Tuesday, 13 September 2016
How to optimize the stealthiness of covert channels?
Covert channels are created by network steganographic methods. They usually embed hidden data into parts of network packets (e.g. into fields of the header). In early 2012, I was trying to optimize such a placement of hidden data into network protocols. This posting summarizes the idea of the resulting paper.
For a covert channel, some secret data D must be hidden within a network protocol P. Several hiding tools simply select an area of the protocol P to place the hidden data D into. Such an approach, however, does not result in optimal stealthiness (or: covertness).
Our idea in only one paragraph:
We propose to model the protocol P using a simple formal grammar, and we model D the same way. We model the grammar for P according to the standard of P (e.g. the RFC specification), and we model the grammar for D according to the structure of the type of data (e.g. it can be another protocol, as shown in our paper, but it can also have the structure of JPEG images, ASCII text or any other type of data). Every symbol in the grammars represents a bit of P (we map both grammars' symbol sets to each other). Afterwards, we check whether all the words that can be produced by the language L(D) can also be produced by the language L(P). In other words, we check whether the embedding of hidden data D can produce some bit combination (e.g. a header flag combination) that cannot occur in P without violating P's protocol specification and would thus make detection easier (due to an anomaly). We present a framework that ensures that such a violation of P's rules cannot be caused when D is hidden in P.
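The inclusion check described above, worked through as an added example (not code from the paper): it enumerates L(D) and L(P) for small grammars and reports the words of L(D) that fall outside L(P), which are exactly the spec-violating bit combinations a monitor can flag. The three-bit header, its rule and all grammars are constructed for illustration; the code assumes single-character symbols and no empty productions.

```python
from collections import deque

def language(grammar, start="S", max_len=8):
    """Return every terminal word of length <= max_len derivable from start.

    Assumes single-character symbols and no empty productions, so a
    sentential form longer than max_len can never shrink back under it.
    """
    words, seen = set(), {(start,)}
    queue = deque([(start,)])
    while queue:
        form = queue.popleft()
        # Expand the leftmost nonterminal; a form without one is a word.
        idx = next((i for i, s in enumerate(form) if s in grammar), None)
        if idx is None:
            words.add("".join(form))
            continue
        for production in grammar[form[idx]]:
            new = form[:idx] + tuple(production) + form[idx + 1:]
            if len(new) <= max_len and new not in seen:
                seen.add(new)
                queue.append(new)
    return words

def spec_violations(g_data, g_proto, max_len=8):
    """Words of L(D) that are not in L(P): the anomalies a monitor can flag."""
    return sorted(language(g_data, max_len=max_len)
                  - language(g_proto, max_len=max_len))

# Constructed protocol P: three flag bits a, b, c.
# Constructed rule: c may be set only when a is set.
P = {"S": ["0B0", "1BC"], "B": ["0", "1"], "C": ["0", "1"]}

# Constructed data grammar that writes bits b and c freely with a = 0.
D_FREE = {"S": ["0XX"], "X": ["0", "1"]}
# Constructed data grammar restricted to bit b only.
D_SAFE = {"S": ["0X0"], "X": ["0", "1"]}

if __name__ == "__main__":
    print("L(P)            :", sorted(language(P)))
    print("D_FREE outside P:", spec_violations(D_FREE, P))
    print("D_SAFE outside P:", spec_violations(D_SAFE, P))
```

An empty result means L(D) is a subset of L(P) up to the length bound; any listed word is a bit pattern the protocol specification never produces.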
Read the paper:
The resulting paper is probably titled in an audience-misleading way: Systematic Engineering of Control Protocols for Covert Channels, Proc. 13th CMS, Springer, 2012. The title suggests that the work only deals with control protocols for covert channels, but as mentioned above, the general idea of using formal grammars to ensure protocol-conforming data hiding can be applied to basically all types of data/payload.
PS. Another paper on optimizing the stealthiness of covert channels (a predecessor of the above-mentioned paper) is this one: Low-attention forwarding for mobile network covert channels, Proc. 12th CMS, Springer, 2011.