Documente Academic
Documente Profesional
Documente Cultură
30 Aug 06
NOSO
I&W ANALYSIS -
COVERT CHANNELS: CLOAK AND DAGGER IN THE INFORMATION AGE
INTRODUCTION
2. (U) In previous decades, much attention was paid to the threat of storage and
timing covert channels as they were implemented on an individual system1.
However, with the evolution of networking and the growth of large interconnected
networks, covert channels based upon existing network protocols gradually become
prevalent.
3. (U) Though this document will touch on the historical aspects of systemic
storage and timing covert channel techniques, its primary focus will be on network-
based covert channels and the possible countermeasures that can be implemented to
defend the organization's networks.
AIM
1
System - A framework of software and hardware designed to allow software programs to run; also often
referred to as a "platform" or "host".
1
DISCUSSION
7. (U) Depending on the intent of the party that has implemented the covert
channel, the channel can be used for several purposes in addition to data exfiltration
ad demonstrated in Annex B.
10. (U) Despite its advances, the Orange Book dealt exclusively at the system
level and did not address networks specifically; despite its limited scope, it did
introduce the two basic scovert channel methodologies:
2
Loïc Hélouët et al. "Covert Channels Detection in Protocols Using Scenarios".
3
Ibid, Loïc Hélouët et al.
4
National Computer Security Center - a child organization of the National Security Agency, was
established in 1981 and is responsible for testing and evaluating computer equipment for use in high
security and/or classified applications.
5
Department of Defence. "DoD 5200.280-STD: Department of Defence Trusted Computer System
Evaluation Criteria.
6
Rainbow Series - a series of computer security standards published by the United States government in
the 1980s that describe a process of evaluation for trusted systems.
7
Common Criteria - an international standard (ISO/IEC 15408) for computer security.
2
11. (U) In recent years, the widespread deployment of large interconnected
networks and the exploitation of protocols utilized in their information flows resulted
in the naissance of a new threat - network based covert channels. This new form of
covert channel, due to its very nature and modern society's dependence on network
based infrastructure, is far more pervasive than the system based covert channels of
auld.
12. (U) Unlike its antediluvian counterparts, which were utilized to convey
compartmentalized information between processes on a single system, network
based protocols utilize existing data fields in standard protocols to convey
information covertly across a network from one system to another. This
differentiation makes them inherently dangerous to the highly networked
infrastructure of the organization.
13. (U) As mentioned above, network based covert channels utilize either valid
data fields in existing communication protocols (IP, TCP, ICMP, HTTP and DNS) or a
temporal variance in order to convey data from a compromised system to another
"hostile" system.
14. (U) A network based covert channel's degree of obfuscation and level of utility
of is dependent on the manner in which the bits in the protocol headers are
manipulated. As detailed by David Llama in one of his papers: 8
...we identify two criteria. Whether or not the covert channel can be created without
violating the legal framework of the protocol and whether the channel can be created
within the constraints of actual implementations of the protocol.
This possibility arises because protocol implementations and their specifications are
not identical. Consequently, covert channels could follow the legal definition of the
filed to be manipulated but might not work at the implementation level, or they
could not strictly follow the legal definition but work at the implementation level.
8
David Llamas et al. "An Evaluation Framework for the Analysis of Covert Channels in the TCP/IP
Protocol Suite".
3
15. (U) In their report regarding covert channels, Marc Smeets and Matthijs Koot
identified two qualities that must be considered in addition to those above when
implementing a viable covert channel: 9
16. (U) Obviously, maximum obfuscation and high utility should be the ultimate
goal of any covert channel design. In addition, those covert channels that have a
high utility will:
17. (U) Failure to consider these two qualities and Llamas' criteria when
implementing a covert channel may cause the implementation to degrade, fail or
become easily detectable by standard network security facilities.
18. (U) In their aforementioned report, Smeets and Koot described the four
possible implementations of network based covert channels based loosely upon the
original classifications in the Orange Book:10
• Value-based spatial channel (storage): This class encodes data within a spatial
container11. Example: Covertly communicating the letter ‘A’ by using it’s 32 bit
representation from a Unicode character set as a TCP Initial Sequence Number.
9
Marc Smeets et al. "Research Report: Covert Channels".
10
Ibid, Marc Smeets et al.
11
Spatial container - A field of arbitrary length within a protocol header used to contain data of a specific
type, e.g. TCP flag field, IPID field, etc.
4
• Value-based temporal channel (time): This class encodes data by
modulating the occurrence of events (time dimension). Example: Using network
packet arrival times or packet arrival order to implement a binary channel.
19. (U) Unlike storage based covert channels which rely upon the manipulation of
storage containers within existing protocol fields, timing channels encode information
by means of a temporal variance (e.g. packet inter-arrival timings) in a
communication channel and are exceedingly more difficult to detect.
20. (U) The two types of covert timing channels include in common use at this
time are:
21. (U) The packet sorting method is self explanatory; the remainder of the this
report will deal with the more complex and more covert presence based timing
channel.
22. (U) Timing channels make use of a prearranged timing schema and protocol
to implement the channel. During each time interval the sender either transmits a
single packet or remains silent. The receiving party monitors the circuit during each
timing interval to determine whether or not a packet was received. The result is a
binary code in which "1" represents a received packet and "0" represents the
absence of a packet; this is demonstrated in Annex J.
23. (U) The data, prior to transmission, is subdivided into smaller blocks of binary
data, referred to as frames.15 While all the frames are of equal length, the actual
length, as well as the interval between frames, is influenced by the parameters of
the encoding schema and the network over which the data is being conveyed.
12
Jitter - a fluctuation in a network transmission; this term always referring to some offset of time and
space from the norm (e.g. in a network transmission, jitter would be a bit arriving either ahead or
behind a standard clock cycle or a variability in round trip times).
13
Sweety Chauhan. "Project Report: Analysis and Detection of Network Covert Channels".
14
Serdar Cabuk et al. "IP Covert Timing Channels: Design and Detection".
15
Frame - a fixed block of data consisting of the information being conveyed and all necessary system
overhead (encryption, protocol control information, etc.); individual frames are delimited by header
and trailer flags that "frame" each block.
5
24. (U) As with all binary communication circuits, the final interpretation of the bit
stream is determined by the prearranged coding and framing schema. In addition to
the information stream, additional overhead bits can be added to the frame for:
25. (U) The most common implementation of a covert timing channel is IP based;
such a channel can be configured to run on any application port. However, it is worth
noting that the choice of protocol used to convey the channel can drastically affect
the degree of obfuscation; this is due primarily to the unique traffic pattern usually
generated by covert channel activity.
26. (U) In addition to the decision regarding the protocol used to convey the
covert channel's information, several other factors that can affect channel
throughput must be taken into consideration:
16
Parity - a technique of checking whether data has been lost that involves the addition of a parity bit to
a group of information bits; this bit is used only for the purpose of identifying whether the information
bits have arrived intact.
17
CRC - "Cyclic Redundancy Check"; a type of hash function used to produce a checksum against a block
of data in order to implement an error detection facility.
18
Hamming Code - a linear error correcting code which can detect single and double-bit errors and
correct single-bit errors.
19
Reed-Solomon Code - an extremely robust detection block based error detection/correction code that
utilizes polynomial over sampling to facilitate advanced error correction.
20
Manchester Encoding - a synchronous communication encoding technique utilized to implement channel
self-timing; this is accomplished by encoding both the timing information (clock) and data into a single
bit stream.
6
27. (U) All four of these factors can affect the synchronization, maximum
throughput and available bandwidth of a timing based channel; they must therefore
be carefully considered when designing a such an implementation. Failure to consider
these factors could contribute to the degradation/failure of the channel and/or
reduce the effectiveness of the obfuscation.
28. (U) As will become evident when network based covert storage channels are
discussed below, the technical issues that must be addressed in order to successfully
implement a timing channel are considerable. However, timing based channels offer
several advantages over storage based channels:
29. (U) As mentioned previously, network based covert storage channels utilize
valid data fields in various protocols to convey the channel's information; each of the
protocols commonly utilized this type of channel will now be addressed individually.
These include:
7
Covert Channels in IP 21 22
30. (U) For the context of this paper, only IPv4 will be addressed as IPv6 has not
been implemented on the organization's networks as of this writing. As
demonstrated in Annex C, several fields exist within the IP header in which covert
channels can be implemented:
• Type of Service - The eight bits within the IP ToS field are rarely used with
original semantics and modern networks seldom make use of the field.
Considering this, up to eight bits of data could conceivably be concealed in
this field.
