Article

Embedding covert channels into TCP/IP

Authors:

Steven J. Murdoch,

Stephen LewisAuthors Info & Claims

IH'05: Proceedings of the 7th international conference on Information Hiding

Pages 247 - 261

https://doi.org/10.1007/11558859_19

Published: 06 June 2005 Publication History

Abstract

It is commonly believed that steganography within TCP/IP is easily achieved by embedding data in header fields seemingly filled with “random” data, such as the IP identifier, TCP initial sequence number (ISN) or the least significant bit of the TCP timestamp. We show that this is not the case; these fields naturally exhibit sufficient structure and non-uniformity to be efficiently and reliably differentiated from unmodified ciphertext. Previous work on TCP/IP steganography does not take this into account and, by examining TCP/IP specifications and open source implementations, we have developed tests to detect the use of naïve embedding. Finally, we describe reversible transforms that map block cipher output onto TCP ISNs, indistinguishable from those generated by Linux and OpenBSD. The techniques used can be extended to other operating systems. A message can thus be hidden so that an attacker cannot demonstrate its existence without knowing a secret key.

References

[1]

Simmons, G.J.: The prisoners' problem and the subliminal channel. In Chaum, D., ed.: Crypto '83. Advances in Cryptography, Plenum Press (1983) 51-67.

[2]

Handel, T., Sandford, M.: Hiding data in the OSI network model. In Anderson, R., ed.: Information Hiding. Volume 1174 of Lecture Notes in Computer Science., Springer-Verlag (1996) 23-38.

Digital Library

[3]

Szczypiorski, K.: HICCUPS: Hidden communication system for corrupted networks. In: International Multi-Conference on Advanced Computer Systems. (2003) 31-40 http://krzysiek.tele.pw.edu.pl/pdf/acs2003-hiccups.pdf.

[4]

Postel, J.: STD7: Transmission control protocol. IETF (1981).

[5]

Postel, J.: STD5: Internet protocol. IETF (1981).

[6]

Lucena, N.B., Lewandowski, G., Chapin, S.J.: Covert channels in IPv6. In: 5th Privacy Enhancing Technologies Workshop. (2005).

Digital Library

[7]

Fisk, G., Fisk, M., Papadopoulos, C., Neil, J.: Eliminating steganography in Internet traffic with active wardens. In Petitcolas, F., ed.: Information Hiding. Volume 2578 of Lecture Notes in Computer Science., Springer-Verlag (2002) 18-35.

Digital Library

[8]

Handley, M., Paxson, V., Kreibich, C.: Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In: 10th Usenix Security Symposium. (2001).

Digital Library

[9]

Jacobson, V., Braden, R., Borman, D.: RFC1323: TCP extensions for high performance. IETF (1992).

[10]

Fyodor: Idle scanning and related IPID games (2001) http://www.insecure.org/- nmap/idlescan.html.

[11]

Ahsan, K., Kundur, D.: Practical data hiding in TCP/IP. In: ACM Workshop on Multimedia and Security. (2002) http://ee.tamu.edu/~deepa/pdf/acm02.pdf.

[12]

Mogul, J., Deering, S.: RFC1191: Path MTU discovery. IETF (1990).

[13]

Bellovin, S.M.: Security problems in the TCP/IP protocol suite. Computer Communication Review 19 (1989) 32-48.

Digital Library

[14]

Rowland, C.H.: Covert channels in the TCP/IP protocol suite. First Monday 2 (1997) http://www.firstmonday.org/issues/issue2_5/rowland/.

[15]

Sohn, T., Seo, J., Moon, J.: A study on the covert channel detection of TCP/IP header using support vector machine. In Perner, P., Qing, S., Gollmann, D., Zhou, J., eds.: Information and Communications Security. Volume 2836 of Lecture Notes in Computer Science., Springer-Verlag (2003) 313-324.

[16]

Rutkowska, J.: The implementation of passive covert channels in the Linux kernel. In: Chaos Communication Congress, Chaos Computer Club e.V. (2004) http://www.ccc.de/congress/2004/fahrplan/event/176.en.html.

[17]

Giffin, J., Greenstadt, R., Litwack, P., Tibbetts, R.: Covert messaging in TCP. In Dingledine, R., Syverson, P., eds.: Privacy Enhancing Technologies. Volume 2482 of Lecture Notes in Computer Science., Springer-Verlag (2002) 194-208.

Digital Library

[18]

Bellovin, S.: RFC1948: Defending against sequence number attacks. IETF (1996).

Digital Library

[19]

de Raadt, T., Hallqvist, N., Grabowski, A., D. Keromytis, A., Provos, N.: Cryptography in OpenBSD: An overview. In: USENIX Annual Technical Conference (FREENIX Track). (1999) 93-102.

Digital Library

[20]

Kohno, T., Broido, A., claffy, k.: Remote Physical Device Fingerprinting. In: 2005 IEEE Symposium on Security and Privacy, Oakland, California, IEEE CS (2005) 211-225.

Digital Library

[21]

Hintz, A.: Covert channels in TCP and IP headers. Presentation at DEFCON 10 (2002) http://guh.nu/projects/cc/.

