Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 526.2.5 Experiment 5 – Covert Channel DetectionOnly the Proxy part of the designed prototype has been implemented in the course ofthe project, thus the functionality of the system is limited to protocol and signaturebaseddetection. In this experiment Inline Filtering Agent was located inside the testnetwork and the hosts (previously specified Web browsers on the hosts) wereconfigured to use it. Various requests were then generated, automatically as well as byhuman operators, most of them using browsers permitted to pass through the filteringProxy. This was to produce background noise and try to simulate a load of theFiltering Agent. Later Data Hiding Proxy was used to imitate few data hidingscenarios. During the experiment we were able to detect 100% of the data hidingscenarios based on:- HTTP header-name case modification- linear white space injection at the beginning or the end of header-value- modification of the headers’ order- addition of uncommon or undefined headerIn all the cases the IFA has properly identified the originators of the threats, byproviding remote-end socked information. This shown the advantage of usingdetection and filtering agents in-line with the requests. Since a Proxy must process allthe traffic before forwarding it, there is no chance of overlooking any well definedsignature.During the experiment we have also detected few applications of unknown signatures,different than Data Hiding Proxy. Thus, with a help of HTTP Analyser Foundationthe alerts were further investigated (Figure 6-4). Finally following automated agentsof the test network, has been identified:- Background Intelligent Transfer Service version 6.6 – Windows update agent- MSN Messenger 7.0 – MSN configuration agent- Gadu-Gadu Autoupdate – update agent of popular Polish communicator- GG – advert download of the Internet communicator mentioned above- Symantec Anti-virus Live Update agentWe were aware of the above software agents running in the test network, however,none of them were explicitly configured to use the Inline Filtering Agent. Later, it hasbeen identified, that Internet Explorer Proxy settings are being inherited by thoseapplications.Figure 6-4 Threat Detection
Z. Kwecka, BSc (Hons) Network Computing, 2006 53We think that, considering security aspects, it is not an ideal solution, and Proxysettings set in one application should not propagate onto another. It can be consideredas behaviour similar to password ‘hijacking’, and therefore should not be allowed bythe operating system.The Sniffer Detection Agent has not been implemented, thus, automated detection ofmore sophisticated covert channels was not possible. Therefore following methods ofcovert channels’ implementation did not result in raising alerts:- modification of the server object- changing field-values of headers different than ‘User-Agent’ or ‘Connection’- providing an allowed header twice in the same requestThe first two, would require machine with high processing power and large physicalstorage, capable of recording various characteristics of the traffic under observation.This could be achieved, to some degree, by the Sniffer Detection Agent designed inthe project, however the third undetected scenario, falls into signature-baseddetection, which should be performed by the Inline Filtering Agent. Thus, there is aneed to develop more precise signatures and better understanding of HTTP protocol inthe filtering agent.Another objective of this experiment was to check the filtering behaviour of the IFA,thus, during the tests HTTP Analyser Foundation was used to capture the data flowbetween the Proxy and the Internet. The results showed that IFA successfullyobfuscated covert channels induced by header-name case changing, linear spacing (atthe beginning and the end of the header-value) as well as removed unrecognised andrarely used headers. This was done with no extra cost, since the functionality of theProxy was implemented in a way all requests are first processed and then rebuilt andit is actually faster to rebuild the request using standard message syntax, rather thansyntax it arrived with.6.2.6 Experiment 6 – Analysing Prototype’s Load on the TestNetworkIn this experiment we have tested how much the scanning process performed by theInline Filtering Proxy affects the hosts on the test network. Thus we have collectedstatistical information on the time it takes Browser Timer testing software todownload the content of various websites.TIME (SEC)06.005.204.303.502.601.700.900.0No ProxyMedian Time Taken to DownloadHost 3 - No loadHost 3 - LoadHost 1 - No loadCONFIGURATIONHost 1 - LoadFigure 6-5 Median Time Taken to Perform a Full Download
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 11: Z. Kwecka, BSc (Hons) Network Compu
Page 103 and 104:
Z. Kwecka, BSc (Hons) Network Compu
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?