In network steganography research, a covert channel is a stealthy communication channel. Some covert channels are capable of performing a so-called Network Environment Learning phase (NEL phase). Such NEL-capable covert channels can determine
- how exactly data can be covertly exchanged between sender and receiver, and
- which types of stealthy data transmissions will be blocked or modified by an active warden (e.g. a firewall or a traffic normalizer).
Although the NEL phase was already discussed in academia in 2008, no implementation was made available and my requests for a demo or code remained unanswered by the authors of that paper. Anyway, I wanted to use a NEL phase for my PhD. During my doctorate, I published work that extended the concept of the NEL phase (see references below) to make it more sophisticated.
In 2016, we decided to work on a new research paper for which we needed such a NEL implementation. While my PhD used only a very basic NEL concept that required lots of work by hand and was not fully automated, I now decided to implement a complete NEL phase for this new paper and release it to the public under an open source license even before our paper was published (I uploaded the code to GitHub in mid-May).
In a nutshell, this NEL tool provides the first public implementation of a NEL phase on the basis of scapy and libpcap. It is no masterpiece; it just works, and it allows one to perform measurements, in the sense that one can measure the effect of an active warden on the NEL phase. The NEL tool is written in C and runs best under Linux.
- NEL tool code repository on GitHub: https://github.com/cdpxe/NELphase
- Documentation: https://github.com/cdpxe/NELphase/blob/master/documentation/README.md
- List of my other covert channel tools: http://steffen-wendzel.blogspot.de/p/covert-channel-software.html
- under review: W. Mazurczyk, S. Wendzel, M. Chourib, J. Keller: You Shall Not Pass: Countering Network Covert Channels with Dynamic Wardens
- S. Wendzel (2012): The Problem of Traffic Normalization Within a Covert Channel's Network Environment Learning Phase, Proc. Sicherheit 2012, LNI vol. 195, pp. 149-161, 2012.