Research On Covert Channels Based On Network Protocol

Posted on: 2016-10-15
Degree: Master
Type: Thesis
Country: China
Candidate: T T Zhang
GTID: 2348330488955629
Subject: Engineering

Abstract/Summary:
Communication security is one of the central issues in network security. Information that is not well protected can easily be tampered with during communication, which may bring significant losses to users. As a kind of security technology, covert channels provide one method of protecting communication. Initially proposed as a security threat on monolithic systems, covert channels have extended to network protocols with the spread of computer networks. The huge amount of data and the vast number of different protocols on the Internet make network traffic a good vehicle for covert communication.

Traditionally, covert channels are classified into storage channels and timing channels. Based on an in-depth analysis of the principles and formats of various Internet protocols, we study covert channels built on three protocols: ICMP, HTTP and DNS. The main work and contributions of this paper are as follows:

(1) A storage covert channel based on the ICMP payload is implemented, tunneling arbitrary information in the payload of ICMP packets. Embedding too much data in the ICMP payload would arouse suspicion, so the implementation limits the payload size and applies suitable coding and encryption to further obscure the embedded data.

(2) A covert timing channel based on HTTP is implemented. The ETag field of the HTTP response header provides the current value of the entity tag for the requested variant, and covert data can be transmitted by manipulating this field. Given the huge amount of HTTP traffic, this timing covert channel resists detection well.

(3) A covert storage channel based on multiple fields of DNS is proposed. Because DNS runs over UDP, a covert channel based on DNS is inherently unreliable. To solve this problem, we make combined use of multiple DNS fields to achieve reliable communication: the TTL field is manipulated to transmit the covert data, while the Query Name and the resource record data field carry the sequencing information and the checksum of the covert data, respectively.

The traffic through these channels is examined with security detection software, and the detection results show that the first two covert channels have good security, and that the third channel has good security as well as reliability.
Keywords/Search Tags: Covert channel, ICMP, HTTP, DNS, TTL
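A defender-side check for the DNS channel described in item (3), added here as an example and not taken from the thesis: because the covert data rides in the TTL field, authoritative answers for one zone show far more distinct TTL values than a normally configured zone does. The record layout, the thresholds and the two-label zone heuristic are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample: (responding server, query name, AA flag, answer TTL).
# Addresses and names are documentation/example values, not captured traffic.
SAMPLE = [
    ("192.0.2.53", "www.example.com", True, 3600),
    ("192.0.2.53", "mail.example.com", True, 3600),
    ("192.0.2.53", "api.example.com", True, 300),
    ("192.0.2.53", "cdn.example.com", True, 300),
    ("192.0.2.53", "www.example.com", True, 3600),
    ("192.0.2.53", "static.example.com", True, 3600),
    ("198.51.100.7", "s0001.example.net", True, 18277),
    ("198.51.100.7", "s0002.example.net", True, 25964),
    ("198.51.100.7", "s0003.example.net", True, 7021),
    ("198.51.100.7", "s0004.example.net", True, 30313),
    ("198.51.100.7", "s0005.example.net", True, 11852),
    ("198.51.100.7", "s0006.example.net", True, 29541),
    ("203.0.113.9", "www.example.org", False, 287),  # cached answer
    ("203.0.113.9", "www.example.org", False, 251),  # same record, TTL counted down
]

def zone_of(qname):
    """Naive zone key: last two labels (assumption; use the Public Suffix List in practice)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def profile(records):
    """Collect TTLs and query names of authoritative answers per (server, zone)."""
    groups = defaultdict(lambda: {"ttls": [], "names": set()})
    for server, qname, aa, ttl in records:
        if not aa:
            continue  # resolvers count cached TTLs down, so only AA answers compare
        group = groups[(server, zone_of(qname))]
        group["ttls"].append(ttl)
        group["names"].add(qname.lower())
    return groups

def suspicious_zones(records, min_answers=6, threshold=0.5):
    """Return {(server, zone): (distinct-TTL ratio, unique-name ratio)} for zones
    whose authoritative TTLs vary more than `threshold` (illustrative value).
    The name ratio is supporting context: per-message sequencing in the query
    name makes almost every name unique."""
    flagged = {}
    for key, group in profile(records).items():
        n = len(group["ttls"])
        ttl_ratio = len(set(group["ttls"])) / n
        if n >= min_answers and ttl_ratio > threshold:
            flagged[key] = (round(ttl_ratio, 2), round(len(group["names"]) / n, 2))
    return flagged
```

On the constructed sample only the `example.net` server is flagged; the zone with two configured TTL values and the cached, counting-down answers are not.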