4 research outputs found

    Network Covert Channels: Review of Current State and Analysis of Viability of the use of X.509 Certificates for Covert Communications

    The popularity of computer-based smuggling has increased as organizations take measures to prevent traditional means of data exfiltration. Most organizations depend on broad and heterogeneous communication networks, which offer malicious users numerous possibilities to smuggle sensitive private information out of their boundaries. They can achieve that objective with network covert channels, which, apart from carrying the data outside the organization, hide the fact that the communication is taking place. This study provides a comprehensive, up-to-date review of the current state of research in the field of network covert channels: hidden communication channels that abuse legitimate network communication channels. It also presents a novel technique to establish such channels based on the use of digital certificates, along with an informal framework to exfiltrate data using the technique. It involves the Transport Layer Security (TLS) protocol, a network protocol normally used to provide confidentiality and integrity services to applications. Several detection and prevention mechanisms and methodologies exist or have been proposed to counter the threats posed by these hidden communication channels. They are also identified and discussed in this work, explaining their applicability and limitations.

    A MAC layer covert channel in 802.11 networks

    Covert channels in modern communication networks are a source of security concerns. Such channels can be used to facilitate command and control of botnets or to inject malicious content into unsuspecting end-user devices or network nodes. The vast majority of documented covert channels make use of the upper layers of the Open Systems Interconnection (OSI) model. In this thesis, we present a new covert channel in IEEE 802.11 networks that makes use of the Protocol Version field in the Medium Access Control (MAC) header. This is achieved by forging modified Clear To Send (CTS) and Acknowledgment (ACK) frames. Forward error correction and interleaving were implemented to increase the proposed channel's robustness to errors. A laboratory implementation of the proposed channel is presented, developed in Python on Linux. We present the results of tests conducted on the proposed channel, including measurements of channel errors, available data rate for transmission, and level of covertness.
    http://archive.org/details/amaclayercovertc1094548138
    Lieutenant, Portuguese Navy
    Approved for public release; distribution is unlimited
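The Protocol Version channel described above, as an added example that is not the thesis's code: it builds CTS and ACK frames as raw bytes, carries one 2-bit symbol per frame in the Protocol Version field of the Frame Control octet, protects the symbol stream with a rate-1/3 repetition code spread by a block interleaver (the thesis does not name its FEC scheme, so the code choice is an assumption), and simulates a burst of channel errors. The receiver address, the message and the error model are constructed; nothing is transmitted. A detection check is included because the 802.11 standard defines only Protocol Version 0, so any other value in a capture is itself a tell for this channel.

```python
import struct
import zlib
from collections import Counter

# 802.11 Frame Control octet 0: subtype (bits 4-7) | type (bits 2-3) | protocol version (bits 0-1)
TYPE_CONTROL = 0b01
SUBTYPE_CTS = 0b1100
SUBTYPE_ACK = 0b1101
REPEAT = 3                                   # assumed rate-1/3 repetition code (not the thesis's FEC)
RA = bytes.fromhex("001122334455")           # constructed receiver address


def build_control_frame(subtype, version, ra=RA, duration=0):
    """CTS/ACK frame layout: FC(2) + Duration(2) + RA(6) + FCS(4); FCS is CRC-32 over the rest."""
    fc0 = (subtype << 4) | (TYPE_CONTROL << 2) | (version & 0b11)
    body = struct.pack("<BBH", fc0, 0, duration) + ra
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def protocol_version(frame):
    return frame[0] & 0b11


def fcs_ok(frame):
    return zlib.crc32(frame[:-4]) & 0xFFFFFFFF == struct.unpack("<I", frame[-4:])[0]


def encode(message):
    """Split each byte into four 2-bit symbols, repeat the whole symbol stream REPEAT times
    (copies laid end to end act as a block interleaver over the repetition code), and carry
    each symbol in one frame's Protocol Version field, alternating CTS and ACK as cover."""
    symbols = [(b >> shift) & 0b11 for b in message for shift in (6, 4, 2, 0)]
    stream = symbols * REPEAT
    return [build_control_frame(SUBTYPE_CTS if i % 2 == 0 else SUBTYPE_ACK, s)
            for i, s in enumerate(stream)]


def decode(frames):
    """Read the version bits of every captured frame, de-interleave, majority-vote each symbol."""
    stream = [protocol_version(f) for f in frames]
    n = len(stream) // REPEAT
    symbols = []
    for i in range(n):
        copies = [stream[k * n + i] for k in range(REPEAT)]
        symbols.append(Counter(copies).most_common(1)[0][0])
    out = bytearray()
    for i in range(0, len(symbols) - len(symbols) % 4, 4):
        out.append((symbols[i] << 6) | (symbols[i + 1] << 4) | (symbols[i + 2] << 2) | symbols[i + 3])
    return bytes(out)


def corrupt_burst(frames, start, length):
    """Constructed error model: `length` consecutive frames arrive with their version bits
    altered (a stand-in for channel errors; the FCS is deliberately not recomputed)."""
    damaged = []
    for i, f in enumerate(frames):
        if start <= i < start + length:
            f = bytes([(f[0] & ~0b11) | ((protocol_version(f) + 1) & 0b11)]) + f[1:]
        damaged.append(f)
    return damaged


def nonzero_version_ratio(frames):
    """Detection check: conforming frames carry Protocol Version 0, so the share of frames
    with any other value is a direct covertness metric for this channel."""
    if not frames:
        return 0.0
    return sum(1 for f in frames if protocol_version(f) != 0) / len(frames)


if __name__ == "__main__":
    frames = encode(b"exfil")
    n = len(frames) // REPEAT
    print("clean:", decode(frames))
    print("burst of n frames:", decode(corrupt_burst(frames, 3, n)))
    print("burst of 2n frames:", decode(corrupt_burst(frames, 0, 2 * n)))
    print("non-zero PV ratio:", nonzero_version_ratio(frames))
```

A receiver in monitor mode would collect the frames off the air and hand them to decode(). The two burst runs show the limit of the repetition-plus-interleaving scheme: a burst shorter than the symbol count hits at most one copy of each symbol and is corrected, while a burst covering two copies outvotes the surviving one.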

    An approach towards anomaly based detection and profiling covert TCP/IP channels

    Firewalls and detection systems have been used to prevent and detect attacks through a wide variety of mechanisms. A problem has arisen where users and applications can circumvent security policies because of particularities of the TCP/IP protocol suite, the ability to obfuscate the data payload, tunnel protocols, and covertly simulate a permitted communication. It has been shown that unusual traffic patterns may lead to the discovery of covert channels that employ packet headers. In addition, covert channels can be detected by observing anomalies in unused packet header fields. Presently, we are not aware of any schemes that address detecting anomalous traffic patterns that can potentially be created by a covert channel. In this work, we explore the approach of combining anomaly-based detection with covert channel profiling to detect a very precise subset of covert storage channels in network protocols. We also discuss why this method is more practical and industry-ready than present research on how to profile and mitigate these types of attacks. Finally, we describe a specialized tool that passively monitors networks for these types of attacks and show how it can be used to build an efficient hybrid covert channel and anomaly-based detection system.
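As an added example of the hybrid approach the abstract describes (not the thesis's tool), the following Python detector parses IPv4/TCP headers from constructed packets, applies per-packet rules for values a conforming stack never writes into reserved or unused fields, and profiles the IP Identification field per flow. The covert flow mimics the classic covert_tcp style of writing one ASCII byte per packet into the IP ID; the addresses, ports and the 0.9/0.5 thresholds are assumptions, and checksums are left zero because the detector never needs them.

```python
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"     # IPv4 header without options
TCP_FMT = "!HHIIBBHHH"       # TCP header without options


def build_packet(src, dst, ident, sport, dport, *, ip_reserved=False, tcp_reserved=0,
                 flags=0x18, urg_ptr=0, payload=b""):
    """Constructed IPv4+TCP packet (PSH|ACK by default, DF set, checksums zero)."""
    flags_frag = (0x8000 if ip_reserved else 0) | 0x4000
    ip = struct.pack(IP_FMT, 0x45, 0, 40 + len(payload), ident, flags_frag, 64, 6, 0, src, dst)
    tcp = struct.pack(TCP_FMT, sport, dport, 1000, 2000, (5 << 4) | (tcp_reserved & 0xF),
                      flags, 65535, 0, urg_ptr)
    return ip + tcp + payload


def parse_packet(packet):
    ver_ihl, _, _, ident, flags_frag, _, _, _, src, dst = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0xF) * 4
    sport, dport, _, _, off_res, flags, _, _, urg_ptr = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    return {"src": src, "dst": dst, "ident": ident,
            "ip_reserved": bool(flags_frag & 0x8000),
            "tcp_reserved": off_res & 0xF, "flags": flags,
            "urg_ptr": urg_ptr, "sport": sport, "dport": dport}


def header_anomalies(pkt):
    """Per-packet rules: a conforming stack leaves these fields zero (or consistent)."""
    reasons = []
    if pkt["ip_reserved"]:
        reasons.append("ip-reserved-flag-set")
    if pkt["tcp_reserved"]:
        reasons.append("tcp-reserved-bits-nonzero")
    if pkt["urg_ptr"] and not pkt["flags"] & 0x20:
        reasons.append("urg-pointer-without-URG")
    return reasons


def ipid_profile(idents):
    """Flow-level profile of the IP Identification field. A stack increments it or
    randomises it over 16 bits; a sender writing one byte per packet leaves every value
    below 256 and no monotonic run. Thresholds are assumptions for this example."""
    if len(idents) < 4:
        return None
    low_byte_only = sum(1 for i in idents if i < 256) / len(idents)
    steps = [b - a for a, b in zip(idents, idents[1:])]
    monotonic = sum(1 for s in steps if 0 < s <= 16) / len(steps)
    if low_byte_only > 0.9 and monotonic < 0.5:
        return "ipid-byte-pattern"
    return None


def analyze(packets):
    """Combine per-packet header rules with per-flow profiling; returns {flow: [reasons]}."""
    findings = defaultdict(list)
    idents = defaultdict(list)
    for raw in packets:
        pkt = parse_packet(raw)
        flow = (pkt["src"], pkt["dst"], pkt["dport"])
        idents[flow].append(pkt["ident"])
        for reason in header_anomalies(pkt):
            if reason not in findings[flow]:
                findings[flow].append(reason)
    for flow, ids in idents.items():
        reason = ipid_profile(ids)
        if reason:
            findings[flow].append(reason)
    return dict(findings)


# Constructed sample traffic: one normal flow, one IP-ID byte channel, one packet with reserved bits set.
HOST_A, HOST_B, HOST_C = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([10, 0, 0, 9])
NORMAL = [build_packet(HOST_A, HOST_B, 4000 + i, 40000, 443) for i in range(8)]
COVERT_IPID = [build_packet(HOST_C, HOST_B, ord(ch), 40001, 80) for ch in "secret!!"]
RESERVED = [build_packet(HOST_A, HOST_C, 7000, 40002, 22, tcp_reserved=0b0101)]

if __name__ == "__main__":
    for flow, reasons in analyze(NORMAL + COVERT_IPID + RESERVED).items():
        print(flow, reasons)
```

The per-packet rules are the "unused field" checks the abstract mentions and fire on a single packet; the IP ID profile needs a handful of packets per flow, which is the price of catching a channel that only writes legal-looking values. A production version would also profile TTL, window size and TCP timestamp behaviour per host rather than a single field.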

    Behavioral Mimicry Covert Communication

    Covert communication refers to the process of communicating data through a channel that is neither designed nor intended to transfer information. Traditionally, covert channels have been considered security threats in computer systems, and a great deal of attention has been given to countermeasures against covert communication schemes. The evolution of computer networks led the communication community to revisit the concept of covert communication not only as a security threat but also as an alternative way of providing security and privacy in communication networks. In fact, the heterogeneous structure of computer networks and the diversity of communication protocols provide an appealing setting for covert channels. This dissertation is an exploration of a novel design methodology for undetectable and robust covert channels in communication networks. Our design methodology is based on the concept of behavioral mimicry in computer systems. The objective is to design a covert transmitter that has enough degrees of freedom to behave like an ordinary transmitter and react normally to unpredictable network events, yet has the ability to modulate a covert message onto its behavioral fingerprints in the network. To this end, we argue that the inherent randomness in communication protocols and network environments is the key to finding the proper medium for network covert channels. We present a few examples of how random behaviors in communication protocols lead to the discovery of suitable shared resources for covert channels. The proposed design methodology is tested on two new covert communication schemes, one designed for wireless networks and the other optimized for public communication networks (e.g., the Internet). Each design is accompanied by a comprehensive analysis from the perspectives of undetectability, achievable covert rate and reliability. In particular, we introduce turbo covert channels, a family of extremely robust model-based timing covert channels that achieve provable polynomial undetectability in public communication networks: the covert channel is undetectable by any polynomial-time statistical test that analyzes samples of the covert traffic and the legitimate traffic of the network. Target applications for the proposed covert communication schemes are discussed, including detailed practical scenarios in which the proposed channels can be implemented.