Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 68between all the applications using the new standard and a backward compatibility tothe already existing implementations, which conformed to previous RFCs. Somesecurity concerns were raised, regarding leakage of personal information, attacksbased on path names and DNS spoofing, however threats of covert channels’implementation was overlooked. Following interpretation of a RFC 2616, describesoperation of HTTP and highlights areas where transfer of data in a covert manner ispossible.General syntaxThe basic units of HTTP communication are messages, made up of a structuredsequence of octets and transmitted via a transport layer virtual circuit (connection).There are two types of messages allowed: requests and responses. Both use genericmessage format. This consists of a start-line, zero or more header-fields (headers), anempty line and optional message body:generic-message = start-line ; a Request-line or a Status-line*(message-header CRLF) ; one or more headerCRLF; compulsory empty line[ message-body ] ; optional application layer dataStart-line is made of either a Request-line in a request message or a Status-line in aresponse message. CRLF is the only end-of-line marker allowed for all HTTPprotocol elements except the entity-body. It stands for carriage return (CR) and linefeed (LF). This is a good practice, there is only one standard allowed, which makesprotocol implementation easier, and prevents information hiding. There are fewdifferent types of message-headers: general-header, request-header, response-headerand entity-header. All of them are built using the same syntax. Each header consists ofa case-insensitive field name followed by a colon and an optional field value.message-header = field-name “:” [ field-value ]Case-insensitivity.Field-names are case-insensitive, thus they are ideal carrier for hiding bits (payload).Both clients and the servers will interpret a field-name in the same way no matter thecase of the letters. The coincidence is that capital letters in the ASCII code differ fromthe lower case letters only by a value of the 3 rd bit. Thus binary form of letter “R” is01010010 and the one of letter “r” is 01110010. Then a mask of 0xDF can beemployed to extract or encode a payload in ASCII characters. Lower case letterswould decode as 1’s, where capital letters would decode as 0’s. An example followsto illustrate how covert payload maybe hidden in a typical HTTP header given below:Connection: keep-aliveThis header can be modified to carry the bit pattern of 0111001011 and would look asfollows:ConnECtIon: keep-aliveConsequently above encoding method can be employed to transfer as many bits ofpayload as the total number of letters in field-names in any particular message. Avisual inspection of the HTTP envelope would reveal this covert channel, however asit is unusual for anybody to examine HTTP message header and HTTP clients and
Z. Kwecka, BSc (Hons) Network Computing, 2006 69servers would ignore casing, this kind of covert channel could be successfullydeployed.Linear white spacing.Another reason for concern is the fact that according to RFC 2616 the field-content(the data part of field-value) can be preceded and followed by an optional linear whitespacing (LWS). LWS can be made up from a non-compulsory CRLF and one or morespace (SP) or horizontal tab (HT) character.LWS = [CRLF] 1*(SP|HT)Header values may be folded onto multiple lines using CRLF as long as the new linestarts with a space or horizontal tab. Thus, all linear white space in a header may bereplaced with a single SP before processing or forwarding the message downstream.This allows for a text decoration in the HTTP messages and has no real meaning inprocessing of the requests and responses. However it creates room for bidirectionalcovert channels. In a case where there is no HTTP Proxy between communicatingsites, or linear white spaces are left unaltered by a Proxy, it is possible to encodeinformation using SP and HT characters. An example illustrates how linear whitespace characters may be employed to transfer covert payload in the following header:“Connection: keep-alive”Header name “Connection” followed by a colon “:”, a space SP and the value “keepalive”:“Connection” “:” SP “keep-alive”Let assume that 1’s are encoded as HTs and 0’s as SPs. Now if the single SP would bereplaced with a combination of HTs and SPs, the meaning of the HTTP header wouldnot change, but a binary stream could be hidden in the header. Thus a byte ofinformation which in binary form is 01011100 could be encoded in one of thefollowing ways:“Connection” “:” SP HT SP HT HT HT SP SP “keep-alive”“Connection” “:” SP “keep-alive” SP HT SP HT HT HT SP SP“Connection” “:” SP “keep-alive” CRLFSP HT SP HT HT HT SP SPThere is virtually no limit to a number of bits per message that can be sent using thismethod, apart of the size limits set for different kinds of requests and responses. If bitsencoded in this way are placed in front of a header value a visual examination of theHTTP message would be enough to reveal the disguise, however if they follow thefield-value contents or a CRLF only examination of the message bytes would exposethe covert channel.Order of headers.Above technique is not the last reason why HTTP messages are such s good carrierfor covert channels. The generic-message syntax does not specify the order in whichthe headers should occur in the massages. Although it suggests that it is “goodpractice” to include general-header fields first, followed by request or response
Page 1 and 2:
Application Layer Covert ChannelAna
Page 3 and 4:
Z. Kwecka, BSc (Hons) Network Compu
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11:
Page 14:
Page 17 and 18: Z. Kwecka, BSc (Hons) Network Compu
Page 25: Z. Kwecka, BSc (Hons) Network Compu
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?