Location
Online
Event Website
https://hicss.hawaii.edu/
Start Date
3-1-2023 12:00 AM
End Date
7-1-2023 12:00 AM
Description
The severity of data exfiltration attacks is well known, and operators have begun deploying elaborate host and network security controls to counter this threat. Consequently, malicious actors spare no efforts finding methods to obfuscate their attacks within common network traffic. In this paper, we expose a new type of application transparent, kernel level data exfiltration attacks. By embedding data into application messages while they are held in socket buffers outside of applications, the attacks have the flexibility to hijack flows of multiple distinct applications at a time. Furthermore, we assess the practical implications of the attacks using a testbed emulating a typical data exfiltration scenario. We first prototype required attack functionalities with existing Layer 4.5 application message customization software, and then perform flow hijacking experiments with respect to six common application protocols. The results confirm the flexibility of socket layer attacks and their ability to evade typical security controls.
Recommended Citation
Bergen, Eric; Lukaszewski, Daniel; and Xie, Geoffrey, "Data Exfiltration via Flow Hijacking at the Socket Layer" (2023). Hawaii International Conference on System Sciences 2023 (HICSS-56). 4.
https://aisel.aisnet.org/hicss-56/st/digital_forensics/4
Data Exfiltration via Flow Hijacking at the Socket Layer
Online
The severity of data exfiltration attacks is well known, and operators have begun deploying elaborate host and network security controls to counter this threat. Consequently, malicious actors spare no efforts finding methods to obfuscate their attacks within common network traffic. In this paper, we expose a new type of application transparent, kernel level data exfiltration attacks. By embedding data into application messages while they are held in socket buffers outside of applications, the attacks have the flexibility to hijack flows of multiple distinct applications at a time. Furthermore, we assess the practical implications of the attacks using a testbed emulating a typical data exfiltration scenario. We first prototype required attack functionalities with existing Layer 4.5 application message customization software, and then perform flow hijacking experiments with respect to six common application protocols. The results confirm the flexibility of socket layer attacks and their ability to evade typical security controls.
https://aisel.aisnet.org/hicss-56/st/digital_forensics/4