Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 24features of HTTP/1.0 as standard in the new protocol HTTP/1.1. In the time when thisspecification was written the biggest concern of the creators was interoperabilitybetween all the applications using the new standard and a backward compatibility tothe already existing implementations, which conformed to previous RFCs. Somesecurity concerns were raised, regarding leakage of personal information, attacksbased on path names and DNS spoofing, however threats of covert channels’implementation was overlooked. Following interpretation of a RFC 2616, describesoperation of HTTP and highlights areas where transfer of data in a covert manner ispossible.3.4.2 General syntaxThe basic units of HTTP communication are messages, made up of a structuredsequence of octets and transmitted via a transport layer virtual circuit (connection).There are two types of messages allowed: requests and responses. Both use genericmessage format. This consists of a start-line, zero or more header-fields (headers), anempty line and optional message body:generic-message = start-line ; a Request-line or a Status-line*(message-header CRLF) ; one or more headerCRLF; compulsory empty line[ message-body ] ; optional application layer dataStart-line is made of either a Request-line in a request message or a Status-line in aresponse message. CRLF is the only end-of-line marker allowed for all HTTPprotocol elements except the entity-body. It stands for carriage return (CR) and linefeed (LF). This is a good practice, there is only one standard allowed, which makesprotocol implementation easier, and prevents information hiding. There are fewdifferent types of message-headers: general-header, request-header, response-headerand entity-header. All of them are built using the same syntax. Each header consists ofa case-insensitive field name followed by a colon and an optional field value.message-header = field-name “:” [ field-value ]Case-insensitivity.Field-names are case-insensitive, thus they are ideal carrier for hiding bits (payload).Both clients and the servers will interpret a field-name in the same way no matter thecase of the letters. The coincidence is that capital letters in the ASCII code differ fromthe lower case letters only by a value of the 3 rd bit. Thus binary form of letter R is01010010 and the one of letter r is 01110010. Then a mask of 0xDF can be employedto extract or encode a payload in ASCII characters. Lower case letters would decodeas 1’s, where capital letters would decode as 0’s. An example follows to illustrate howcovert payload maybe hidden in a typical HTTP header given below:Connection: keep-aliveThis header can be modified to carry the bit pattern of 0111001011 and would look asfollows:ConnECtIon: keep-aliveConsequently above encoding method can be employed to transfer as many bits ofpayload as the total number of letters in field-names in any particular message. A
Z. Kwecka, BSc (Hons) Network Computing, 2006 25visual inspection of the HTTP envelope would reveal this covert channel, however asit is unusual for anybody to examine HTTP message header and HTTP clients andservers would ignore casing, this kind of covert channel could be successfullydeployed.Linear white spacing.Another reason for concern is the fact that according to RFC 2616 the field-content(the data part of field-value) can be preceded and followed by an optional linear whitespacing (LWS). LWS can be made up from a non-compulsory CRLF and one or morespace (SP) or horizontal tab (HT) character.LWS = [CRLF] 1*(SP|HT)Header values may be folded onto multiple lines using CRLF as long as the new linestarts with a space or horizontal tab. Thus, all linear white space in a header may bereplaced with a single SP before processing or forwarding the message downstream.This allows for a text decoration in the HTTP messages and has no real meaning inprocessing of the requests and responses. However it creates room for bidirectionalcovert channels. In a case where there is no HTTP Proxy between communicatingsites, or linear white spaces are left unaltered by a Proxy, it is possible to encodeinformation using SP and HT characters. An example illustrates how linear whitespace characters may be employed to transfer covert payload in the following header:“Connection: keep-alive”Header name Connection followed by a colon “:”, a space SP and the value keepalive:“Connection” “:” SP “keep-alive”Let assume that 1’s are encoded as HTs and 0’s as SPs. Now if the single SP would bereplaced with a combination of HTs and SPs, the meaning of the HTTP header wouldnot change, but a binary stream could be hidden in the header. Thus a byte ofinformation which in binary form is 01011100 could be encoded in one of thefollowing ways:“Connection” “:” SP HT SP HT HT HT SP SP “keep-alive”“Connection” “:” SP “keep-alive” SP HT SP HT HT HT SP SP“Connection” “:” SP “keep-alive” CRLFSP HT SP HT HT HT SP SPThere is virtually no limit to a number of bits per message that can be sent using thismethod, apart of the size limits set for different kinds of requests and responses. If bitsencoded in this way are placed in front of a header value a visual examination of theHTTP message would be enough to reveal the disguise, however if they follow thefield-value contents or a CRLF only examination of the message bytes would exposethe covert channel.Order of headers.Above technique is not the last reason why HTTP messages are such s good carrierfor covert channels. The generic-message syntax does not specify the order in which
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 11: Z. Kwecka, BSc (Hons) Network Compu
Page 75 and 76:
Z. Kwecka, BSc (Hons) Network Compu
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?