Application Layer Covert Channel Analysis and ... - Bill Buchanan
Z. Kwecka, BSc (Hons) Network Computing, 2006

companies try to protect themselves from Internet threats in various ways, such as with firewalls, proxies, and so on, but most of them focus only on direct information transfers and neglect the possibility of transferring data by other means. A stateful firewall, often considered sufficient protection by network administrators, acts like a locked gateway, allowing packets on selected Layer 4 ports to leave and the corresponding return packets to enter the secure perimeter. Thus only connections which originated from within the network can proceed. Unfortunately, not all of these devices are perfect and methods for their deception exist, but what is even more important is that most of the time a message originating from within a network is allowed onto the Internet. Thus, this kind of protection is not enough to ensure confidentiality of corporate and private data. Some organisations may say that they trust all the users of their network, and that there is no need to filter data leaving the network. But most of them neglect the fact that the users of the network are not only human operators, but also automated software and hardware. Furthermore, not all of these automated systems are legitimate: some of them are malicious agents installed by hackers, or accidentally downloaded by legitimate system users.

The number of existing implementations of malicious agents is large and grows every day, so to protect against data leakage and dangerous software many organisations implement proxy servers and intrusion detection systems (IDS). Proxy servers are protocol-specific tools that act almost as transceivers [1], in that they check and, if required, modify data transfers between two environments, whereas IDSs constantly monitor the network traffic, examining data content, statistics and any other information useful in the detection of malicious operations. These precautions give a higher level of protection; however, most of them examine only the legitimate data channels, that is, the data payload and the transaction headers, while the legitimate data channels are not the only way that information may leave a secure perimeter. B. W. Lampson, in his paper "A Note on the Confinement Problem" (Lampson, 1973), was the first to formally suggest the possibility of creating computer communication channels by employing methods originally not intended for any form of communication. He called them covert channels and considered them to be one of the greatest threats to the confinement of information.

1.3 Covert Channels Terminology

The term covert channel describes a secret communication technique employed by two or more parties allowed to exchange information, while they assume the data channel in use is under surveillance. Thus, they modify the content of the genuine low-security message, or the envelope used to carry this message, so that the eavesdropper cannot read from the secret channel.

[Figure 1-1: Communicating parties A and B, with eavesdropper E. The figure shows Alice, Bob and Eve.]

[1] A device capable of both transmitting and receiving, often used to allow connections between two different technologies, devices or transmission mediums.