Crafting Web Counters into Covert Channels
Almost all previously proposed network storage channels write covert messages into the packets' protocol fields. In contrast, this paper presents a new network storage channel, WebShare, that uses the plentiful, public Web counters for storage. As a result, the physical locations of the WebShare encoder and decoder are not restricted to a single path. To make WebShare practical, we have addressed a number of thorny issues, such as the "noise" introduced by other legitimate Web requests and synchronization between the encoder and decoder. As a proof of concept, we have experimented with a WebShare prototype on the Internet and have shown that it is practically feasible even when the Web counter and the encoder/decoder are separated by more than 20 router hops.
Keywords: Covert Channel, Covert Communication, Spread Spectrum Communication, Network Time Protocol, Storage Channel