
Application Layer Covert Channel Analysis and ... - Bill Buchanan


Z. Kwecka, BSc (Hons) Network Computing, 2006

The final solution developed is capable of capturing HTTP traffic, as well as writing and reading the tcpdump (libpcap) format. To allow HTTP connections to be monitored, the HTTP Analyser Foundation (illustrated in Figure 5-2) splits the traffic by the combination of client IP, client port, server IP and server port. At first this proved problematic, since nested ArrayLists had been chosen to store the raw packets. Microsoft's documentation guarantees thread safety only for the static members of ArrayList and for concurrent readers while the collection is not being modified; the only way to search an ArrayList is to iterate through it, and that was the problem. The program produced errors whenever a write to an ArrayList occurred while it was under iteration (the enumerator is invalidated and throws InvalidOperationException). This was solved by using the synchronised wrappers (ArrayList.Synchronized) for the ArrayLists involved. One caveat: the wrapper only serialises individual calls and does not make enumeration thread-safe, so the capture thread and the search thread must also lock on the wrapper's SyncRoot for the whole duration of an iteration, otherwise the same error can recur. Then, for the purpose of HTTP conversation monitoring, the application was programmed to "understand" basic TCP and HTTP parameters. The logic of the implementation treats the following packets as interesting:

- the first packet from the client to the server after a 3XX or zero-length response from the server;
- a packet whose TCP sequence number equals the acknowledgement number of the client's last request.

Additionally, some extra logic was added to the application following testing. These improvements included a tick box that allows the application to work in promiscuous mode with some Intel-based adapters, which proved to use the inverse of the logic used by most other adapters.
Some extra filtering capabilities were also added, to allow directional visualisation.

5.3.2 HTTP Proxies

In the design section we identified that the development of an HTTP Proxy Foundation could provide a base for the implementation of the prototype's Inline Filtering Agent, as well as for the applications required for the experiments (Filtering Proxy, Data Hiding Proxy). Thus, we carried out an investigation with the objective of finding a genuine open-source proxy server that could be adjusted to our needs. This resulted in the identification of the Mentalis.org Proxy⁸, open-source software with a licence permitting redistribution and modification. While the original software was a console application that could perform the functions of HTTP, FTP and SOCKS proxy servers, we employed only the classes responsible for HTTP operation, i.e. client, HTTPclient, listener and HTTPlistener, out of the original design. A graphical user interface was then produced to control the application. The final HTTP Proxy Foundation (illustrated in Figure 5-3) uses asynchronous system calls; therefore an interface is needed between the GUI and the functional classes. At first this was troublesome, since the GUI instantiated the other classes and therefore had full control over them, but the instances of the functional classes could not communicate back to it. This was solved by implementing a ConsoleBuffer class with a number of static variables. Static variables are shared among all instances of the same class, and thus the different components of the HTTP Proxy Foundation use them to communicate with each other. Because the asynchronous socket callbacks run on thread-pool threads, access to this shared static state must itself be synchronised.

⁸ Author: KPD-Team; Website: http://www.mentalis.org/soft/projects/Proxy/
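As an added example (not part of the dissertation, and not the C# HTTP Analyser Foundation it describes), the following Python script shows the two pieces of logic from the HTTP Analyser section above: keying captured TCP segments by the client/server 4-tuple and applying the two "interesting packet" rules. It writes and then reads a libpcap file constructed in memory, so it runs offline; the sample traffic, the addresses, and the Packet/analyse helper names are my own. Three points the page leaves open are assumptions here: a "zero-length response" is taken to be a server segment without TCP payload, the side that sends a flow's first packet is taken to be the client, and both rules are applied only to segments that carry data.

```python
"""Added example (not Kwecka's code): read a libpcap file, split TCP traffic into
HTTP conversations keyed by (client IP, client port, server IP, server port) and
flag the 'interesting' packets using the two rules given in the text.
The sample capture is constructed in memory by sample_pcap(); nothing is sniffed."""
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport seq ack payload")


def build_frame(p):
    """Serialise a Packet as Ethernet/IPv4/TCP; checksums and TCP flags are not used."""
    tcp = struct.pack("!HHIIBBHHH", p.sport, p.dport, p.seq, p.ack,
                      5 << 4, 0x10, 65535, 0, 0) + p.payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, p.src.split("."))), bytes(map(int, p.dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(packets):
    """Write frames as a libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, p in enumerate(packets):
        frame = build_frame(p)
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield a Packet for every TCP-over-IPv4 frame in a libpcap byte string."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # not IPv4 / not TCP
            continue
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport, seq, ack, doff = struct.unpack("!HHIIB", tcp[:13])
        yield Packet(".".join(map(str, ip[12:16])), sport,
                     ".".join(map(str, ip[16:20])), dport, seq, ack, tcp[(doff >> 4) * 4:])


def status_code(payload):
    """HTTP status code of a segment that begins with a status line, else None."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def analyse(packets):
    """Return {(client ip, client port, server ip, server port): [(index, kind), ...]}.
    Assumed: the sender of a flow's first packet is the client; a 'zero-length
    response' is a server segment with no payload; rules apply to data segments only."""
    conversations, expect_request, last_client_ack = {}, {}, {}
    for i, p in enumerate(packets):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        from_client = rev not in conversations
        key = fwd if from_client else rev
        hits = conversations.setdefault(key, [])
        if from_client:
            if p.payload and expect_request.get(key):              # rule 1
                hits.append((i, "request"))
                expect_request[key] = False
            if p.payload:
                last_client_ack[key] = p.ack
        else:
            if p.payload and p.seq == last_client_ack.get(key):    # rule 2
                hits.append((i, "response"))
            code = status_code(p.payload)
            if not p.payload or (code is not None and 300 <= code < 400):
                expect_request[key] = True                         # arm rule 1
    return conversations


def sample_pcap():
    """Constructed capture: two interleaved conversations from one client to a web server."""
    C, S = "10.0.0.5", "93.184.216.34"
    req1 = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    rsp1 = b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Length: 0\r\n\r\n"
    req2 = b"GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n"
    rsp2 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"   # headers; body follows in a 2nd segment
    body = b"hello"
    req3 = b"GET /img.png HTTP/1.1\r\nHost: example.com\r\n\r\n"
    rsp3 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    a, b = 40001, 40002                                      # client ports of the two flows

    def c2s(port, seq, ack, data=b""): return Packet(C, port, S, 80, seq, ack, data)
    def s2c(port, seq, ack, data=b""): return Packet(S, 80, C, port, seq, ack, data)
    return build_pcap([
        c2s(a, 1000, 0),                                      # 0  SYN
        s2c(a, 5000, 1001),                                   # 1  SYN-ACK: zero length, arms rule 1
        c2s(a, 1001, 5001),                                   # 2  ACK, no data: ignored
        c2s(a, 1001, 5001, req1),                             # 3  request             (rule 1)
        c2s(b, 2000, 0),                                      # 4  second flow: SYN
        s2c(a, 5001, 1001 + len(req1), rsp1),                 # 5  302 response        (rule 2)
        s2c(b, 7000, 2001),                                   # 6  SYN-ACK
        c2s(a, 1001 + len(req1), 5001 + len(rsp1), req2),     # 7  request after 3XX   (rule 1)
        c2s(b, 2001, 7001, req3),                             # 8  request             (rule 1)
        s2c(a, 5001 + len(rsp1), 1001 + len(req1) + len(req2), rsp2),                # 9  (rule 2)
        s2c(a, 5001 + len(rsp1) + len(rsp2), 1001 + len(req1) + len(req2), body),    # 10 continuation
        s2c(b, 7001, 2001 + len(req3), rsp3),                 # 11 response            (rule 2)
        s2c(a, 5001 + len(rsp1) + len(rsp2) + 5, 1001 + len(req1) + len(req2)),      # 12 FIN
    ])


def demo():
    return analyse(list(read_pcap(sample_pcap())))


if __name__ == "__main__":
    for key, hits in demo().items():
        print(key, hits)
```

Running the script prints, per conversation, the indices of the packets the two rules flag. The continuation segment (index 10) is not flagged, because only the first segment of a response carries the sequence number that equals the client's acknowledgement number, and the pure ACK and FIN segments are skipped because they carry no data; note also that if a capture starts mid-connection the first-packet-is-client assumption inverts the roles, which the page's own tool avoids by knowing the server port from its filter.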
