Z. Kwecka, BSc (Hons) Network Computing, 2006 50control should not be employed, due to a nature of information send by client’ssoftware in requests using cache control. This is due to the fact, that some of thisinformation (sent in plain text) may give potential listener detailed data on softwareused by the inside host.We think current implementations of HTTP/1.1 protocol send a number of redundantdata in their messages. In this experiment only a number of request headers have beenput to test, however, out of five headers, three have been identified as not beingrelevant anymore. Thus, we think an in depth study of data send be HTTP clients <strong>and</strong>server responses is needed, to produce a new specification to this protocol basedaround statistical data of current implementations.6.2.3 Experiment 3 – Headers ModificationIn previous sections of this report, we have identified six different techniques to hidedata inside HTTP transaction messages. However, these methods were identified astheoretical <strong>and</strong> since Experiment 1 proved that there are many differentimplementations of HTTP specification, the objective of this experiment was to testthe behaviour various servers, to suggested data hiding scenarios. The physical <strong>and</strong>logical setup for this experiment was very similar to that of Experiment 2. Thus, Host2 was generating two requests for each website in ‘sites’ file. The requests followedtwo different paths, one with forward Proxy, where no modifications were performed,<strong>and</strong> one with Data Hiding Proxy on the way, so that the request could be modifiedaccordingly to the requirements. Thus, we have tested five different data hidingscenarios:(a) Case ModificationFrom HTTP specification, we know that all header names are case-insensitive. Thus,in this scenario, Data Hiding Proxy has been used to change header names’ casing,from the usual title-case, to uppercase.(b) Undefined HeaderClient <strong>and</strong> server software, which conform to HTTP/1.1 st<strong>and</strong>ard must ignoreunrecognised headers, i.e. threat the transaction, as they would if the header was notthere. Therefore, to test this data hiding technique Data Hiding Proxy was configuredto add an extra header (‘<strong>Covert</strong>-<strong>Channel</strong>: A covert data’) to every request passing through it.(c) Linear Spacing ModificationThis scenario employed the fact that HTTP software should interpret consequentlinear spacing characters as a single white space. Thus combination of white spaces<strong>and</strong> linear tabulators was appended to every header in requests passing through DataHiding Proxy.(d) Optional HeaderOptional header ‘Via’ with a value ‘A covert data’ was added to each request whentesting this scenario.(e) Headers’ ReorderingIn this test Data Hiding Proxy was used to change the order of two first headers ineach request, since software conform to HTTP/1.1 should ignore the order of theheaders of different name.The only data hiding technique not tested in this experiment was the modification ofserver object. This is due, to the fact that appropriate scenario would need to employst<strong>and</strong>ard unmodified HTTP requests, to access server object. Thus, since thetechnique doesn’t involve modification of the request it cannot negatively affectHTTP server software <strong>and</strong> would produce results identical to the baseline.
Z. Kwecka, BSc (Hons) Network Computing, 2006 51The results from this experiment were used to analyse server responses to various datahiding techniques <strong>and</strong> their graphical representation is attached to the report inAppendix 2. Thus, out of five scenarios tested, the number of error response codesreturned in the Data Hiding Agent path, were different only for Linear SpacingModification scenario. The difference, however, was negligible (0.1%), so weconfider badly written scripts rather that server software to be the reason behind them.Thus, the theoretical data hiding scenarios can be implemented in practice, withoutaffecting HTTP operations <strong>and</strong> countermeasures should be developed to stop suchimplementations.6.2.4 Experiment 4 – Browser Signature RecognitionEvery web browser installed at test network hosts were configured with the IP addressof the Inline Filtering Agent (running on Host 3) for the purpose of this experiment.Then we have tried browsing the Internet using various browsers (those previouslyspecified) on different machines simultaneously. The IFA passed this test matching100% of the requests to their originators. Thus, we have added an early version ofData Hiding Proxy inline with the request path, between the hosts <strong>and</strong> the InlineFiltering Agent. The results were very surprising, as the filtering agent recognizedsignature mismatch in every request. This was later identified as being caused by thedefault behaviour of the proxies based on HTTP Proxy Foundation, since it usesDictionary Collection to store headers <strong>and</strong> rebuild requests, messages passing throughData Hiding Proxy had their headers ordered alphabetically. This behaviour wasconsequently modified so that Data Hiding Proxy produced exact copies of originalrequests, when hiding techniques are not employed (this new version was use toproduce scenarios in Experiment 3). Then the test was repeated using the new versionof hiding software <strong>and</strong> this time once again the filtering agent has reported 100%match of the requests’ signatures to the originators specified in ‘User-Agent’ field.However, when the data hiding techniques were used the IFA did not report anymismatches.In this experiment we have proven that recognition of different HTTP client softwarebased on unique signature is possible. Thus, by analysis of the message syntax we areable to check the value supplied in the ‘User-Agent’ header by the originator.However the, data hiding techniques, were able to pass through filtering agent withoutraising alerts <strong>and</strong> caused concerns to the definition of the signatures. We think thefault was in the signatures being defined in a way do distinguish between differentbrowsers, i.e. identified browser specific aspects, however did not evaluate anycommon factors in the requests. Thus, we think that in order to produce signatures,that could be employed to detect data hiding techniques usage, a full syntax of themessage must be considered. For the set of browsers used following factors whereidentified that should produce more precise signatures:- usage of title-casing to produce header names- single space between colon at the end of header name <strong>and</strong> header value- no linear spacing characters at the end of value field- set of headers used to produce requestsThese factors were introduced to signature checking process of the Inline FilteringProxy version used in Experiment 5.
