Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 4ContentsAuthorship declaration ...........................................................................................................2Abstract.........................................................................................................................................3Contents........................................................................................................................................4List of figures and tables .......................................................................................................6Acknowledgments ....................................................................................................................71 Introduction..........................................................................................................................81.1 Project Overview ..................................................................................................................81.2 Background ..........................................................................................................................81.3 Covert Channels Terminology...............................................................................................91.4 Project Aims and Objectives................................................................................................101.5 Thesis Structure ..................................................................................................................112 Theory...................................................................................................................................122.1 Introduction ........................................................................................................................122.2 Covert Channels Definition .................................................................................................122.3 Potential Users of Covert Channels......................................................................................132.4 TCP/IP Model.....................................................................................................................142.4.1 Network Layer...........................................................................................................142.4.2 Internet Layer ............................................................................................................142.4.3 Transport Layer .........................................................................................................142.4.4 Application Layer ......................................................................................................152.5 Examples of Application Layer Covert Channels.................................................................152.5.1 HTTP ........................................................................................................................152.5.2 DNS ..........................................................................................................................162.6 Conclusions ........................................................................................................................173 Literature Review............................................................................................................183.1 Introduction ........................................................................................................................183.2 Covert Channel Classification .............................................................................................183.2.1 Storage and Timing Channels.....................................................................................183.2.2 Noisy and Noiseless Channels....................................................................................193.2.3 Aggregated and Not-aggregated Channels ..................................................................193.3 Application Layer Covert Scenarios ....................................................................................193.3.1 Reordering.................................................................................................................213.3.2 Case Modification......................................................................................................213.3.3 Use of Optional Fields and Flags................................................................................213.3.4 Adding a New Field ...................................................................................................223.3.5 Using Linear White Spacing Characters......................................................................223.3.6 Modifying Server Object............................................................................................223.4 HTTP Protocol....................................................................................................................233.4.1 HTTP Syntax and Covert Channels ............................................................................233.4.2 General syntax...........................................................................................................243.5 Detection ............................................................................................................................273.6 Conclusions ........................................................................................................................284 Design...................................................................................................................................294.1 Introduction ........................................................................................................................294.2 Evaluation Environment......................................................................................................294.3 Covert Channels Detection System......................................................................................294.4 Experiment Design..............................................................................................................314.4.1 Experiment 1 – Implementation Specific Data Gathering............................................314.4.2 Experiment 2 – Request Information Filtering ............................................................314.4.3 Experiment 3 – Headers Modification ........................................................................324.4.4 Experiment 4 – Browser Signature Recognition..........................................................334.4.5 Experiment 5 – Covert Channel Detection ..................................................................334.4.6 Experiment 6 – Analysing Prototype’s Load on Test Network ....................................344.4.7 Experiment 7 – Code Mobility Check.........................................................................344.5 Conclusion..........................................................................................................................34
Z. Kwecka, BSc (Hons) Network Computing, 2006 55 Implementation ................................................................................................................365.1 Introduction ........................................................................................................................365.2 Testing Network .................................................................................................................365.3 Foundation Software...........................................................................................................375.3.1 HTTP Analysers ........................................................................................................375.3.2 HTTP Proxies............................................................................................................395.3.3 Web browsers ............................................................................................................405.4 Experimental Applications ..................................................................................................405.4.1 HTTP Dumper ...........................................................................................................405.4.2 OffLine HTTP Analyser.............................................................................................415.4.3 Filtering Proxy...........................................................................................................415.4.4 Data Hiding Proxy .....................................................................................................425.4.5 Browser Caller...........................................................................................................435.4.6 Browser Timer...........................................................................................................455.5 Covert Channel Detection System Prototype........................................................................455.6 Conclusions ........................................................................................................................466 Experiment Data Analysis............................................................................................476.1 Introduction ........................................................................................................................476.2 Experiments........................................................................................................................476.2.1 Experiment 1 – Implementation Specific Data Gathering............................................476.2.2 Experiment 2 – Request Information Filtering ............................................................496.2.3 Experiment 3 – Headers Modification ........................................................................506.2.4 Experiment 4 – Browser Signature Recognition..........................................................516.2.5 Experiment 5 – Covert Channel Detection ..................................................................526.2.6 Experiment 6 – Analysing Prototype’s Load on the Test Network...............................536.2.7 Experiment 7 – Code Mobility Check.........................................................................546.3 Conclusions ........................................................................................................................557 Discussion, Conclusions and Further Work..........................................................567.1 Introduction ........................................................................................................................567.2 Discussion & Prototype Evaluation .....................................................................................567.3 Test Inadequacies................................................................................................................587.4 Conclusions ........................................................................................................................587.5 Further Work ......................................................................................................................608 References..........................................................................................................................619 Appendices.........................................................................................................................63Appendix 1 - Experiment 2 Results ...............................................................................................63Appendix 2 – Experiment 3 Results...............................................................................................65Appendix 3 - HTTP Protocol.........................................................................................................67Appendix 3 – Project Presentation.................................................................................................74Appendix 4 - Inline Filtering Agent - Code Listing........................................................................79Appendix 5 - HTTP Analyser Foundation - Code Listing...............................................................93Appendix 6 – Browser Timer - Code Listing ...............................................................................104Appendix 7 – Browser Caller - Code Listing ...............................................................................108Appendix 8 – Data Hiding Proxy - Code Listing..........................................................................114Appendix 10 - HTTP Dumper - Code Listing ..............................................................................121Appendix 11 – Experimant 1 - Code Listing................................................................................130Appendix 12 – Experiment 2 & 3 - Code Listing .........................................................................137
Page 1 and 2: Application Layer Covert ChannelAna
Page 3: Z. Kwecka, BSc (Hons) Network Compu
Page 7 and 8: Z. Kwecka, BSc (Hons) Network Compu
Page 54 and 55:
Z. Kwecka, BSc (Hons) Network Compu
Page 56:
Page 60 and 61:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?