Application Layer Covert Channel Analysis and ... - Bill Buchanan

More documents

Recommendations

Info

Z. Kwecka, BSc (Hons) Network Computing, 2006 81 Introduction1.1 Project OverviewThe foundation of the current most popular data channel, the Internet, is made ofprotocols, which allow a considerable amount of “freedom” to their designers. Eachof those protocols was defined based on a number of vendor specificimplementations, in order to provide common procedures for cross vendorcommunication. Thus, every millisecond there is thousands of bits of optional andredundant information being exchanged between computers from around the World.Those bits may be employed by intruders, criminals, and possibly even terrorists invarious types of malicious activity, since they are usually treated as irrelevant andignored by the security systems. There are very high chances of those bits being usedby perpetrators to implement covert channels, which are a form of secretcommunication medium. This poses a large risk to public and private informationconfinement.The overall aim of this Honours project is to investigate data hiding in the ApplicationLayer of Internet protocol suite and the main focus is on the detection of covertcommunication. Therefore, research into technology and knowledge required to builda successful covert channel detector and limiter were conducted. This includedliterature review of recent research publications dealing with covert channels, whitepapers and RFCs of specific technologies. In addition a prototype of Covert ChannelDetection System (CCDS) was designed and implemented in order to evaluate datagathered. The intentions were to establish whether detection and elimination of thecovert channels is possible, and where the further work should be conducted in orderto achieve those goals.1.2 BackgroundThe foundations of Internet were built in accordance to 7-layer Open SystemInterconnection (OSI) model, suggested by the International Standard Organisation(ISO). Each of the layers provides well-defined services to the layer directly aboveand exchanges data or control information with corresponding layer on remotemachine. It is also capable of employing services from the layer directly below. Forwell-defined services to operate, protocol stacks were designed to be as universal aspossible, and are defined in a way which is called “open”. Most implementations havean open-ended list of protocols that they are capable of providing services to. Forexample, the Layer 3 IP protocol carries an 8-bit protocol type field, thus allowing itto transfer 255 different Layer 4 protocols, of which only 138 are defined, 115 arefree for further development, and 2 are left for testing and experimental purposes.IP is the most widely employed protocol for computer networking and we can clearlystate that its versatility greatly contributed to this. However, the flexibility of Internetcommunication protocols, which allowed for the dream of simple data sharing, has atrade off, which is security. Optional protocols’ fields and variables which aretransmitted only to be ignored or discarded at the receiving end, pose a large threat forinformation confinement. Thus, organizations which permit any form ofcommunication of their employees, or computer systems, with the outside world,consequently consent for an arbitrary data leakage from their networks. Of course the
Z. Kwecka, BSc (Hons) Network Computing, 2006 9companies try to protect themselves from Internet threats in various ways, such aswith firewalls, proxies, and so on, but most of them focus only on direct informationtransfers, and neglecting the possibility of transferring data by other means. Astatefull firewall, often considered as sufficient protection by network administrators,acts like a locked gateway, allowing packets on selected Layer 4 ports to leave and thereturn packets to enter the secure perimeter. Thus only connections which originatedfrom within the network can proceed. Unfortunately, not all of these devices areperfect and methods for their deception exist, but what is even more important is thatmost of the time a message originating from within a network is allowed onto theInternet. Thus, this kind of protection is not enough to ensure confidentiality ofcorporate and private data. Some organisations may say that they trust all the users oftheir network, and there is no need to filter data leaving the network. But most ofthem neglect the fact that the users of the network are not only human operators, butalso automated software and hardware. Furthermore not all of these automatedsystems are legitimate, and some of them are malicious agent installed by hackers, oraccidentally downloaded by legitimate system users.The numbers of existing implementations of malicious agents are large and growevery day, so to protect against data leakage and dangerous software manyorganizations implement Proxy servers and intrusion detection systems (IDS). Proxyservers are protocol specific tools that act almost as transceivers 1 , where they checkand, if required, modify data transfers between two environments, where the IDSsconstantly monitor the network traffic, examining data content, statistic and any otherinformation useful in detection of malicious operations. These precautions give higherlevel of protection, however, most of them examine only legitimate data channels,that in the data payload and the transaction headers, while the legitimate data channelsare not the only way that information may leave secure perimeter. B. W. Lampson inhis document “A Note on the Confinement Problem” (Lampson, 1973) was first toformally suggest possibility of creating computer communication channels byemploying methods originally not intended for any form of communication. He calledthem covert channels and considered them to be one of the greatest threats toconfinement of information.1.3 Covert Channels TerminologyThe term covert channel describes a secret communication technique employed bytwo or more parties allowed to exchange information, while they assume the datachannel in use is under surveillance. Thus, they modify the content of the genuine lowsecurity message or the envelope used to carry this message, so that eavesdroppercannot read from the secret channel.EVEALICEBOBFigure 1-1 Communicating parties A and B, with eavesdropper E1 device capable of both transmitting and receiving, often used to allow connections between twodifferent technologies, devices or transmission mediums;
Page 1 and 2: Application Layer Covert ChannelAna
Page 3 and 4: Z. Kwecka, BSc (Hons) Network Compu
Page 7: Z. Kwecka, BSc (Hons) Network Compu
Page 60 and 61:
Z. Kwecka, BSc (Hons) Network Compu
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113:
Page 116 and 117:
Page 118 and 119:
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138:
show all

Application Layer Covert Channel Analysis and ... - Bill Buchanan

Create successful ePaper yourself

Delete template?

Save as template?