13.07.2015 Views

Application Layer Covert Channel Analysis and ... - Bill Buchanan


Z. Kwecka, BSc (Hons) Network Computing, 2006

7.3 Test Inadequacies

The vast majority of the experiments performed for this dissertation were carried out using automated software developed especially for this project in the C# programming language of the .NET framework. Due to time constraints and the considerable number of optional functions in the HTTP specification, the test environment was not fully HTTP compliant. This in turn could lead to some test inadequacies.

In Experiment 1 the objective was to analyse the usage of HTTP headers in request messages. The HTTP Dumper software was used to produce tcpdumps of the traffic to be analysed, that is, packets containing the HTTP protocol envelope. The software was capable of recognising and storing the packets where the request and the response information should start. However, the application did not check the packet content and was therefore unable to detect HTTP messages which span multiple TCP packets. Thus, some sporadically used headers could be overlooked in the results of this experiment. However, later tests showed that the chance of the HTTP envelope of an automatically generated request being larger than the MTU (max transfer unit) of the test environment was lower than 1/1000. Since the focus of this experiment was on the most common headers, the ones overlooked would not affect the results.

The results from Experiments 2 and 3, which were used to analyse the amount of flexibility in current HTTP implementations, were based on the response codes from the web servers. This has proven that, even with certain information inside request messages modified, in most cases the web servers will provide the services to the client. However, the differences between the levels of these services were not considered.
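
The Experiment 1 limitation described above, as an added Python example (not the dissertation's HTTP Dumper code): a per-packet header count is compared with one that first reassembles each TCP stream. The traffic is constructed, and the sketch assumes in-order segments and body-less GET requests; all function names are hypothetical.

```python
from collections import Counter

METHODS = (b"GET ", b"POST ", b"HEAD ")
END = b"\r\n\r\n"  # blank line that closes the HTTP envelope

def header_names(raw):
    """Lower-cased names of the complete header lines found in raw."""
    head, sep, _ = raw.partition(END)
    lines = head.split(b"\r\n")
    if not sep:              # envelope cut off: the last line may be partial
        lines = lines[:-1]
    return [l.split(b":", 1)[0].decode("latin-1").lower()
            for l in lines[1:] if b":" in l]   # lines[0] is the request line

def count_per_packet(packets):
    """Only inspect packets in which a request starts (the limitation)."""
    counts = Counter()
    for _, payload in packets:
        if payload.startswith(METHODS):
            counts.update(header_names(payload))
    return counts

def count_reassembled(packets):
    """Buffer each stream until its envelope is complete, then parse it."""
    streams, counts = {}, Counter()
    for sid, payload in packets:
        buf = streams.get(sid, b"") + payload
        while END in buf:
            envelope, _, buf = buf.partition(END)
            counts.update(header_names(envelope + END))
        streams[sid] = buf
    return counts

def overlooked(packets):
    """Headers the per-packet count misses."""
    return count_reassembled(packets) - count_per_packet(packets)

def segment(sid, data, mss=1460):
    """Split one request into (stream id, payload) TCP segments."""
    return [(sid, data[i:i + mss]) for i in range(0, len(data), mss)]

# Constructed sample traffic: one short request, one larger than a segment.
SHORT = b"GET / HTTP/1.1\r\nHost: a.example\r\nUser-Agent: test\r\n\r\n"
LONG = (b"GET /p HTTP/1.1\r\nHost: b.example\r\nUser-Agent: test\r\n"
        b"Cookie: s=" + b"x" * 1500 +
        b"\r\nIf-Modified-Since: Sat, 01 Jan 2005 00:00:00 GMT\r\n\r\n")
_long = segment(2, LONG)
PACKETS = [_long[0]] + segment(1, SHORT) + _long[1:]   # interleaved streams

if __name__ == "__main__":
    print("per packet :", dict(count_per_packet(PACKETS)))
    print("reassembled:", dict(count_reassembled(PACKETS)))
    print("overlooked :", dict(overlooked(PACKETS)))
```

The headers that go missing are those that sit at or after the segment boundary, which is why rarely used headers placed late in a large request are the ones a per-packet analysis under-reports.
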
It has been noted that some pages, especially those running distributed services developed by Microsoft, provided success response codes (1xx, 2xx, 3xx) to clients with the User-Agent field obfuscated or removed, but sent only basic versions of layout files (such as css). Thus, for a complete evaluation of the HTTP implementations currently in use, a number of human operators would need to perform the tests themselves or supervise the automated request system.

The automated generation of the requests using the Browser Timer and Browser Caller applications, developed for the needs of this dissertation, was required in order to collect a large base of test data. Thus, the amount of data collected and experiments conducted could be accomplished without the use of this software. However, it limited the validity of the results to HTTP GET requests, since only this request method was used in the various tests performed. The tests were based around modification of the message syntax allowed by the generic message in the HTTP specification (Fielding et al., 1999); thus they could also be performed on other request methods, but the requests would need to be generated by human operators, or a set of messages generated and recorded in advance of the tests could be replayed.

7.4 Conclusions

This dissertation looked at the problem of covert channels in communication systems from a different than usual approach. Most of the documents in the field focus on threats incoming from the Internet, where the findings provided suggest the biggest threat of covert channel usage is that of information confinement. Thus, data leaving
