13.07.2015 Views

Application Layer Covert Channel Analysis and ... - Bill Buchanan


Z. Kwecka, BSc (Hons) Network Computing, 2006

This was performed using different Proxy configurations, with Host 2 set as originator. These configurations were:

- no Proxy
- Proxy hosted on low processing power machine (Host 3) without load
- Proxy hosted on low processing power machine (Host 3) with load
- Proxy hosted on high processing power machine (Host 1) without load
- Proxy hosted on high processing power machine (Host 1) with load

Figure 6-4 illustrates the results, i.e. the median time between the request and response. We can see that the configuration where the Inline Filtering Agent was running on the heavily loaded machine with the lowest processing power in the test network (Host 3) slowed down a typical operation by 1.7 sec. The surprising result, however, is that of the Inline Filtering Agent being executed on Host 1 (high power PC) with no load. Here a typical download operation took less time than in the scenario with no Proxy used. Since the browser on Host 2 was not allowed to keep a cache, this could only be explained by slightly different network conditions. After a short investigation we identified that the data in the ‘no Proxy’ configuration were collected around 21:00 GMT, whereas the ‘Host 1 – No load’ setup was tested at 22:30 GMT, and by that time the load on our ISP link to the Internet, as well as the load on the target websites, was slightly smaller. Still, the test error introduced is small and we consider that the delay added by the Inline Filtering Agent is negligible and would not affect the operation of a production network, especially considering that a 100% HTTP/1.1 compliant Proxy implementation would lower the number of internal and external TCP connections opened. Thus, by means of persistent connections, such a Proxy would actually be able to speed up WWW transactions with the websites most popular among the users of the intranet.

6.2.7 Experiment 7 – Code Mobility Check

During this experiment we tried to execute the prototype on every host in the test network, to check how mobile the code produced is. As described earlier, each host in the test network runs a slightly different operating system. The tests showed that the Inline Filtering Agent executes on all the operating systems used and does not require any special libraries to be installed. The Sniffer Detection Agent, on the other hand, was implemented on top of the WinPcap library, which was installed on each host prior to testing. Even though the installation was successful on all four machines, during the experiment the Sniffer Detection Agent would not run on the Starter Edition and Home Edition platforms. We expected this from the Home Edition software, which was not designed to perform any low level operations; however, bearing in mind that Microsoft Windows Starter Edition is actually based on Windows Professional, the fact that the software did not operate on this platform was surprising. Information found on the Microsoft website confirmed that the Starter Edition restrictions are not only hardware restrictions (this platform will run only on low level computers with less than 256MB of RAM and less than 80GB of disk space); some elements of the Professional version were also removed, to restrict the platform's use in a professional environment. The core of the problem, however, was identified as ‘npptools.dll’ missing from both systems. After copying this library from Host 1, running Windows XP Professional, onto Hosts 3 and 4, the problem was fixed. Therefore, we consider our prototype operational on all major releases of the Windows operating systems, but the Sniffer Detection Agent prototype will require an installation process to make sure WinPcap and ‘npptools.dll’ are present.
