Embedding Covert Channels into TCP/IP

Murdoch, Steven J.; Lewis, S. R.

doi:10.1007/11558859_19

Cited by 204 publications

(153 citation statements)

References 14 publications

(19 reference statements)

Supporting

Mentioning

153

Contrasting

Order By: Relevance

“…NUSHU sender modifies the Initial Sequence Number (ISN) and Acknowledge Sequence Number fields generated by OS. Murdoch and Lewis [85] developed a robust scheme, Lathra, which generates ISNs for OpenBSD and Linux, that are almost indistinguishable from those generated by a genuine TCP stack, except by wardens with knowledge of a shared secret key.…”

Section: Steganography In Transport Layermentioning

confidence: 99%

“…Several covert channels can be eliminate by blocking protocols/ports by firewalls (Loki [22,23], ICMPTX [113], Skeeve [128], ICMP-Chat [84]) or ingress/egress filtering (B0CK [120], Skeeve [128], false IPv6 Source Address Covert−TCP [98] can be detected using a Support Vector Machine (SVM) [109], and together with NUSHU [99] by [85] anomaly tests, because covert headers are easily distinguished from those generated by a genuine TCP/IP stack.…”

Section: Defence Mechanismsmentioning

confidence: 99%

See 1 more Smart Citation

Covert channels in TCP/IP protocol stack - extended version-

Mileva

Panajotov

2014

Open Computer Science

View full text Add to dashboard Cite

We give a survey of different techniques for hiding data in several protocols from the TCP/IP protocol stack.Techniques are organized according to affected layer and protocol. For most of the covert channels its data bandwidth is given. IntroductionAn overt channel is a communication channel within a computer system or network, designed for the authorized transfer of data. A covert channel (first introduced by Lampson [62]), on the other hand, is any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy [26]. Any shared resource can potentially be used as a covert channel. Covert channels can be divided primarily in storage and timing channels. In a case of the storage channels, usually one process writes (directly or indirectly) to a shared resource, while another process reads from it. Timing channel is essentially any technique that conveys information by the timing of events, in which case the receiving process needs a clock. Special timing covert channel is counting channel which carries data by counting the occurrences of certain events [44].Additionally, timing channels can be active if they generate additional traffic or passive if they manipulate the timing of existing traffic. As any other communication channel, covert channel can be noisy or noiseless.According to the number of information flows between the sender and the receiver -several or one, there are aggregated and non-aggregated covert channels [36]. According to the presence or absence of the intermediate node in the communication, covert channels can be indirect or direct. Payload tunnel is a covert channel, where one protocol is tunnelled in the payload of the other protocol. Covert channels are studied as a part of the science * E-mail: aleksandra.mileva@ugd.edu.mk † E-mail: boris.panajotov@ugd.edu.mk steganography, and different steganographic methods used in telecommunication networks are known as network steganography.The adversary model is based on the Simmons prisoner problem [105]: two parties want to communicate confidentially and undetected over an insecure channel, the warden. The warden can be passive -which monitor traffic and report when some unauthorized traffic is detected, or active -which can modify the content of the messages with the purpose of eliminating any form of hidden communication. Simmons introduced the term subliminal channel, a variant of covert channel which uses cryptographic algorithm or protocol for hiding messages. A composition of covert channel with subliminal channel is the hybrid channel.Covert channels can be analysed by the total number of steganogram bits transmitted during a second (Raw Bit Rate -RBR), or by the total number of steganogram bits transmitted per PDU (for example, Packet Raw BitRate-PRBR) [78]. In ideal case, if no packets are lost, capacity of some storage channels can be expressed as Steganography in Internet layerInternet Protocol (IP) is the primary protocol in the TCP/IP protocol stack, ...

show abstract

Section: Steganography In Transport Layermentioning

confidence: 99%

Section: Defence Mechanismsmentioning

confidence: 99%

Covert channels in TCP/IP protocol stack - extended version-

Mileva

Panajotov

2014

Open Computer Science

View full text Add to dashboard Cite

show abstract

“…In the network layer, many methods have been proposed to hide data in the IP packets and ICMP packets. Virtually all possible fields in the IP headers have been exploited for storage covert channels [9,16,17,18]. The fields in the TCP header are also equally exploited for embedding storage covert channels [9,19,20,17].…”

Section: Related Workmentioning

confidence: 99%

Crafting Web Counters into Covert Channels

Wang

Chan

Chang

2007

New Approaches for Security, Privacy and Trust in Complex Environments

View full text Add to dashboard Cite

Abstract. We present in this paper a new network storage channel WebShare that uses the plentiful, public Web counters for storage. Therefore, the physical locations of the WebShare encoder and decoder are not restricted to a single path. To make WebShare practical, we have addressed a number of thorny issues, such as the "noise" introduced by other legitimate Web requests, and synchronization between encoder and decoder. For the proof-of-concept purpose, we have experimented a WebShare prototype in the Internet, and have showed that it is practically feasible even when the Web counter and the encoder/decoder are separated by more than 20 router hops.

show abstract

“…A covert channel needs to be undetectable, meaning that the covert traffic should not be distinguishable from a legitimate traffic. Murdoch et al show that many of the storage covert channels can be detected easily since the covert message modifies the benign pattern of the utilized header fields [17]. Also, different statistical tests have been utilized to detect covert timing channels [2,7].…”

Section: Introductionmentioning

confidence: 99%

CoCo: Coding-Based Covert Timing Channels for Network Flows

Houmansadr

Borisov

2011

Information Hiding

View full text Add to dashboard Cite

Abstract. In this paper, we propose CoCo, a novel framework for establishing covert timing channels. The CoCo covert channel modulates the covert message in the inter-packet delays of the network flows, while a coding algorithm is used to ensure the robustness of the covert message to different perturbations. The CoCo covert channel is adjustable: by adjusting certain parameters one can trade off different features of the covert channel, i.e., robustness, rate, and undetectability. By simulating the CoCo covert channel using different coding algorithms we show that CoCo improves the covert robustness as compared to the previous research, while being practically undetectable.

show abstract

Embedding Covert Channels into TCP/IP

Cited by 204 publications

References 14 publications

Covert channels in TCP/IP protocol stack - extended version-

Covert channels in TCP/IP protocol stack - extended version-

Crafting Web Counters into Covert Channels

CoCo: Coding-Based Covert Timing Channels for Network Flows

Contact Info

Product

Resources

About