
Application Layer Covert Channel Analysis and ... - Bill Buchanan

Z. Kwecka, BSc (Hons) Network Computing, 2006 (p. 32)

Wide Web browsers' and servers' implementations regard their usage of the HTTP protocol, since the literature review findings suggested that a great deal of the information sent within HTTP conversations is not actually used by either side. Thus, once again a piece of software will need to trigger various Web browsers (the same set as in Experiment 1) to request websites from a predefined list. However, in this experiment we should place a Proxy server inline with the requests and filter parts of the HTTP envelope, so that the WWW servers receive a reduced set of information from the request. The servers' responses should then be analysed and compared to the responses received after sending complete client requests. Thus, similarly to Experiment 1, the HTTP conversations will be saved in binary dump format and then analysed offline by another piece of software. Ideally, the collection of data from the modified requests should run simultaneously with the traffic dumps from the unmodified requests, so that outside factors do not compromise the data collected and the final results.

The software required for this experiment:

- Browser Caller. An application triggering Web browsers to request websites from a predefined list.
- Filtering Proxy. A forward Proxy server which, placed inline with the request, would be able to modify the client-server HTTP flow.
- HTTP Dumper. A piece of software employing WinPcap to collect binary dumps of packets from HTTP conversations. Ideally only the packets containing the HTTP protocol envelope should be saved.
- OffLine HTTP Analyser.
The purpose of this application would be data mining from the binary packet dumps in order to collect the experiment results.

4.4.3 Experiment 3 – Headers Modification

Previously, based on the findings of Dyatlov and Kaminsky, as well as our analysis of the HTTP specification (RFC 2616), we have identified a few different techniques which could be employed to create covert channels in HTTP. They generally fall into the following categories:

- headers' reordering
- headers' and values' case changing
- usage of optional headers, values or flags
- injection of an undefined header
- usage of various linear spacing characters
- server object modification

Since there are a number of different client and server HTTP software implementations currently in use, and all of them differ from each other, the purpose of this experiment will be to analyse the practical use of the techniques suggested. The techniques will be analysed in terms of the level of processing required, the noisiness of the channel, and the level of discreetness (i.e. if any given technique generates errors in either client or server software it should not be considered a very good basis for a covert channel implementation). To get a similar cross section of the implementations available as in the previous experiments, the BrowserCaller application with the same set of targets will be used to generate genuine requests. Then a specially modified forward Proxy server will be used to modify the requests with the covert channel simulation. Once again HTTPMessageDump and OffLineHTTPAnalyser will be used to collect the results.
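As an added illustration of the two experiment designs above (example code written for this page, not code from the thesis or its BrowserCaller/Filtering Proxy/OffLineHTTPAnalyser tools), the following Python sketch does two things: it implements the header-reduction step that the Filtering Proxy of Experiment 2 performs before forwarding a request, and it provides a defender-side inspection routine that flags the Experiment 3 manipulation categories that are visible on the request side (header reordering, case changes, undefined headers, unusual linear white space). The known-header list, the canonical spellings, the client's baseline header order and the two sample requests are all constructed assumptions; the server-object-modification category concerns responses and is not covered here.

```python
"""Added example (not from Kwecka's thesis): a minimal HTTP/1.1 request
header parser with two uses drawn from Experiments 2 and 3.

1. filter_request(): the header-reduction step of the Filtering Proxy
   (forward only a whitelist of headers to the origin server).
2. inspect_request(): a defender-side check for the request-side header
   manipulation categories, scored against a per-client baseline order.

All header names, baseline orders and requests below are constructed sample data.
"""

CRLF = "\r\n"

# Constructed subset of RFC 2616 request headers; anything else counts as
# "undefined" for the purposes of the check.
KNOWN_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "accept-charset", "connection", "keep-alive", "referer", "cookie",
    "cache-control", "pragma", "if-modified-since", "if-none-match",
    "content-length", "content-type", "range", "te", "via", "x-forwarded-for",
}

# Spelling the client normally emits (constructed); deviation => case changing.
CANONICAL_CASE = {
    "host": "Host", "user-agent": "User-Agent", "accept": "Accept",
    "accept-language": "Accept-Language", "accept-encoding": "Accept-Encoding",
    "connection": "Connection", "keep-alive": "Keep-Alive", "referer": "Referer",
    "cookie": "Cookie", "cache-control": "Cache-Control",
}


def parse_request(raw: str):
    """Split a raw request into (request_line, [(name, value, raw_line), ...]).
    Only the header block is parsed; any body after the blank line is ignored."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    request_line, headers = lines[0], []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name, value, line))
    return request_line, headers


def filter_request(raw: str, keep: set) -> str:
    """Experiment 2 proxy step: rebuild the request with only whitelisted headers
    (matched case-insensitively), preserving their original order and values."""
    request_line, headers = parse_request(raw)
    kept = [line for name, _, line in headers if name.strip().lower() in keep]
    return CRLF.join([request_line, *kept]) + CRLF + CRLF


def inspect_request(raw: str, baseline_order: list) -> list:
    """Return indicator strings for the request-side Experiment 3 categories.
    baseline_order is the header sequence this client normally emits
    (constructed here; in practice learned from unmodified traffic dumps)."""
    _, headers = parse_request(raw)
    findings, seen_order = [], []
    for name, value, line in headers:
        lname = name.strip().lower()
        seen_order.append(lname)
        if lname not in KNOWN_HEADERS:
            findings.append(f"undefined header: {name.strip()!r}")
        canon = CANONICAL_CASE.get(lname)
        if canon and name != canon:
            findings.append(f"case changed: {name!r} (expected {canon!r})")
        # Linear white space: a tab, two or more spaces after the colon, or
        # space before the colon is legal in RFC 2616 but rarely produced
        # by real browsers, so it is a useful indicator.
        if name != name.rstrip() or "\t" in line or value.startswith("  "):
            findings.append(f"unusual linear white space in: {line!r}")
    # Reordering: compare the relative order of headers the baseline also has.
    common = [h for h in seen_order if h in baseline_order]
    expected = [h for h in baseline_order if h in seen_order]
    if common != expected:
        findings.append(f"header order differs from baseline: {common}")
    return findings


# Constructed baseline order and sample requests (not captured traffic).
BASELINE_ORDER = ["host", "user-agent", "accept", "accept-language",
                  "accept-encoding", "connection"]

GENUINE = (
    "GET / HTTP/1.1" + CRLF +
    "Host: www.example.com" + CRLF +
    "User-Agent: ExampleBrowser/1.0" + CRLF +
    "Accept: text/html" + CRLF +
    "Accept-Language: en-gb" + CRLF +
    "Accept-Encoding: gzip" + CRLF +
    "Connection: keep-alive" + CRLF + CRLF
)

# The same request after a simulated header modification (constructed):
# one header moved, one lower-cased with doubled spacing, one undefined header.
MODIFIED = (
    "GET / HTTP/1.1" + CRLF +
    "Host: www.example.com" + CRLF +
    "Accept: text/html" + CRLF +
    "user-agent:  ExampleBrowser/1.0" + CRLF +
    "X-Example-Tag: 4a1f" + CRLF +
    "Accept-Language: en-gb" + CRLF +
    "Accept-Encoding: gzip" + CRLF +
    "Connection: keep-alive" + CRLF + CRLF
)

if __name__ == "__main__":
    print(filter_request(GENUINE, {"host", "user-agent", "accept"}))
    for finding in inspect_request(MODIFIED, BASELINE_ORDER):
        print("-", finding)
```

Run stand-alone, the script prints the reduced request that the proxy would forward and the four indicators raised for the modified request, while the genuine request raises none. The baseline-order comparison is deliberately relative (only headers present in both sequences are compared), so a client simply omitting an optional header does not count as reordering; that matches the thesis's concern that a technique which trips errors or alarms in ordinary traffic is a poor basis for a channel.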
