Application Layer Covert Channel Analysis and ... - Bill Buchanan

Z. Kwecka, BSc (Hons) Network Computing, 2006 142.4 TCP/IP ModelAs described in Section 2.1 ISO recommends the 7-layer OSI model for developmentof transmission protocols. Each of these layers provides well-defined services to thelayer directly above and exchanges data or control information with correspondinglayer on remote machine utilizing services of the layer directly below. In practice onlyfew protocols were developed strictly adhering to OSI’s model, while the existingInternet protocols can be easily mapped onto less complex 4-layer TCP/IP model.Figure 2-2 illustrates mapping between those two different multi-layered approachesto computer networking. It is possible to hide data in any layer of the Internet protocolstack, however, each layer provides different characteristics for possible covertchannels. Remaining part of this Section will briefly describe operations and discusspossible information hiding scenarios for each layer in TCP/IP model.TCP/IPOSIApplicationTransportInternetNetworkFigure 2-2 TCP/IP to OSI Model Mapping (Kwecka, 2006)2.4.1 Network LayerThe Network Layer in TCP/IP model deals with functions described in Physical andData Link Layers of the OSI model. Thus it deals with “getting data across oneparticular link or medium” including “physical characteristics of transmission”equipment (Odom, 2001, pp. 77). Consequently the major task of the protocolsoperating on this layer is to transfer packets between any two subsequent internetlayer capable devices on the end-to-end connection.2.4.2 Internet LayerInternet layer is responsible for end-to-end packets delivery and it is equivalent to OSInetwork layer. Thus it defines logical network addressing and deals with all theoperations required for packets to reach the remote host. These operations include butare not limited to routing, fragmenting and queuing of the PDUs - protocol data units(Odom, 2001).2.4.3 Transport LayerTransport layer provides for end-to-end transparent transfer of application layer data.Due to this feature it is often perceived to be a basic form of middleware fordistributed applications. Thus if error recovery, flow control and similar functionalityis required, transport layer will provide for it.