Embed Size (px)
Citation preview
Time is on my sideSteganography in filesystem metadataSebas�an Neuner, Artemios G.Voyiatzis, Mar�nSchmiedecker, Stefan Brunthaler, Stefan Katzenbeisser, EdgarR. Weippl
Mo�va�on for our Work
• Raise awareness about hiding techniques for digitalinves�gators• Need for stealth communica�on• Alterna�ve channel (image steganography, audiosteganography, ...)• We did not know what the date 01.01.1601 is all about.Do you?
2/37
Steganography
Steganography
Hiding data in plain sight
3/37
Steganography – (our) Requirements• Robustness:→ Certain amounts of modifica�ons allowed.
• Stealthiness:→ The existance of an embedded message cannot beproven.
• Deniability:→ ”What? Who said there is something hidden?”
4/37
Steganography – (our) Requirements
• Applicability:→ The carrying medium should be widely used and offerenough capacity.
• Relying on Kerkhoffs Law:→ Breaking Stealthiness should not reveal the message.
5/37
Steganography – Medium
What is the op�mal medium to carry data?• Sa�sfying applicability...
◦ In widespread use.◦ Offer enough ”random-looking” capacity to carry data.
6/37
Filesystem Metadata
Filesystem Metadata forSteganography?Something like:
• ACL steganography shown by Michael Perklin in 2013 atBlackHat1• Par�ally-stealth...
1https://www.youtube.com/watch?v=J4x8Hz6_hq0
7/37
Why Filesystem Metadata?
It sa�sfies a key requirement:→ (Almost) Everyone uses it.Huge code-bases (high possibility for steganographicchannels).
8/37
Proposal
• A lot of modern filesystems provide nanosecondgranularity• Opera�ng systems o�en only show up to minutes orseconds• Let’s use the non-shown-bits as medium
9/37
Give it a try: Timestamp GranularityGUIs mostly present �me values up to minutes or seconds,but more granular storage
10/37
More Granular Storage – A StudyWhat level of �mestamp granularity do ”modern” filesystemsoffer?
Filesystem File �mestamp Size GranularityNTFS crea�on 64 bits 100 nsaccess 64 bits 100 nsmodifica�on 64 bits 100 nsmodif. of MFT entry 64 bits 100 nsext4 crea�on 64 bits 1 nsaccess 64 bits 1 nsmodifica�on 64 bits 1 nsa�ribute modif. 64 bits 1 nsbtrfs crea�on 64 bits 1 nsaccess 64 bits 1 nsmodifica�on 64 bits 1 nsa�ribute modif. 64 bits 1 ns
11/37
More Granular Storage – A StudyWhat level of �mestamp granularity do ”modern” filesystemsoffer?
Filesystem File �mestamp Size GranularityZFS crea�on 64 bits 1 nsaccess 64 bits 1 nsmodifica�on 64 bits 1 nsa�ribute modif. 64 bits 1 nsFAT32 crea�on 40 bits 10 msecaccess 16 bits 1 daymodifica�on 32 bits 2 secHFS+ crea�on 32 bits 1 secaccess 32 bits 1 secmodifica�on 32 bits 1 seca�ribute modif. 32 bits 1 secbackup 32 bits 1 secext3 access 32 bits 1 secmodifica�on 32 bits 1 seca�ribute modif. 32 bits 1 sec
12/37
Pu�ng it all together:Time is on my Side
Timestamp–Basics NTFS
(Our PoCs target NTFS fromWin Vista on→ later...)• MACE (Modified, Access, Crea�on, Modified MFT entry)• Each 64bits→ 24bits of that describe the nano seconds
• Number of 100 nano seconds since 1.1.1601
13/37
Timestamp–Basics NTFS
Before Vista (XP...):
14/37
Timestamp–Basics NTFS
From Vista on...• By default: N�sDisableLastAccessUpdate set to 1→ Immutable access �me
• (ext4 mount op�on ”noa�me”)
15/37
Timestamp–Basics NTFSFrom Vista on...
