Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 32Wide Web browsers’ and servers’ implementations regard their usage of HTTPprotocol, since literature review findings suggested that a great number of informationsent within HTTP conversations is not actually used by either of sides. Thus, onceagain a piece of software will need to trigger various Web browsers (same set as inExperiment 1) to request websites from predefined list. However, in this experimentwe should locate a Proxy server inline with the requests and filter parts of HTTPenvelope so that WWW servers receive reduced set of information from the request.Then the servers’ responses should be analysed and compared to the responsesreceived after sending complete client requests. Thus, similarly to Experiment 1 theHTTP conversations will be saved in binary dump format and then analysed offlineby another piece of software. Ideally the process of collecting the data from modifiedrequests should be simultaneous to the traffic dumps from the unmodified requests, sothat the outside factors should not compromise the data collected and the final results.The software required for this experiment:- Browser Caller. An application triggering Web browsers to request websitesfrom predefined list.- Filtering Proxy. Forward Proxy server, which placed inline with the request,would be able to modify the client-server HTTP flow.- HTTP Dumper. Piece of software employing WinPCap to collect binarydumps of packets from HTTP conversations. Ideally only the packetscontaining the HTTP protocol envelope should be saved.- OffLine HTTP Analyser. The purpose of this application would be datamining from the binary packet dumps in order to collect experiment results.4.4.3 Experiment 3 – Headers ModificationPreviously, based on findings of Dyatlov and Kaminsky, as well as our analysis ofHTTP specification (RFC 2616), we have identified few different techniques, whichcould be employed to create covert channels in HTTP. They, generally, fall intofollowing categories:- headers’ reordering- headers’ and values’ case changing- usage of optional headers, values or flags- injection of an undefined header- usage of various linear spacing characters- server object modificationSince there is a number of different client and server HTTP software implementationscurrently used and all of them differ from each other, the purpose of this experimentwill be to analyse the practical use of the techniques suggested. The techniques willbe analysed in terms of the level of the processing required, noisiness of the channel,and level of discreetness (i.e. if any given techniques generates errors in either clientor server software it should not be considered a very good base for covert channelimplementation). To get a similar cross section of the implementations available, as inthe previous experiments, the BrowserCaller application with the same set of targetswill be used to generate genuine requests. Then a specially modified forward Proxyserver will be used to modify the request with covert channel simulation. Once againHTTPMessageDump and OffLineHTTPAnalyser will be used to collect the results.
Z. Kwecka, BSc (Hons) Network Computing, 2006 33Summarising, the software required for this experiment consist of:- Browser Caller. An application triggering Web browsers to request websitesfrom predefined list.- Data Hiding Proxy. Forward Proxy server, which placed inline with therequest, would be able to modify the client-server HTTP flow by applyingsuggested covert channel techniques.- HTTP Dumper. Piece of software employing WinPCap to collect binarydumps of packets from HTTP conversations. Ideally only the packetscontaining the HTTP protocol envelope should be saved.- OffLine HTTP Analyser. The purpose of this application would be datamining from the binary packet dumps in order to collect experiment results.Findings of the Experiments 1 - 3 together with the literature review suggestions willbe used to prototype Sniffer Detection and Inline Filtering Agents. Thus, in order toevaluate the project, following experiments will help to collect data required.4.4.4 Experiment 4 – Browser Signature RecognitionResults from Experiment 1 are expected to provide signatures of the various WWWbrowsers. In this experiment we will test the capabilities of the Inline Filtering Agent(IFA) to recognise those signatures, i.e. identify client software. However, clients thatconform to HTTP specification (Fielding, et al, 1999) should provide a form ofidentification in a value of User-Agent header, thus, during this experiment we shellnot use this value for the recognition purposes. Thus, to prove that applicationidentification is possible even when the User-Agent header is obfuscated, or whenmalicious software is trying to hide its identity by providing header value associatedwith genuine software. Therefore, in this experiment user will use various browsers,while they connect to the internet through IFA. The IFA task will be to recognise thesignature of the client software and for the purpose of data gathering the Proxy willgenerate a text file where the outcome of signature matching against User-Agentheader value will be stored.The extra software required for this experiment will be the Inline Filtering Agent ofthe prototyped system.4.4.5 Experiment 5 – Covert Channel DetectionIn this experiment Sniffer Detection and Inline Filtering Agents prototypes will beemployed to detect covert channels in the traffic generated by Browser Caller andData Hiding Proxy. Thus, the results will illustrate the system’s success of detection.All HTTP data hiding techniques previously identified will be tested, one at a time aswell as few combined together to form aggregated covert channel scenario.The software required for this experiment:- Sniffer Detection Agent- Inline Filtering Agent- Browser Caller- Data Hiding Proxy
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 11: Z. Kwecka, BSc (Hons) Network Compu
Page 83 and 84:
Z. Kwecka, BSc (Hons) Network Compu
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?