Covert Channel Analysis and Data Hiding in TCP/IP


Covert Channel Analysis and Data Hiding in TCP/IP

David Llamas

A thesis submitted in partial fulfilment of the requirements of Napier University for the degree of Bachelor of Science with Honours in Software Technology

May 2004

Supervisor: Dr. William Buchanan
2nd Marker: Professor Peter Ross

Contents

Authorship Declaration
Abstract
List of Tables
List of Figures
Acknowledgements
Introduction
  Introduction
  Scope, Aims and Contribution of this Honours Project
  Background
  History
  Information Hiding
    Classification
Theory
  Introduction
  Covert Channels
    Classification
    Potential uses
  TCP/IP Protocol Suite
    Physical Layer/Device Layer
    Internet Layer
    Transport Layer
    Application Layer
    Security
  Reverse Proxy Server
  Windows NT/2000 Network Subsystem Architecture
    Microsoft Windows NT/2000 network architecture components
    Network traffic filtering technologies for Windows
Literature Review
  Introduction
  LAN Environments
  LAN Protocols
  Data Hiding in OSI Model
    Physical layer
    Data Link layer
    Network layer
    Transport layer
    Session layer
    Presentation layer
    Application layer
  Covert Channels in the TCP/IP Protocol Suite
    Method One - Manipulation of the IP Identification Field
    Method Two - Initial Sequence Number Field
    Method Three - The TCP Acknowledge Sequence Number Field "Bounce"
    Method Four - Through the packet sorting (IPSec)
Design
  Introduction
  System Specification
  Development Methodology
  Classes, Global Functions, Variables and Structures
Implementation
  Covert Agent
  Covert Controller
  Reverse Proxy Server
  Covert Viewer
  Packet Sniffer
Results
  Monitoring and Detection
  Prevention and Countermeasures
  Capacity, Performance and Payload
Conclusions and Future Work
References
Appendix
  Honours Project Contract
  Diary Sheets
  ECIW 2004 Conference Paper
  Source Code: Agent.cs, Sniffer.cs, MainForm.cs, ReverseProxyServer.cs, SnifferStateObject.cs, CovertViewer.cs, CovertViewerStateObject.cs, CovertAgent.h, CovertAgent.cpp, ColumnDataCollection.cs, ColumnData.cs

Authorship declaration

I, David Llamas, confirm that this dissertation and the work carried out to complete it are all of my own achievement.
1. Where I have consulted and used work of others in the context of this dissertation, this has been clearly accredited.
2. This dissertation is all my own work.
3. I have acknowledged all main sources of help.

Signed: David Llamas
BSc (Hons) Software Technology Student
Email: david@steganography.org, david@inchcolm.org
Napier University, School of Computing, 10 Colinton Road, Edinburgh EH10 5DT, Scotland
Date: 5th May 2004

Abstract

Data hiding methods can be used by intruders to communicate over open data channels (Rowland 1996; deVivo, deVivo et al. 1999), and can be used to overcome firewalls and most other forms of network intrusion detection systems. Most detection systems can detect hidden data in the payload, but struggle to cope with data hidden in the IP and TCP packet headers or in the session layer protocol. This Honours Project proposes a novel architecture for data hiding, and presents methods which can be used to detect the hidden data and prevent the use of covert channels for its transmission. It also presents the method used to create such a system for Microsoft Windows platforms.

The scenario consists of a user who connects from his computer to a web server. In fact, the connection is made to a Reverse Proxy Server (RPS), which is the one in charge of connecting to the web server, collecting the requested information and returning it to the user. For the user this takes place transparently, as if he had connected directly to the web server. It has to be highlighted that the RPS does not need to be configured in advance by the user. Because of that, the RPS becomes a strategic piece of middleware able to analyse and manipulate the traffic between a user and a server on the Internet in a discreet mode. This ability has been used in this project to send covert messages in the outgoing packets that leave the RPS towards the user. While the user is browsing, he can observe the incoming covert message through a separate window provided by an application called the Covert Viewer. A network packet sniffer has also been developed in this Honours Project, so that the user can observe how the message is transmitted in the network packets, through a technique that is explained later on.

On the RPS side there are basically two applications: the Data Hiding Intelligent Agent (DHIA) and the RPS itself. As explained above, the mission of the RPS is to capture the user's requests, forward them to the relevant server, collect the server's answer and send it back to the user. The DHIA is in charge of manipulating the outgoing packets to send the covert message. The technique used by this component is to insert in the Identification field of the IP header (version 4) the ASCII value of the character to be sent. As explained further on, the TCP/IP protocol suite has weaknesses in its design that facilitate the manipulation of its fields. The DHIA allows the sending of covert messages to specific IP addresses that have requested a specific port to be configured through an XML file.

This Honours Project has based the design and implementation of the RPS and DHIA on the Microsoft Windows platform, which has increased the complexity of the development. Tools for this kind of project are usually developed on Unix platforms, as the source code of the operating system is available and can be modified for this purpose. In this case, techniques were needed that allow the interception of a subset of functions from kernel mode. There are several techniques to do this; in this case, for the kernel mode traffic filtering, the NDIS Hooking Filter Driver has been used. All attempts to manipulate the IP header in user mode, above the TCP/IP driver layer, were unsuccessful, as the proprietary driver of Microsoft Windows platforms does not allow it. At the kernel mode level, intercepting the NDIS functions working below the TCP/IP driver of Microsoft Windows platforms was possible, although several issues had to be taken into account. For example, if a manipulated IP packet was requested again by the destination host from the sender, the sender did not recognise the manipulated packet, so the packet had to be un-manipulated first.

The implementation of all the pieces of software involved in this Honours Project has been successfully completed using the techniques explained above, but initially exhaustive research had to be done to learn the different systems and programming languages that could fulfil the objectives. The implementation has finally been done by creating a DLL in C++ in charge of the lower level aspects: extracting the Ethernet frames at the Data Link level, extracting the IP packets from them, manipulating the Identification field, recalculating the checksum and resending. The remaining functionality, as Microsoft Windows platforms were being used, has been done in C#: the main functionality of the RPS, the network packet sniffer and the covert message viewer.

Regarding the results, it has been very interesting to observe, in the first place, that what this Honours Project set out to do has been achieved, as the user receives the covert message as specified, taking into account that it was sent from a Microsoft Windows server using the techniques described above. The results offered by the network packet sniffer have been essential for testing this. Secondly, it has also been possible to prove that the DHIA combined with the RPS can perform monitoring, detection, prevention and countermeasure functions. Finally, some metrics about capacity and performance have been obtained, which confirm the significant impact that the manipulation of IP packets has in comparison with the usual working of a network.

Keywords: Data Hiding, Covert Channel, TCP/IP, Reverse Proxy Server, Microsoft Windows

Note: This report follows the requirements specified in the Project Handbook v2 (Lawson and Varey 2001), and it is within the expected length of words for the main text. Report appendices are not considered part of the main text.
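The IP Identification channel the abstract describes (one ASCII value per packet, checksum recalculated, and the un-manipulation step for retransmitted packets), seen from the detection side as an added example that is not part of the thesis or its C#/C++ sources: it parses IPv4 headers, verifies and recomputes the RFC 791 header checksum, decodes the field the way the Covert Viewer would, and flags flows whose Identification values all fit printable ASCII. The packets, the 192.0.2.x addresses (RFC 5737 documentation range) and the message are constructed for the demonstration.

```python
"""IPv4 header parsing, checksum and Identification-field covert channel
detection. Added example written for this page; it is not code from the
thesis or its C#/C++ sources. Packets, addresses and the message are
constructed here for the demonstration."""
import struct
from typing import Dict, List, Optional


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement
    sum of the header's 16-bit words (checksum field taken as zero)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(ident: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4, no options, TTL 64, protocol TCP,
    with a correct header checksum. Used only to feed the functions below."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         ident & 0xFFFF, 0, 64, 6, 0, src_b, dst_b)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def parse_ipv4_header(packet: bytes) -> Optional[Dict[str, object]]:
    """Return the fields a detector needs, or None if the bytes are not a
    well-formed IPv4 header carrying a valid checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    header = packet[:ihl]
    # Summing the whole header, stored checksum included, folds to 0xFFFF
    # when the checksum is right, so its complement is 0.
    if ipv4_checksum(header) != 0:
        return None
    ident, proto, src, dst = struct.unpack("!4xH3xB2x4s4s", header[:20])
    return {"id": ident, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def set_identification(packet: bytes, ident: int) -> bytes:
    """Rewrite the Identification field and recompute the header checksum.
    This is the step the abstract calls un-manipulating a packet before the
    sender's own stack sees it again; a header changed without a recomputed
    checksum is simply discarded by the receiving host."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    struct.pack_into("!H", header, 4, ident & 0xFFFF)
    struct.pack_into("!H", header, 10, 0)           # zero before summing
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def flow_ids(packets: List[bytes], src: str, dst: str) -> List[int]:
    """Identification values, in arrival order, of the packets of one flow."""
    out = []
    for pkt in packets:
        h = parse_ipv4_header(pkt)
        if h and h["src"] == src and h["dst"] == dst:
            out.append(h["id"])
    return out


def decode_id_channel(packets: List[bytes], src: str, dst: str) -> str:
    """What the Covert Viewer does: one ASCII character per packet, read
    from the Identification field (values above 255 are not characters)."""
    return "".join(chr(i) for i in flow_ids(packets, src, dst) if i < 0x100)


def flow_looks_covert(packets: List[bytes], src: str, dst: str,
                      min_packets: int = 8) -> bool:
    """Detection heuristic. A normal stack spreads Identification over all
    16 bits (a counter or a random value), so a run of min_packets packets
    whose IDs all fall in printable ASCII (0x20..0x7E) is flagged. A counter
    passing through that range can false-positive briefly, which is why a
    minimum run length is required."""
    ids = flow_ids(packets, src, dst)
    return len(ids) >= min_packets and all(0x20 <= i < 0x7F for i in ids)


# Constructed sample traffic: the proxy sending "hidden msg" to a client, one
# character per packet, beside a flow whose IDs come from a 16-bit counter.
PROXY, CLIENT = "192.0.2.10", "192.0.2.25"
COVERT_FLOW = [build_ipv4_packet(ord(c), PROXY, CLIENT) for c in "hidden msg"]
NORMAL_FLOW = [build_ipv4_packet(0x1A2B + i, PROXY, CLIENT) for i in range(10)]

if __name__ == "__main__":
    print("covert flow decodes to:", repr(decode_id_channel(COVERT_FLOW, PROXY, CLIENT)))
    print("covert flow flagged:", flow_looks_covert(COVERT_FLOW, PROXY, CLIENT))
    print("normal flow flagged:", flow_looks_covert(NORMAL_FLOW, PROXY, CLIENT))
```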

List of Tables

Table 1 - Number of publications on digital watermarking, INSPEC January 99
Table 2 - Capacity estimation

List of Figures

Figure 1 - Information hiding terminology
Figure 2 - A classification of information hiding techniques
Figure 3 - Covert channels
Figure 4 - TCP/IP protocol suite
Figure 5 - OSI network model vs. TCP/IP network model
Figure 6 - Covert channels with data hiding on the proxy
Figure 7 - Windows 2000 network architecture diagram
Figure 8 - OSI network model
Figure 9 - IP header v4
Figure 10 - The AH header
Figure 11 - The ESP header
Figure 12 - Packets generated from an IPSec-implemented node having sorted sequence numbers
Figure 13 - Components data flow of the reverse proxy system
Figure 14 - Network packets
Figure 15 - Spiral model
Figure 16 - From covert agent
Figure 17 - From covert agent
Figure 18 - From covert controller
Figure 19 - From reverse proxy server
Figure 20 - From covert viewer
Figure 21 - From packet sniffer
Figure 22 - Mini-laboratory
Figure 23 - Packet sniffer
Figure 24 - Covert viewer
Figure 25 - Covert controller
Figure 26 - Covert controller XML file
Figure 27 - Data-hiding problem space
Figure 28 - Capacity estimation

1 Acknowledgements

I would like to thank my supervisor, Dr William Buchanan, for his help and encouragement throughout this project. I am also grateful to Professor Peter Ross for being part of my Honours Project committee. In addition, I would also like to thank Colin MacKay for his advice about the technology aspects of the project, Charlie Hussey for his constant inspiration and unconditional support, and Loreta Gaiteiro for her assistance in providing constant coffee during several weeks.

2 Introduction

2.1 Introduction
This section introduces the report by specifying the scope, aims and contribution of this Honours Project, and by offering an introductory background to the subjects.

2.2 Scope, Aims and Contribution of this Honours Project
A covert channel is an information flow mechanism within a system that is based on the use of system resources not normally intended for communication between the users of the system (McHugh 1995). The main aim of this project is to investigate data hiding in general and to focus on the application of covert channels in the TCP/IP protocol suite. For this, several pieces of software have been developed:
- A Reverse Proxy Server with an embedded Data Hiding Intelligent Agent (DHIA).
- A Data Hiding Viewer.
- A Packet Sniffer to analyse the network traffic and some specific aspects of the covert channel technique.
This prototype, composed of all these elements, is focused on the technique of manipulating the Identification field of the IP header version 4 (Rowland 1996). While the user is navigating around a web site through the Reverse Proxy Server, the Data Hiding Viewer on the client side shows, in a separate window, the hidden data sent by the DHIA embedded in the Reverse Proxy Server. The Packet Sniffer shows the content of all IP packets.
This project also makes the contribution of creating a fully functional design and prototype to be run on the proprietary Microsoft Windows platform. The Reverse Proxy Server and the DHIA, which have the ability to use covert channel techniques within the TCP/IP protocol suite on Microsoft Windows platforms, are a novel contribution to the community. No other application with these features on Microsoft Windows platforms has been found, at least in the public domain, after researching hundreds of papers and journal articles, Internet newsgroups and software databases. Most of the currently available tools related to data hiding techniques are based around the UNIX operating system, as the source code of this operating system is available and can be modified for these purposes.
To highlight the success of this project, a paper has been accepted for the 3rd European Conference on Information Warfare and Security (ECIW), held at Royal Holloway, University of London, on 28 and 29 June. See the appendices for the paper.

2.3 Background
Security is now one of the major issues in computing. There is thus an increasing interest in information hiding, such as steganography, covert channels, watermarking, anonymity and so on, as these have been considered among the most sophisticated and advanced techniques for attacking systems and networks, and can be used for passing information without it being detected. The increasing interest can be seen in Table 1 - Number of publications on digital watermarking, INSPEC January 99. No more recent information can be found on this, but it can be seen that there has been a large number of publications in the past few years.

Table 1 - Number of publications on digital watermarking, INSPEC January 99 (columns: Year, Publications)

The covert channel technique is, in essence, a form of communication which is not part of the actual or original computer design, but can be used to transfer information between users. Covert channels have existed in many systems, including in the protocols used for internetworking and communication. These channels can easily go unnoticed, thus providing an excellent means for hiding information in them (Venkatesh 2003). Proxy servers are probably one of the most interesting applications for intervening in networks, as they can act at any level and can run in a discreet mode, where no one can detect their observation or manipulation of traffic. Because of this, the proxy server is the type of application that has been chosen to embed the DHIA in, in order to apply the covert channel technique. Along with this, in the TCP/IP protocol suite there are numerous ways in which covert channels can be established and data can be surreptitiously passed between any two hosts. This Honours Project attempts to illustrate the weaknesses of the TCP/IP protocol suite by analysing and using data hiding covert channel techniques based on reverse proxy servers, in both theoretical and practical examples, implemented on the proprietary Microsoft Windows platform.

2.4 History
Throughout history people have hidden messages using very different methods and techniques (Kahn 1996). These techniques have helped to win or lose wars, disguised secret religions or secured financial transactions (Wrixon 1998). Examples of steganography go back to antiquity. A famous example can be found around 440 BC, where two significant Persian leaders communicated secretly by shaving the head of one of their slaves and tattooing a message on it. Once the hair grew back, the slave was sent to the co-conspirators, who read the message by shaving the head again (Johnson and Jajodia 1998). A technique as simple as this was also used years later by the Germans in the Second World War. Another ancient technique can be found in Greece, where a man warned Sparta of an imminent invasion by writing a message after scraping the wax off a tablet. Once the message was written, he covered the tablet with wax again, so that it was not noticed that it carried a message (the tablet looked like a blank one) (Petitcolas, Anderson et al. 1999).
Another example of the technique was to hide messages with invisible ink, where an innocent letter can cover a very different message written between the lines (Johnson and Jajodia 1998). As early as CE 600, the Arabs were using invisible inks to communicate throughout their extensive empire (Wrixon 1998). Originally these inks were made of commonly used organic substances such as onion, milk and vinegar (Katzenbeisser and Petitcolas 2000); they were developed in Europe in the Middle Ages and, by 1700, knowledge of these methods had crossed the Atlantic (Wrixon 1998). Invisible ink was also commonly used during the First World War; however, with the invention of universal developers in the 20th century, it became possible to determine which part of a paper had been treated in this way (Petitcolas, Anderson et al. 1999).
In 1857 Brewster suggested the idea of hiding secret messages in spaces no larger than a full stop or a small dot of ink (Petitcolas, Anderson et al. 1999). These techniques started to be developed during the Franco-Prussian War, when René Dagron reduced military documents on film to a few millimetres. Although this did not help the French to win the war, it was important for what would later be called the microdot (Wrixon 1998). The microdot technique was further developed by the Germans during the First World War and was also used during the Second World War. The FBI director J. Edgar Hoover referred to this technique as "the enemy's masterpiece of espionage" (Wrixon 1998). A modern adaptation of these techniques is still in use nowadays for document security (Katzenbeisser and Petitcolas 2000).
Documents themselves can hide information. Open-coded messages, such as an apparently innocent letter, can hide information through the use of null ciphers (unencrypted messages). A good example of this is the text below, which was sent by a German spy in World War II (Johnson and Jajodia 1998):

Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils.

By extracting the second letter of each word the following hidden message can be read:

Pershing sails from NY June 1

In the case of watermarking, this technique was used more than 700 years ago in Italy to differentiate the paper brand and the mill that produced it (Al-Ahmad and Mualla). By the 1900s, watermarks on paper in Europe and America had been used as trademarks, to record the date of manufacture, or to indicate the size of the original sheets. Watermarks are commonly used on paper money to avoid counterfeiting (Huang 2002). Nowadays, information-hiding techniques have gone public and are more commonly used. In any case, as has happened in the past, the military and security entities are the ones who contribute most to the development of these techniques.

2.5 Information Hiding
Information hiding has been around for centuries. This section defines some of the terminology used in this topic and a proposed classification. Given the increased general interest in data hiding techniques, some common terminology was agreed at the First International Workshop on Information Hiding, held in Cambridge. It was decided that most of the applications have the common core shown in Figure 1 - Information hiding terminology (Pfitzmann 1996). The items used are:
- Embedded <datatype>. Something to be hidden in something else.
- Stego-<datatype>. The output of the hiding process; something that has the embedded message hidden in it.
- Cover-<datatype>. An input with the original form of the stego-message. In some applications such a cover message is given from the outside; in others it can be chosen during the hiding process. The latter is represented by the dashed extension to the inner hiding process.
- Stego-key, or simply key. Additional secret data that may be needed in the hiding process. In particular, the same key (or a related one) is usually needed to extract the embedded message again.

Figure 1 - Information hiding terminology

2.5.1 Classification
Data hiding techniques have become much more open and public in the last few years. This has created some confusion in the terminology and in the differences between the techniques. In (Petitcolas, Anderson et al. 1999) a classification of information hiding techniques is suggested, as can be seen in Figure 2 - A classification of information hiding techniques. This is based on the agreements reached at the First International Workshop on Information Hiding (Anderson 1996). Steganography is the art of hiding information in ways that prevent the detection of hidden messages (Johnson and Jajodia 1998). In this case the existence of the message is not known, hence a successful attack consists in detecting that existence. In linguistic steganography the carrier medium is text, whilst in technical steganography the carrier medium is non-text, such as graphic files, photos, and so on.
In the case of copyright marking, the most important characteristic is robustness against possible attacks (Petitcolas, Anderson et al. 1999). In fact, many copyright marks are not hidden, such as a company logo, and their main purpose is to differentiate one product or service from others and thus give it a unique identity. Cryptography is commonly used in information hiding. However, it is not included within this area, as the message is not hidden: it is clear that there is a message, but it cannot be read unless the required decoding method is known. Unlike steganography, the main issue is not to detect the message, as this can easily be intercepted, but to decrypt it once it has been intercepted.

Figure 2 - A classification of information hiding techniques

3 Theory

3.1 Introduction
This section provides the theory behind the main aspects of the project, which are:
- Covert channels.
- TCP/IP communications and its protocol suite.
- Reverse proxy servers.
- The kernel mode in Microsoft Windows NT platforms.

3.2 Covert Channels
A covert channel is a communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy (Berg 1998). It is thus a way of communicating which is not part of the original design of the system, but can be used to transfer information to a process or user that, a priori, would not be authorised to access that information. They typically only exist in systems with multilevel security (Proctor and Neumann 1992), which contain and manage information with different sensitivity levels. Such systems allow different users to access the same information at the same time, but from different points of view, depending on their need to know and their access privileges.

3.2.1 Classification
The covert channel concept was introduced in 1973 (Lampson 1973), and covert channels are now generally classified based on (Gligor 1993):
- Scenarios. In general, when building covert channel scenarios, a distinction is made between storage and timing covert channels (Lipner 1975). Storage covert channels are those where one process writes data directly (or indirectly) whilst another process reads it. They generally use a finite system resource that is shared between entities with different privileges. Covert timing channels use the modulation of certain resources, such as CPU timing, in order to exchange information between processes.
- Noise. As with any other communication channel, covert channels can be noisy, and vary in their immunity to noise. Ideally, a channel immune to noise is one where the probability of the receiver receiving exactly what the sender has transmitted is unity, and there is no interference in the transmission. Obviously, in real life it is very difficult to obtain such perfect channels; hence it is common to apply error correction codes, which in turn reduce the bandwidth.
- Information flows. With conventional transmission lines, different techniques are applied to increase the bandwidth. A similar effect can be achieved in covert channels. Channels where several information flows are transmitted between sender and receiver are defined as aggregated channels and, depending on how the sent variables are initialised, read and reset, aggregations can be classified as serial, parallel, and so on. Channels with a single information flow are called non-aggregated.

3.2.2 Potential uses
Concern about the presence of covert channels is common in high security systems (Figure 3 - Covert Channels), such as military ones, where typically two observed users know that someone wishes to listen to their conversations. Many of the studies on these attacks, based on covert channels and their prevention, have been done by US government and military bodies, such as the National Security Agency, the US Air Force, the National Computer Security Centre, and so on (Buchanan and Llamas 2004). However, covert channels can also exist in other environments, especially in protocols like the TCP/IP protocol suite (Rowland 1996).

Figure 3 - Covert Channels (diagram: Suspect A and Suspect B communicating over monitored channels such as bank records, Internet communications, wire taps, postal messages and mail messages; a covert channel is typically used when the suspects know that they are being monitored)

3.3 TCP/IP Protocol Suite
TCP/IP is a set of protocols developed for the Internet in the 1970s to provide an orderly flow of information between one host and another over a network. A high-level explanation based on Figure 4 - TCP/IP Protocol Suite is offered by (Johnston 2003). The layers of the model are covered next.

3.3.1 Physical Layer/Device Layer
At the lowest layer is the Physical Layer, which is concerned with the electrical and mechanical connections to the network (HyperDictionary 2003). Above this is the Device Layer, which is a set of software protocols. These check for transmission errors in the device layer and control the line discipline of setting up the connection.

Figure 4 - TCP/IP Protocol Suite

Figure 5 - OSI Network Model vs. TCP/IP Network Model

See Figure 5 - OSI Network Model vs. TCP/IP Network Model for a comparison of both network models.

3.3.2 Internet Layer
The network layer provides network addressing and data routing. It also ties all the device layers together and enables data packets to be routed between networks that are not directly connected, where each packet can go through multiple hops. A good example of a network address is IP, which stands for Internetworking Protocol. Alongside this, other protocols such as ICMP provide the control messages it requires, like "Host unreachable" and "Connection refused". BGP and OSPF are vital, as they let routers exchange information about who is connected to whom. This is what enables a data packet to go from a host to anywhere on the Internet.

3.3.3 Transport Layer
Above the network layer there are various protocols in the Transport Layer. This layer uses the network layer to provide a virtually error-free, point-to-point connection, so that host A can send messages to host B and they will arrive uncorrupted and in the correct order. For this it establishes and dissolves connections between hosts (HyperDictionary 2003). Two of the most popular transport layer protocols are UDP and TCP. UDP provides a quick, but not guaranteed, way to send individual data packets. On the other hand, TCP uses a complex system of acknowledgements and retransmissions to provide a reliable two-way data stream. An important feature of these transport protocols is that they contain the port number that enables multiple network applications to run on a single host.

3.3.4 Application Layer
At the top is the Application Layer, which contains all the protocols used by applications, such as those for remote administration, and so on. This layer handles issues like network transparency, resource allocation and problem partitioning. The application layer is concerned with the user's view of the network, such as formatting electronic mail messages (HyperDictionary 2003). An important application is DNS (Domain Name System), which translates host names into IP addresses. As TCP and IP provide the foundation of the connection, these protocols can be relatively simple. In the simplest case a WWW browser just says "GET /" and the server sends back the index page.

3.3.5 Security
There are two main provisions for security: SSL (Secure Sockets Layer) and IPSec. SSL provides encryption for a TCP connection. First a digital certificate is presented by the server, so that the client knows that the site really does match the domain name, and then all communication is encrypted to prevent eavesdropping. Most high-level protocols work the same over SSL, such as HTTPS, which is just HTTP over SSL. IPSec is an alternative approach that provides encryption without the TCP layer; this is more useful in creating a Virtual Private Network (VPN).

3.4 Reverse Proxy Server
The systems used in covert channels typically have to be fairly standard in their design. Thus an ordinary proxy server could be used as an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target. The proxy then requests the content from the origin server and returns it to the client. The client must thus be specially configured to use the forward proxy to access other sites (Apache 2001). These proxies can either be forward-looking devices or work in reverse. A forward proxy typically provides Internet access to internal clients that are otherwise restricted by a firewall, and can use caching to reduce network usage. A reverse proxy, by contrast, appears to the client just like an ordinary WWW server, and no special configuration on the client is necessary. The client thus makes ordinary requests for content in the name-space of the reverse proxy. The proxy then decides where to send these requests, and returns the content as if it were itself the originator (Apache 2001). A typical use of a reverse proxy is to provide Internet users with access to a server that is behind a firewall (Buchanan and Llamas 2004).
With regard to security, and control over the information transport mechanisms, it is more important than ever to guarantee their correct operation under normal circumstances and also when attacks take place. It is also required to ensure that these transport mechanisms, which are typically the protocols used, are not used to hide information. An ordinary proxy server is thus useful for this, as it concentrates on the traffic associated with the user, both incoming and outgoing, and allows the creation of different kinds of restriction rules, authentication rules, and so on. The use of forward proxy servers implies a specific configuration on the client side, which, in some ways, assumes that the user is aware of their connection with external networks, and will be subject to some rules and controls. In a reverse proxy server, the client views the accessed device like an ordinary service (for example, a WWW server). Thus, no special configuration on the client is required. Depending on the kind of reverse proxy server, the content can be returned as if the proxy were itself the origin.
This project proposes a novel architecture for data hiding and detection through a Data Hiding Intelligent Agent (DHIA) which is embedded in a reverse proxy server (Figure 6 - Covert channels with data hiding on the proxy). The DHIA is responsible for hiding and detection activities, as well as prevention management and the application of countermeasures to the use of protocols as a mechanism for transporting information. In the current security context, where almost anything can be considered information, the use of solutions based on stegano-components is highly recommended, as they allow for hidden components that can work in a discreet mode (Buchanan and Llamas 2004). Although it is not the focus of this project, a novel technique known as Dynamic Reverse Proxy (DRP) is presented, where a dynamic connection is established between the user and the reverse proxy server without requiring any configuration on the client side. This link is totally independent, with its own properties and methods; it is in charge of the control and analysis of the traffic, and always operates in a hidden way and in a discreet mode.

[Figure 6 - Covert channels with data hiding on the proxy: A modifies the data packets by adding information into the unused parts of the packet; the firewall (F) treats the page as a valid one; B uses a WWW browser to access and view the page, but uses a packet reader to read the required field in the packet.]

3.5 Windows NT/2000 Network subsystem architecture

A novel aspect of this project is the implementation of the covert channels on a Microsoft Windows platform. In all the Windows operating systems the TCP/IP implementation is proprietary and its source code is not accessible, which means that the manipulation of the packets of any protocol in the TCP/IP suite is not possible from the levels above the TCP/IP driver. This makes the use of these techniques on a Windows platform more complex.

3.5.1 Microsoft Windows NT/2000 network architecture components

The Microsoft Windows NT/2000 network architecture is composed of software components that provide networking abilities to the operating system. Network communication begins when an application program attempts to access resources on another computer, normally using a layered approach (such as using the network layer for network addressing and the transport layer for data segmentation). Each layer communicates only with the layer immediately above and below itself (Microsoft Corporation 2000). From an operational point of view, this layered approach is typically seen from two levels:

Kernel mode. This is where the processor executes all instructions, including those designated privileged, and can access all of the memory. This mode provides a set of services that the rest of the system can use. In Windows, it calls the Hardware Abstraction Layer (HAL) to handle any necessary platform-specific operations.

User mode. This is where an application can only access the memory to which the operating system has granted it permission. A user-mode program can ask the operating system to change the memory map, but it is the kernel mode which actually makes the change, if it decides the change is permissible.

Figure 7 - Windows 2000 Network Architecture Diagram shows these modes and the affected drivers and components.

[Figure 7 - Windows 2000 Network Architecture Diagram]
  User mode, layers 7 Application / 6 Presentation / 5 Session: RPC providers, Named Pipes, NetBIOS driver, Redirector, Servers, Winsock driver
  (user mode / kernel mode boundary)
  Kernel mode: Transport Driver Interface (TDI), STREAMS
    4 Transport / 3 Network: transport protocols
    2 Data Link (LLC): NDIS interface, STREAMS
    2 Data Link (MAC): network adapter card drivers
    1 Physical: Network Interface Card(s)
    0 Media

3.5.2 Network traffic filtering technologies for Windows

The research has involved an extensive search for methods which could be used to hook a system into the data transmissions. In Microsoft Windows this is not an easy task. In general there are several ways of filtering network traffic on a Windows system (Divine 2002). For user-mode traffic filtering the methods are:

Winsock Layered Service Provider (LSP). This method can determine the process that called Windows Sockets, which makes it suitable for QoS (Quality of Service), encryption of data streams, etc. Unfortunately, this approach cannot be used on routers, because forwarded packets are routed at the TCP/IP level (or even at the MAC level) and never pass through Winsock.

Windows 2000 Packet Filtering Interface. Windows 2000 provides an API which can install a set of filter descriptors, which are then used by TCP/IP for packet filtering (PASS/DROP). However, the filtering rules are rather limited (pass/drop based on IP address and port information), and this approach can only be used from Windows 2000 onwards.

Substitution of the Winsock DLL. This approach is mentioned only because of its security implications; it is not recommended.

Global hook of all "dangerous" functions. These might include the Windows Sockets functions, DeviceIoControl, and so on. This can be done, but it may have an impact on overall system stability and security.

For kernel-mode traffic filtering:

Kernel-mode sockets filter. This technology is applicable to Windows NT/2000 and is based on the interception of all calls from msafd.dll (the lowest-level user-mode Windows Sockets DLL) to the kernel-mode module afd.sys (the TDI [Transport Driver Interface] client, which is the kernel-mode part of Windows Sockets). This method is interesting, but its possibilities are not much wider than those of an LSP, and it has limited portability.

TDI-filter driver. This technology can be implemented on a wide range of Windows platforms, but the implementation method varies between them. On Windows NT/2000, in the case of TCP/IP filtering, it is necessary to intercept all calls directed to the devices created by the tcpip.sys driver.

NDIS Intermediate Driver. NDIS intermediate drivers were introduced in NT 4.0 to allow developers to write packet capture drivers. These drivers can see all the network traffic on the system, as they are placed between the protocol drivers and the network (miniport) drivers. Many developers use NDIS intermediate drivers to provide fault-tolerance and load-balancing options for NICs. Unfortunately, the driver must be digitally signed by Microsoft.

Windows 2000 Filter-Hook Driver. The Filter-Hook Driver was introduced by Microsoft in the Windows 2000 DDK (Driver Development Kit). It is not a new network driver class; it is only a way of extending the functionality of the Windows 2000 IP Filter Driver.

NDIS Hooking Filter Driver. This technique is based on the interception of a subset of NDIS functions, which allows the driver to trace the registration of all protocols installed in the operating system and the opening of network interfaces by them.

Among its advantages are ease of installation and transparent support of dial-up interfaces. This technique is the one that has been used to implement the Data Hiding Intelligent Agent (DHIA). The Network Driver Interface Specification (NDIS) allows the agent to hook into the network stack at the point where Ethernet data frames are passed to and from the Network Interface Card, in Windows kernel mode. Through APIs, the intercepted packets are finally handled in Windows user mode, where most Windows software runs. A C DLL was written to intercept and modify outgoing packets and to report information back to a controlling application.

4 Literature Review

4.1 Introduction

As has been said before, the number of articles related to information hiding, covert channels and their techniques has been increasing. It has to be taken into account that covert channel techniques can be involved in anything based on a protocol, even outside the networking scope. In this section, covert channels are analysed within the scope of computer networks, by focusing on their relationship with the LAN environment, LAN protocols, the OSI network model and the TCP/IP protocol suite.

4.2 LAN Environments

According to (Ahsan 2002), Local Area Network environments are susceptible to being used for creating covert channels. (Girling 1987) first analysed covert channels in a network environment, focusing on local area networks (LANs), which have three obvious covert channels (two storage channels and one timing channel). This demonstrates, with real examples, the bandwidth possibilities for simple covert channels in LANs. For a specific LAN environment, he introduced the notion of a wiretapper which monitors the activities of a specific transmitter on the LAN. The covertly communicating parties are the transmitter and the wiretapper. The covert information, according to Girling, can be communicated in any of the following obvious ways:

By observing the addresses approached by the transmitter. If the total number of addresses a sender can approach is 16, then there is the possibility of a secret communication carrying 4 bits of the secret message per frame. The author termed this a covert storage channel, as it depends on what is sent (i.e. which address is approached by the sender).

In the same way, the other obvious storage covert channel depends on the size of the frame sent by the sender. With 256 possible sizes, the amount of covert information deciphered from the size of one frame would be 8 bits. Again this scenario was termed a covert storage channel.

The third scenario pertains to the existence of a covert timing channel. The time between successive sends can be observed by the wiretapper, deciphering for instance 0 for an odd time difference and 1 for an even one. This scenario transmits covert information through a when-is-sent strategy and is therefore termed a timing covert channel.

The time to transmit a block of data is calculated as a function of software processing time, network speed, network block sizes and protocol overhead. Assuming blocks of various sizes are transmitted on the LAN, the software overhead is computed on average and a novel time evaluation is used to estimate the bandwidth (capacity) of the covert channel. Furthermore, solutions for reducing the bandwidth of covert channels are also presented. The work paves the way for future research.
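To make Girling's three channels concrete, the following Python is an added example, not code from this thesis or from Girling (1987). The LAN, the 16 station addresses, the frame sizes and the inter-frame gaps are all constructed. A transmitter packs 4 bits into the choice of destination address, 8 bits into the frame size and 1 bit into the parity of the gap since the previous frame; the wiretapper recovers the message from nothing but the addresses, sizes and send times it observes, and then estimates the channel's bandwidth from the elapsed time, which is the quantity Girling's timing analysis is concerned with.

```python
"""Girling-style LAN covert channels as seen by a wiretapper.

Added example, not code from the thesis or from Girling (1987). The LAN
below is constructed: the transmitter may address 16 stations and send
256 distinct frame sizes, so each frame leaks 4 bits through its
destination address and 8 bits through its size (storage channels), plus
1 bit through the parity of the gap since the previous frame (timing
channel: odd gap -> 0, even gap -> 1).
"""
import math
from dataclasses import dataclass
from typing import List

STATIONS = [f"02:00:00:00:00:{i:02x}" for i in range(16)]  # 16 addresses -> 4 bits (constructed)
MIN_FRAME = 64                                              # sizes MIN_FRAME .. MIN_FRAME+255 -> 8 bits
BITS_PER_FRAME = int(math.log2(len(STATIONS))) + 8 + 1      # 4 + 8 + 1 = 13 bits per frame


@dataclass(frozen=True)
class Frame:
    t_ms: int   # transmission time in ms as observed by the wiretapper
    dst: str    # destination address approached by the transmitter
    size: int   # frame length in bytes


def transmit(message: bytes, start_ms: int = 1000) -> List[Frame]:
    """Transmitter: a reference frame carries the message length in its size
    (it also gives the timing channel a starting point); every following
    frame carries 13 message bits."""
    if not 0 < len(message) < 256:
        raise ValueError("message length must fit in one size symbol")
    bits = "".join(f"{b:08b}" for b in message)
    bits += "0" * ((-len(bits)) % BITS_PER_FRAME)           # pad the last chunk
    frames = [Frame(start_ms, STATIONS[0], MIN_FRAME + len(message))]
    t = start_ms
    for i in range(0, len(bits), BITS_PER_FRAME):
        chunk = bits[i:i + BITS_PER_FRAME]
        t += 12 if chunk[12] == "1" else 11                   # even gap -> 1, odd gap -> 0
        frames.append(Frame(t, STATIONS[int(chunk[:4], 2)],
                            MIN_FRAME + int(chunk[4:12], 2)))
    return frames


def wiretap(frames: List[Frame]) -> bytes:
    """Wiretapper: observes only addresses, sizes and send times."""
    length = frames[0].size - MIN_FRAME
    bits = []
    for prev, cur in zip(frames, frames[1:]):
        bits.append(f"{STATIONS.index(cur.dst):04b}")                 # storage channel: address
        bits.append(f"{cur.size - MIN_FRAME:08b}")                    # storage channel: frame size
        bits.append("1" if (cur.t_ms - prev.t_ms) % 2 == 0 else "0")  # timing channel: gap parity
    stream = "".join(bits)[:8 * length]
    return bytes(int(stream[i:i + 8], 2) for i in range(0, len(stream), 8))


def capacity_bps(frames: List[Frame]) -> float:
    """Covert bandwidth actually achieved: payload bits over elapsed time."""
    payload_bits = BITS_PER_FRAME * (len(frames) - 1)
    elapsed_s = (frames[-1].t_ms - frames[0].t_ms) / 1000.0
    return payload_bits / elapsed_s


if __name__ == "__main__":
    sent = transmit(b"covert")
    print(wiretap(sent), f"{capacity_bps(sent):.0f} bit/s over {len(sent)} frames")
```

The gaps of 11 and 12 ms are arbitrary; what matters for the wiretapper is only their parity, which is why Girling's countermeasures against the timing channel work by adding jitter to transmission times rather than by inspecting frame contents. The two storage channels, by contrast, are visible to anyone who logs addresses and frame lengths, which is the kind of field monitoring Wolf later proposed for LAN protocols.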

In particular, (Girling 1987) does not take into account the effect of the existence of covert channels on the overall network performance.

4.3 LAN Protocols

Focusing the research on Local Area Network protocols, (Ahsan 2002) identifies what has been done after the investigations of (Girling 1987). In (Wolf 1989), Wolf presents results that can be regarded as a logical extension of (Girling 1987), but applied to LAN protocols. Wolf establishes that encryption, the basic mechanism of LAN security, cannot by itself ensure the proper blocking of unauthorised information flow via covert channels. The work points to the unused bandwidth available for covert transmission in the most commonly used LAN architecture standards, such as IEEE 802.2, 802.3, 802.4 and further members of the IEEE 802 family. The focus is on LAN implementations as opposed to the architecture itself. The work implies that covert channels can be expected in every system in which resources are shared. It also highlights the relationship between covert storage channels and protocol format, and the link between covert timing channels and protocol procedure elements, taking into account the frame layouts of the LAN protocols. Covert storage channels utilise the reserved fields, pad fields and undefined fields of the frames. The fields identified as means to covertly send information can easily be detected through the implementation of automated mechanisms. Such mechanisms need only monitor those fields, and would discard frames utilising them irrespective of their purpose.

4.4 Data Hiding in the OSI Model

In (Handel and Sandford 1996) the OSI (Open System Interconnection) network model (see Figure 8 - OSI network model) is taken as the basis of a development in which the authors characterise the system elements having potential to be used for data hiding. Foolproof steganographic schemes are not devised.
Rather, basic principles for data hiding in each of the seven OSI layers are established, and covert channel figures of merit are identified (Ahsan 2002):

Detectability: the covert channel must be measurable by the intended recipient only.
Indistinguishability: the covert channel must lack identification; it must appear as an overt channel.
Bandwidth: the number of data hiding bits per channel use.

Each layer has specific characteristics for hiding data (Handel and Sandford 1996).

4.4.1 Physical layer

The physical layer transmits data through the network's communications channels. Clear To Send / Request To Send (CTS/RTS) signalling can be adjusted independently from the data rate (this method is limited to point-to-point connections). The collision detection system (Carrier Sense Multiple Access / Collision Detection, CSMA/CD) in the Ethernet physical layer can also be modified to transmit hidden data by adjusting the collision control mechanism.

4.4.2 Data Link layer

The data link layer shapes the network data structure. Frames are created containing the data to be transmitted over physical circuits. Here, unused portions of the frame can be used to store covert data: the hidden data is stored in the frame buffer, beginning at the end of the buffer and working back towards the valid data. When the frame is transmitted, the entire buffer is exported, including the covert data.

[Figure 8 - OSI network model: Application, Presentation, Session, Transport, Network, Data-Link, Physical]

4.4.3 Network layer

The network layer is the internal delivery system. Fields from the headers of the packets that work at this level can be manipulated to store covert data. For instance, the Identification field of the IP protocol helps with the re-assembly of packet data by remote routers and host systems. Its purpose is to give a unique value to packets so that, if fragmentation occurs along a route, they can be accurately re-assembled. This value is generated at the origin, which means that the Identification field can be used to carry a specific value to the other end. This will be extended in the next section.

4.4.4 Transport layer

The transport protocol is responsible for delivering data from the network to the correct process within the computer. Here as well, covert data can be stored by, for instance, utilising the unused bits in the TCP header.

4.4.5 Session layer

The session layer is the user's access point to the network. Once there, users may have access to restricted resources of other users on the network, including servers that may require further authentication. Functionality at the session layer is achieved through the use of a redirector, which determines whether a requested function call can be processed by the local operating system or must be processed on the remote system using a remote procedure call (RPC). If a user can interact with a remote device, then a covert channel can be established by building a protocol around that activity.

4.4.6 Presentation layer

The presentation layer handles the network's interface to devices such as printers, video displays and the file system. The presentation layer is the proper location for encryption and compression processes. Here, the multimedia components of the presentation layer can act as hidden data transport mechanisms, for example by replacing properties of audio and video information that contain stochastic noise with pseudo-random noise containing hidden data.

4.4.7 Application layer

The application layer is nearest the user. Users create applications utilising system resources, including the network. Many of the classical steganographic approaches can be used at the application level: what is originally done with pencil and paper can be done here. For example, a covert messaging system can be devised using word substitution over an e-mail system. As can be seen, the OSI model reveals that a variety of locations exist for hiding data.

4.5 Covert Channels in the TCP/IP Protocol Suite

As a layered protocol suite, TCP/IP has a number of weaknesses that allow an attacker to use covert channel techniques to surreptitiously pass data in otherwise benign packets. Many techniques are based on encoding data in the protocol headers.

[Figure 9 - IP header v4]

Some explanation and detailed methods will be illustrated next (Rowland 1996). Within each header there are multitudes of areas that are not used for normal transmission or are "optional" fields to be set as needed by the sender of the datagrams. An analysis of the areas of a typical IP header (see Figure 9 - IP header v4) that are either unused or optional reveals many possibilities where data can be stored and transmitted. The basis of the exploitation here relies on encoding the ASCII values of characters into the selected fields. Using this method it is possible to pass data between hosts in packets that appear to be initial connection requests, established data streams or other intermediate steps. These packets can contain no actual data, or can contain data designed to look innocent. They can also contain forged source and destination IP addresses as well as forged source and destination ports. This can be useful for tunnelling information past some types of packet filters. Additionally, forged packets can be used to initiate an anonymous TCP/IP "bounced packet network" whereby packets between systems can be relayed off legitimate sites to thwart tracking by sniffers and other network monitoring devices.

4.5.1 Method One - Manipulation of the IP Identification Field

The Identification field of the IP protocol helps with the re-assembly of packet data by remote routers and host systems. Its purpose is to give a unique value to packets so that, if fragmentation occurs along a route, they can be accurately re-assembled. The first encoding method simply replaces the IP Identification field with the numerical ASCII representation of the character to be encoded. This allows for easy transmission to a remote host, which simply reads the IP Identification field and translates the encoded ASCII value to its printable counterpart.

4.5.2 Method Two - Initial Sequence Number Field

The Initial Sequence Number (ISN) of TCP enables a client to establish a reliable protocol negotiation with a remote server. As part of the negotiation process, several steps are taken in what is commonly called the "three way handshake", as described earlier. For our purposes the sequence number field serves as a perfect medium for transmitting clandestine data because of its size (a 32-bit number). There are a number of possible methods to use; the simplest is to generate the sequence number from the ASCII character we wish to encode.

4.5.3 Method Three - The TCP Acknowledge Sequence Number Field "Bounce"

This method relies upon basic spoofing of IP addresses to enable a sending machine to "bounce" a packet of information off a remote site and have that site return the packet to the real destination address. This has the benefit of concealing the sender of the packet, as it appears to come from the "bounce" host. This method could be used to set up an anonymous one-way communication network that would be difficult to detect, especially if the bounce server is very busy. It relies on the characteristic of TCP where the destination server responds to an initial connection request (SYN packet) with a SYN/ACK packet whose acknowledgement number is the original initial sequence number plus one (ISN+1), so a value encoded in the ISN of a SYN whose source address is forged to the real destination arrives there in the acknowledgement field of the bounce host's reply. As discussed above, other protocols can be used in a similar manner and in some cases may provide a more reliable channel of data transmission, as the packet can hold much more data.

4.5.4 Method Four - Through packet sorting (IPSec)

This method, presented by (Ahsan 2002), deals with the use of packet ordering to convey covert information. The number of possible ways to arrange objects in a set is surprisingly large and offers a correspondingly large opportunity for steganography. Changing the order of the packets requires no change in the packet content (i.e. the payload and the headers are not affected).

Therefore no major modifications are expected either in the protocol definition/design or in the overall system in order to implement a data-hiding scenario. The sorting/resorting process holds a surprisingly large amount of information. Based on these facts, data hiding feasibility is explored in the TCP/IP protocol based on packet sorting and resorting processes at source and destination, respectively.

The packet sorting and resorting processes require some reference in order to relate packets to their natural order. The natural packet ordering is needed so that the stego packet ordering (sorting) can be undone (resorting). This reference is not available at the transport layer using TCP: the sequence number and acknowledgement number fields count octets of data and are not directly related to the packet number. Moreover, the data packetised at the transport layer can be broken into fragments at the Internet layer, which would further complicate the notion of a packet order. Similarly, in IP the 16-bit Identification field of the IPv4 header, as mentioned in the previous section, is only unique for a given source, destination and protocol and cannot be associated with a packet sequencing mechanism. In contrast, within the IPSec environment the two protocol headers, AH and ESP, provide a 32-bit sequence number field. The primary aim of this field is to detect replay attacks, hence it is directly related to packet numbers. The anti-replay mechanism is intended to determine whether a received packet is a duplicate or not. When a Security Association (SA) is first established for a flow of data, this field is set to zero, and the sequence number of each packet under this SA is incremented by 1 during outbound processing. Thus replay protection identifies a natural ordering of the packet stream that can be used for the packet sorting and resorting processes at both ends.

The term IPSec refers to a set of mechanisms designed to protect traffic at the IP level, suited for both versions of IP, i.e. IPv4 and IPv6. The security services afforded by this security protocol are: connectionless integrity, data origin authentication, protection against replays and confidentiality. IPSec implementation is optional in IPv4. It is however mandatory for any implementation of IPv6, and can therefore rightly be regarded as the security architecture for the current as well as the future IP traffic. The kind of security services it offers made this set of mechanisms an industry standard in December. As mentioned above, IPSec fulfils the following: encryption and/or authentication of all traffic at the IP level, and support for all the varied distributed applications, so that remote logon, client/server, e-mail, file transfer and Web access can be secured.

The following are relevant features of IPSec:

IPSec is meant for off-site traffic, so traffic within a company or work group need not incur the overhead of security-related processing.
IPSec in a firewall is resistant to bypass if all incoming traffic must use IPSec and the firewall is the only means of entrance from the Internet into the organisation.
The IPSec implementation in a firewall, router or end system requires no change in the software on a user or server system.
The architecture does not need keys specific to users.
IPSec is useful for off-site workers and for setting up a secure virtual sub-network within an organisation for sensitive applications.

Several possible ways to utilise IPSec are outlined. IPSec protocols operate in networking devices like routers or firewalls that connect each LAN to the outside world. These routers or firewalls (IPSec networking devices) will typically encrypt and compress all traffic going into the WAN and decrypt and decompress traffic coming from the WAN. These operations are transparent to workstations and servers on the LAN. Individual users who dial into the WAN (connected directly) must implement the IPSec protocols themselves to ensure security.

IPSec provides security services at the IP layer by:

Enabling a system to select the required security protocols
Determining the algorithms to use for the services
Putting in place any cryptographic keys required to provide the requested services

The following is a list of key security technologies enabling IPSec:

The Diffie-Hellman key exchange to deliver keys between systems on the public network.
Public key cryptography for signing the Diffie-Hellman exchanges, which authenticates both sides of the negotiation.
Support for standard keyed hash algorithms for authenticating packets. The standard authenticators are specified in (RFC ) and (RFC ).
Support for a variety of encryption algorithms. The mandatory-to-implement cipher is DES-CBC (with an explicit Initialization Vector) (RFC ). After the standardisation of AES (Advanced Encryption Standard) by the US Government in Fall 2001, the current status of the standard cipher is not yet known.
Support for X.509 digital certificates for validating public keys.

The objectives of IPSec are met through the use of two security mechanisms, the AH (Authentication Header) and the ESP (Encapsulating Security Payload). The Authentication Header (AH) is conceived to ensure integrity and authentication of IP datagrams, without data encryption, i.e. without confidentiality. AH adds an additional header to the traditional IP datagram; this header makes it possible for the receiver to check the authenticity of the data included in the datagram. The header is shown in Figure 10 - The AH header.

[Figure 10 - The AH header]

The Encapsulating Security Payload (ESP) is designed to ensure confidentiality, but can also provide data authenticity. From a traditional IP datagram it generates a new datagram having an additional ESP header, in which the data and, optionally, the original header are encrypted. The ESP header is shown in Figure 11 - The ESP header.

[Figure 11 - The ESP header]

These protocols can operate in either of the following modes (Doraswamy and Harkins 1999):

Transport Mode: in transport mode, AH and ESP protect the transport header. In this mode, AH and ESP intercept the packets flowing from the transport layer into the network layer and provide the configured security.

Tunnel Mode: IPSec in tunnel mode is normally used when the ultimate destination of the packet is different from the security termination point. Tunnel mode, by adding an additional IP header, protects the complete IP datagram, i.e. the data together with the TCP header and the original IP header.

A Security Association (SA) is a one-way connection that affords security services to the traffic carried by it. Since an SA is unidirectional, a typical bi-directional communication requires two SAs. The security services are provided by the use of either AH or ESP (not both). If both of them are to be applied to the traffic in question, then two (or more) SAs are needed to protect the traffic; such a situation is termed a security bundle. Each security association is uniquely identified by the following triple: the packet's destination address, the security protocol identifier (AH or ESP) and the Security Parameter Index (SPI). The SPI is a 32-bit value transmitted in clear in the header of each exchanged packet; the receiver chooses it.

Security Association Database (SADB): IPSec stores active security associations in the SADB. It contains all the parameters related to each SA and is consulted to decide how to treat each received or sent packet. The SADB is populated with SAs either manually or via an automatic key management system such as IKE (Internet Key Exchange).

Security Policy Database (SPD): IPSec policy is maintained in the SPD. Each entry of the SPD defines the traffic to be protected, how to protect it and with whom the protection is shared. For each packet entering or leaving the IP stack, the SPD must be consulted to determine whether security is to be applied.

Let us continue with the explanation of the method. The packet sorting/resorting technique employs packet ordering to convey covert information. As mentioned earlier, this requires changes neither in the headers nor in the processing of the system. The suggested packet sorting technique utilises the sequence number field of the AH and ESP headers (the IPSec protocols). Before discussing the technique, consider three packets generated from an IPSec node that has the packet-sorting algorithm incorporated. Figure 12 - Packets generated from IPSec implemented node having sorted sequence numbers shows these packets, indicating only their sequence numbers (both original and sorted):

[Figure 12 - Packets generated from IPSec implemented node having sorted sequence numbers]

Here there are two types of ordering:

Original ordering: the sequence numbers assigned to the packets by the standard IPSec process.
Sorted ordering: the sequence numbers as reordered by any structure which sorts the original ordering by some set criterion.

The covert information intended to be communicated is the difference between these two orderings. Referring to Figure 12, for three packets there are six possible permutations (i.e. 123, 132, 231, 213, 321, 312). Generally speaking, the packet-sorting algorithm generates a specific sorted sequence of packets from the six possible permutations based on some structure (as defined in the algorithm, below). Figure 12 shows the generated packets, from left to right, having the sorted sequence 132 against the original 123. These packets traverse the network and reach the destination bearing the same numbers. The packet resorting process at the destination node recovers the original sequence from the received sorted sequence based on the same structure. The difference between the original sequence and the sorted sequence carries the covert information for the destination. Ideally, for a packet sequence comprising three packets, there are six possible covert messages, i.e. log2(6), a little under 3 bits of covert information per group of three packets. This is the basic concept of packet sorting and how the process transmits covert information; the reference that provides the original sequence of packets, which is then sorted according to a structure, has been identified above.
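The following Python is an added example, not from this thesis or from Ahsan (2002), of the sorting/resorting process over AH sequence numbers, generalised from the three-packet case to groups of n packets, where the n! orderings carry floor(log2(n!)) whole bits (2 bits for n = 3, 6 bits for n = 5). The AH headers are constructed with a zero placeholder in the ICV field (no HMAC is computed, and the channel never has to touch that field because packet contents are left unchanged); the SPI, the sequence numbers and the cover payload are assumptions. The permutation is ranked with the Lehmer code, under which the sorted sequence 132 of the figure corresponds to symbol 1. One practical caveat: an IPSec receiver with anti-replay enabled only accepts packets that arrive out of order within its anti-replay window (64 packets by default in RFC 2401), so a group must stay well inside that window or the resorting end never sees the whole permutation.

```python
"""Packet sorting / resorting covert channel over the IPSec AH sequence number.

Added example, not code from the thesis or from Ahsan (2002). The AH
headers, SPI, sequence numbers and cover payload are constructed.
"""
import math
import struct
from typing import List, Tuple

AH_HLEN = 24   # next header(1) payload len(1) reserved(2) SPI(4) sequence(4) ICV(12)


def build_ah_packet(spi: int, seq: int, inner: bytes = b"") -> bytes:
    """Constructed AH header (RFC 2402 layout) followed by the protected data.
    The 12-byte ICV is a zero placeholder: no HMAC is computed here."""
    payload_len = AH_HLEN // 4 - 2                 # length in 32-bit words, minus 2
    return struct.pack("!BBHII", 17, payload_len, 0, spi, seq) + b"\0" * 12 + inner


def ah_sequence(pkt: bytes) -> int:
    """The anti-replay counter, i.e. the natural order of the packet."""
    return struct.unpack("!I", pkt[8:12])[0]


def bits_per_group(n: int) -> int:
    """n! orderings of n packets carry floor(log2(n!)) whole bits."""
    return math.factorial(n).bit_length() - 1


def rank(perm: Tuple[int, ...]) -> int:
    """Lehmer code: position of `perm` among the n! permutations of 0..n-1."""
    n, r = len(perm), 0
    for i, p in enumerate(perm):
        r += sum(1 for q in perm[i + 1:] if q < p) * math.factorial(n - 1 - i)
    return r


def unrank(r: int, n: int) -> Tuple[int, ...]:
    """Inverse of rank(): the permutation of 0..n-1 with Lehmer rank r."""
    if not 0 <= r < math.factorial(n):
        raise ValueError("rank out of range")
    elems, perm = list(range(n)), []
    for i in range(n):
        idx, r = divmod(r, math.factorial(n - 1 - i))
        perm.append(elems.pop(idx))
    return tuple(perm)


def sort_group(natural: List[bytes], symbol: int) -> List[bytes]:
    """Sender: emit the group (in sequence-number order) in the permutation whose rank is `symbol`."""
    return [natural[i] for i in unrank(symbol, len(natural))]


def resort_group(received: List[bytes]) -> Tuple[List[bytes], int]:
    """Receiver: sequence numbers give the natural order; the arrival order
    relative to it is the permutation, and its rank is the covert symbol."""
    seqs = [ah_sequence(p) for p in received]
    natural = sorted(seqs)
    perm = tuple(natural.index(s) for s in seqs)
    return sorted(received, key=ah_sequence), rank(perm)


def send_message(message: bytes, n: int = 5, spi: int = 0x1000) -> List[bytes]:
    """Wire order for a message: a length byte, then the message, bits_per_group(n) bits per n packets."""
    if len(message) > 255:
        raise ValueError("length byte limits a message to 255 bytes")
    bits = "".join(f"{b:08b}" for b in bytes([len(message)]) + message)
    bpg = bits_per_group(n)
    bits += "0" * ((-len(bits)) % bpg)
    wire, seq = [], 1                                # counter is 0 on a fresh SA, incremented before send
    for i in range(0, len(bits), bpg):
        group = [build_ah_packet(spi, seq + k, b"cover") for k in range(n)]
        seq += n
        wire += sort_group(group, int(bits[i:i + bpg], 2))
    return wire


def receive_message(wire: List[bytes], n: int = 5) -> Tuple[List[bytes], bytes]:
    """Returns the packets back in natural order and the recovered message."""
    bpg = bits_per_group(n)
    resorted, bits = [], ""
    for i in range(0, len(wire), n):
        group, symbol = resort_group(wire[i:i + n])
        resorted += group
        bits += f"{symbol:0{bpg}b}"
    length = int(bits[:8], 2)
    payload = bits[8:8 + 8 * length]
    return resorted, bytes(int(payload[j:j + 8], 2) for j in range(0, len(payload), 8))


if __name__ == "__main__":
    wire = send_message(b"covert")
    print([ah_sequence(p) for p in wire[:10]], receive_message(wire)[1])
```

Because nothing in the packets changes, neither the AH integrity check nor a content-inspecting monitor sees anything unusual; what a detector can measure is the reordering rate per SA, which for normal traffic on a single path is close to zero and here is deliberately high.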

5 Design

5.1 Introduction

This section explains the proposed architecture for the management of hidden information, as well as the mechanism for its monitoring and detection and for the activation of prevention and countermeasures: the DHIA, which is embedded in a Reverse Proxy Server. The applications, classes, member functions, member variables and structures that have been used to build the whole prototype are specified as well.

5.2 System specification

As has been said, four main pieces of software have been developed for this project, among them a Reverse Proxy Server with an embedded Data Hiding Intelligent Agent, a Data Hiding Viewer and a Packet Sniffer to analyse the network traffic and some specific aspects of the covert channel technique. While the user is navigating around a web site through the Reverse Proxy Server, the Data Hiding Viewer, on the client side, shows in a separate window the hidden data that is sent by the Data Hiding Intelligent Agent embedded in the Reverse Proxy Server. The Packet Sniffer shows the content of all IP packets. This prototype focuses on the manipulation of the IP Identification field of the IP version 4 header (Rowland 1996).

[Figure 13 - Components Data Flow of the reverse proxy system]

At present, the designed prototype manages requests at the full range of session/application layer protocols, such as HTTP, FTP, TELNET, etc. All protocol channels are implemented. The user thus thinks that they are connecting to a WWW server and navigates on it; the proxy is transparent for the navigation.

Figure 13 - Components Data Flow of the reverse proxy system outlines the mechanics of such a system, which are:

Reverse Proxy Server.
Embedded DHIA. The DHIA component must be tested in different locations within the scenario where it should operate, in order to find its most convenient placement, taking also into account the Dynamic Reverse Proxy technique.
Data Hiding Viewer. This is run on the client side and shows the hidden data sent by the DHIA embedded in the Reverse Proxy Server.

The system implements covert communication through the manipulation of the Identification field of the IP protocol header (Rowland 1996). In this case it is implemented using the first byte of the field as a sequencer and the second byte to hold the character in ASCII code, so that the overall message is spread over multiple packets. The Identification field of the IP protocol header helps with the re-assembly of packet data by remote routers and host systems. Its purpose is to give a unique value to packets so that, if fragmentation occurs along a route, they can be accurately reassembled (see Figure 14 - Network packets).

[Figure 14 - Network packets]
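As an added example (not the thesis's C# Covert Agent, Covert Viewer or its C DLL), the following Python shows the sequencer/character layout in the IP Identification field, i.e. Rowland's Method One as applied in the DHIA design, together with the two things a practitioner needs around it. First, the IPv4 header checksum must be recomputed after the field is rewritten: an NDIS-level hook sees the frame after the stack has already filled in the checksum, and a rewritten Identification with a stale checksum is discarded by the first router that verifies it. Second, a detector for the pattern, since the same agent is meant to detect the channel. All frames, MAC and IP addresses and the cover traffic are constructed.

```python
"""IP Identification covert channel: encode, extract and detect.

Added example, not the thesis's Covert Agent code. Frames, addresses and
cover traffic below are constructed. Layout per packet, as in the DHIA
design: high byte of Identification = sequence number, low byte = ASCII
character, one character per packet.
"""
import socket
import string
import struct
from typing import List, Tuple

ETH_HLEN = 14                      # dst MAC(6) + src MAC(6) + EtherType(2)
ETHERTYPE_IPV4 = 0x0800
PRINTABLE = set(string.printable.encode())


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Returns 0 when run over a header whose
    checksum field already holds the correct value."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(ident: int, payload: bytes = b"x", src: str = "10.0.0.1",
                dst: str = "10.0.0.2") -> bytes:
    """Constructed Ethernet/IPv4 frame used as cover traffic (protocol 17 with
    a dummy payload; no real UDP header is needed for this demonstration)."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                               0, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + payload


def ip_header_span(frame: bytes) -> Tuple[int, int]:
    """Offsets of the IPv4 header inside an Ethernet frame; rejects anything else."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    return ETH_HLEN, ETH_HLEN + ihl


def read_ident(frame: bytes) -> int:
    start, _ = ip_header_span(frame)
    return struct.unpack("!H", frame[start + 4:start + 6])[0]


def stamp_ident(frame: bytes, ident: int) -> bytes:
    """What the outgoing hook has to do: rewrite Identification and recompute
    the header checksum, otherwise the next router discards the packet."""
    start, end = ip_header_span(frame)
    hdr = bytearray(frame[start:end])
    hdr[4:6] = struct.pack("!H", ident & 0xFFFF)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return frame[:start] + bytes(hdr) + frame[end:]


def hide(message: str, cover: List[bytes]) -> List[bytes]:
    """Sender (DHIA side): one character per cover packet, sequencer in the high byte."""
    if len(message) > 256 or not message.isascii():
        raise ValueError("one sequencer byte allows at most 256 ASCII characters")
    if len(message) > len(cover):
        raise ValueError("not enough cover packets")
    return [stamp_ident(cover[seq], (seq << 8) | ord(ch)) for seq, ch in enumerate(message)]


def extract(frames: List[bytes]) -> str:
    """Receiver (viewer side): reassemble by sequencer, whatever the arrival order."""
    pairs = sorted((read_ident(f) >> 8, chr(read_ident(f) & 0xFF)) for f in frames)
    return "".join(ch for _, ch in pairs)


def looks_covert(idents: List[int], min_run: int = 4) -> bool:
    """Detector over one host's Identification values: a run of packets whose low
    byte is printable ASCII while the high byte advances by exactly one per packet
    matches the layout above. A normal per-host counter moves its high byte only
    once every 256 packets, and a randomised one does not move it regularly."""
    run = 1
    for prev, cur in zip(idents, idents[1:]):
        if (cur & 0xFF) in PRINTABLE and (cur >> 8) == ((prev >> 8) + 1) & 0xFF:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


if __name__ == "__main__":
    cover = [build_frame(0x1000 + i) for i in range(16)]
    stamped = hide("covert", cover)
    print(extract(stamped[::-1]), looks_covert([read_ident(f) for f in stamped]))
```

The sequencer byte limits a message to 256 characters before it wraps, and the channel is lost entirely if any device on the path rewrites Identification (a NAT or a tunnel endpoint that re-encapsulates the packet), which is also the simplest countermeasure the DHIA can apply on the proxy: normalise the field on every forwarded packet.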

The software proposed for this project processes incoming packets at Ethernet level. From that point, the IP packet is extracted (see Figure 9 - IP header v4).

5.3 Development methodology

The software developed for this Honours Project has been created following the basic concepts of the Waterfall methodology and the Rapid Application Development (RAD) methodology, using the defined sections from the former, and the evolutionary development method, early prototyping and reiterative testing of designs from the latter.

Figure 15 - Spiral model

The main reason for doing this is that the project was well defined from the beginning. Based on this evolutionary development method, the purpose of the individual elements could be well defined according to the interim implementation results, as well as coordinated and synchronised with the system. Figure 15 - Spiral model shows an approach to this methodology and its life-cycle.

The Spiral Model (Boehm 1988) can be summarised as follows:
- Emphasis is on the problematic areas of software development and, importantly, the use of an iterative, non-linear approach to projects.
- Basically, the idea is evolutionary development, using the waterfall model for each step; it is intended to help manage risks.
- Do not define the entire system in detail at first. The developers should only define the highest priority features. Define and implement those, then get feedback from users/customers (such feedback distinguishes "evolutionary" from "incremental" development). With this knowledge, they should then go back to define and implement more features in smaller chunks.

5.4 Classes, global functions, variables and structures

In this section the global functions, variables and structures of each application involved in this project are shown. Because not much object-oriented development has been needed, the modules are shown in a structural view instead of a UML representation. See the appendices for the source code. These are the meanings of the icons:
- Application
- Class
- Method or Member function
- Member variables
- Structures

Structural view: CovertAgent

Structural view: CovertController

Structural view: CovertViewer

Structural view: Kernel ReverseProxyServer

Structural view: Packet Sniffer

Structural view: Packet Sniffer (cont.)

6 Implementation

The controlling application was written with Microsoft Visual C# .NET 1.1. Due to security in Windows, raw sockets and the Berkeley specification are not fully supported by the .NET Framework. Thus, modifying packets at this level is not possible, as the .NET Framework and the Windows operating system will correct any faults they perceive in the header, or ignore the header completely and treat it as payload. This is undesirable behaviour for a system which requires direct hooks into the data traffic flow. For this reason, a Covert Agent based on the NDisAPI driver has been developed in C.

6.1 Covert Agent

Figure 16 - from Covert Agent

The code shown in Figure 16 - from Covert Agent reads the packets that are passing through the network adapter in either direction. Incoming packets are ignored and passed straight through; however, outgoing IP packets are checked against the filter criteria. The agent has a list of clients that are registered to receive covert messages and it will modify any packet that is destined for one of these clients. If the destination of the packet is not registered, but the port number matches the port for default messages, then a new client registration is made and the packet is modified.

Figure 17 - from Covert Agent

The code shown in Figure 17 - from Covert Agent modifies a packet. The function takes a pointer to a covert information structure that contains the details of the covert message for the current client. There is also a parameter that points to the packet to be modified. The packet's Identification field is replaced with the covert information. The high-order byte holds the offset of the character; this ensures that, while the message is being sent, the ID field in the IP header is always ascending, making it look like the packet is coming from a busy server. The low-order byte of the ID field contains a single character from the covert message. The covert information structure is also updated by incrementing the offset, so that the next time a packet is modified the next character in the message is set. Finally, a date stamp is applied to the covert information structure. This is because, as new clients are registered, the array that holds details on the clients will become full, and a last accessed-first out algorithm is in place to determine which of the clients drops off the list to make way for a new client registration.

6.2 Covert Controller

Figure 18 - from Covert Controller

Figure 18 - from Covert Controller is part of the packet processing on the Covert Controller. In a normal .NET application a callback method can be set up for when the application enters idle time. Normally this would perform some low-priority task and return control to the built-in message pump; however, there is no mechanism to call this callback method repeatedly. Here, the callback method repeatedly calls DoIdleTimeProcessing, which returns false when it does not need to be called again, and during each loop the events are processed as normal so that the application responds normally to events such as the user pressing the stop button or closing the application. DoIdleTimeProcessing calls into the CovertAgent to process packets for 1000 milliseconds before returning control to the .NET application.

6.3 Reverse Proxy Server

Figure 19 - from Reverse Proxy Server

When the proxy receives a request (see Figure 19 - from Reverse Proxy Server), it needs to forward it on to the relevant server; the above method takes the HTTP request, locates the host entry in the header and replaces it with the real IP address and port. This can then be used to form the request to the actual server.

6.4 Covert Viewer

Figure 20 - from Covert Viewer

The code in Figure 20 - from Covert Viewer takes the covert information and displays it on the form. The form displays the information both as hexadecimal and as characters. Each of these is a set of 16 label controls that contain 16 characters. When a new covert character is received, the existing string in the control is modified by replacing the relevant character with the covert character.

6.5 Packet Sniffer

Figure 21 - from Packet Sniffer

The code shown in Figure 21 - from Packet Sniffer is used in both the sniffer and the covert viewer. It sets the socket option Receive All, which allows the socket to receive all packets. This is necessary as the socket will not be the primary target of the communication and is only a passive participant in it.

The laboratory used for developing, testing and obtaining results is as follows:

Figure 22 - Mini-laboratory

Web pages originally come from the MULL Server ( ) but, in fact, they are requested by the Reverse Proxy Server and sent to the client as if the proxy itself were the origin (see Figure 22 - Mini-laboratory). For obtaining results, extra hubs and a laptop were added at specific segments, according to the purpose of the test.

7 Results

Results are explained in this section by showing some screenshots of the tools that have been developed for monitoring the network traffic packets, for viewing the covert messages, for managing them and so on. It also includes results related to the capacity estimation, performance and payload.

7.1 Monitoring and detection

The monitoring is performed using the common method of placing the network card in promiscuous mode and sniffing the network traffic. It is well known that covert channels, like steganographic techniques, are highly difficult to detect. The methods designed for the DHIA are those related to the detection of sequences in the header fields of the different packets that propagate in the network. Other techniques, such as sensing extra traffic payload, analysing encrypted content or creating ad-hoc packets, have no effect. For monitoring, a special version of the Packet Network Sniffer has been developed (see Figure 23 - Packet Sniffer):

Figure 23 - Packet Sniffer

This version shows the covert index and the covert character values. From them, the packet Identification field value is calculated and, as can be seen, it appears as a standard value for this field. The CovertIndex field is taken from the sequencer field of the TCP header and represents the first byte of the Identification field (which is 16 bits long). The second byte holds the ASCII code of the character to be stored. Both values are summed to give the final value of the packet Identification field.

Figure 24 - Covert Viewer

The Covert Viewer (see Figure 24 - Covert Viewer) is the application that shows the covert message while you are navigating with your favourite Internet browser. In this case the message "This is a covert message from the heart of the universe 8-D" can be seen. The Covert Controller (see Figure 25 - Covert Controller) is on the server side, interacting with the Data Hiding Intelligent Agent embedded in the Reverse Proxy Server. From there, the covert messages can be managed through an XML file (see Figure 26 - Covert Controller XML file). The Covert Controller can send a general message, or a specific one if the remote IP address is specified; all outgoing packets to that address will then be manipulated to store the covert message. As an advanced feature, the port on which the connection has to be established for sending a specific covert message can also be specified (see Figure 26 - Covert Controller XML file for further details). To ensure that the performance would be good enough even on modest hardware, the server used for this implementation is a very old PC: a Pentium 166 MHz with 256 MB RAM, 2 network cards and an 8 GB hard disk. More details are given below.
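The rewrite described for the Covert Agent in section 6.1 and the index/character recovery done by the sniffer above, as an added example in C that is not the project's code: it builds constructed IPv4 headers, rewrites the Identification field as the agent does, then runs over the stream the check a sniffer would apply (an ID high byte that counts up by one per packet while the low byte stays printable ASCII). The header checksum recomputation, the minimum run length and all function names are assumptions not taken from the thesis.

```c
/* Added example (not the project's code): the IP Identification covert channel
 * applied by the Covert Agent and the index/character recovery done by the
 * Packet Sniffer, on constructed IPv4 headers. Names are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define IPV4_HDR_LEN 20 /* header without options */
#define MIN_RUN 3       /* shortest ascending run the sniffer reports (assumed) */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 791 header checksum; over a header whose checksum is valid it yields 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += get16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Any ID rewrite invalidates the checksum, so it is recomputed here (assumption:
 * the thesis does not say how the agent handles this). */
static void ipv4_fix_checksum(uint8_t *hdr)
{
    put16(hdr + 10, 0);
    put16(hdr + 10, ipv4_checksum(hdr, IPV4_HDR_LEN));
}

/* Constructed 20-byte IPv4/TCP header, 10.0.0.1 -> 10.0.0.2. */
void build_ipv4(uint8_t *hdr, uint16_t id, uint16_t total_len)
{
    memset(hdr, 0, IPV4_HDR_LEN);
    hdr[0] = 0x45;                 /* version 4, IHL 5 words */
    put16(hdr + 2, total_len);
    put16(hdr + 4, id);
    hdr[8] = 64; hdr[9] = 6;       /* TTL, protocol TCP */
    hdr[12] = 10; hdr[15] = 1;     /* source 10.0.0.1 */
    hdr[16] = 10; hdr[19] = 2;     /* destination 10.0.0.2 */
    ipv4_fix_checksum(hdr);
}

/* Agent side: high byte = offset of the character in the message (so the ID
 * keeps ascending, like a busy server's), low byte = ASCII character. */
uint16_t covert_id(uint8_t offset, char ch)
{
    return (uint16_t)(((uint16_t)offset << 8) | (uint8_t)ch);
}

/* Per-client state, after the thesis's covert information structure. */
struct covert_info { const char *msg; size_t offset; };

/* Rewrite one outgoing packet; returns 1 if modified, 0 once the message is
 * exhausted (one byte of offset limits a message to 256 characters). */
int inject_covert(uint8_t *hdr, struct covert_info *ci)
{
    if ((hdr[0] >> 4) != 4 || ci->offset > 255 || ci->msg[ci->offset] == '\0')
        return 0;
    put16(hdr + 4, covert_id((uint8_t)ci->offset, ci->msg[ci->offset]));
    ci->offset++;
    ipv4_fix_checksum(hdr);
    return 1;
}

/* Sniffer side: a run of packets whose ID high byte counts 0, 1, 2, ... while the
 * low byte stays printable is this channel's signature. Recovers the run into out
 * (NUL-terminated) and returns its length, or 0 if no run of MIN_RUN is found. */
size_t detect_covert(uint8_t pkts[][IPV4_HDR_LEN], size_t n, char *out, size_t cap)
{
    size_t found = 0;
    uint8_t expect = 0;
    for (size_t i = 0; i < n && found + 1 < cap; i++) {
        const uint8_t *h = pkts[i];
        if ((h[0] >> 4) != 4 || ipv4_checksum(h, IPV4_HDR_LEN) != 0)
            continue;                          /* not IPv4, or corrupt header */
        uint16_t id = get16(h + 4);
        uint8_t idx = (uint8_t)(id >> 8), ch = (uint8_t)id;
        if (idx != expect || !isprint(ch)) {
            if (found >= MIN_RUN) break;       /* a long enough run just ended */
            found = 0; expect = 0;             /* a short run is ordinary traffic */
            if (idx != 0 || !isprint(ch)) continue;
        }
        out[found++] = (char)ch;
        expect++;
    }
    if (found < MIN_RUN) found = 0;
    out[found] = '\0';
    return found;
}

/* End to end: a constructed stream with ordinary ascending IDs, the agent
 * rewriting packets from the third one on, then the sniffer reading it back. */
size_t demo(char *out, size_t cap)
{
    static uint8_t pkts[16][IPV4_HDR_LEN];
    struct covert_info ci = { "covert", 0 };
    for (size_t i = 0; i < 16; i++) {
        build_ipv4(pkts[i], (uint16_t)(0x4e20 + i), 60);
        if (i >= 2) inject_covert(pkts[i], &ci);
    }
    return detect_covert(pkts, 16, out, cap);   /* returns 6, out = "covert" */
}
```

Note that a busy server's ordinary ID counter also ascends, but by one in the low byte per packet, which is why the check keys on the high byte.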

Figure 25 - Covert Controller

Figure 26 - Covert Controller XML file

7.2 Prevention and Countermeasures

The prevention and countermeasures for communication based on covert channels will depend on the techniques against which protection is required. The use of the reverse proxy server as a middleware element implies a scenario based on a minimum of two connections: one made transparently by the user from his computer to the reverse proxy server, and the other between the reverse proxy server and the WWW server the user wants to navigate. This system allows easy control of the packets when they pass from one segment to another, and involves overwriting the Identification field, which automatically eliminates the original content of the field. The Identification field will not be used in communications which do not have fragmented data packets. This is because the window size of the TCP connection is normally large enough on interconnection systems.

7.3 Capacity, Performance and Payload

Figure 27 - Data-Hiding problem space

According to (Bender, Gruhl et al. 1996), each application of data hiding requires a different level of resistance to modification and a different embedded data rate. These form the theoretical data-hiding problem space (see Figure 27 - Data-Hiding problem space). There is an inherent trade-off between bandwidth and robustness, or the degree to which the data are immune to attack or to transformations that occur to the host signal through normal usage, e.g., compression, resampling, etc. The more data to be hidden, e.g., a caption for a photograph, the less secure the encoding. The less data to be hidden, e.g., a watermark, the more secure the encoding. In this section, both types of network packets (normal network packets and stego network packets) are measured to obtain results about the difference in capacity of network traffic.
(Ahsan 2002) concludes that capacity is one of the most significant performance measures of covert channels. The capacity estimation relates the cost of data hiding, both in terms of the time taken by the TCP/IP software to process a stego network packet and of protocol header overheads, with the total time to transmit a stego network packet from a source. Covert channel capacity is the number of bits used for data hiding per packet, which can be evaluated from the total time taken to transmit a stego network packet from the network layer. The capacity estimation is equivalent to the (Girling 1987) estimation, as the scenario presented in this Honours Project is also applicable to a LAN environment. Based on this, capacity can be estimated as follows:

Where:
T = Time to transmit a block of data (seconds)
S = Time used in software; independent of block size (seconds)
B = Size of transmitted block or frame [Ethernet] (bytes)
N = Size of network protocol overhead (bytes)
V = Network speed (bits per second)

Surprisingly, the results are proportionally quite similar to those obtained by (Girling 1987), as can be seen in Table 2 - Capacity estimation. A chart has been created for a clearer view (see Figure 28 - Capacity estimation).

Table 2 - Capacity estimation

Network Speed (V)   Frame Size (B)   Capacity (Girling 1987)   Capacity (This Project)
10 Mbps             64 octets        113 bits / sec            X
100 Mbps            64 octets        114 bits / sec            X
1000 Mbps           64 octets        114 bits / sec            X
10 Mbps             1518 octets      100 bits / sec            566 bits / sec
100 Mbps            1518 octets      113 bits / sec            669 bits / sec
1000 Mbps           1518 octets      114 bits / sec            679 bits / sec

Figure 28 - Capacity estimation (bits / sec, Girling's vs. this project, by type of network)

As can be seen in Table 2 - Capacity estimation, the software that has to be used for manipulating the header strongly affects the performance of network packet generation. The software proposed in this Honours Project offers better results in this respect; although a very old PC Pentium 166 MHz with 256 MB RAM was used, it is still better than the machine used by (Girling 1987), so the analysis has to focus on the proportionality of the results within the different scenarios. It has also been noticed that the results change depending on the technique used for this purpose. (Girling 1987) also concludes that channel capacity decreases as the size of the frame increases. Another interesting result that has been analysed is that the network speed does not considerably increase the covert channel capacity.

8 Conclusions and future work

Modern information systems provide a very rich environment for hiding data. The flexibility intentionally designed into network communications using the layered model makes identifying and exploiting covert channels easier than for stand-alone systems (Handel and Sandford 1996). This work has shown that applications that can operate in a middleware location and in a discreet mode, such as the Reverse Proxy Server presented in this Honours Project, can be essential components in the monitoring, detection and prevention of the use of information hiding techniques. The middleware location offers the possibility of observing the communication between the two parties. It is obvious that the existence of these two parties is inherent to any communication process; hence, being between these two parties is the most adequate position for the analysis of that communication. Doing this analysis in discreet mode is also essential as, if the parties detect that the communication is being observed and/or altered, they could change the original meaning of the communication. As explained throughout this Honours Project and demonstrated in the implementation, the Reverse Proxy Server is a highly strategic tool as it can interact with both sides: the users and the content servers. On the weaknesses side, the Reverse Proxy Server should be the only connection point between these parties as, if not, the user could reach the conclusion that the results obtained through the proxy server differ from those obtained by connecting directly to the content server. Those results are based on parameters such as the response timing, the packet route and so on.

Another weak point of the Reverse Proxy Server, identified through the test results, is that the time the component needs to manipulate the packets into which the covert message is injected can be too long for communications where high speed is required, such as applications where video and audio are carried over the network. Because of this, and as an experimental concept, the word intelligent was added to the agent in charge of the information hiding management, which is called Data Hiding Intelligent Agent. This indicates that it is essential to give some artificial intelligence to these kinds of operations, as this component should only act when the performance metrics are the appropriate ones. It is well known that in order to observe what takes place in a process and obtain metrics of the way it works, the process itself is somehow affected. Because it is important that the interception is not identified by the parties, the agent in charge of the information hiding management needs some capacity to act in the most optimised way within the established parameters so that it is not identified. Everything explained above would be part of a scenario where a corporation, company or association is affected by these techniques. But things would be very different if the scenario were one where someone wants to use these tools for direct covert communication with other people. This would be the case of a web server with apparently innocuous content that, in order to be accessed, requires going through the Reverse Proxy Server. The final user that deliberately wants to receive the covert message would not be affected at all by the time required by the Reverse Proxy Server and the Data Hiding Intelligent Agent. In this case the weak points would almost not exist in the covert message communication system, so future work should include research in the identification and detection of the use of these techniques; otherwise the use of these techniques in peer-to-peer scenarios would be difficult to detect.

The scope of this Honours Project also defines the problems that the Windows 2000/NT architecture causes in covert channel development, and proposed the use of the NDIS Hooking Filter Driver. Different aspects of working with this proprietary platform, such as packet retry control, the effects of having to install a driver, the massive use of this operating system, etc., will be aspects to develop in the future, but they need to be taken into account because, as the Microsoft Windows TCP/IP driver source code is not available, the only way of ensuring that the system works is through the control of its behaviour. It is also concluded that, although it has been possible to implement this Honours Project on Microsoft Windows platforms, the low performance level suggests future research in this area in order to obtain better speed metrics. This would include all the scenarios where these techniques could not be implemented by modifying the driver source code directly. I have the personal belief that there are better techniques that can improve the results obtained under Microsoft Windows, and this would be one of the future work areas. Due to this conclusion, a proposal for future research would be the design and implementation of a similar solution using the real-time systems methodology, that is, by using a hardware device that could integrate the functionality of the Reverse Proxy Server and the Data Hiding Intelligent Agent.

This hardware device could be located at any place between the user and the content server where their traffic can be seen. It would be integrated into a network by plugging the network cable from each side into it. In this case, Microsoft Windows would not be involved, and the analysis and manipulation of the traffic would be done through a program, presumably developed in C and integrated in the hardware device, which would without any doubt increase the performance and would be operating-system independent. Future work would continue with more extensive experiments that will involve the inclusion of new covert channel techniques associated with the manipulation of the header fields of any protocol of the TCP/IP suite (or other techniques that we are currently investigating, such as the use of the TTL field), the implementation of the techniques specified in this scenario in a hardware device, an extension to the Reverse Proxy Server to manage requests at different levels and with better performance under proprietary platforms, and the effect of all this under new versions of any of the protocols of the TCP/IP protocol suite, such as IP version 6. Regarding other protocols in the TCP/IP protocol suite, future work could be done on the manipulation of the TCP packet header. For example, the TCP header has a 6-bit field labelled as code bits (URG, ACK, PSH, RST, SYN, FIN). These bits determine the purpose and content of the TCP segment; these 6 bits tell a network how to interpret other fields in the header. This field allows 64 potential combinations, of which only 29 have a meaning. Managing this redundancy, a covert channel could be built through the TCP packet header. Protocols such as the IGMP

(Internet Group Management Protocol) and the ICMP (Internet Control Message Protocol) are also possible candidates for covert communication through the manipulation of their headers. Other examples can take place in other layers such as the application layer. The commonly used HTTP protocol has multiple possibilities for its structure to be used as a covert channel as well, as many parameters of this header are used in a way that creates space for storing extra information. Other important conclusions derived from this Honours Project concern the impact and use of these techniques in the running of our society. Our society is prepared to react to the detection of a problem, but things become more complicated if that problem is not only undetected but simply cannot be detected because it cannot be identified. As I usually comment to my colleagues, there is no worse attack than the one that cannot be identified. I have observed that in the current literature on these matters there is an attempt to apply methodology designed for cryptography to detect the use of steganographic or covert channel techniques. In my opinion, all cryptography-related matters should be taken into account and, probably, in some cases, the use of some of those proposals would help in the information hiding field, but I also believe that specific research in this area is required. It has always been said that these advanced information hiding techniques are held, and used, by terrorist groups, criminal bands, military organisations and so on. The nature of the main groups interested in the use of these techniques has a significant importance for society, so this matter has to be taken into account. The main problem of information hiding, specifically in steganography and covert channels, is that any apparently innocuous communication can contain a covert message.

This makes society highly vulnerable, especially nowadays when the exchange of information reaches very high volumes. In the current society, laws for the control of that information and the security of its custody are being developed. Even if those laws and controls are very advanced, the current techniques for covert channel communication can defeat their final aim. I will try to explain this with an example: a secretary needs the details of a customer. To obtain them she accesses the database through a software application. The data are stored in an encrypted form in the database and are decrypted by the software application. The database and the software application are on the secretary's PC, which is not connected to any type of wired or wireless network. The monitor faces the wall so that what is displayed cannot be seen by anyone else (I am specifying this because very often confidential information is obtained by seeing what the monitor displays through a window or from another desk using a mini-telescope). The secretary's computer is therefore isolated, and the monitor away from undesired viewers. How could we get the information that the secretary is viewing by using a system that appears innocuous? There are probably several answers to this question, but the one I have been working on is a middleware component that interacts very closely with the hardware abstraction layer (HAL on Microsoft Windows platforms) and is capable of slightly modifying the frequency that the video card produces for the monitor. This is inspired by spread spectrum techniques, another great field that can be related to information hiding.

Components of the monitor produce different low-level noise depending on the frequency at which it is working, which is called high-frequency background noise. This difference gives the chance of sending covert messages that can be received within the local area around the secretary by using an appropriate frequency scanner device. That middleware component could, in a more sophisticated scenario, be the display driver itself, just as it would also be possible for the Reverse Proxy Server and the Data Hiding Intelligent Agent to be implemented in a TCP/IP clone driver for Microsoft Windows platforms. As can be seen, this is an interesting area for research where I would like to go further.

9 References

Ahsan, K. (2002). Covert Channel Analysis and Data Hiding in TCP/IP. Department of Electrical and Computer Engineering, University of Toronto, Toronto.
Al-Ahmad, H. A. and M. A.-M. Mualla. Information Hiding: Steganography and Watermarking.
Anderson, R. (1996). Information Hiding: First International Workshop, Cambridge. Lecture Notes in Computer Science.
Apache (2001). HTTP Server documentation, v. 1.3. httpd.apache.org/docs.
Bender, W., D. Gruhl, et al. (1996). "Techniques for Data Hiding." IBM Systems Journal 35.
Berg, S. (1998). Glossary of Computer Security Terms. Technical Report NCSC-TG-004, National Computer Security Centre.
Boehm, B. W. (1988). A Spiral Model of Software Development and Enhancement. 5th International Software Process Workshop, 61-72, IEEE Computer Society Press.
Buchanan, W. and D. Llamas (2004). Covert Channel Analysis and Detection with Reverse Proxy Servers using Microsoft Windows. The 3rd European Conference on Information Warfare and Security, Royal Holloway, University of London, UK, Management Centre International Limited.
deVivo, M., G. O. deVivo, et al. (1999). "Internet Vulnerabilities Related to TCP/IP." SIGCOMM Computer Communication Review 29.
Divine, T. F. (2002). Windows Network Data and Packet Filtering. Printing Communications Assoc., Inc.
Doraswamy, N. and D. Harkins (1999). IPSec: The New Security Standard for the Internet, Intranets and Virtual Private Networks. Prentice Hall.
Girling, C. G. (1987). Covert Channels in LANs. IEEE Transactions on Software Engineering.
Gligor, V. D. (1993). A Guide to Understanding Covert Channel Analysis of Trusted Systems. National Computer Security Centre.

Handel, T. G. and M. T. Sandford (1996). Hiding Data in OSI Model. Information Hiding: First International Workshop, Cambridge, Springer.
Huang, C.-H. (2002). Digital Watermarking. Communication and Multimedia Lab, Department of CSIE, NTU.
HyperDictionary (2003). HyperDictionary.
Johnson, N. F. and S. Jajodia (1998). "Exploring Steganography: Seeing the Unseen." IEEE Computer, Feb 1998.
Johnston, P. (2003). The TCP/IP protocol suite.
Kahn, D. (1996). The Code Breakers. New York, Scribner.
Katzenbeisser, S. and F. A. P. Petitcolas, eds. (2000). Information Hiding Techniques for Steganography and Digital Watermarking. Artech House Computer Security Series. Boston, Artech House.
Lampson, W. (1973). "A Note on the Confinement Problem." Communications of the ACM 16(10).
Lawson, A. and A. Varey (2001). Project Handbook, Napier University.
Lipner, S. B. (1975). "A Note on the Confinement Problem." Operating Systems Review 9(5).
McHugh, J. (1995). "Covert Channel Analysis." Handbook for the Computer Security Certification of Trusted Systems.
Microsoft Corporation (2000). kit/en-us/tcpip/part4/tcpappb.mspx.
Petitcolas, F., R. Anderson, et al. (1999). Information Hiding - A Survey. Proceedings of the IEEE.
Pfitzmann, B. (1996). Information Hiding Terminology. Information Hiding: First International Workshop, Cambridge, Springer.
Proctor, N. E. and P. G. Neumann (1992). "Architectural Implications of Covert Channels." Proceedings of the 15th National Computer Security Conference.

RFC 2403 (1996). "HMAC-MD5-96."
RFC 2404 (1996). "HMAC-SHA-96."
RFC 2405 (2000). "DES-CBC."
Rowland, C. H. (1996). "Covert Channels in the TCP/IP Protocol Suite." First Monday, Peer-Reviewed Journal on the Internet.
Venkatesh, B. (2003). Securing Network Protocols Using Active Wardens. Computing Department, Arizona State University, Arizona.
Wolf, M. (1989). "Covert Channels in LAN Protocols." LANSEC 89.
Wrixon, F. B. (1998). Codes, Ciphers & Other Cryptic & Clandestine Communication. New York, Black Dog & Leventhal Publishers, Inc.

10 Appendix

10.1 Honours Project Contract

10.2 Diary sheets

10.3 ECIW 2004 Conference paper


More information

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled

More information

Protocol Data Hiding. By Chet Hosmer Article Posted: March 06, 2012

Protocol Data Hiding. By Chet Hosmer Article Posted: March 06, 2012 Protocol Data Hiding By Chet Hosmer Article Posted: March 06, 2012 On Cinco de Mayo in 1997, which happened to be the first Monday in May that year, the Hacker Publication First Monday included an article

More information

Detect Covert Channels in TCP/IP Header using Naive Bayes

Detect Covert Channels in TCP/IP Header using Naive Bayes Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 5, May 2015, pg.881

More information

Data and Computer Communications. Chapter 2 Protocol Architecture, TCP/IP, and Internet-Based Applications

Data and Computer Communications. Chapter 2 Protocol Architecture, TCP/IP, and Internet-Based Applications Data and Computer Communications Chapter 2 Protocol Architecture, TCP/IP, and Internet-Based s 1 Need For Protocol Architecture data exchange can involve complex procedures better if task broken into subtasks

More information

Introduction to Protocols

Introduction to Protocols Chapter 6 Introduction to Protocols 1 Chapter 6 Introduction to Protocols What is a Network Protocol? A protocol is a set of rules that governs the communications between computers on a network. These

More information

Peer entities. Protocol Layering. Protocols. Example

Peer entities. Protocol Layering. Protocols. Example Peer entities Protocol Layering An Engineering Approach to Computer Networking Customer A and B are peers Postal worker A and B are peers Protocols A protocol is a set of rules and formats that govern

More information

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1 IPSec Slides by Vitaly Shmatikov UT Austin slide 1 TCP/IP Example slide 2 IP Security Issues Eavesdropping Modification of packets in transit Identity spoofing (forged source IP addresses) Denial of service

More information

Introduction to Steganography

Introduction to Steganography POLYTECHNIC UNIVERSITY Department of Computer and Information Science Introduction to Steganography K. Ming Leung Abstract: This material deals with the history and an introduction to the art and science

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided. 223 Chapter 19 Inter mediate TCP The Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols was developed as part of the research that the Defense Advanced Research Projects Agency

More information

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure

More information

CTS2134 Introduction to Networking. Module 08: Network Security

CTS2134 Introduction to Networking. Module 08: Network Security CTS2134 Introduction to Networking Module 08: Network Security Denial of Service (DoS) DoS (Denial of Service) attack impacts system availability by flooding the target system with traffic or by exploiting

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

ECE4110 Internetwork Programming. Introduction and Overview

ECE4110 Internetwork Programming. Introduction and Overview ECE4110 Internetwork Programming Introduction and Overview 1 EXAMPLE GENERAL NETWORK ALGORITHM Listen to wire Are signals detected Detect a preamble Yes Read Destination Address No data carrying or noise?

More information

Guide to Networking Essentials, 6 th Edition. Chapter 6: Network Reference Models and Standards

Guide to Networking Essentials, 6 th Edition. Chapter 6: Network Reference Models and Standards Guide to Networking Essentials, 6 th Edition Chapter 6: Network Reference Models and Standards Objectives Explain the OSI reference model layers and their relationship to hardware and software Explain

More information

Layering in Networked computing. OSI Model TCP/IP Model Protocols at each layer

Layering in Networked computing. OSI Model TCP/IP Model Protocols at each layer Layering in Networked computing OSI Model TCP/IP Model Protocols at each layer Learning outcomes Understand the need of layering in Networked computing Understand the OSI model and the tcp/ip model Understand

More information

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols Guide to Networking Essentials, 6 th Edition Chapter 5: Network Protocols Objectives Describe the purpose of a network protocol, the layers in the TCP/IP architecture, and the protocols in each TCP/IP

More information

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography and Network Security. Sixth Edition by William Stallings Cryptography and Network Security Sixth Edition by William Stallings Chapter 20 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with

More information

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of

More information

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

ETSF05/ETSF10 Internet Protocols Network Layer Protocols ETSF05/ETSF10 Internet Protocols Network Layer Protocols 2016 Jens Andersson Agenda Internetworking IPv4/IPv6 Framentation/Reassembly ICMPv4/ICMPv6 IPv4 to IPv6 transition VPN/Ipsec NAT (Network Address

More information

Network and Security: Introduction

Network and Security: Introduction Network and Security: Introduction Seungwon Shin KAIST Some slides are from Dr. Srinivasan Seshan Some slides are from Dr. Nick Mckeown Network Overview Computer Network Definition A computer network or

More information

SEN366 (SEN374) (Introduction to) Computer Networks

SEN366 (SEN374) (Introduction to) Computer Networks SEN366 (SEN374) (Introduction to) Computer Networks Prof. Dr. Hasan Hüseyin BALIK (12 th Week) The Internet Protocol 12.Outline Principles of Internetworking Internet Protocol Operation Internet Protocol

More information

Operating Systems. 16. Networking. Paul Krzyzanowski. Rutgers University. Spring /6/ Paul Krzyzanowski

Operating Systems. 16. Networking. Paul Krzyzanowski. Rutgers University. Spring /6/ Paul Krzyzanowski Operating Systems 16. Networking Paul Krzyzanowski Rutgers University Spring 2015 1 Local Area Network (LAN) LAN = communications network Small area (building, set of buildings) Same, sometimes shared,

More information

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to 1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats

More information

On the Internet, nobody knows you re a dog.

On the Internet, nobody knows you re a dog. On the Internet, nobody knows you re a dog. THREATS TO DISTRIBUTED APPLICATIONS 1 Jane Q. Public Big Bank client s How do I know I am connecting to my bank? server s Maybe an attacker...... sends you phishing

More information

Networking Quality of service

Networking Quality of service System i Networking Quality of service Version 6 Release 1 System i Networking Quality of service Version 6 Release 1 Note Before using this information and the product it supports, read the information

More information

Lecture (03) (I) OSI Reference Model

Lecture (03) (I) OSI Reference Model Agenda Lecture (03) (I) OSI Reference Model Dr. Ahmed M. ElShafee History OSI Layers Layers function OSI & TCP/IP & NetWare Example protocols OSI Layering Concepts and Benefits OSI Terminologies ١ ٢ History

More information

CHAPTER 8 FIREWALLS. Firewall Design Principles

CHAPTER 8 FIREWALLS. Firewall Design Principles CHAPTER 8 FIREWALLS Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world

More information

Switching on our smartphone and sending an to a friend living 5000 km from our home is something that we take for granted, but that involves a

Switching on our smartphone and sending an  to a friend living 5000 km from our home is something that we take for granted, but that involves a Switching on our smartphone and sending an email to a friend living 5000 km from our home is something that we take for granted, but that involves a lot of very complex processes and has to take into account

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Chapter -4 OSI Reference Model

Chapter -4 OSI Reference Model Chapter -4 OSI Reference Model Objectives Concept of Reference Model. OSI Reference Model Concept. Layers of OSI Reference Model. 4.1 Introduction Layered Architecture, Peer-to- Peer Processes, Interfaces

More information

STEGANOGRAPHY: THE ART OF COVERT COMMUNICATION

STEGANOGRAPHY: THE ART OF COVERT COMMUNICATION Journal homepage: www.mjret.in STEGANOGRAPHY: THE ART OF COVERT COMMUNICATION Sudhanshi Sharma 1, Umesh Kumar 2 Computer Engineering, Govt. Mahila Engineering College, Ajmer, India 1 sudhanshisharma91@gmail.com,

More information

Need For Protocol Architecture

Need For Protocol Architecture Chapter 2 CS420/520 Axel Krings Page 1 Need For Protocol Architecture E.g. File transfer Source must activate communications path or inform network of destination Source must check destination is prepared

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

6 Computer Networks 6.1. Foundations of Computer Science Cengage Learning

6 Computer Networks 6.1. Foundations of Computer Science Cengage Learning 6 Computer Networks 6.1 Foundations of Computer Science Cengage Learning Objectives After studying this chapter, the student should be able to: 6.2 Describe network criteria, physical structures and categories

More information

Network Security and Cryptography. 2 September Marking Scheme

Network Security and Cryptography. 2 September Marking Scheme Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,

More information

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

interface Question 1. a) Applications  nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer TDTS06 Computer networks, August 23, 2008 Sketched answers to the written examination, provided by Juha Takkinen, IDA, juhta@ida.liu.se. ( Sketched means that you, in addition to the below answers, need

More information

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

Advanced Security and Mobile Networks

Advanced Security and Mobile Networks WJ Buchanan. ASMN (1) Advanced Security and Mobile Networks Unit 1: Network Security Application Presentation Session Transport Network Data Link Physical OSI Application Transport Internet Internet model

More information

CyberP3i Course Module Series

CyberP3i Course Module Series CyberP3i Course Module Series Spring 2017 Designer: Dr. Lixin Wang, Associate Professor Firewall Configuration Firewall Configuration Learning Objectives 1. Be familiar with firewalls and types of firewalls

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure

More information

Need For Protocol Architecture

Need For Protocol Architecture Chapter 2 CS420/520 Axel Krings Page 1 Need For Protocol Architecture E.g. File transfer Source must activate communications path or inform network of destination Source must check destination is prepared

More information

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide

More information

WLAN Security Overview

WLAN Security Overview WLAN Security Overview This Chapter Explore the basic terminology of WLAN security. Discuss the organizations that create the standards, certifications, and recommendations that help guide and direct wireless

More information

e-commerce Study Guide Test 2. Security Chapter 10

e-commerce Study Guide Test 2. Security Chapter 10 e-commerce Study Guide Test 2. Security Chapter 10 True/False Indicate whether the sentence or statement is true or false. 1. Necessity refers to preventing data delays or denials (removal) within the

More information

Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise

Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise System z Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise SC28-6880-00 System z Integrating the Hardware Management Console s Broadband Remote Support

More information

Chapter 5.6 Network and Multiplayer

Chapter 5.6 Network and Multiplayer Chapter 5.6 Network and Multiplayer Multiplayer Modes: Event Timing Turn-Based Easy to implement Any connection type Real-Time Difficult to implement Latency sensitive 2 Multiplayer Modes: Shared I/O Input

More information

Security Device Roles

Security Device Roles Kennesaw State University DigitalCommons@Kennesaw State University KSU Proceedings on Cybersecurity Education, Research and Practice 2017 KSU Conference on Cybersecurity Education, Research and Practice

More information

Fundamentals of Networking. OSI & TCP/IP Model. Kuldeep Sonar 1

Fundamentals of Networking. OSI & TCP/IP Model. Kuldeep Sonar 1 Fundamentals of Networking OSI & TCP/IP Model Kuldeep Sonar 1 Kuldeep Sonar 2 OSI Model Kuldeep Sonar 3 Application Layer Layer 7 provides an interface between a host s communication software and any necessary

More information

Port-Scanning Resistance in Tor Anonymity Network. Presented By: Shane Pope Dec 04, 2009

Port-Scanning Resistance in Tor Anonymity Network. Presented By: Shane Pope Dec 04, 2009 Port-Scanning Resistance in Tor Anonymity Network Presented By: Shane Pope (Shane.M.Pope@gmail.com) Dec 04, 2009 In partial fulfillment of the requirements for graduation with the Dean's Scholars Honors

More information

APPENDIX F THE TCP/IP PROTOCOL ARCHITECTURE

APPENDIX F THE TCP/IP PROTOCOL ARCHITECTURE APPENDIX F THE TCP/IP PROTOCOL ARCHITECTURE William Stallings F.1 TCP/IP LAYERS... 2 F.2 TCP AND UDP... 4 F.3 OPERATION OF TCP/IP... 6 F.4 TCP/IP APPLICATIONS... 10 Copyright 2014 Supplement to Computer

More information

AppleTalk. Chapter Goals. Introduction CHAPTER

AppleTalk. Chapter Goals. Introduction CHAPTER 35 CHAPTER Chapter Goals Describe the development history of the protocol, used almost exclusively in Macintosh computers. Describe the components of networks and extended network. Discuss the primary

More information

1: Review Of Semester Provide an overview of encapsulation.

1: Review Of Semester Provide an overview of encapsulation. 1: Review Of Semester 1 1.1.1.1. Provide an overview of encapsulation. Networking evolves to support current and future applications. By dividing and organizing the networking tasks into separate layers/functions,

More information

COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS. Web Access: HTTP Mehmet KORKMAZ

COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS. Web Access: HTTP Mehmet KORKMAZ COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS Web Access: HTTP 16501018 Mehmet KORKMAZ World Wide Web What is WWW? WWW = World Wide Web = Web!= Internet Internet is a global system of interconnected computer

More information

Service Managed Gateway TM. Configuring IPSec VPN

Service Managed Gateway TM. Configuring IPSec VPN Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling

More information

Networking and Health Information Exchange: ISO Open System Interconnection (OSI)

Networking and Health Information Exchange: ISO Open System Interconnection (OSI) Networking and Health Information Exchange: ISO Open System Interconnection (OSI) Lecture 4 Audio Transcript Slide 1 Welcome to Networking and Health Information Exchange, ISO Open System Interconnection

More information

... Lecture 10. Network Security I. Information & Communication Security. Prof. Dr. Kai Rannenberg

... Lecture 10. Network Security I. Information & Communication Security. Prof. Dr. Kai Rannenberg Lecture 10 Network Security I Information & Communication Security (SS 2011) Prof. Dr. Kai Rannenberg T-Mobile Chair of Mobile Business & Multilateral Security Goethe University Frankfurt a. M. Agenda

More information

Data Communication and Network. Introducing Networks

Data Communication and Network. Introducing Networks Data Communication and Network Introducing Networks Introduction to Networking Computer network, or simply network Refers to the connection of two or more computers by some type of medium You can connect

More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964 The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

Operating Systems Design Exam 3 Review: Spring 2011

Operating Systems Design Exam 3 Review: Spring 2011 Operating Systems Design Exam 3 Review: Spring 2011 Paul Krzyzanowski pxk@cs.rutgers.edu 1 1. Why does an IP driver need to use ARP, the address resolution protocol? IP is a logical network. An IP address

More information

Networks: Access Management

Networks: Access Management Networks: Access Management Class Notes # 3 Protocols and Layers (part 1) September 19, 2003 Functions A small set of functions form the basis of all protocols. Not all protocols have all functions; this

More information

8. Network Layer Contents

8. Network Layer Contents Contents 1 / 43 * Earlier Work * IETF IP sec Working Group * IP Security Protocol * Security Associations * Authentication Header * Encapsulation Security Payload * Internet Key Management Protocol * Modular

More information

Implementation of a Covert Channel in the Header

Implementation of a Covert Channel in the Header Implementation of a Covert Channel in the 802.11 Header Lilia Frikha 1, Zouheir Trabelsi 2, and Wassim El-Hajj 2 1 Ecole Supérieure des Communications de Tunis (SupCom), Al Ghazala, Ariana, Tunisia 2 UAE

More information

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking 1 Review of TCP/IP working Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path Frame Path Chapter 3 Client Host Trunk Link Server Host Panko, Corporate

More information

Steganography. John Von Dollen. Ron Lepper. Coen 150: Information Security Systems

Steganography. John Von Dollen. Ron Lepper. Coen 150: Information Security Systems Steganography John Von Dollen Ron Lepper Coen 150: Information Security Systems May 17, 2004 Abstract: While technology increases, the amount of privacy provided by simply encrypting a message decreases.

More information

CS 356 Internet Security Protocols. Fall 2013

CS 356 Internet Security Protocols. Fall 2013 CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5

More information

DATA COMMUNICATION AND NETWORKS

DATA COMMUNICATION AND NETWORKS DATA COMMUNICATION AND NETWORKS A/L Guide TERAN SUBASINGHE Data Communication What is data communication? Data Communication is a process of exchanging data or information between two or more devices along

More information

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12 TCP/IP Networking Training Details Training Time : 9 Hours Capacity : 12 Prerequisites : There are no prerequisites for this course. About Training About Training TCP/IP is the globally accepted group

More information

ITEC 3800 Data Communication and Network. Introducing Networks

ITEC 3800 Data Communication and Network. Introducing Networks ITEC 3800 Data Communication and Network Introducing Networks Introduction to Networking Computer network, or simply network Refers to the connection of two or more computers by some type of medium You

More information

Computer Networks. More on Standards & Protocols Quality of Service. Week 10. College of Information Science and Engineering Ritsumeikan University

Computer Networks. More on Standards & Protocols Quality of Service. Week 10. College of Information Science and Engineering Ritsumeikan University Computer Networks More on Standards & Protocols Quality of Service Week 10 College of Information Science and Engineering Ritsumeikan University Introduction to Protocols l A protocol is a set of rules

More information

Interface The exit interface a packet will take when destined for a specific network.

Interface The exit interface a packet will take when destined for a specific network. The Network Layer The Network layer (also called layer 3) manages device addressing, tracks the location of devices on the network, and determines the best way to move data, which means that the Network

More information

4.1 DESIGN ISSUES OF TRANSPORT LAYER 4.2 DESIGN ISSUES OF SESSION LAYER 4.3 DESIFN ISSUES OF PRESENTATION LAYER 4.5 TCP WINDOW MANAGEMENT

4.1 DESIGN ISSUES OF TRANSPORT LAYER 4.2 DESIGN ISSUES OF SESSION LAYER 4.3 DESIFN ISSUES OF PRESENTATION LAYER 4.5 TCP WINDOW MANAGEMENT UNIT-4 4.1 DESIGN ISSUES OF TRANSPORT LAYER 4.2 DESIGN ISSUES OF SESSION LAYER 4.3 DESIFN ISSUES OF PRESENTATION LAYER 4.4 CONNECTION MANAGEMENT & THREE WAY HANDSHAKE 4.5 TCP WINDOW MANAGEMENT 4.6 REMOTE

More information

Chapter 7. Local Area Network Communications Protocols

Chapter 7. Local Area Network Communications Protocols Chapter 7 Local Area Network Communications Protocols The Network Layer The third layer of the OSI Model is the network layer. The network layer is concerned with providing a means for hosts to communicate

More information

Chapter 2 Network Models 2.1
