178 research outputs found

    A NOVEL APPROACH FOR COVERT COMMUNICATION OVER TCP VIA INDUCED CLOCK SKEW

    The goal of this thesis is to determine the feasibility and provide a proof of concept for a covert communications channel based on induced clock skew. Transmission Control Protocol (TCP) timestamps provide a means for measuring clock skew between two hosts. By intentionally altering timestamps, a host can induce artificial clock skew as measured by the receiver, thereby providing a means to covertly communicate. A novel scheme for transforming symbols into skew values is developed in this work, along with methods for extraction at the receiver. We tested the proposed scheme in a laboratory network consisting of Dell laptops running Ubuntu 16.04. The results demonstrated a successful implementation of the proposed covert channel with achieved bit rates as high as 33 bits per second under ideal conditions. Forward error correction was also successfully employed in the form of a Reed–Solomon code to mitigate the effects of variation in delay over the Internet. Lieutenant, United States Navy. Approved for public release; distribution is unlimited.

    Covert6: A Tool to Corroborate the Existence of IPv6 Covert Channels

    Covert channels are any communication channel that can be exploited to transfer information in a manner that violates the system’s security policy. Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite have been susceptible to covert channels, which could be exploited to leak data or be used for anonymous communications. With the introduction of IPv6, researchers are acutely aware that many vulnerabilities of IPv4 have been remediated in IPv6. However, a proof of concept covert channel system was demonstrated in 2006. A decade later, IPv6 and its related protocols have undergone major changes, which has introduced a need to reevaluate the current state of covert channels within IPv6. The current research demonstrates the corroboration of covert channels in IPv6 by building a tool that establishes a covert channel against a simulated enterprise network. This is further validated against multiple channel criteria.

    Hiding out in plaintext: covert messaging with bitwise summations

    Network-based information hiding is possible in even the most adverse conditions such as when an active warden reduces packets into a canonical form and enforces protocol specification. Covert channels in the TCP/IP protocol suite are surveyed from the network layer up to the application layer which is given special emphasis. Active wardens are discussed in detail, as those network devices attempt to thwart covert communications. Application layer hiding techniques are gaining popularity and can be viewed as a response to active wardens. However, even the best application layer techniques tend to be confined to a particular protocol. We define the theoretical foundations for a new scheme in which bitwise summations of application layer messages convey covert bits. A set of large HTTP queries is taken from Internet Traffic Archive for analysis. Two bitwise summation methods, an ad-hoc and a blind (cryptographic), are compared using the Web repository. The viability of both methods is established, though the cryptographic findings are more conclusive. Following the test results, a client/server model is outlined that utilizes either the ad-hoc or the blind method for covert communication. Development of a functioning prototype based on that model is described as well. The client, called tcphalm for hide application layer messages, can communicate without the requirement of superuser privileges by gathering socket messages through system call interposition. The server, tcphalmd, only supports the HTTP protocol but is demonstrative enough so that other application protocols can easily be incorporated into the code. Finally, future work is discussed which includes steps concerned network administrators can take to combat application layer hiding techniques. However, because hiding techniques can be adapted to handle such countermeasures, the covert messaging arms race will likely continue well into the future. 
For now, information hiding methods that employ bitwise summations enjoy a sizeable advantage over active wardens.

    Moving target network steganography

    A branch of information hiding that has gained traction in recent years is network steganography. Network steganography uses network protocols as carriers to hide and transmit data. Storage channel network steganography manipulates values in protocol header and data fields and stores covert data inside them. The timing channel modulates the timing of events in the protocol to transfer covert information. Many current storage channel network steganography methods have low bandwidths and they hide covert data directly into the protocol which allows discoverers of the channel to read the confidential information. A new type of storage channel network steganography method is proposed and implemented which abstracts the idea of hiding data inside the network protocol. The addition of a moving target mechanism rotates the locations of data to be evaluated preventing brute force attacks. The bandwidth of the algorithm can also be controlled by increasing or decreasing the rate of packet transmission. A proof of concept is developed to implement the algorithm. Experimental run times are compared with their theoretical equivalents to compare the accuracy of the proof of concept. Detailed probability and data transfer analysis is performed on the algorithm to see how the algorithm functions in terms of security and bandwidth. Finally, a detection and mitigation analysis is performed to highlight the flaws with the algorithm and how they can be improved.

    A New covert channel over RTP

    In this thesis, we designed and implemented a new covert channel over the RTP protocol. The covert channel modifies the timestamp value in the RTP header to send its secret messages. The high frequency of RTP packets allows for a high bitrate covert channel, theoretically up to 350 bps. The broad use of RTP for multimedia applications, including VoIP, provides plentiful opportunities to use this channel. By using the RTP header, many of the challenges present for covert channels using the RTP payload are avoided. Using the reference implementation of this covert channel, bitrates of up to 325 bps were observed. Speed decreases on less reliable networks, though message delivery was flawless with up to 1% RTP packet loss. The channel is very difficult to detect due to expected variations in the timestamp field and the flexible nature of RTP.

    KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures

    Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties. In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that that scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048.

    A Covert Channel in Packet Switching Data Networks

    This paper presents a covert communication channel that exists in virtually all forms of packet switching data networks. On the one hand, this covert channel, if used properly, can potentially enhance the overall security of data communications over networks. On the other hand, the covert channel can also potentially become a back door to access a destination computer, and hence becomes a security hazard to the computer. A simple protocol is specified for communications on the covert channel. A modified TFTP application is also presented to demonstrate how to use the covert channel to convey secret messages or to enhance the integrity of data communications. The application also illustrates a back door that leaks client’s data files without user notification. A sliding entropy method is also introduced to detect some cases of covert channels.