13.07.2015 Views

Application Layer Covert Channel Analysis and ... - Bill Buchanan


Z. Kwecka, BSc (Hons) Network Computing, 2006

7 Discussion, Conclusions and Further Work

7.1 Introduction

The main aim of this dissertation was an investigation of covert channels in the Internet protocol stack. The information collected in the previous chapters showed that implementation of this data hiding technique is possible, and will most likely take place in the Application Layer of the TCP/IP model. In addition, a suitable prototype of the detection system was proposed and evaluated. Thus this chapter discusses the findings, provides conclusions and suggests further work that would need to be undertaken in this field to create a virtually covert-channel-free environment.

7.2 Discussion & Prototype Evaluation

The main aim of this dissertation was to investigate covert channel technologies in the Internet protocol stack in the context of information confinement. The Application Layer has been identified as the most likely level of data hiding in the TCP/IP networking model. Previously there have been many successful approaches to building covert channels in lower layers of the TCP/IP model (Buchanan & Llamas, 2004); however, currently their usage is limited and possible only in low security networks. Modern network access control systems (NACSs) are capable of replacing the TCP/IP connection information of the traffic by the use of proxies or suitably configured NAT (network address translation) servers, and thus they can render useless any covert channel implementations operating below the Application Layer (Dyatlov & Castro, 2003). Therefore the technologies of data hiding in these lower layers may be interesting from the point of view of suspect surveillance, where a person under observation may use a low security networking environment, such as an internet cafe or a SOHO[11] network. However, they may be perceived as ineffective when considering the information confinement problem of large institutions with secure networks.

In recent years there has been a strong tendency among information hiding experts to turn their heads towards the relatively new subject of Application Layer Covert Channels. Most of the papers in this field agree that for a detection system to work successfully, it should employ three different methods of detection: signature-, protocol- and behaviour-based (Borders & Prakash, 2004; Castro, 2003; Dyatlov & Castro, 2003). For this dissertation a system capable of performing this was designed; however, due to time constraints only the protocol- and signature-based detection system was implemented and tested. The test results suggested that the system is capable of successful detection of pre-programmed threat signatures and of covert channel implementations which do not comply with the HTTP protocol specification; however, detection of unknown implementations or timing channels was impossible. Thus, although fast and precise (low level of false positives), these two methods proved to have some limitations, and behaviour-based detection should be considered a must if the system is expected to detect new or more sophisticated threats. Thus, the findings of this dissertation agree with the results of other researchers in the field.

[11] Small-Office-Home-Office
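The two implemented detection methods and their blind spot can be seen in a minimal sketch. This is an added example, not the dissertation's prototype: the signature list, header names and sample requests are constructed placeholders, and the protocol check covers only a few HTTP/1.x syntax rules.

```python
import re

# Constructed signature list (placeholders, not real indicators).
SIGNATURES = [re.compile(rb"User-Agent: ExampleTunnel/\d"),
              re.compile(rb"X-Covert-Demo:")]

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # header field-name syntax

def protocol_violations(raw):
    """Protocol-based check: list the HTTP/1.x syntax rules the request head breaks."""
    problems = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF line ending")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    if not REQUEST_LINE.match(lines[0]):
        problems.append("malformed request line")
    hosts = 0
    for line in lines[1:]:
        name, sep, _value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            problems.append("malformed header field: %r" % line[:30])
        elif name.lower() == b"host":
            hosts += 1
    if lines[0].endswith(b"HTTP/1.1") and hosts != 1:
        problems.append("HTTP/1.1 request needs exactly one Host header")
    return problems

def inspect(raw):
    """Run signature-based and protocol-based detection over one raw request."""
    hits = [s.pattern.decode() for s in SIGNATURES if s.search(raw)]
    return {"signature": hits, "protocol": protocol_violations(raw)}

def is_flagged(raw):
    result = inspect(raw)
    return bool(result["signature"] or result["protocol"])

# Constructed sample requests.
KNOWN = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
         b"User-Agent: ExampleTunnel/1.0\r\n\r\n")
NONCOMPLIANT = b"GET  /index.html HTTP/1.1\r\nHost : example.test\r\n\r\n"
# Well-formed and matching no signature: whatever its opaque value carries,
# and whenever it is sent, neither method has anything to flag.
COMPLIANT_UNKNOWN = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                     b"Cookie: id=opaque-value-123\r\n\r\n")

if __name__ == "__main__":
    for name in ("KNOWN", "NONCOMPLIANT", "COMPLIANT_UNKNOWN"):
        print(name, inspect(globals()[name]))
```

The third request passes both checks, which is the gap the text assigns to behaviour-based detection: only observation of a host's traffic over time could show that such requests are unusual.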
