Embedding Covert Channels into TCP/IP

S.J. Murdoch, S. Lewis, University of Cambridge, United Kingdom, 7th Information Hiding Workshop, June 2005

Sweety Chauhan

October 26, 2005

Overview

  • New and Significant

  • Overview of Covert Channels

  • TCP/IP based Steganography

  • Detection of TCP/IP Steganography

  • Conclusion

New and Significant

  • Proposes a scheme, “Lathra”, for encoding data in TCP/IP header fields in a way the warden cannot detect

  • A message can be hidden so that an attacker cannot demonstrate its existence without knowing a secret key

Covert Channels

  • Communication in a non-obvious manner

  • A potential method of getting information out of the security perimeter

  • Two Types:

    • Storage

    • Timing

Where is this relevant?

  • The use of covert channels is relevant in organizations that:

    • restrict the use of encryption in their systems

    • have privileged or private information

    • wish to restrict communication

    • monitor communications

Network Covert Channels

  • Information hiding

    • placed in network headers AND/OR

    • conveyed through action/reaction

  • Goal - channel undetectable or unobservable

  • Network watchers (sniffer, IDS, ...) will not be aware that data is being transmitted

Taxonomy (I)

    • Network covert channels can be

      • Storage-based

      • Timing-based

      • Frequency-based

      • Protocol-based

      • any combination of the above

    Taxonomy (II)

    • Each of the above categories constitutes a dimension of data hiding

      • Information hiding in packet payload is outside the realm of network covert channels

      • These cases fit into the broader field of steganography

Packet Header Hiding

    (Figure: layout of a TCP/IP packet: IP header (20-64 bytes), TCP header (20-64 bytes), payload (0-65,488 bytes). The labelled fields are IP Source Address, IP Destination Address, TCP Source Port and TCP Destination Port; the example payload reads "This is Information Assurance Class".)

    TCP/IP Header can serve as a carrier for a steganographic covert channel

IP Header

    (Figure: IP header layout, highlighting the fields that may be used to embed steganographic data.)

TCP Header

    (Figure: TCP header layout.)

    Storage Based

    • Information is leaked by hiding data in packet header fields

      • IP identification

      • Offset

      • Options

      • TCP Checksum

      • TCP Sequence Numbers

    Timing Channels (I)

    • Information is leaked by triggering or delaying events at specific time intervals

    Frequency Based (I)

    • Information is encoded over many channels of cover traffic

    • The order or combination of cover channel access encodes information

    Protocol Based

    • Exploits ambiguities or non-uniform features in common protocol specifications

    Traditional Detection Mechanisms

    • Statistical methods

      • Storage-based

        • Data analysis

      • Time-based

        • Time analysis

      • Frequency-based

        • Flow analysis

Threat Model

    • Passive Warden Threat Model

    • Active Warden Threat Model

    IP Covert Channel

    • IP allows fragmentation and reassembly of long datagrams, requiring certain extra headers

    • For IP Networks:

      • Data hidden in the IP header

      • Data hidden in ICMP Echo Request and Response Packets

      • Data tunneled through an SSH connection

      • “Port 80” Tunneling, (or DNS port 53 tunneling)

      • In image files

    IP ID and TCP ISN Implementation

    • Two fields which are commonly used to embed steganographic data are the IP ID and TCP ISN

    • Due to their construction, these fields contain some structure

      • Partially unpredictable

    Detection of TCP/IP Steganography

    • Each operating system exhibits well-defined characteristics in the TCP/IP fields it generates

      • these can be used to identify anomalies that may indicate the use of steganography

    • A suite of tests

      • applied to network traces to identify whether the observed fields are consistent with known operating systems

IP ID Characteristics

    • Sequential Global IP ID

    • Sequential Per-host IP ID

    • IP-ID MSB Toggle

    • IP-ID Permutation

    TCP ISN Characteristics

    • Rekey Timer

    • Rekey Counter

    • ISN MSB Toggle

    • ISN Permutation

    • Zero bit 15

    • Full TCP Collisions

    • Partial TCP Collisions
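The two lists above (IP ID Characteristics and TCP ISN Characteristics) name the per-field tests without saying how they are measured. The following is an added example, not code from the slides or from the Murdoch and Lewis paper: it takes a capture of (destination host, field value) pairs from one sender and computes simple properties named after those tests. The property each function measures, the sample traces and the hosts are this example's own assumptions; the paper's actual test definitions may differ.

```python
# Added example (not from the slides or the paper): simple measurements of
# IP ID / TCP ISN sequences captured from one sender, named after the tests
# on the slides. What each function measures is this example's interpretation
# of the test name, not the paper's definition.
from collections import defaultdict


def _is_sequential(values, width):
    """True when each value is the previous one plus 1 modulo 2**width (wrap-around allowed)."""
    mod = 1 << width
    return len(values) > 1 and all((b - a) % mod == 1 for a, b in zip(values, values[1:]))


def is_sequential_global(observations, width=16):
    """One shared counter: values increment by 1 in capture order regardless of destination."""
    return _is_sequential([value for _, value in observations], width)


def is_sequential_per_host(observations, width=16):
    """One counter per destination host: values increment by 1 within each host's packets."""
    per_host = defaultdict(list)
    for host, value in observations:
        per_host[host].append(value)
    hosts_with_pairs = [vals for vals in per_host.values() if len(vals) > 1]
    return bool(hosts_with_pairs) and all(_is_sequential(vals, width) for vals in hosts_with_pairs)


def msb_flip_rate(observations, width=16):
    """Fraction of consecutive observations whose most significant bit differs
    (1.0: the MSB toggles on every packet; about 0.5: what a uniformly random field gives)."""
    msbs = [(value >> (width - 1)) & 1 for _, value in observations]
    pairs = list(zip(msbs, msbs[1:]))
    return sum(a != b for a, b in pairs) / len(pairs) if pairs else 0.0


def bit15_always_zero(observations):
    """True when bit 15 is clear in every value (the 'Zero bit 15' check)."""
    return bool(observations) and all(not (value >> 15) & 1 for _, value in observations)


def characterise(observations, width):
    """Run every measurement; a detector would compare the result with known OS profiles."""
    return {
        "sequential_global": is_sequential_global(observations, width),
        "sequential_per_host": is_sequential_per_host(observations, width),
        "msb_flip_rate": msb_flip_rate(observations, width),
        "bit15_zero": bit15_always_zero(observations),
    }


# Constructed samples: (destination host, field value) in capture order.
IPID_GLOBAL = [("10.0.0.2", 1000), ("10.0.0.3", 1001), ("10.0.0.2", 1002), ("10.0.0.3", 1003)]
IPID_PER_HOST = [("10.0.0.2", 500), ("10.0.0.3", 9000), ("10.0.0.2", 501), ("10.0.0.3", 9001)]
IPID_WRAP = [("10.0.0.2", 65534), ("10.0.0.2", 65535), ("10.0.0.2", 0)]
IPID_RANDOM = [("10.0.0.2", 0x3F2A), ("10.0.0.3", 0x91C4), ("10.0.0.2", 0x0B77), ("10.0.0.3", 0xD013)]
ISN_SAMPLE = [("10.0.0.2", 0x1A2B1234), ("10.0.0.3", 0x7C4D5678), ("10.0.0.2", 0xE0F00ABC)]

if __name__ == "__main__":
    for name, sample, width in [("ipid global", IPID_GLOBAL, 16), ("ipid per host", IPID_PER_HOST, 16),
                                ("ipid wrap", IPID_WRAP, 16), ("ipid random", IPID_RANDOM, 16),
                                ("isn", ISN_SAMPLE, 32)]:
        print(f"{name:14s}", characterise(sample, width))
```

The same functions serve both 16-bit IP IDs and 32-bit ISNs through the `width` argument; on a real trace the verdict is only meaningful once a sender has produced enough packets to several destinations, which is why the per-host test ignores hosts that were seen only once.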

    Explicit Steganography Detection

    12. Nushu Cryptography

    • encrypts data before placing it in the ISN field

    • results in an ISN distribution different from the one Linux normally generates, so it will be detected by the other TCP tests

    13. TCP Timestamp

    • If a low-bandwidth TCP connection is being used to leak information, a randomness test can be applied to the least significant bits of the timestamps in the TCP packets

    • If “too much” randomness is detected in the LSBs → a steganographic covert channel is in use
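The timestamp test above is a randomness check on the LSBs of the TCP timestamp option values of one connection. The following is an added example, not code from the slides or the paper, showing one way to implement it: a monobit (frequency) test and a Wald-Wolfowitz runs test on the LSB sequence, with the sequence flagged when it passes both, since a genuine clock leaves structure in its low bits. The choice of these two statistics, the 1.96 threshold and the constructed timestamp samples are this example's own assumptions.

```python
# Added example (not from the slides or the paper): randomness test over the
# least significant bits of TCP timestamp values from one connection. The two
# statistics and the 1.96 threshold are this example's choices.
import math


def lsb_sequence(timestamps, nbits=1):
    """Flatten the `nbits` least significant bits of each timestamp into one bit list."""
    return [(ts >> i) & 1 for ts in timestamps for i in range(nbits - 1, -1, -1)]


def monobit_z(bits):
    """Frequency test: z-score of the ones/zeros balance under the random hypothesis."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return abs(s) / math.sqrt(n) if n else float("inf")


def runs_z(bits):
    """Runs test: z-score of the number of runs against its expectation for a random
    sequence with the same ones/zeros counts. Too few runs (packet bursts sharing one
    clock tick) and too many runs (a clock ticking exactly once per packet) both give
    a large |z|; only coin-flip-like bits stay near zero."""
    n = len(bits)
    n1 = sum(bits)
    n0 = n - n1
    if n < 2 or n0 == 0 or n1 == 0:
        return float("inf")  # a constant sequence is certainly not random
    runs = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    mu = 2.0 * n0 * n1 / n + 1
    var = 2.0 * n0 * n1 * (2.0 * n0 * n1 - n) / (n * n * (n - 1))
    return (runs - mu) / math.sqrt(var)


def timestamp_lsb_verdict(timestamps, nbits=1, z_max=1.96):
    """Return the statistics and whether the LSBs look like coin flips.
    Real timestamp clocks fail at least one test; LSBs that pass both are
    'too random' and flagged as suspicious."""
    bits = lsb_sequence(timestamps, nbits)
    zm, zr = monobit_z(bits), runs_z(bits)
    return {"monobit_z": zm, "runs_z": zr, "suspicious": abs(zm) < z_max and abs(zr) < z_max}


# Constructed sample: a sender emitting bursts of four packets per clock tick,
# so consecutive timestamps repeat and then increment.
CLOCK_TIMESTAMPS = [100 + i // 4 for i in range(40)]

# Constructed sample: same timing, but the LSB of each timestamp replaced by a
# fixed hand-written bit pattern standing in for arbitrary channel bits.
_PATTERN = "1101001011100010110101100100111010011000"
LSB_MODULATED_TIMESTAMPS = [(ts & ~1) | int(b) for ts, b in zip(CLOCK_TIMESTAMPS, _PATTERN)]

if __name__ == "__main__":
    print("clock    ", timestamp_lsb_verdict(CLOCK_TIMESTAMPS))
    print("modulated", timestamp_lsb_verdict(LSB_MODULATED_TIMESTAMPS))
```

With only 40 packets the test has little power, so on real traffic the bit sequence should be accumulated per connection and the verdict taken once a few hundred timestamps are available; the `nbits` argument lets the same check cover the two or three lowest bits when a sender's clock resolution makes the single LSB uninformative.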


    14. Other Anomalies

    • unusual flags (e.g. DF when not expected, ToS set)

    • excessive fragmentation

    • use of IP options

    • non-zero padding

    • unexpected TCP options (e.g. timestamps from operating systems which do not generate them)

    • excessive re-ordering
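The Packet Header Hiding and Storage Based slides list the carrier fields (IP identification, offset, options, TCP checksum, TCP sequence numbers) and the list above gives per-packet anomalies a warden can look for. The following is an added example, not code from the slides or the paper: a minimal IPv4/TCP header parser that extracts those fields from a raw packet and a per-packet anomaly check against an operating-system profile. The profile dicts, the constructed packets and the finding strings are this example's own assumptions; real profiles would come from fingerprinting each stack, and the flow-level items on the list (excessive fragmentation, excessive re-ordering) need aggregation across many packets, which this per-packet check does not do.

```python
# Added example (not from the slides or the paper): minimal IPv4/TCP header
# parser for the fields the slides list as carriers, plus per-packet checks for
# the "Other Anomalies" list. OS profiles here are hypothetical.
import struct


def _options_padding(raw):
    """Walk a kind/length option list (same encoding for IP and TCP options).
    Returns (option kinds seen, bytes following an End-of-Options-List marker)."""
    kinds, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: everything after it is padding
            return kinds, raw[i + 1:]
        if kind == 1:                       # NOP: single byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                           # truncated or malformed option
        kinds.append(kind)
        i += raw[i + 1]
    return kinds, b""


def parse_ipv4_tcp(packet):
    """Return the header fields of interest from a raw IPv4+TCP packet (no link layer)."""
    (ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto,
     ip_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP packet")
    ip_options = packet[20:ihl]
    (sport, dport, seq, ack, off_res, tcp_flags, window,
     tcp_cksum, urg) = struct.unpack("!HHIIBBHHH", packet[ihl:ihl + 20])
    doff = (off_res >> 4) * 4
    tcp_options = packet[ihl + 20:ihl + doff]
    ip_kinds, ip_pad = _options_padding(ip_options)
    tcp_kinds, tcp_pad = _options_padding(tcp_options)
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "tos": tos, "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ip_option_kinds": ip_kinds, "ip_options_len": len(ip_options),
        "sport": sport, "dport": dport, "seq": seq, "tcp_checksum": tcp_cksum,
        "tcp_option_kinds": tcp_kinds,
        "padding_nonzero": any(ip_pad) or any(tcp_pad),
    }


def header_anomalies(fields, profile):
    """Per-packet findings relative to a (hypothetical) profile of the sending OS."""
    findings = []
    if fields["df"] and not profile["sets_df"]:
        findings.append("DF set but this OS does not set it")
    if fields["tos"] != 0:
        findings.append("ToS set")
    if fields["mf"] or fields["frag_offset"]:
        findings.append("fragment")
    if fields["ip_options_len"]:
        findings.append("IP options present")
    if fields["padding_nonzero"]:
        findings.append("non-zero option padding")
    if 8 in fields["tcp_option_kinds"] and not profile["generates_timestamps"]:
        findings.append("TCP timestamp option from an OS that does not generate it")
    return findings


def build_sample(tos=0, ip_id=0x1234, df=True, ip_options=b"", seq=0x11223344, tcp_options=b""):
    """Constructed IPv4/TCP SYN packet for testing; checksums are left as zero."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl, doff = 5 + len(ip_options) // 4, 5 + len(tcp_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, tos, 4 * (ihl + doff), ip_id,
                     0x4000 if df else 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, doff << 4, 0x02, 65535, 0, 0)
    return ip + ip_options + tcp + tcp_options


PROFILE_DF = {"sets_df": True, "generates_timestamps": False}      # hypothetical
PROFILE_PLAIN = {"sets_df": False, "generates_timestamps": False}  # hypothetical
CLEAN_PACKET = build_sample()
ODD_PACKET = build_sample(
    tos=0x10,
    ip_options=b"\x00\x00\x00\x41",                                   # EOL then non-zero padding
    tcp_options=b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x2a" + b"\x00\x00\x00\x00",  # NOP NOP TSopt
)

if __name__ == "__main__":
    for name, pkt, profile in [("clean", CLEAN_PACKET, PROFILE_DF), ("odd", ODD_PACKET, PROFILE_PLAIN)]:
        fields = parse_ipv4_tcp(pkt)
        print(name, hex(fields["ip_id"]), hex(fields["seq"]), header_anomalies(fields, profile))
```

The parser deliberately validates only what it needs (version, header lengths, protocol) and leaves checksums unverified; a warden feeding it from a capture would first confirm the packets are well-formed, then hand `parse_ipv4_tcp` output to the field-sequence and timestamp tests for the per-flow checks.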

    Detection-Resistant TCP Steganography Schemes

    • Lathra: a robust scheme that uses the TCP ISNs generated by OpenBSD and Linux as a steganographic carrier

    • Simply encoding data within the least significant 24 bits of the ISN could be detected by the warden

Conclusion

    • TCP/IP header fields can be used as a carrier for a steganographic covert channel

    • Two schemes for encoding data with ISNs generated by OpenBSD and Linux

      • indistinguishable from those generated by a genuine TCP stack

    Future Work

    • Flexible covert channel scheme which can be used in many channels

    • Create a protocol for jumping between multiple covert channels

    • New schemes to detect different encoding mechanisms in TCP/IP Header fields

References

    • Hide and Seek: An Introduction to Steganography, Niels Provos, Peter Honeyman, IEEE Security and Privacy Journal, May-June 2003

    • Embedding Covert Channels into TCP/IP, Steven J. Murdoch, Stephen Lewis, 7th Information Hiding Workshop, Barcelona, Catalonia (Spain) June 2005

    Thanks a lot …

    For Your


Homework

    Presentation Slides and Research Papers are available at :


    Covert Channel Tools

    • SSH (SCP, FTP Tunneling, Telnet Tunneling, X-Windows Tunneling, ...) - can be set to operate on any port (<1024 usually requires root privilege).

    • Loki (ICMP Echo R/R, UDP 53)

    • NT - Back Orifice (BO2K) plugin BOSOCK32

    • Reverse WWW Shell Server - looks like an HTTP client (browser). Application headers mimic HTTP GET and response commands.