A second definition similarly describes a covert channel as “any method that allows the transmission of information via one or more global system variables not officially designed for that purpose.”²
5.1 Categories
Covert channels can be divided into two main categories: storage channels and timing channels. Their purpose is the same; they differ only in how the information is made available.
The first category uses a shared global variable (an area of memory for IT specialists, or a letter for a prisoner) as the transmission channel: one of the two communicating parties makes changes to it that the other reads, directly or indirectly. The second category transmits information by modulating the use of particular system resources (CPU time, the receipt of a packet and the corresponding response, and so on), so that the deviations from normal operation encode the information transmitted. Hybrid covert channels combining the two methods can also be created, making the hidden channel even more difficult to detect.
Where earlier research focused on covert channels that allowed information to flow between different processes on the same system, interest has more recently shifted to sending information from one host to another over channels that exploit the various possibilities offered by the network protocols on which today's Internet is based.
5.2 Network Covert Channels: Current Use
TCP/IP protocols offer many ways to establish covert channels and transmit data between hosts. Such methods can then be used for the following purposes:
to bypass perimeter security devices;
to evade network sniffers and NIDS;
to encapsulate information, encrypted or otherwise, in ordinary packets for secret transmission in networks that prohibit such behavior (this is known as TCP/IP steganography).
Here we discuss not only techniques for manipulating TCP/IP headers, but also those used with the ICMP protocol and at higher levels such as HTTP and DNS.
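The two categories in 5.1 suggest two different detection questions for the network channels introduced in 5.2: does a header field that is not meant to carry data look like it is carrying data (storage channel), and do packet inter-arrival times cluster around a few fixed delays instead of spreading out (timing channel)? The following Python is an added example written for this page, not code from the book or its author. It works on constructed "flows" (lists of dicts standing in for parsed packet headers, with fields named "t", "ip_id" and "reserved" as an assumption of this example) and applies one heuristic per category: the step pattern of the IP Identification field plus the reserved flag bit for storage channels, and an exact one-dimensional two-cluster split of inter-arrival gaps for timing channels.

```python
"""Heuristic checks for the two covert-channel categories the text describes.

Added example, not from the book. A "flow" is a list of dicts standing in
for parsed packet headers: "t" (arrival time in seconds), "ip_id" (the 16-bit
IP Identification field) and "reserved" (the reserved IP header flag bit).
"""
from statistics import mean


def ip_id_sequential_fraction(flow):
    """Storage-channel indicator.

    A host that fills IP ID from a counter produces small positive steps
    between consecutive packets; a field abused as a storage channel carries
    arbitrary values and the steps look random. Returns the fraction of
    consecutive steps (mod 2^16) that fall in 1..16.
    Caveat: hosts that randomize IP ID also score low, so compare against a
    baseline captured from the same host rather than trusting a fixed threshold.
    """
    ids = [p["ip_id"] for p in flow]
    if len(ids) < 2:
        return 1.0
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return sum(1 for s in steps if 1 <= s <= 16) / len(steps)


def reserved_bit_packets(flow):
    """Storage-channel indicator: the reserved flag bit is never legitimately set."""
    return sum(1 for p in flow if p["reserved"])


def timing_bimodality(gaps):
    """Timing-channel indicator.

    A timing channel that encodes symbols as distinct delays yields
    inter-arrival gaps clustered tightly around a few values; ordinary traffic
    is spread out. Split the sorted gaps into two clusters at the point that
    minimizes the within-cluster sum of squares (exact 1-D two-means) and
    return the distance between cluster means divided by the pooled
    within-cluster spread. Large values mean two sharp modes.
    """
    g = sorted(gaps)
    if len(g) < 4:
        return 0.0
    best = None
    for k in range(1, len(g)):
        lo, hi = g[:k], g[k:]
        m_lo, m_hi = mean(lo), mean(hi)
        sse = sum((x - m_lo) ** 2 for x in lo) + sum((x - m_hi) ** 2 for x in hi)
        if best is None or sse < best[0]:
            best = (sse, m_hi - m_lo)
    sse, separation = best
    spread = (max(sse, 1e-12) / len(g)) ** 0.5
    return separation / spread


def assess_flow(flow, seq_threshold=0.8, bimodality_threshold=10.0):
    """Combine the indicators into per-category verdicts for one flow."""
    gaps = [b["t"] - a["t"] for a, b in zip(flow, flow[1:])]
    seq = ip_id_sequential_fraction(flow)
    reserved = reserved_bit_packets(flow)
    bimod = timing_bimodality(gaps)
    return {
        "ip_id_sequential": round(seq, 3),
        "reserved_bit_packets": reserved,
        "timing_bimodality": round(bimod, 1),
        "storage_suspect": seq < seq_threshold or reserved > 0,
        "timing_suspect": bimod > bimodality_threshold,
    }


def make_flow(gaps, ip_ids, reserved=None):
    """Build a constructed flow from inter-arrival gaps and header values."""
    reserved = reserved or [False] * len(ip_ids)
    flow, t = [], 0.0
    for i, (ip_id, res) in enumerate(zip(ip_ids, reserved)):
        flow.append({"t": t, "ip_id": ip_id, "reserved": res})
        if i < len(gaps):
            t += gaps[i]
    return flow


# Constructed sample flows (not real captures).
# Ordinary flow: counter-style IP IDs, irregular gaps, reserved bit clear.
NORMAL_FLOW = make_flow(
    gaps=[0.05, 0.21, 0.13, 0.42, 0.08, 0.33, 0.17],
    ip_ids=[4101, 4102, 4103, 4105, 4106, 4107, 4108, 4110],
)
# Suspect flow: arbitrary IP IDs, gaps alternating around two fixed delays,
# reserved bit set on two packets.
COVERT_FLOW = make_flow(
    gaps=[0.301, 0.099, 0.302, 0.298, 0.101, 0.100, 0.299],
    ip_ids=[0x9F3A, 0x2C71, 0xE804, 0x5B1F, 0x03C8, 0xD6A2, 0x7E55, 0x1A90],
    reserved=[False, True, False, False, True, False, False, False],
)

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_FLOW), ("covert", COVERT_FLOW)):
        print(name, assess_flow(flow))
```

Both heuristics are deliberately simple and need a per-host baseline in practice: operating systems that randomize IP ID and applications with naturally periodic traffic (keep-alives, polling) will raise the same indicators, so the output is a triage signal for a flow, not proof of a covert channel.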
² Estimating and Measuring Covert Channel Bandwidth in Multilevel Secure Operating Systems, by Shiuh-Pyng Shieh. The translation is ours.