Abstract
It is commonly believed that steganography within TCP/IP is easily achieved by embedding data in header fields seemingly filled with “random” data, such as the IP identifier, TCP initial sequence number (ISN) or the least significant bit of the TCP timestamp. We show that this is not the case; these fields naturally exhibit sufficient structure and non-uniformity to be efficiently and reliably differentiated from unmodified ciphertext. Previous work on TCP/IP steganography does not take this into account and, by examining TCP/IP specifications and open source implementations, we have developed tests to detect the use of naïve embedding. Finally, we describe reversible transforms that map block cipher output onto TCP ISNs, indistinguishable from those generated by Linux and OpenBSD. The techniques used can be extended to other operating systems. A message can thus be hidden so that an attacker cannot demonstrate its existence without knowing a secret key.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Murdoch, S.J., Lewis, S. (2005). Embedding Covert Channels into TCP/IP. In: Barni, M., Herrera-Joancomartí, J., Katzenbeisser, S., Pérez-González, F. (eds) Information Hiding. IH 2005. Lecture Notes in Computer Science, vol 3727. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11558859_19
DOI: https://doi.org/10.1007/11558859_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29039-1
Online ISBN: 978-3-540-31481-3
eBook Packages: Computer Science (R0)