- Page 1 and 2: Application Layer Covert ChannelAna
- Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
- Page 5 and 6: Z. Kwecka, BSc (Hons) Network Compu
- Page 7 and 8: Z. Kwecka, BSc (Hons) Network Compu
- Page 9 and 10: Z. Kwecka, BSc (Hons) Network Compu
- Page 11: Z. Kwecka, BSc (Hons) Network Compu
- Page 14: Z. Kwecka, BSc (Hons) Network Compu
- Page 17 and 18: Z. Kwecka, BSc (Hons) Network Compu
- Page 19 and 20: Z. Kwecka, BSc (Hons) Network Compu
- Page 21 and 22: Z. Kwecka, BSc (Hons) Network Compu
- Page 23 and 24: Z. Kwecka, BSc (Hons) Network Compu
- Page 25: Z. Kwecka, BSc (Hons) Network Compu
- Page 28 and 29: Z. Kwecka, BSc (Hons) Network Compu
- Page 30 and 31: Z. Kwecka, BSc (Hons) Network Compu
- Page 32 and 33: Z. Kwecka, BSc (Hons) Network Compu
- Page 34 and 35: Z. Kwecka, BSc (Hons) Network Compu
- Page 36 and 37: Z. Kwecka, BSc (Hons) Network Compu
- Page 38 and 39: Z. Kwecka, BSc (Hons) Network Compu
- Page 40 and 41: Z. Kwecka, BSc (Hons) Network Compu
- Page 42 and 43: Z. Kwecka, BSc (Hons) Network Compu
- Page 44 and 45: Z. Kwecka, BSc (Hons) Network Compu
- Page 46 and 47: Z. Kwecka, BSc (Hons) Network Compu
- Page 48 and 49: Z. Kwecka, BSc (Hons) Network Compu
- Page 52 and 53: Z. Kwecka, BSc (Hons) Network Compu
- Page 54 and 55: Z. Kwecka, BSc (Hons) Network Compu
- Page 56: Z. Kwecka, BSc (Hons) Network Compu
- Page 60 and 61: Z. Kwecka, BSc (Hons) Network Compu
- Page 63 and 64: Z. Kwecka, BSc (Hons) Network Compu
- Page 65 and 66: Z. Kwecka, BSc (Hons) Network Compu
- Page 67 and 68: Z. Kwecka, BSc (Hons) Network Compu
- Page 69 and 70: Z. Kwecka, BSc (Hons) Network Compu
- Page 71 and 72: Z. Kwecka, BSc (Hons) Network Compu
- Page 73 and 74: Z. Kwecka, BSc (Hons) Network Compu
- Page 75 and 76: Z. Kwecka, BSc (Hons) Network Compu
- Page 77 and 78: Z. Kwecka, BSc (Hons) Network Compu
- Page 79 and 80: Z. Kwecka, BSc (Hons) Network Compu
- Page 81 and 82: Z. Kwecka, BSc (Hons) Network Compu
- Page 83 and 84: Z. Kwecka, BSc (Hons) Network Compu
- Page 85 and 86: Z. Kwecka, BSc (Hons) Network Compu
- Page 87 and 88: Z. Kwecka, BSc (Hons) Network Compu
- Page 89 and 90: Z. Kwecka, BSc (Hons) Network Compu
- Page 91 and 92: Z. Kwecka, BSc (Hons) Network Compu
- Page 93 and 94: Z. Kwecka, BSc (Hons) Network Compu
- Page 95 and 96: Z. Kwecka, BSc (Hons) Network Compu
- Page 97 and 98: Z. Kwecka, BSc (Hons) Network Compu
- Page 99 and 100: Z. Kwecka, BSc (Hons) Network Compu
- Page 101 and 102:
Z. Kwecka, BSc (Hons) Network Compu
- Page 103 and 104:
Z. Kwecka, BSc (Hons) Network Compu
- Page 105 and 106:
Z. Kwecka, BSc (Hons) Network Compu
- Page 107 and 108:
Z. Kwecka, BSc (Hons) Network Compu
- Page 109 and 110:
Z. Kwecka, BSc (Hons) Network Compu
- Page 111 and 112:
Z. Kwecka, BSc (Hons) Network Compu
- Page 113:
Z. Kwecka, BSc (Hons) Network Compu
- Page 116 and 117:
Z. Kwecka, BSc (Hons) Network Compu
- Page 118 and 119:
Z. Kwecka, BSc (Hons) Network Compu
- Page 120 and 121:
Z. Kwecka, BSc (Hons) Network Compu
- Page 122 and 123:
Z. Kwecka, BSc (Hons) Network Compu
- Page 124 and 125:
Z. Kwecka, BSc (Hons) Network Compu
- Page 126 and 127:
Z. Kwecka, BSc (Hons) Network Compu
- Page 128 and 129:
Z. Kwecka, BSc (Hons) Network Compu
- Page 130 and 131:
Z. Kwecka, BSc (Hons) Network Compu
- Page 132 and 133:
Z. Kwecka, BSc (Hons) Network Compu
- Page 134 and 135:
Z. Kwecka, BSc (Hons) Network Compu
- Page 136 and 137:
Z. Kwecka, BSc (Hons) Network Compu
- Page 138:
Z. Kwecka, BSc (Hons) Network Compu