Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 66Linear Spacing Modification% OF RESPONSES100%80%60%40%20%0%200 206 301 302 304 400 403 404 500RESPONSE CODEForw ard ProxyData Hiding ProxyResponses to Requests with Linear Spacing ModifiedNumbers of ‘404’ error responses are similar for both forward Proxy and Data Hiding Agent.A small percentage of modified requests, however, resulted in ‘400’, ‘403’ and ‘500’ type responses.Thus, although this data hiding method is allowed by RFC 2616 some server software implementationsdo not process them in required manner. However, covert channel implementation employing thisvulnerability of RFC 2616 is still possible, since the number of error responses in negligible.Optional Header Added% OF RESPONSES100%80%60%40%20%0%200 301 302 303 304 403 404RESPONSE CODEForw ard Proxy Data Hiding ProxyResponses to Requests with Optional Header (‘Via’) AddedNumbers of error responses (‘403’, ‘404’) are negligible and similar for both forward Proxy and DataHiding Agent. This suggests that HTTP servers’ implementations comply with RFC 2616 specification,by ignoring any unrecognised headers.Headers' Reordering% OF RESPONSES100%80%60%40%20%0%200 206 301 302 303 304 400 403 404RESPONSE CODEForw ard ProxyData Hiding ProxyResponses to Requests with Modified Headers’ OrderNumbers of ‘403’ and ‘404’ error responses are similar for both forward Proxy and Data Hiding Agent.Thus, with only negligible number of code ‘400’ responses (less than 1%), we assume headerreordering may be used to produce covert channels implementations.
Z. Kwecka, BSc (Hons) Network Computing, 2006 67Appendix 3 - HTTP ProtocolDefinition, purpose and usageThe application layer protocol called HTTP is often perceived as very basic protocolfor distribution of World Wide Web pages. We could say that even its nameHypertext Transfer Protocol is very suggestive and implies that the purpose of thisprotocol is to transfer hypertext, where hypertext is defined as textual data “linked”across many documents or locations. It makes no wonder then, that some networkadministrators do not consider HTTP as a threat or think that as long as only outgoingestablished connections are permitted and every machine in the network uses somekind of firewall and antivirus software, they network is secure. However the true faceof the protocol is different. The most recent specification of HTTP is RFC 2616 andthe purpose of the protocol is described as follows:The Hypertext Transfer Protocol (HTTP) is an application-levelprotocol for distributed, collaborative, hypermedia informationsystems. HTTP has been in use by the World-Wide Web globalinformation initiative since 1990. The first version of HTTP, referredto as HTTP/0.9, was a simple protocol for raw data transfer across theInternet. HTTP/1.0, as defined by RFC 1945, improved the protocol byallowing messages to be in the format of MIME-like messages,containing metainformation about the data transferred and modifierson the request/response semantics. (Fielding, et al, 1999, pp. 7)HTTP is now well established protocol and the current version is 1.1, however theidea of the protocol stayed the same. Through employing a simple human readable(MIME-like) syntax and allowing transfer of virtually any kind of data, HTTPbecome a preferred protocol in development of “on-line” applications. Furthermorethe fact that a large group of network administrators allowed almost any outgoingconnections of HTTP either directly or through proxies contributed strongly to thistrend. Nowadays almost any software application, which requires communicationover the Internet, employs HTTP or has a build in functionality allowing itsapplication layer protocol to be tunnelled in HTTP. Example of the first kind could beantivirus software that uses HTTP for downloading signatures of the newest threatsfrom the central server, or an update agent for an application like internet messenger.The implementations of the remote method invocation or remote procedure call are,thus, common examples of the second kind of the applications.HTTP was identified as one of three protocols, which can be employed to createcovert channels for sending data in and out of networks commonly considered to besecure. Thus the following section will identify, where RFC 2616 as the documentwhich defines the current version of HTTP in use, gives hackers an open field forhiding data.HTTP Syntax and Covert ChannelsRFC 2616 was created to clear up some hard to understand statements from theprevious documentations of HTTP (namely 1.0 and 0.9) and to introduce few optionalfeatures of HTTP/1.0 as standard in the new protocol HTTP/1.1. In the time when thisspecification was written the biggest concern of the creators was interoperability
Page 1 and 2:
Application Layer Covert ChannelAna
Page 3 and 4:
Z. Kwecka, BSc (Hons) Network Compu
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11:
Page 14:
Page 17 and 18: Z. Kwecka, BSc (Hons) Network Compu
Page 25: Z. Kwecka, BSc (Hons) Network Compu
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?