• IP Flags - The 3 bit flag field is an optional field in the IP datagram and is
used to handle fragmentation issues. As explained in Yogi Mehta's paper23,
the "Don’t Fragment" (DF) flag may actually be considered to be a redundant
bit and thus may be set or unset without any influence on the IP delivery
process. Considering this, it is a possible carrier for covert channels, even
though it can only hold one bit per IP packet.
• IP Options - The 24 bit options (byte 11 and MSB24 of byte 12) field is
optional for each IP datagramme but are unnecessary for the most common
communications; as detailed in RFC 791, the options include provisions for
timestamps, security, and special routing. Despite the fact that some valid
values for this field are specified in RFC 1700, this field may still be used to
implement a covert channel.
• IP Padding - The 8-bit Padding field (LSB25 of byte 12) is used to pad the
Options a to 32-bits block; this field should only contain zeros but could easily
be used to implement a covert channel.
21
Marc Smeets et al, op. cit.
22
Steven Murdoch et al. "Embedding Covert Channels into TCP/IP".
23
Yogi Mehta. "Communication Over the Internet Using Covert Channels".
24
MSB - Most Significant Byte; the bit position in a binary number having the greatest value. The MSB is
sometimes referred to as the left-most bit.
25
LSB - Least Significant Bit; the bit position in a binary number having the least value. The LSB is
sometimes referred to as the right-most bit.
8
Covert Channels in TCP 26 27
31. (U) As was the case with the IP header, the TCP header contains fields in
which a covert channel may be implemented as demonstrated in Annex D:
• TCP Timestamp - The timestamp option consists of two 32 bit fields - the TS
value and the TS echo reply. A covert channel may be implemented in this
field by modulating the LSB of the TCP timestamps transmitted by a host as
described in the paper by John Giffin et al 28.
32. (U) As demonstrated in Annex E, the ICMP protocol has a large data field,
which may be utilized to implement a covert channel. Several tools/methods are
available that enable the implementation of ICMP-based covert channels:
26
Marc Smeets et al, op. cit.
27
Steven Murdoch et al, op. cit.
28
John Giffin et al. "Covert Messaging in TCP".
29
Marc Smeets et al, op. cit.
30
Daniel Stødle. "Ping Tunnel - For Those Times When Everything Else is Blocked".
31
Thorner Gil. "ICMPTX (IP-over-ICMP) HOWTO".
32
Grayworld.net Team. "Skeeve" (PoC tool).
9
• Loki - Loki is a client/server program enables a user to tunnel traffic
within an ICMP packet.33
34. (U) As demonstrated in Annex H, DNS contains several header fields that may
be manipulated to implement a covert channel:
33
Stephen Northcutt et al. "Intrusion Signatures and Analysis".
34
Marc Smeets et al, op. cit.
35
Ibid, Marc Smeets et al.
10
• ANCOUNT - The 16-bit ANCOUNT field is meant to specify the amount of
resource records in the answer section that appears after this header. A
hostile entity exercising control over a rogue DNS server can use this field to
hide up to 16 bits of data.
• QNAME - This field represents the string of text entered as the actual DNS
query and should be in the form of a FQDN36. The QNAME field is limited to
the maximum length of a FQDN, thus an adversary can use up to 255 bytes
so long as it complies to the limit of 63 octets per label in the FQDN.
Depending on the various implementations of the DNS protocol, a covert
channel can ignore these limits and use larger packets. Every answer to a
query consists of the message and query headers, appended with the answer
headers as demonstrated in Annex I; this message is the same for the
answer, authority and additional sections.
• NAME - This field represents the a FQDN to which the resource record
pertains. As with the QNAME field in the query message, the NAME field also
has to comply to the rules of a FQDN.
35. (U) In the case of the four *COUNT DNS fields, the hostile entity controlling
the rogue DNS server must add the proper amount of queries and answers in the
messages after this header as marked in the QDCOUNT, ANCOUNT, NSCOUNT and
ARCOUNT fields.
36. (U) By employing a custom algorithm, the hostile entity can use these fields
as a carrier for covert channels instead of only using it to point out how many
queries or answers will be after this header; this can be accomplished as long as the
number of queries and answers matches these fields.
37. (U) The DNS protocol has multiple potential carriers for covert channels. Tools
that make use of some of these carriers have been around for some time now; one
of the more popular tools, designed by Dan Kaminsky, is "Ozyman"37. In its current
implementation, data is hidden within QNAME and NAME fields, by mimicking queries
of DNS CNAME and TXT records.
