Perseus: A Coding Theory-based Firefox Plug-in to Counter Botnet Activity


Presented at HackLu 2009 by

Most botnet activity consists of listening to and analysing HTTP streams in order to retrieve and collect sensitive data (email addresses, login/password pairs, credit card numbers, ...). This is possible because the HTTP protocol does not protect the contents of the transmitted packets. Encryption, besides imposing severe constraints (encryption time, key management, ...), raises legal problems, especially for transnational flows subject to differing national regulations. How can this eavesdropping by botnets be prevented while still allowing States to act in the field of communications surveillance? The project we are developing aims to give an operational answer to this problem.

The solution takes the form of a Firefox plug-in, developed under the triple GPL/LGPL/MPL licence and meeting Mozilla's development specifications, so that it could be incorporated into the Firefox code base.

Principle put into practice. This principle was validated mathematically between 1997 and 2007 in two theses of the Ecole Polytechnique (E. Filiol's thesis in 2001; J. Barbier's thesis in 2007). The idea is to encode the exchanged data (packet payloads) with punctured convolutional codes, which are used in telecommunications for their very high encoding speed. After encoding and before transmission, the stream is artificially noised according to a noise parameter P fixed before the transmission. Alice wants to communicate with Bob. As a first step, the parameters of the encoder are generated randomly (constraint length of the polynomials, rate, puncturing matrix, noise parameter, ...) and a short HTTPS session is used to communicate them to Bob (this amounts to less than 256 bytes). The HTTP stream is then encoded with this encoder and Bob decodes it with the Viterbi algorithm.

On the botnet agent side, any analysis of the HTTP stream must go through a systematic preliminary decoding phase, but since the encoder changes for every transmission, the botnet client must first reconstruct the unknown encoder. This is computationally infeasible without heavy resources, which moreover would betray the presence of the botnet client on the infected host; the time required for that reconstruction becomes prohibitive. In addition, only a non-punctured equivalent encoder can be recovered (established theoretical results which have been experimentally validated). While reconstruction is infeasible in practice for a botnet client, it remains easily possible for a State service with classical computing power. The various implementations show that this encoding/decoding layer is transparent to the user and does not degrade performance.
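The Alice/Bob session described above, as an added worked example that is not part of the original abstract or of the Perseus plug-in: Alice draws random encoder parameters, serialises them into the short parameter message, encodes and punctures a sample HTTP payload, adds artificial noise at rate P, and Bob depunctures and runs Viterbi decoding. The function names (`random_params`, `alice_send`, `bob_receive`), the JSON parameter format, the choice of the standard (7,5) and (171,133) rate-1/2 mother codes and the puncturing patterns are all assumptions made for this example; the abstract does not state which codes or wire format Perseus uses.

```python
"""Toy model of the Perseus session: Alice draws random punctured-convolutional
encoder parameters, sends them to Bob in a short message (under 256 bytes per the
page), encodes and punctures the HTTP payload and adds noise at rate P; Bob
depunctures and Viterbi-decodes. Added example: the codes, puncturing patterns
and the JSON parameter format are assumptions, not Perseus' own."""
import json
import random

MOTHER_CODES = {3: (0o7, 0o5), 7: (0o171, 0o133)}   # standard rate-1/2 codes by K
PUNCTURE_PATTERNS = {"1/2": [1, 1], "2/3": [1, 1, 1, 0], "3/4": [1, 1, 0, 1, 1, 0]}

def random_params(seed):
    """Alice's per-session encoder choice (assumed parameter set)."""
    rng = random.Random(seed)
    K = rng.choice(sorted(MOTHER_CODES))
    return {"K": K, "gens": list(MOTHER_CODES[K]),
            "rate": rng.choice(sorted(PUNCTURE_PATTERNS)), "P": rng.choice([0.0, 0.01, 0.02])}

def serialize_params(params):
    """Parameter message for the short HTTPS session (assumed JSON encoding)."""
    return json.dumps(params, separators=(",", ":")).encode()

def parity(x):
    return bin(x).count("1") & 1

def conv_encode(bits, K, gens):
    """Rate-1/2 feed-forward encoder; K-1 zero tail bits return it to state 0."""
    reg, out = 0, []
    for b in list(bits) + [0] * (K - 1):
        reg = ((reg << 1) | b) & ((1 << K) - 1)       # bit 0 = current input
        out.extend(parity(reg & g) for g in gens)
    return out

def puncture(bits, pattern):
    return [b for i, b in enumerate(bits) if pattern[i % len(pattern)]]

def depuncture(received, pattern):
    """Rebuild the rate-1/2 stream with None (erasure) at dropped positions; the
    coded length is the smallest even length consistent with the pattern."""
    out, taken = [], 0
    while taken < len(received) or len(out) % 2:
        keep = pattern[len(out) % len(pattern)]
        if keep and taken >= len(received):
            raise ValueError("stream length inconsistent with puncturing pattern")
        out.append(received[taken] if keep else None)
        taken += keep
    return out

def add_noise(bits, P, seed=None):
    """Artificial noise: flip each transmitted bit with probability P."""
    rng = random.Random(seed)
    return [b ^ int(rng.random() < P) for b in bits]

def viterbi_decode(coded, K, gens):
    """Hard-decision Viterbi over the rate-1/2 trellis; erasures cost nothing and
    the traceback starts from state 0 because of the tail bits."""
    n_states, mask, INF = 1 << (K - 1), (1 << K) - 1, float("inf")
    trans = {}                                  # (state, input) -> (next, outputs)
    for s in range(n_states):
        for b in (0, 1):
            reg = ((s << 1) | b) & mask
            trans[s, b] = (reg & (n_states - 1), [parity(reg & g) for g in gens])
    metric, history = [0] + [INF] * (n_states - 1), []
    for t in range(0, len(coded), 2):
        new, back = [INF] * n_states, [None] * n_states
        for s in [s for s in range(n_states) if metric[s] != INF]:
            for b in (0, 1):
                ns, outs = trans[s, b]
                cost = metric[s] + sum(r is not None and r != o
                                       for r, o in zip(coded[t:t + 2], outs))
                if cost < new[ns]:
                    new[ns], back[ns] = cost, (s, b)
        metric = new
        history.append(back)
    state, bits = 0, []
    for back in reversed(history):
        state, b = back[state]
        bits.append(b)
    bits.reverse()
    return bits[:len(bits) - (K - 1)]

def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def bits_to_bytes(bits):
    return bytes(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def alice_send(payload, params, noise_seed=None):
    """Encode, puncture and noise one HTTP payload with the session encoder."""
    coded = conv_encode(bytes_to_bits(payload), params["K"], params["gens"])
    return add_noise(puncture(coded, PUNCTURE_PATTERNS[params["rate"]]), params["P"], noise_seed)

def bob_receive(wire_bits, param_blob):
    """Bob, knowing the encoder from the parameter message, depunctures and decodes."""
    p = json.loads(param_blob)
    return bits_to_bytes(viterbi_decode(depuncture(wire_bits, PUNCTURE_PATTERNS[p["rate"]]), p["K"], p["gens"]))
```

A session runs as `params = random_params(2009)`, `blob = serialize_params(params)` (a few dozen bytes, well under the 256 quoted above), then `wire = alice_send(b"GET / HTTP/1.1\r\n", params, noise_seed=1)` on Alice's side and `bob_receive(wire, blob)` on Bob's. Calling `bob_receive` with a different parameter blob is what an observer who missed the parameter message gets: it has to reconstruct the encoder from the stream first, which is exactly the cost the abstract relies on. Two caveats a practitioner should keep in mind: the noise rate P that the Viterbi decoder can still correct depends on the free distance of the chosen punctured code (the toy does not tune P to the code, a real implementation must), and the protection here rests on the cost of encoder reconstruction, not on secrecy in the cryptographic sense, which is why the abstract says a State service can still decode.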