Leaky Diode is a data exfiltration test tool for data diodes, using flow modulation and close delay attacks
Project description
Leaky Diodes
Leaky diode is a data exfiltration test tool for smart data diodes, that is, data diodes that support TCP pass-through with the help of some side channel from the isolated side. The attacks used are flow modulation and/or close delay:
- CLOSE DELAY uses the delay between the request for one of the secret's bits and the moment the server closes the connection to encode the bit value (e.g. a 10 second delay means a 0, a 30 second delay a 1).
- FLOW MODULATION uses the TCP flow control mechanism to encode the secret's bits as a transfer speed. For example, if the bit requested by the client is 1 the server throttles the speed to 300KB/s, if it is 0 to 100KB/s. The advantage of this attack is that using a single connection makes it harder to detect.
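Both channels above encode one bit per observation as one of two levels. As an added example that is not part of the leaky_diode project, the following defender-side heuristic checks whether a set of connection lifetimes (close delay) or per-interval transfer rates inside one connection (flow modulation) collapses onto two tight, well separated levels, which ordinary traffic does not do. All sample values are constructed, and the `threshold` of 8.0 is an assumed starting point to tune against real traffic.

```python
from statistics import mean, pstdev

# Constructed observations (not real captures). Close delay: seconds between
# the client's bit request and the server closing the connection, defaults 5 s
# and 10 s. Flow modulation: KB/s measured over 3 s sampling intervals inside
# one connection, defaults 64 and 300 KB/s. The third list is ordinary traffic.
COVERT_CLOSE_DELAYS = [5.1, 10.2, 10.0, 5.0, 5.2, 10.1, 5.1, 9.9, 10.1, 5.0]
COVERT_FLOW_RATES = [301, 63, 64, 299, 300, 65, 62, 298, 302, 64]
NORMAL_LIFETIMES = [0.4, 1.7, 3.2, 6.8, 12.5, 2.1, 9.5, 0.9, 8.3, 4.6]


def split_two_levels(samples):
    """Best two-cluster split of 1-D data: the cut of the sorted samples that
    minimises the within-cluster sum of squares, with at least two per side."""
    s = sorted(samples)
    best = None
    for cut in range(2, len(s) - 1):
        low, high = s[:cut], s[cut:]
        sse = sum((x - mean(low)) ** 2 for x in low)
        sse += sum((x - mean(high)) ** 2 for x in high)
        if best is None or sse < best[0]:
            best = (sse, low, high)
    return (best[1], best[2]) if best else (s, [])


def modulation_score(samples):
    """Distance between the two levels divided by the wider within-level
    spread. Ordinary traffic scores low; a bit stream encoded as two discrete
    timings or rates scores very high."""
    low, high = split_two_levels(samples)
    if len(low) < 2 or len(high) < 2:
        return 0.0
    spread = max(pstdev(low), pstdev(high), 1e-9)
    return (mean(high) - mean(low)) / spread


def looks_modulated(samples, min_samples=8, threshold=8.0):
    """Flag a peer once enough observations sit on two clean levels.
    The threshold is an assumed starting point, not a measured value."""
    return len(samples) >= min_samples and modulation_score(samples) >= threshold


if __name__ == "__main__":
    for name, data in [("close delay", COVERT_CLOSE_DELAYS),
                       ("flow modulation", COVERT_FLOW_RATES),
                       ("normal traffic", NORMAL_LIFETIMES)]:
        print(f"{name:16s} score={modulation_score(data):6.1f} "
              f"flagged={looks_modulated(data)}")
```

Feeding it the per-connection durations from the diode's flow logs (or rate samples from a single long-lived connection) is enough to raise an alert on a peer that repeatedly talks to the same server with two-valued timing.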
Installation
Download the package or clone the repository, and then install with:
python3 setup.py install
or use pypi:
pip install leaky_diode
Usage
On the isolated side launch the server:
leaky_server public_ip port 'secret string that needs leaking'
On the untrusted side launch the client and select one of the attacks:
leaky_client server_ip server_port --mode flow --partial
or
leaky_client server_ip server_port --mode close --partial
Then just wait a few minutes to receive the first byte (it's the slowest); if you're not sure whether it's working, add the --verbose option so it prints a message on each received bit.
Options
usage: leaky_client [-h] [--mode mode] [--low_delay delay] [--high_delay delay] [--low_rate rate]
[--high_rate rate] [--sample_time time] [--settle_time time] [--partial]
host port
Leaky Diode is a data exfiltration test tool for data diodes
positional arguments:
host Remote host address
port Remote host port
optional arguments:
-h, --help Show this help message and exit
--mode mode, -m mode Attack mode 'flow' or 'close' (default: flow)
--low_delay delay Close delay for low bits (default: 5s) (only Close Mode)
--high_delay delay Close delay for high bits (default: 10s) (only Close Mode)
--low_rate rate Tx rate for low bits (default: 64 KB/s) (only Flow Mode)
--high_rate rate Tx rate for high bits (default: 300 KB/s) (only Flow Mode)
--sample_time time Tx rate sampling interval (default: 3.0s) (only Flow Mode)
--settle_time time Settle time between sending a bit request and the start of
sampling (default: 8.0s) (only Flow Mode)
--partial Show partial results each time another byte from the secret is received
--verbose Show debugging messages
usage: leaky_server [-h] host port secret_string
Leaky Diode is a data exfiltration test tool for data diodes
positional arguments:
host Remote host address
port Remote host port
secret_string The secret string to leak
optional arguments:
-h, --help Show this help message and exit
-v, --verbose Show debugging messages
Performance
The attack throughput with the default parameters is around 1 B/min (yes, one byte per minute); you can increase it by lowering the delay times in close delay mode and the settle/sample times in flow modulation mode (the default values are very conservative).
An actual exfiltration attempt using this attack could easily leak a few KB per day: too slow for large breaches, but enough for targeted attacks on keys, passwords or selected users' data.
API
It is also possible to use leaky_diode as a package and include a server in your own app:
- class LeakyServer(host, port, secret, ticks=100, max_connections=10)
  - host: (str) Listen interface IP address ('' for all)
  - port: (int) Listen port
  - secret: (bytes) Secret to leak (max length 65535)
  - ticks: (int) Ticks per second the worker processes use to throttle the connections.
  - max_connections: (int) Max concurrent connections the server can handle.
  - start(): Initialize and launch server worker processes
  - stop(): Stop server and its workers

from leaky_diode import LeakyServer

leaky_server = LeakyServer('192.168.0.10', 9000, b'some secret byte string')
leaky_server.start()
# Do something else
......
# Stop server (and its workers) before exit
leaky_server.stop()
TODO
- Harden message parsing input validation (invalid lengths)
- Use concurrent connections to increase exfiltration speed.
- Tune flow modulation mode tx speeds.
- Tune close delay mode delays.
- Add CRC to the secret and secret length, or even better error correction.
- Add resume capability so there is no need to get the secret in one go.
- Add some tests.
References
- Data Diodes Wikipedia
- Placeholder so I remember to publish a post on the attacks
- And another on transport and streaming protocols for data diodes
Project details
Source Distribution
Built Distribution
File details: leaky_diode-0.1.1.tar.gz
File metadata
- Download URL: leaky_diode-0.1.1.tar.gz
- Size: 14.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.15.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.5.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | e60521311bedfc16b17dd22653d788015f95b3f4f7bf0a813bede36e04bd2b8b
MD5 | 7f6e50db301e4000e6983eecb4b3c19a
BLAKE2b-256 | 739a48091d597402e228a6de1921651fb979117d12ecdfc572d23a0619852976
File details: leaky_diode-0.1.1-py3-none-any.whl
File metadata
- Download URL: leaky_diode-0.1.1-py3-none-any.whl
- Size: 28.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.15.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.5.3
File hashes
Algorithm | Hash digest
---|---
SHA256 | a9d68ad1f427e2d65d8d38425313bde04c62f2d071d413df1ccf269fa29691b1
MD5 | 7b2e22e5cf128a324162de01740e251d
BLAKE2b-256 | 5da58e14511e055bebfe436a119ff58baaa7d99d414cf168d3910cf56a2c7bf6