Embedding Covert Channels into TCP/IP

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3727)

Abstract

It is commonly believed that steganography within TCP/IP is easily achieved by embedding data in header fields seemingly filled with “random” data, such as the IP identifier, TCP initial sequence number (ISN) or the least significant bit of the TCP timestamp. We show that this is not the case; these fields naturally exhibit sufficient structure and non-uniformity to be efficiently and reliably differentiated from unmodified ciphertext. Previous work on TCP/IP steganography does not take this into account and, by examining TCP/IP specifications and open source implementations, we have developed tests to detect the use of naïve embedding. Finally, we describe reversible transforms that map block cipher output onto TCP ISNs, indistinguishable from those generated by Linux and OpenBSD. The techniques used can be extended to other operating systems. A message can thus be hidden so that an attacker cannot demonstrate its existence without knowing a secret key.




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Murdoch, S.J., Lewis, S. (2005). Embedding Covert Channels into TCP/IP. In: Barni, M., Herrera-Joancomartí, J., Katzenbeisser, S., Pérez-González, F. (eds) Information Hiding. IH 2005. Lecture Notes in Computer Science, vol 3727. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11558859_19


  • DOI: https://doi.org/10.1007/11558859_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-29039-1

  • Online ISBN: 978-3-540-31481-3

  • eBook Packages: Computer Science, Computer Science (R0)
