Skip to content

secnot/leaky_diode

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
bin
 
 
 
 
 
 
 
 
 
 
 
 

Leaky Diodes

Leaky diode is a data exfiltration test tool for smart data diodes, that is data diodes with support for TCP pass-through with the help of some side channel from the isolated side. The attacks used are flow modulation and/or close delay:

  • CLOSE DELAY uses the delay between the request of one the secret's bits and the time the server closes the connection to encode the bit value. (i.e.- 10 seconds delay means a 0, 30 seconds delay a 1)

  • FLOW MODULATION uses tcp flow control mechanism to encode secret's bits as a transfer speed. For example if the the bit requested by the client is 1 the server throttles the speed to 300KB/s, if it's 0 to 100KB/s. The advantage of this attack is that using a single connection makes it harder to detect.

Installation

Download the package or clone the repository, and then install with:

python3 setup.py install

or use pypi:

pip3 install leaky_diode --user

or

sudo pip3 install leaky_diode

the path to the scripts if not installed as root will be:

/home/[username]/.local/bin/leaky_client
/home/[username]/.local/bin/leaky_server

Usage

On the isolated side launch the server:

leaky_server public_ip port 'secret string that needs leaking'

On the untrusted side launch the client and select one of the attacks,

leaky_client server_ip server_port --mode flow --partial

or

leaky_client server_ip server_port --mode close --partial

And just wait a few minutes to receive the first byte (it's the slowest), if you're not sure if it's working add --verbose option so it prints messages on each received bit.

Options

usage: leaky_client [-h] [--mode mode] [--low_delay delay] [--high_delay delay] [--low_rate rate] 
					[--high_rate rate] [--sample_time time] [--settle_time time] [--partial]
                    host port

Leaky Diode is a data exfiltration test tool for data diodes

positional arguments:
  host                  Remore host address
  port                  Remote host port

optional arguments:
  -h, --help            Show this help message and exit
  --mode mode, -m mode  Attack mode 'flow' or 'close' (default: flow)
  --low_delay delay     Close delay for low bits (default: 5s) (only Close Mode)
  --high_delay delay    Close delay for high bits (default: 10s) (only Close Mode)
  --low_rate rate       Tx rate for low bits (default: 64 KB/s) (only Flow Mode)
  --high_rate rate      Tx rate for high bits (default: 300 KB/s) (only Flow Mode)
  --sample_time time    Tx rate sampling interval (default: 3.0s) (only Flow Mode)
  --settle_time time    Settle time between sending a bit request and the start of 
                        sampling (default: 8.0s) (only Flow Mode)
  --partial             Show partial results each time another byte from the secret is received
  --verbose             Show debugging messages
usage: leaky_server [-h] host port secret_string

Leaky Diode is a data exfiltration test tool for data diodes

positional arguments:
  host           Remore host address
  port           Remote host port
  secret_string  Attack mode 'flow' or 'close' (default: a secret string)

optional arguments:
  -h, --help     Show this help message and exit
  -v, --verbose  Show debugging messages

Performance

The attack throughput with the default parameters is around 1 B/min (yes, one byte per minute), you can increase it by lowering the delay times in close delay mode, and the settle/sample times in flow modulation (the default values are very conservative)

An actual exfiltration attempt using this attack could easily leak a few KB per day, too slow for large breachs, but enough for targeted attacks for keys/passwords or selected users data.

API

It is also possible to use leaky_diode as a package and include a server in your own app:

  • class LeakyServer(host, port, secret, ticks=100, max_connections=10)

    • host: (str) Listen interface ip addres ('' for all)

    • port: (int) Listen port

    • secret: (bytes) Secret to leak (max length 65535)

    • ticks: (int) Ticks per second the worker process use to throttle the connections.

    • max_connections: (int) Max concurrent connection the server can handle.

    • start(): Initialize and launch server worker processes

    • stop(): Stop server and its workers

from leaky_diode import LeakyServer

leaky_server = LeakyServer('192.168.0.10', 9000, b'some secret byte string')
leaky_server.start()

# Do something else
......

# Close server before exit
leaky_server.close()

TODO

  • Harden message parsing input validation (invalid lengths)
  • Use concurrent connection to increase exfiltration speed.
  • Tune flow modulation mode tx speeds .
  • Tune close delay mode delays.
  • Add CRC to the secret and secret length, or even better error correction.
  • Add resume capability so there is no need to get the secret in one go.
  • Add some tests.

References

  • Data Diodes Wikipedia
  • Place holder so I remember to publish a post on the attacks
  • And another on transport and streaming protocols for data diodes

About

Leaky diode is a data exfiltration test tool for data diodes.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages