Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 22allow any file type in the response. Thus, this feature may be, once again, used toencode data. The example in Figure 3-3 shows a possible covert channelimplementation, where a wildcard in the value of the accept header is treated asbinary zero, and a specific file type provided as binary one.Figure 3-3 Use of Optional Header Values (Kwecka, 2006)3.3.4 Adding a New FieldAs it was stated before, there is no real limitation to the specifications and the newtags could be added to Application Layer envelope (Dyatlov, 2003). Additionallysome applications are configured to ignore any unrecognised headers and treat requestand responses in a way they would be treated if the problematic header was not there(Fielding, et al, 1999). Thus, scenario from Figure 3-4 could be implementer, where acovert payload is exchanged in a plain text inside HTTP envelope. However, thiswould be undetectable to Eve if standard HTTP software was used to eavesdrop.Figure 3-4 Use of Unrecognised Header (Kwecka, 2006)3.3.5 Using Linear White Spacing CharactersFor a web browser there is no difference if there is one or more spaces between HTTPheader values, similarly linear white spacing is ignored in SMTP (Dyatlov, 2003).Please refer to Section 2.5.1 for example of linear white spacing header modification.3.3.6 Modifying Server ObjectIn this scenario Alice and Bob could use a previously agreed server object to exchangeinformation. Thus using more objects or altering the frequency of probing couldincrease the bandwidth (Kaminsky, 2004).
Z. Kwecka, BSc (Hons) Network Computing, 2006 233.4 HTTP ProtocolFollowing description of HTTP protocol is a part of larger document, written by theauthor of this dissertation, which highlights the possibilities of implementing covertchannels in this Application Layer protocol. The full content is of this document isattached to this dissertation in Appendix 4.The application layer protocol called HTTP is often perceived as very basic protocolfor distribution of World Wide Web pages. We could say that even its nameHypertext Transfer Protocol is very suggestive and implies that the purpose of thisprotocol is to transfer hypertext, where hypertext is defined as textual data “linked”across many documents or locations. It makes no wonder then, that some networkadministrators do not consider HTTP as a threat or think that as long as only outgoingestablished connections are permitted and every machine in the network uses somekind of firewall and antivirus software, they network is secure. However the true faceof the protocol is different. The most recent specification of HTTP is RFC 2616 andthe purpose of the protocol is described as follows:The Hypertext Transfer Protocol (HTTP) is an application-levelprotocol for distributed, collaborative, hypermedia informationsystems. HTTP has been in use by the World-Wide Web globalinformation initiative since 1990. The first version of HTTP, referredto as HTTP/0.9, was a simple protocol for raw data transfer across theInternet. HTTP/1.0, as defined by RFC 1945, improved the protocol byallowing messages to be in the format of MIME-like messages,containing metainformation about the data transferred and modifierson the request/response semantics. (Fielding, et al, 1999, pp. 7)HTTP is now well established protocol and the current version is 1.1, however theidea of the protocol stayed the same. Through employing a simple human readable(MIME-like) syntax and allowing transfer of virtually any kind of data, HTTPbecome a preferred protocol in development of “on-line” applications. Furthermorethe fact that a large group of network administrators allowed almost any outgoingconnections of HTTP either directly or through proxies contributed strongly to thistrend. Nowadays almost any software application, which requires communicationover the Internet, employs HTTP or has a build in functionality allowing itsapplication layer protocol to be tunnelled in HTTP. Example of the first kind could beantivirus software that uses HTTP for downloading signatures of the newest threatsfrom the central server, or an update agent for an application like internet messenger.The implementations of the remote method invocation or remote procedure call are,thus, common examples of the second kind of the applications.HTTP was identified as one of three protocols, which can be employed to createcovert channels for sending data in and out of networks commonly considered to besecure. Thus the following section will identify, where RFC 2616 as the documentwhich defines the current version of HTTP in use, gives hackers an open field forhiding data.3.4.1 HTTP Syntax and Covert ChannelsRFC 2616 was created to clear up some hard to understand statements from theprevious documentations of HTTP (namely 1.0 and 0.9) and to introduce few optional
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 11: Z. Kwecka, BSc (Hons) Network Compu
Page 73 and 74:
Z. Kwecka, BSc (Hons) Network Compu
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?