also cause fewer anomalies. Therefore, the existing covert channel terminology is extended. The initial connection establishment phase (NEL phase) of network covert channels is enhanced by using these micro protocols and it helps overcoming the two-army problem initially discovered in this thesis. Covert channels (with or without micro protocols) can utilize various network protocols simultaneously. We call the family of such covert channels protocol switching covert channels. A problem with these channels is the lack of a means to limit their bitrate. This thesis presents the first approach to limit the maximum error-free bitrate of protocol switching covert channels. The approach has been evaluated and can be considered to be applicable in practice.
The second part (Chapter 5) of this thesis discusses the presence of covert and side channels in building automation systems and their potential for adversaries, which lies in the observation of events and persons in buildings and, finally, in building automation-based data exfiltration to bypass the protection means of a (better protected) enterprise network. A distinction of such covert channels into high-level covert channels (based on the interaction with the building) and low-level covert channels (based on the utilization of building automation network protocols) is proposed. Furthermore, a prevention means to counter high-level covert (and side) channels in building automation systems as well as a prevention technique for BACnet-based covert channels is also presented and evaluated.