36
FQDN - "Fully Qualified Domain Name"; an unambiguous domain name that specifies the node's
absoloute position in the DNS tree hierarchy.
37
Dan Kaminsky. "Attacking Distributed Systems - The DNS Case Study".
11
Network Based Covert Channels - Countermeasures
38. (U) Despite the insidious nature of covert channels, countermeasures are
readily available that can mitigate the threat posed to the integrity of the
organization's networks. Various countermeasure techniques for each of the
protocols and methods discussed earlier will be touched on below.
40. (U) This being stated, several non-commercial solutions have been proposed
in several whitepapers; these include:
41. (U) Unfortunately, as of this writing, research has failed to yield any results in
regards to commercial solutions specifically designed to perform detection of covert
timing channels.
e. define a standard policy on the use of IP ToS field and Option tags
and enforce that policy using an IP-aware traffic normalizer.
38
Vincent Berk et al. "Covert Channel Detection Using Process Query Systems".
39
Marc Smeets et al, op. cit.
40
Traffic Normalizer - A device that sits between the internet and an internal network and removes
"ambiguities" from the traffic flow.
12
Covert Channel Countermeasures - TCP 41
43. (U) The following countermeasures are recommended to counter TCP based
covert channels:
b. route all TCP traffic through a proxy device which establishes a TCP-
connection to the endpoint on behalf of the originator but utilizes its
own ‘trusted’ sequence number generator; and
44. (U) The following countermeasures are recommended to counter ICMP based
covert channels:
c. analysis of the the payload field of ICMP traffic for known magic
numbers, such as ‘0xD5200880’ which is a default for ptunnel traffic;
41
Marc Smeets et al, op. cit.
42
Ibid, Marc Smeets et al.
13
Covert Channel Countermeasures - HTTP 43
45. (U) The following countermeasures are recommended to counter HTTP based
covert channels:
a. define a policy on the use of HTTP headers and enforce that policy
using an HTTP-aware proxy;
46. (U) DNS analysis can be difficult at the best of times. However, several
approaches are available to identify a covert channel within the DNS protocol. Some
points to consider when attempting to identify a DNS-based covert channel are as
follows:
• Is the queried DNS server only used by one or two hosts in the network?
• Does the length of queries and responses outreach the average length?
• Is there excessive use of a particular record that normally isn’t used (e.g.
TXT)?
47. (U) Although a small number of positive answers to the points above
shouldn’t make a host suspect as a rule, it should be clear that with the number of
questions answered in the affirmitive, the likeliness of a covert channel existing in
the DNS traffic flow increases.
43
Marc Smeets et al, op. cit.
44
Borders, Kevin et al. "Wire Tap: Detecting Covert Web Traffic".
45
Marc Smeets et al, op. cit.
14
48. (U) Should the next two points be answered in the negative, it is highly likely
that one is dealing with a covert channel:
• Do replayed lookups through that DNS server provide the same result?
• Do replayed lookups through another DNS server provide the same result?
49. (U) The following countermeasures are recommended to counter DNS based
covert channels which depend (either partially or fully) on crafting DNS headers or
packets:
c. implement a custom IDS ruleset that will alarm on DNS TXT strings
that both exceed a certain length and meet some to the criteria
mentioned above. 46
50. (U) Network based covert communication channels present a clear and
present danger to the integrity of the organization's networks. Considering this,
covert channel countermeasures, such as those discussed above, should be
implemented as soon as the technical/fiscal means become available.
51. (U) Any questions regarding this I&W report may be addressed to the
undersigned.
//signed//
Attachments:
References
Annexes A-K
46
A rule for the detection of TXT based DNS tunnelling already exists in Cisco IDS' rule set (SID
6066.0/TID 4249) but visualization of this signature is current suppressed in NSM5.
15
References
Berk, Vincent et al. "Covert Channel Detection Using Process Query Systems". Date
unknown. Accessed on 12 August 2006. www.pqsnet.net/publications/
CovCh_Flocon05_pres.pdf.
Berk, Vincent et al. "Detection of Covert Channel Encoding in Network Packet Delays".
November 2005. Accessed on 05 August 2006. http://www.ists.dartmouth.edu/
library/149.pdf
Borders, Kevin et al. "Wire Tap: Detecting Covert Web Traffic". Date unknown.
Accessed on 24 August 2006. http://www.eecs.umich.edu/aprakash/papers/
borders-prakash-ccs04.pdf.