• By default: N�sDisableLastAccessUpdate set to 1→ Immutable access �me
• (ext4 mount op�on ”noa�me”)
16/37
Time is on my side–PoC *Embed informa�on in the crea�on (C) and access (A)nano-�mestamp-parts of files’ metadata (MFT’s filenamea�ribute)
• Python• NTFS• Variable error correc�on• Encryp�on• Kerkhoffs Principle!
17/37
Time is on my side–PoC 1
Save a metadata file• Produce a metadata file, containing the loca�on of allmodified files• Error corrected payload is encrypted• Metadata file is also encrypted (with a differentalgorithm)• Drawback: Obviously a file with random data is lyingaround
18/37
Time is on my side–PoC 2
Oblivious Replacement• Take the data• Produce error correc�ng codes• Hide an index byte in the crea�on �mestamp• Hide the length indicators• Encrypt the stuff• Embed it
19/37
Time is on my side–PoC 2
20/37
Time is on my side–Thoughts• The index is needed to recover the correct order of thefiles• The amount of error correc�on is variable but influencesthe possible capacity• Speaking of capacity:→ PoC 1 is able to use 48bits payload, where PoC 2 just40 bits (index byte)→ The more error-correc�on, the more capacity isneeded (the more errors are recoverable)
21/37
Time is on my side–Capacity
Example for PoC2 (oblivious replacement)• Crea�on: 3bytes / Access: 3bytes
◦ Minus: 1byte per file (index)◦ Minus: Every 255th file contains the length of the wholedata◦ Minus: Error correc�on
22/37
Time is on my side–Capacity Win8
Freshly installed Win8→ roughly 160k files• Theore�cal payload: 48bits * 160k: 960KB• Real payload: (40bits * 160k) - (160k / 255 * 5) - ( 15%error correc�on )→∼ 680kb hard payload
23/37
Time is on my side–Capacity Win8Freshly installed Win8→ roughly 160k files
• Theore�cal payload: 48bits * 160k: 960KB• Real payload: (40bits * 160k) - (160k / 255 * 5) - ( 15%error correc�on )→∼ 680kb hard payload
24/37
Impressive?
Mhmm...not really... BUT......we offer encryp�on...we offer error correc�on...we offer order recovery...we offer stealthiness
25/37
Stealth?
By relying on the requirement of encryp�on to look likerandom data, our embedded data looks like random data.Stealth→ sta�s�cally undetectable
26/37
Undetectable?Measured with Kullback–Leibler divergence (”measure of thedifference between two probability distribu�ons”2)Crea�on Timestamp Access Timestamp
2https://en.wikipedia.org/wiki/Kullback%E2%80%93Leibler_divergence
27/37
Corpus
How and where did we measure Stealthiness?• Synthe�c data set• Real-world data set
28/37
Synthe�c Data Set
• Python script• NTFS-3g• 117 million files• 50% no delay, 50% random delay between one and twoseconds
29/37
Real-World Data Set
• 70 NTFS volumes in research lab• Average: 290k files and 40k directories• In total: 22.26 million files and directories
30/37
A�acks on our System
A�acks
• Denial of Service:→ You have to know that the data is there→ No informa�on gain→ (Re-)Set all �mestamps
• Accidental reset→ File gets deleted and re-created
31/37
A�acks
• Timestamp storages:MFT filename a�ribute←→MFT standard informa�on
• 1:1 copy→ Compare before and a�er embedding
32/37
Conclusion
→ Study on which filesystems are usable→ Feasible→ Low capacity
33/37
Future Work
→ Implica�ons on the Windows $LogFile→ Extend the PoC’s to ext4→ Fix minor bugs and release the PoC’s at:
→ https://www.sba-research.org/dfrws2016
34/37
Thank you for your a�en�on...
35/37
Image References
https://blogs.sans.org/computer-forensics/files/2010/10/ts_change_rules_gui1.jpg
http://cdn.meme.am/instances/32090244.jpg https://imgflip.com/i/18mv6s
http://philbaumann.com/wp-content/uploads/2009/01/Twitter_bird_logo_2012.png
http://img4.wikia.nocookie.net/__cb20121008041422/thehungergames/images/b/bd/I_has_a_
question.jpg
37/37
