Carlos Scott (2008) Network Covert Channels: Review of Current State and Analysis of Viability of the use of X.509 Certificates for Covert Communications.
Full text access: Open
The popularity of computer-based smuggling has increased as a result of organizations taking measures to prevent traditional means of data exfiltration. Most organizations depend on broad and heterogeneous communication networks, which provide numerous possibilities for malicious users to smuggle sensitive private information out of their boundaries. They can achieve that objective with the use of network covert channels, which, apart from carrying the data outside of the organization, hide the fact that the communication is taking place. This study provides a comprehensive, up-to-date review of the current state of research in the field of network covert channels: hidden communication channels that abuse legitimate network communication channels. It also presents a novel technique to establish such channels based on the use of Digital Certificates, along with an informal framework to exfiltrate data making use of the technique. It involves the use of the Transport Secure Layer protocol, a network protocol normally used to provide confidentiality and integrity services to applications. Several detection and prevention mechanisms and methodologies exist or have been proposed to counter the threats posed by these hidden communication channels. They are also identified and discussed in this work, with an explanation of their applicability and limitations.
This is a Published version. This version's date is: 15/01/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/06e145a0-441d-c5ff-c41b-a039878dbaca/1/
Deposited on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.