Cabuk, Serdar et al. "Covert Timing Channels: Design and Detection". 2005.
Accessed on 24 August 2006. http://www.cs.jhu.edu/~fabian/courses/CS600.624/
slides/week2.pdf.
Cabuk, Serdar et al. "IP Covert Timing Channels: An Initial Exploration". 2004.
Accessed on 24 August 2006. www.cs.georgetown.edu/~clay/research/pubs/
cabuk.ccs2004.pdf.
Castro, Simon. "Covert Channel and Tunnelling Over the HTTP Protocol Detection".
November 2003. Accessed on 09 August 2006. http://www.gray-world.net/
projects/papers/html/cctde.html.
Castro, Simon. "Covert Channel Tunneling Tool Manual". June 2003. Accessed on 10
August 2006. http://www.entreelibre.com/cctt/man_en.html.
Cooper, Robert et al. "The Covert Channel Problem". August 1996. Accessed on 26
August 2006. http://www.cs.unb.ca/tech-reports/files/TR96_111.pdf.
Dubrawsky, Ido. "Data Driven Attacks Using HTTP Tunnelling". August 2004.
Accessed on 12 August 2006. http://www.securityfocus.com/infocus/1793.
i
Giani, Annarita et al. "Data Exfiltration and Covert Channels". Date unknown.
Accessed on 10 August 2006. http://www.pqsnet.net/publications/
Giani_SPIE2006.pdf.
Giffin, John et al. "Covert Messaging in TCP". 2002. Accessed on 24 August 2006.
http://www.eecs.harvard.edu/~greenie/tcpcovertchannels.ps.
Grayworld.net Team. "Skeeve" (PoC tool). June 2004. Accessed on 23 August 2006.
http://gray-world.net/poc_skeeve.shtml.
Harris, Shon. "CISSP All-in-One Exam Guide". Third Edition. Emeryville: McGraw-Hill
Osbourne Media. 2003.
Hélouët, Loïc et al. "Covert Channels Detection in Protocols Using Scenarios". Date
unkown. Accessed on 29 July 2006. http://www.labri.fr/~zeitoun/research/articles/
confs/03-SPV/spv03.pdf.
Hoglund, Greg et al. "Rootkits: Subverting the Windows Kernel". First edition.
Boston: Addison Wesley Professional. 2005.
Kaminsky, Dan. "Attacking Distributed Systems -The DNS Case Study". 2003.
Accessed on 22 August 2006. http://www.doxpara.com/slides/
BH_EU_05-Kaminsky.pdf.
Llamas, David et al. "An Evaluation Framework for the Analysis of Covert Channels in
the TCP/IP Protocol Suite". June 2005. Accessed on 1 August 2006.
http://www.davidllamas.org/Portals/2/0507-ECIW/0507-ECIW-Paper.pdf.
Llamas, David et al. "Covert Channel Analysis and Detection with Reverse Proxy
Servers using Microsoft. Windows". June 2004. Accessed on 4 August 2006.
http://www.davidllamas.org/Portals/2/0406-ECIW/0406-ECIW-Paper.pdf.
Llamas, David et al. "Covert Channels in Internet Protocols: A Survey". June 2005.
Accessed on 4 August 2006. http://www.davidllamas.org/Portals/2/0506-PGNET
/0506-PGNET-Paper.pdf.
ii
MacLure, Stuart et al. "Hacking Exposed: Network Security Secrets and Solutions".
Fourth edition. Berkeley: McGraw-Hill Osborne Media. 2003.
Mehta, Yogi. "Communication Over the Internet Using Covert Channels". July 2005.
Accessed on 20 August 2006. http://www.cs.drexel.edu/~vp/CS743/Papers/
ypm23-hw2.pdf.
Murdoch, Steven et al. "Covert Channels in TCP/IP: Attack and Defence". December
2005. Accessed on 7 August 2006. http://www.cl.cam.ac.uk/~sjm217/talks/
ccc05covert-tcp.pdf.
Murdoch, Steven et al. "Embedding Covert Channels into TCP/IP". July 2005.
Accessed on 29 July 2006. http://www.cl.cam.ac.uk/~sjm217/papers/
ih05coverttcp.pdf.
Rutkowska, Joanna. "Concepts for the Stealth Windows Rootkit". September 2003.
Accessed on 20 August 2006. http://www.invisiblethings.org/papers/
chameleon_concepts.pdf.
