Using a secure permutational covert channel to detect local and wide area interposition attacks
Author(s) - Jaroslaw Paduch, Jamie Levy, Bilal Khan
Publication year - 2009
Publication title - CiteSeerX (The Pennsylvania State University)
Language(s) - English
Resource type - Conference proceedings
DOI - 10.1145/1582379.1582398
Subject(s) - computer science, ipsec, computer network, overhead (engineering), local area network, secure channel, covert channel, layer (electronics), computer security, confidentiality, covert, network security, encryption, operating system, the internet, cloud computing, security information and event management, chemistry, organic chemistry, cloud computing security, linguistics, philosophy
In this paper, we present new techniques to detect interposition attacks on stream-based connections in local and wide area networks. The approach developed here is general enough to apply uniformly to all circumstances where the man-in-the-middle attacker achieves interposition by corrupting higher-layer to low-layer address mappings. Thus, both the problem of local area network interposition through ARP poisoning and the problem of wide area interposition through DNS poisoning are addressed as special cases of our work. Like other solutions that reside between Layers 3 and 4 (e.g. IPSEC), our techniques enjoy the property that they do not require redesigning legacy software, as is the case for approaches that reside above Layer 4 (e.g. SSL/TLS). Unlike IPSEC, however, the developed system is tailored only to the detection of interposition attacks, and thus circumvents the overhead and complexity introduced in guaranteeing stream confidentiality and integrity. We describe the design of the system, demonstrate its efficacy, and provide a publicly accessible prototype implementation.