Crafting Web Counters into Covert Channels

  • Xiapu Luo
  • Edmond W. W. Chan
  • Rocky K. C. Chang
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


Almost all the previously proposed network storage channels write covert messages in the packets’ protocol fields. In contrast, we present in this paper a new network storage channel WebShare that uses the plentiful, public Web counters for storage. Therefore, the physical locations of the WebShare encoder and decoder are not restricted to a single path. To make WebShare practical, we have addressed a number of thorny issues, such as the “noise” introduced by other legitimate Web requests, and synchronization between encoder and decoder. For the proof-of-concept purpose, we have experimented a WebShare prototype in the Internet, and have showed that it is practically feasible even when the Web counter and the encoder/decoder are separated by more than 20 router hops.


Covert Channel Covert Communication Spread Spectrum Communication Network Time Protocol Storage Channel 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bauer. New covert channels in HTTP: Adding unwitting Web browsers to anonymity sets. In Proc. ACM Workshop on Privacy in the Electronic Society, 2003.Google Scholar
  2. 2.
    K. Borders and A. Prakash. Web Tap: Detecting covert Web traffic. In Proc. ACM CCS, 2004.Google Scholar
  3. 3.
    DoD US. Department of defense trusted computer system evaluation criteria (orange book). Technical Report DoD 5200.28-STD, National Computer Security Center, Dec. 1985.Google Scholar
  4. 4.
    V. Gligor. A guide to understanding covert channel analysis of trusted systems (light pink book). Technical Report NCSC-TG-030, National Computer Security Center, Nov. 1993.Google Scholar
  5. 5.
    E. Cronin, M. Sherr, and M. Blaze. The eavesdropper’s dilemma. Technical Report MS-CIS-05-24, University of Pennsylvania, February 2006.Google Scholar
  6. 6.
    R. Kemmerer. Shared resource matrix methodology: A practical approach to indetifying covert channels. ACM Transactions on Computer Systems, 1(3), 1983.Google Scholar
  7. 7.
    C. Tsai and V. Gligor. A bandwidth computation model for covert storage channels and its applications. In Proc. IEEE Symp. Security and Privacy, 1988.Google Scholar
  8. 8.
    G. Danezis. Covert communications despite traffic data retention., 2006.
  9. 9.
    C. Rowland. Covert channels in the TCP/IP protocol suite. First Monday: Peerreviewed Journal on the Internet, 2(5), 1997.Google Scholar
  10. 10.
    Fyodor. Idle scanning and related IPID games.
  11. 11.
    F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In Proc. IEEE Symp. Security and Privacy, 2002.Google Scholar
  12. 12.
    H. Lee, E. Chang, and M. Chan. Pervasive random beacon in the Internet for covert coordination. In Proc. Information Hiding Workshop, 2005.Google Scholar
  13. 13.
    M. Simon, J. Omura, R. Scholtz, and B. Levitt. Spread Spectrum Communications Handbook. McGraw-Hill, 2002.Google Scholar
  14. 14.
    D. Kreher and D. Stinson. Combinatorial Algorithms: Generation, Enumeration and Search. CRC press, 1998.Google Scholar
  15. 15.
    W. Myrvold and F. Ruskey. Ranking and unranking permutations in linear time. Information Processing Letters, 79:281–284, 2001.MATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    K. Ahsan and D. Kundur. Practical data hiding in TCP/IP. In Proc. Workshop on Multimedia Security, 2002.Google Scholar
  17. 17.
    S. Murdoch and S. Lewis. Embedding covert channels into TCP/IP. In Proc. Information Hiding Workshop, 2005.Google Scholar
  18. 18.
    C. Abad. IP checksum covert channels and selected hash collision,, 2001.
  19. 19.
    J. Giffen, R. Greenstadt, P. Litwack, and R. Tibbetts. Covert messaging through TCP timestamps. In Proc. PET Workshop, 2002.Google Scholar
  20. 20.
    J. Rutkowska. The implementation of passive covert channels in the Linux kernel. In Proc. Chaos Communication Congress, 2004.Google Scholar
  21. 21.
    K. Moore. On the use of HTTP as a substrate. RFC 3205, Feb. 2002.Google Scholar
  22. 22.
    Gray-World Team. Covert channel and tunneling over the HTTP protocol detection: GW implementation theoretical design., 2003.
  23. 23.
    N. Feamster, M. Balazinska, W. Wang, H. Balakrishnan, and D. Karger. Thwarting Web cenorship with untrusted messenger discovery. In Proc. PET Workshop, 2003.Google Scholar
  24. 24.
    J. Seo T. Sohn and J. Moon. A study on the covert channel detection of TCP/IP header using support vector machine. In Proc. ICICS, 2003.Google Scholar
  25. 25.
    E. Tumoian and M. Anikeev. Network based detection of passive covert channels in TCP/IP. In Proc. IEEE LCN, 2005.Google Scholar
  26. 26.
    D. Pack, W. Streilein, S. Webster, and R. Cunningham. Detecting HTTP tunneling activities. In Proc. IEEE Annual Information Assurance Workshop, 2002.Google Scholar
  27. 27.
    N. Feamster, M. Balazinska, G. Harfst, H. Balakrishnan, and D. Karger. Infranet: Circumventing censorship and surveillance. In Proc. USENIX Security Symp., 2002.Google Scholar

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Xiapu Luo
    • 1
  • Edmond W. W. Chan
    • 1
  • Rocky K. C. Chang
    • 1
  1. 1.Department of ComputingThe Hong Kong Polytechnic UniversityHong KongChina

Personalised recommendations