Smeets, Marc et al. "Research Report: Covert Channels". February 2006. Accessed
on 13 August 2006. http://www.os3.nl/~mrkoot/courses/RP1/researchreport_2006-
02-15_final2.pdf.
Stevens, W.R. "TCP/IP Illustrated Volume 1: The Protocols". First edition. Boston:
Addison Wesley Professional. 1994.
Stødle, Daniel. "Ping Tunnel - For Those Times When Everything Else is Blocked".
May 2005. Accessed on 22 August 2006. http://www.cs.uit.no/daniels/PingTunnel.
Van Horenbeeck, Maarten. "Entity Tags as an HTTP Covert Channel". June 2006.
Accessed on 12 August 2006. http://www.daemon.be/maarten/etagtunnel.html.
Wagner, Aaron et al. "Information Theory of Cover Timing Channels. 2003. Accessed
on 05 August 2006. http://www.eecs.berkeley.edu/~ananth/2005+/Aaron/
VA_ArmeniaNew.pdf.
iii
Annex A - Simple Covert Channel 47
The diagram above demonstrates a rudimentary covert channel that has been
implemented by a hostile party. The workstation on the internal network has been
compromised and a covert channel has been brought online by a Trojan.
The firewall allows certain protocols (e.g. HTTP, HTTPS, DNS) to pass
between the internal network and the internet with no restrictions. The hostile party
takes advantage of this and sets up a covert channel which allows information to
covertly tunneled through the firewall in an allowed protocol.
47
Marc Smeets et al, op. cit.
A-1
Annex B - Potential Purposes of a Covert Channel 48
The basic purposes of covert channels will vary depending on the direction of
traffic flow and whether or not the flow is continuous or blocked; this is
demonstrated in the table above.
Annex C – IP v4 Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset....|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding....|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
48
Marc Smeets et al, op. cit.
A-2
Annex D – TCP Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Urgent Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options (including timestamp).........| Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The TCP header contains several fields that may be utilized to implement a
covert channel; the fields in question are highlighted above.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data .....................................................|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
The ICMP header contains a single field that may be utilized to implement a
covert channel; the field in question is highlighted above.
Full-Request = Request-Line
*( General-Header
| Request-Header
| Entity-Header )
CRLF
[ Entity-Body ]
The HTTP 1.0 request specification contains several fields that may be utilized
to implement a covert channel; the fields in question are highlighted above.
A-3
Annex G - HTTP 1.0 Response Specification
Full-Response = Status-Line
*( General-Header
| Response-Header
| Entity-Header )
CRLF
[ Entity-Body ]
The HTTP 1.0 response specification contains several fields that may be
utilized to implement a covert channel; the fields in question are highlighted above.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|......................ID.......................|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR| Opcode |AA|TC|RD|RA| Z | RCODE |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|................... QDCOUNT....................|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|................... ANCOUNT....................|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|................... NSCOUNT....................|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|................... ARCOUNT....................|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| |
/ QNAME /
/ /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| QTYPE |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| QCLASS |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
A-4
DNS Response Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| |
/ /
/ NAME /
|...............................................|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| TYPE |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| CLASS |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| TTL |
| |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| RDLENGTH |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
/ RDATA /
/ /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Covert channels may be ensconced within the *NAME fields of DNS query and
Answer headers; the fields in question are highlighted above.
A-5
Annex J - Network Based Covert Timing Channel Example 49
In the example above, the data (in this case, a passage from the Bard's
"Tragedie of Macbeth") is encoded using a predetermined coding scheme. The
encoded data is then sequentially transmitted one bit at a time at a predetermined
timing interval to the receiver; a predetermined delay interval acts to separate each
byte of information.
49
Serdar Cabuk et al, op. cid.
A-6
Annex K - Covert Channel Analysis - PQS Lab Display50
50
Thayer School of Engineering at Dartmouth College. PQS Project. http://www.pqsnet.net/display.
A-7
Annex L - Acknowledgements
Information regarding this paper's subject was culled from many sources as
noted in the references; however, the bulk of the information deals with the
decades-old concepts of system-based covert channels.
This being stated, the majority of the information regarding network based
covert channels was gleaned from the works of:
a. Mr. Marc Smeets and Mr. Matthijs Koot ("Research Report: Covert
Channels");
c. Mr. Serdar Cabuk, Mrs. Carla Brodley and Mr. Clay Shields (multiple
publications);
A-8