Cited By

Mileva AVelinov AHartmann LWendzel SMazurczyk W(2021)Comprehensive analysis of MQTT 5.0 susceptibility to network covert channelsComputers and Security10.1016/j.cose.2021.102207104:COnline publication date: 1-May-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102207
Liu SFang ZGao FKoussainov BZhang ZLiu JZhu LGai KRaymond Choo KLiu J(2020)Whispers on Ethereum: Blockchain-based Covert Data Embedding SchemesProceedings of the 2nd ACM International Symposium on Blockchain and Secure Critical Infrastructure10.1145/3384943.3409433(171-179)Online publication date: 6-Oct-2020
https://dl.acm.org/doi/10.1145/3384943.3409433
Radej AJanicki A(2020)Modification of Pitch Parameters in Speech Coding for Information HidingText, Speech, and Dialogue10.1007/978-3-030-58323-1_55(513-523)Online publication date: 8-Sep-2020
https://dl.acm.org/doi/10.1007/978-3-030-58323-1_55
Show More Cited By

Recommendations

TCP-Jersey for wireless IP communications

Improving the performance of the transmission control protocol (TCP) in wireless Internet protocol (IP) communications has been an active research area. The performance degradation of TCP in wireless and wired-wireless hybrid networks is mainly due to ...
TCP/IP Protocol Suite
Congestion control in TCP/IP networks: a combined ECN and BECN approach
MILCOM'03: Proceedings of the 2003 IEEE conference on Military communications - Volume I

In this paper a novel algorithm is proposed which combines the merits of Explicit Congestion Notification (ECN) and Backward Explicit Congestion Notification (BECN) mechanisms for congestion control in TCP/IP networks. A comparative performance ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Guide Proceedings

IH'05: Proceedings of the 7th international conference on Information Hiding

June 2005

414 pages

ISBN:3540290397

Editors:
Mauro Barni
Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Siena, Italy
,
Jordi Herrera-Joancomartí
Dipartimento di Ingegneria dell'Informazione, Universitat Oberta de Catalunya, Rbla del Poblenou, 156, Barcelona, Spain
,
Stefan Katzenbeisser
Dipartimento di Ingegneria dell'Informazione, Philips Research Europe, Information and System Security, Rbla del Poblenou, 156, Eindhoven, The Netherlands
,
Fernando Pérez-González
Departamento de Teoría de la Señal y Comunicaciones ETSI Telecom., Universidad de Vigo, Rbla del Poblenou, 156, Vigo

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 06 June 2005

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

49
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Mileva AVelinov AHartmann LWendzel SMazurczyk W(2021)Comprehensive analysis of MQTT 5.0 susceptibility to network covert channelsComputers and Security10.1016/j.cose.2021.102207104:COnline publication date: 1-May-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102207
Liu SFang ZGao FKoussainov BZhang ZLiu JZhu LGai KRaymond Choo KLiu J(2020)Whispers on Ethereum: Blockchain-based Covert Data Embedding SchemesProceedings of the 2nd ACM International Symposium on Blockchain and Secure Critical Infrastructure10.1145/3384943.3409433(171-179)Online publication date: 6-Oct-2020
https://dl.acm.org/doi/10.1145/3384943.3409433
Radej AJanicki A(2020)Modification of Pitch Parameters in Speech Coding for Information HidingText, Speech, and Dialogue10.1007/978-3-030-58323-1_55(513-523)Online publication date: 8-Sep-2020
https://dl.acm.org/doi/10.1007/978-3-030-58323-1_55
Jun WBin GChunhui H(2019)Domain Neural Chinese Word Segmentation with Mutual Information and EntropyProceedings of the 2019 7th International Conference on Information Technology: IoT and Smart City10.1145/3377170.3377205(75-79)Online publication date: 20-Dec-2019
https://dl.acm.org/doi/10.1145/3377170.3377205
Eger MGruss DDeterding SKhosmood FPirker JApperley T(2019)Wait a secondProceedings of the 14th International Conference on the Foundations of Digital Games10.1145/3337722.3337744(1-7)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3337722.3337744
Wendzel SEller DMazurczyk W(2018)One Countermeasure, Multiple PatternsProceedings of the Central European Cybersecurity Conference 201810.1145/3277570.3277571(1-6)Online publication date: 15-Nov-2018
https://dl.acm.org/doi/10.1145/3277570.3277571
Wendzel S(2018)Get Me Cited, Scotty!Proceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3233265(1-8)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3233265
Geisler DMazurczyk WKeller J(2018)Towards Utilization of Covert Channels as a Green Networking TechniqueProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3233262(1-10)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3233262
OConnor TEnck WPetullo WVerma A(2018)PivotWallProceedings of the Symposium on SDN Research10.1145/3185467.3185474(1-14)Online publication date: 28-Mar-2018
https://dl.acm.org/doi/10.1145/3185467.3185474
Ghassami AKiyavash N(2018)A Covert Queueing Channel in FCFS SchedulersIEEE Transactions on Information Forensics and Security10.1109/TIFS.2018.279795313:6(1551-1563)Online publication date: 1-Jun-2018
https://dl.acm.org/doi/10.1109/TIFS.2018.2797953
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents