Covert channels in TCP/IP protocol stack - extended version-

Abstract

We give a survey of different techniques for hiding data in several protocols from the TCP/IP protocol stack. Techniques are organized according to affected layer and protocol. For most of the covert channels its data bandwidth is given.

References

  1. [1]

    B. Lampson, A Note on the Confinement Problem, Communications of the ACM 16(10), 613–615, 1973

    Article  Google Scholar 

  2. [2]

    Department of Defence, Department of defence trusted computer system evaluation criteria, Technical Report DOD 5200.28-ST., Supersedes CSC-STD-001-83, December 1985

    Google Scholar 

  3. [3]

    J. Gray, Countermeasures and tradeoffs for a class of covert timing channels, 1994, Available at: http://repository.ust.hk/dspace/bitstream/1783.1/25/1/tr94-18.pdf

    Google Scholar 

  4. [4]

    P. R. Gallagher, A Guide to Understanding Covert Channel Analysis of Trusted Systems (National Computer Security Center, USA, 1993)

    Google Scholar 

  5. [5]

    G. J. Simmons, In: D. Chaum (ed.), The prisoners problem and the subliminal channel, Crypto’ 83, Advances in Cryptography (Springer, US, 1984) pp. 51–67

  6. [6]

    W. Mazurczyk, K. Szczypiorski, In: Z. Tari (ed.), Steganography of VoIP Streams On the Move to Meaningful Internet Systems (OTM 2008), Monterrey, Mexico, November 9–14, 2008, LNCS vol. 5332, 1001–1018

  7. [7]

    M. Wolf, In: T. A. Berson, Covert channels in LAN protocols, Beth, T. (Eds.) proceedings of: Workshop on Local Area Network Security (LANSEC 89), Karlsruhe, FRG, April 3–6, 1989, LNCS vol. 396, 91–102

  8. [8]

    T. Handel, M. Sandford, In Anderson R. (ed.), Hiding data in the OSI network model, Information Hiding, Cambridge, U.K., May 30–June 1, 1996, LNCS vol. 1174, 23–38

  9. [9]

    S. J. Murdoch, S. Lewis, In M. Barni, J. Herrera Joancomartí, S. Katzenbeisser, F. Pérez-González (Eds.), Embedding Covert Channels into TCP/IP, proceedings of: 7th Information Hiding Workshop, Barcelona, Spain, June 6–8, 2005, LNCS vol. 3727, 247–261

  10. [10]

    C. H. Rowland, Covert channels in the TCP/IP protocol suite, DoIS Documents in Information Science, May 1997

    Google Scholar 

  11. [11]

    D. V. Forte, SecSyslog: An Approach to Secure Logging Based on Covert Channels, In proceedings of: First International Workshop of Systematic Approaches to Digital Forensic Engineering (SADFE 2005), Taipei, Taiwan, November 7–10, 2005, 248–263

  12. [12]

    R. deGraaf, J. Aycock, M. Jacobson Jr., Improved Port Knocking with Strong Authentication, In proceedings of: the 21st Annual Computer Security Applications Conference (ACSAC 2005), Tucson, AZ, December 5–9, 2005

  13. [13]

    N. Feamster, M. Balazinska, G. Harfst, H. Balakrishnan, D. Karger, Infranet: Circumventing Web Censorship and Surveillance, In proceedings of: the 11th USENIX Security Symposium, San Francisco, CA, August 8–12, 2002, 247–262

  14. [14]

    S. Burnett, N. Feamster, S. Vempala, Chipping Away at Censorship Firewalls with User-Generated Content, In proceedings of: the 19th USENIX conference on Security (USENIX Security’10), Washington, DC, August 11–13, 2010

  15. [15]

    A. Houmansadr, T. Riedl, N. Borisov, E. Singer, I want my voice to be heard: IP over Voice-over-IP for unobservable censorship circumvention, In proceedings of: the 20th NDSS Symposium 2013, San Diego, USA, February 24–27, 2013

  16. [16]

    W. Mazurczyk, Z. Kotulski, In: J. Górski (ed.), New VoIP Traffic Security Scheme with Digital Watermarking, proceedings of: SafeComp 2006, Gdansk, Poland, September 26–29, 2006, LNCS vol. 4166, 170–181

  17. [17]

    W. Mazurczyk, Z. Kotulski, New Security and Control Protocol for VoIP Based on Steganography and Digital Watermarking, Ann. UMCS Inform. 5, 417–426, 2006

    Google Scholar 

  18. [18]

    A. Houmansadr, N. Kiyavash, N. Borisov, RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows, In proceedings of: the 16th NDSS Symposium 2009, San Diego, USA, February 8–11, 2009

  19. [19]

    A. Houmansadr, N. Borisov, SWIRL: A scalable watermark to detect correlated network flows, In proceedings of: the 18th NDSS Symposium 2009, San Diego, USA, February 6–9, 2011

  20. [20]

    X. Wang, S. Chen, S. Jajodia, Tracking anonymous peer-to-peer voip calls on the internet, in proceedings of: the 2005 ACM Conference on Computer and Communications Security, November 2005

  21. [21]

    X. Wang, D. S. Reeves, Robust correlation of encrypted attack traffic through stepping stones by manipulation of inter packet delays, in proceedings of: the 2003 ACM Conference on Computer and Communications Security, October 2003

  22. [22]

    E. Jones, O. Le Moigne, J.-M. Robert, IP Traceback Solutions Based on Time to Live Covert Channel, In proceedings of: 12th IEEE International Conference on Networks (ICON 2004), November 16–19, 2004, 451–457

  23. [23]

    W. Mazurczyk, M. Karas, K. Szczypiorski, SkyDe: a Skype-based Steganographic Method, Int. J. Comput. Commun. Control 8(3), 389–400, 2013

    Google Scholar 

  24. [24]

    P. Kopiczko, W. Mazurczyk, K. Szczypiorski, StegTorrent: a steganographic method for P2P files sharing service, in proceedings of: IEEE Symposium on Security and Privacy Workshops 2013, San Francisco, CA, May 23–24, 2013, 151–157

  25. [25]

    P. Bialczak, W. Mazurczyk, K. Szczypiorski, Sending Hidden Data via Google Suggest, arXiv:1107.4062

  26. [26]

    X. Luo, E. Chan, R. Chang, Crafting Web Counters into Covert Channels, in proceedings of: IFIP 2007, Sandton, South Africa, 2007, 337–348

    Google Scholar 

  27. [27]

    E. Zielinska, W. Mazurczyk, K. Szczypiorski, Development Trends in Steganography, Commun. ACM 57(2), 2014 (in press)

    Google Scholar 

  28. [28]

    S. Zander, G. Armitage, P. Branch, A survey of covert channels and countermeasures in computer network protocols, IEEE Communications Surveys and Tutorials 9(3), 44–57, 2007

    Article  Google Scholar 

  29. [29]

    P. Peng, P. Ning, D. Reeves, On the secrecy of timing-based active watermarking trace-back techniques, in proceedings of: the 2006 IEEE Symposium on Security and Privacy, Oakland, USA, May 2006

  30. [30]

    D. Llamas, C. Allison, A. Miller, Covert Channels in Internet Protocols: A Survey, In proceedings of: the 6th Annual Postgraduate Symposium about the Convergence of Telecommunications, Networking and Broadcasting (PGNET), Liverpool, UK, June 27–28, 2005

  31. [31]

    M. Smeets, M. Koot, Covert Channels, Research Report (University of Amsterdam, Amsterdam, 2006)

    Google Scholar 

  32. [32]

    P. Allix, Covert channels analysis in TCP/IP networks, IFIPS School of Engineering, University of Paris-Sud XI, Orsay, France, 2007

    Google Scholar 

  33. [33]

    J. C. Smith, Covert Shells, SANS GIAC Reading Room, 2000

    Google Scholar 

  34. [34]

    M. C. Perkins, Hiding out in Plaintext: Covert Messaging with Bitwise Summations, Master thesis (Iowa State University, 2005)

    Google Scholar 

  35. [35]

    B. Jankowski, W. Mazurczyk, K. Szczypiorski, PadSteg: Introducing Inter-Protocol Steganography, Telecomm. Syst. 52(2), 1101–1111, 2013

    Google Scholar 

  36. [36]

    P. Dong, H. Qian, Z. Lu, S. Lan, A Network Covert Channel Based on Packet Classification, Int. J. Network Security 14(2), 109–116, 2012

    Google Scholar 

  37. [37]

    K. Ahsan, D. Kundur, Practical data hiding in TCP/IP, In proceedings of: Multimedia and Security Workshop at ACM Multimedia 2002, Juan-les-Pins, France, December 1–6, 2002

  38. [38]

    K. Ahsan, Covert channel analysis and data hiding in TCP/IP, Master thesis (University of Toronto, 2002)

    Google Scholar 

  39. [39]

    E. Cauich, R. Gómez, R. Watanabe, In: F. F. Ramos, V. L. Rosillo, H. Unger (Eds.), Data Hiding in Identification and Offset IP Fields, Proceedings of 5th International School and Symposium of Advanced Distributed Systems (ISSADS) 2005, LNCS vol. 3563, (Springer, Berlin, Heidelberg, 2005) pp. 118–125

  40. [40]

    W. Mazurczyk, K. Szczypiorski, Steganography in handling oversized IP packets, In proceedings of: First International Workshop on Network Steganography (IWNS 2009), Wuhan, China, November 18–20, 2009

  41. [41]

    H. Qu, P. Su, D. Feng, A Typical Noisy Covert Channel in the IP Protocol, In proceedings of: the 38th Annual International Carnahan Conference of Security Technology, October 11–14, 2004, 189–192

  42. [42]

    S. Zander, G. Armitage, P. Branch, Covert Channels in the IP Time To Live Field, In proceedings of: the Australian Telecommunication Networks and Applications Conference (ATNAC), Melbourne, December 4–6, 2006

  43. [43]

    vecna, B0CK, Butchered From Inside, 2000, 7(2)

    Google Scholar 

  44. [44]

    C. Abad, IP checksum covert channels and selected hash collision, Technical report (University of California, 2001)

    Google Scholar 

  45. [45]

    Z. Trabelsi, H. El-Sayed, L. Frikha, T. Rabie, Traceroute Based IP Channel for Sending Hidden Short Messages, In proceedings of: First International Workshop on Security Advances in Information and Computer Security (IWSEC 2006), Kyoto, Japan, October 23–24, 2006, LNCS vol. 4266, 421–436

  46. [46]

    Z. Trabelsi, H. El-Sayed, L. Frikha, T. Rabie, A novel covert channel based on the IP header record route option, Int. J. Adv. Media Commun 1(4), 328–350, 2007

    Article  Google Scholar 

  47. [47]

    W. Mazurczyk, K. Szczypiorski, Evaluation of steganographic methods for oversized IP packets, Telecommun. Syst. 49, 207–217, 2012

    Article  Google Scholar 

  48. [48]

    S. D. Servetto, M. Vetterli, Communication using phantoms: covert channels in the Internet. In proceedings of: IEEE International Symposium on Information Theory (ISIT), Washington, DC, June 24–29, 2001

  49. [49]

    A. El-Atawy, E. Al-Shaer, Building Covert Channels over the Packet Reordering Phenomenon, in proceedings of: IEEE INFOCOM 2009, 2186–2194

    Google Scholar 

  50. [50]

    A. Galatenko, A. Grusho, A. Kniazev, E. Timonina, Statistical Covert Channels Through PROXY Server, In proceedings of: Third International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, St. Petersburg, Russia, 2005, LNCS vol. 3685, 424–429

  51. [51]

    M. A. Padlipsky, D. W. Snow, P. A. Karger, Limitations of End-to-End Encryption in Secure Computer Networks, Technical Report ESD-TR-78-158, Mitre Corporation, August 1978

    Google Scholar 

  52. [52]

    S. Cabuk, C. E. Brodley, C. Shields, IP covert timing channels: Design and detection, In Proceedings of: the 11th ACM Conference on Computer and Communications Security, Washington DC, USA, 2004, ACM Press, 178–187

    Google Scholar 

  53. [53]

    V. Berk, A. Giani, G. Cybenko, Detection of Covert Channel Encoding in Network Packet Delays, Technical Report TR2005-536, Department of Computer Science, Dartmouth College, 2005

    Google Scholar 

  54. [54]

    G. Shah, A. Molina, M. Blaze, Keyboards and Covert Channels, In proceedings of: 15th USENIX Security Symposium, Vancouver, Canada, August 2006, 59–75

  55. [55]

    S. Cabuk, Network covert channels: design, analysis, detection and elimination, PhD thesis (Purdue University, 2006)

    Google Scholar 

  56. [56]

    S. Gianvecchio, H. Wang, D. Wijesekera, S. Jajodia, Model-based covert timing channels: Automated modeling and evasion, in: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008, LNCS, vol. 5230 (Springer, 2008) pp. 211–230

    Google Scholar 

  57. [57]

    S. H. Sellke, C.-C. Wang, S. Bagchi, N. Shroff, TCP/IP Timing Channels: Theory to Implementation, In proceedings of: the 28th Conference on Computer Communications (IEEE INFOCOM), Rio de Janeiro, Brazil, April 19–25, 2009

    Google Scholar 

  58. [58]

    V. Paxson, S. Floyd, Wide-area traffic: the failure of Poisson modeling, IEEE/ACM T. Network. 3(3), 226–244, 1995

    Article  Google Scholar 

  59. [59]

    S. Zander, G. Armitage, P. Branch, Stealthier Inter-packet Timing Covert Channels, in proceedings of: 10th International IFIP TC 6 Networking Conference, Valencia, Spain, May 9–13, 2011, LNCS vol. 6640, 458–470

  60. [60]

    Z. Trabelsi, I. Jawhar, Covert File Transfer Protocol Based on the IP Record Route Option, J. Inform. Assurance Security 5, 64–73, 2010

    Google Scholar 

  61. [61]

    S. Gianvecchio, H. Wang, An Entropy-Based Approach to Detecting Covert Timing Channels, IEEE T. Dependable and Secure Computing 8(6), 785–797, 2011

    Article  Google Scholar 

  62. [62]

    T. Graf, Messaging over IPv6 Destination Options, Swiss Unix User Group, 2003

    Google Scholar 

  63. [63]

    N. B. Lucena, G. Lewandowski, S. J. Chapin, In: G. Danezis, D. Martin (Eds.), Covert Channels in IPv6, Proceedings of: the 5th International Workshop Privacy Enhancing Technologies (PET 2005), Dubrovnik, May 30–June 1, 2005, 147–166

  64. [64]

    daemon9, AKA, and route, Project Loki, Phrack Magazine 49, 6, 1996

  65. [65]

    daemon9, Loki2 (the implementation), Phrack Magazine 51, 6, 1997

  66. [66]

    A. Singh, C. Lu, O. Nordstrom, A. L. M. dos Santos, In: Y. Mu, W. Susilo, J. Seberry (Eds.), Malicious ICMP Tunneling: Defense against the Vulnerability, proceedings of: the 8th Australasian Conference on Information Security and Privacy (ACISP), Wollongong, Australia, July 9–11, 2003, LNCS vol. 5107 (Springer, 2003) pp. 226–236

  67. [67]

    M. Muench, ICMP-Chat, 2003, Available at http://icmpchat.sourceforge.net/

    Google Scholar 

  68. [68]

    L. Zelenchuk, Skeeve — ICMP Bounce Tunnel, 2004, available at: http://www.gray-world.net/poc_skeeve.shtml

    Google Scholar 

  69. [69]

    G. Thomer, IP-over-ICMP using ICMPTX, 2005, available at: http://thomer.com/icmptx/

    Google Scholar 

  70. [70]

    D. Stødle, Ping Tunnel, 2011, Available at: http://www.cs.uit.no/~daniels/PingTunnel/

    Google Scholar 

  71. [71]

    R. Murphy, V00d00n3t — Ipv6 / ICMPv6 Covert Channel, DefCon, Las Vegas, 2006

    Google Scholar 

  72. [72]

    K. Stokes, B. Yuan, D. Johnson, P. Lutz, In: K. Elleithy, T. Sobh, M. Iskander, V. Kapila, M. A. Karim, A. Mahmood (Eds.), ICMP covert channel resiliency, Technological Developments in Networking, Education and Automation, 2010, 503–506

  73. [73]

    B. Ray, S. Mishra, In: L. Korba, S. Marsh, R. Safavi-Naini (Eds.), A Protocol for Building Secure and Reliable Covert Channel, proceedings of: the Sixth Annual Conference on Privacy, Security and Trust (PST 2008), Fredericton, New Brunswick, Canada, October 1–3, 2008, 246–253

  74. [74]

    C. Scott, Network Covert Channels: Review of Current State and Analysis of Viability of the use of X.509 Certificates for Covert Communications, Technical Report RHUL-MA-2008-11, Department of Mathematics, Roal Holloway, University of London, 2008

    Google Scholar 

  75. [75]

    R. Rios, J. A. Onieva, J. Lopez, HIDE_DHCP: Covert Communications Through Network Configuration Messages, In proceedings of: 27th IFIP TC 11 Information Security and Privacy Conference, Heraklion, Crete, Greece, June 4–6, 2012, IFIP Adv. Inform. Commun. Technol. 376, 162–173, 2012

    Google Scholar 

  76. [76]

    J. Giffin, R. Greenstadt, P. Litwack, R. Tibbetts, In: R. Dingledine, P. Syverson (Eds.), Covert Messaging Through TCP Timestamps, Proceedings of the 2nd international conference on Privacy enhancing technologies (PET 2002), San Francisco, CA, April 14–15, 2002, 194–208

  77. [77]

    L. Ji, Y. Fan, C. Ma, Covert channel for local area network, In proceedings of: IEEE International Conference of Wireless Communications, Networking and Information Security (WCNIS 2010), 2010, 316–319

    Google Scholar 

  78. [78]

    J. Rutkowska, The Implementation of Passive Covert Channels in the Linux Kernel, Chaos Communication Congress, 2004

    Google Scholar 

  79. [79]

    A. Hintz, Covert Channels in TCP and IP Headers, DefCon 10, Las Vegas, Nevada, August 2–4, 2003

  80. [80]

    E. Tumoian, M. Anikeev, Detecting NUSHU Covert Channels Using Neural Networks, Technical report (Taganrog State University of Radio Engineering, 2005)

    Google Scholar 

  81. [81]

    R. Chakinala, A. Kumarasubramanian, R. Manokaran, G. Noubir, C. Pandu Rangan, R. Sundaram, Steganographic communication in ordered channels, In proceedings of: the 8th International Conference on Information Hiding Workshop, Alexandria, VA, USA, July 10–12, 2006 (Springer-Verlag Berlin, Heidelberg, 2006) pp. 42–57

    Google Scholar 

  82. [82]

    X. Luo, E. Chan, R. Chang, Cloak: A ten-fold way for reliable covert communications, in proceedings of: ESORICS 2007, Dresden, Germany, September 24–26, 2007, LNCS vol. 4734, 283–298

  83. [83]

    X. Luo, E. Chan, R. Chang, TCP Covert Timing Channels: Design and Detection, In proceedings of: IEEE International Conference on Dependable Systems and Networks With FTCS and DCC, Anchorage, Alaska, June 24–27, 2008, 420–429

    Google Scholar 

  84. [84]

    X. Luo, E. Chan, R. Chang, CLACK: A network covert channel based on partial acknowledgement encoding, In proceedings of: IEEE International Conference on Communications, Dresden, Germany, June 14–18, 2009, 1–5

  85. [85]

    X. Luo, P. Zhou, E. Chan, R. Chang, W. Lee, A Combinatorial Approach to Network Covert Communications with Applications in Web Leaks, In proceedings of: IEEE/IFIP 41st International Conference on Dependable Systems and Networks (DSN 2011), Hong Kong, June 27–30, 2011, 474–485

  86. [86]

    G. Fisk, M. Fisk, C. Papadopoulos, J. Neil, In: F. A. P. Petitcolas (Ed.), Eliminating steganography in Internet traffic with active wardens, 5th International Workshop on Information Hiding (IH), 2002, LNCS vol. 2578, 18–35

  87. [87]

    J. S. Thyer, Covert Data Storage Channel Using IP Packet Headers (SANS Institute, 2008)

    Google Scholar 

  88. [88]

    W. Mazurczyk, M. Smolarczyk, K. Szczypiorski, Retransmission Steganography Applied, In proceedings of: 2010 International Conference on Multimedia Information Networking and Security (MINES), Nanjing, China, November 4–6, 2010, 846–850

  89. [89]

    W. Mazurczyk, M. Smolarczyk, K. Szczypiorski, On Information Hiding in Retransmissions, Telecommun. Syst. Modelling, Analysis, Design and Management 52(2), 1113–1121, 2013

    Google Scholar 

  90. [90]

    K. Anjan, J. Abraham, Behavioral Analysis of Transport Layer Based Hybrid Covert Channel, In proceedings of: Third International Conference of Recent Trends in Network Security nd Applications (CNSA 2010), Chennai, India, July 23-25, 2010 (Springer Berlin Heidelberg, 2010) pp. 83–92

    Google Scholar 

  91. [91]

    K. Anjan, J. Abraham, M. Jadhav, Design of Transport Layer Based Hybrid Covert Channel Detection Engine, arXiv:1101.0104

  92. [92]

    vanHauser, Placing Backdoors through Firewalls, The Hacker’s Choice, 1999

    Google Scholar 

  93. [93]

    P. Pack, W. Streilein, S. Webster, R. Cunningham, Detecting http Tunneling Activities, in proceedings of: 3rd Annual Information Assurance Wksp., West Point, NY, USA, June 17–19, 2002

  94. [94]

    K. Borders, A. Prakash, Web Tap: Detecting Covert Web Traffic, in proceedings of: 11th ACM Conf. Computer and Communications Security (CCS), 110–120, October 2004

    Google Scholar 

  95. [95]

    P. Padgett, Corkscrew, 2011, Available at http://www.agroman.net/corkscrew/

    Google Scholar 

  96. [96]

    L. Bowyer, Firewall Bypass via protocol Steganography, Network Penetration, 2002

    Google Scholar 

  97. [97]

    A. Dyatlov, S. Castro, Exploitation of data streams authorized by a network access control system for arbitrary data transfers: tunneling and covert channels over the http protocol, Gray-world, USA, June, 2003

    Google Scholar 

  98. [98]

    M. Bauer, New Covert Channels in http: Adding Unwitting Web Browsers to Anonymity Sets. In Proceedings of Workshop on Privacy Electronic Society (WPES 2003), Washington, DC, USA, October 30, 2003, 72–78

    Google Scholar 

  99. [99]

    H. -G. Eßer, F. C. Freiling, Kapazitätsmessung eines verdeckten Zeitkanals über http, Technical Report TR-2005-10 (Universität Mannheim, 2005)

    Google Scholar 

  100. [100]

    P. LeBoutillier, 2005, HTTunnel, Available at: http://sourceforge.net/projects/httunnel/

    Google Scholar 

  101. [101]

    Z. Kwecka, Application Layer Covert Channel Analysis and Detection, Technical Report (Napier University Edinburgh, 2006)

    Google Scholar 

  102. [102]

    M. Van Horenbeeck, Deception on the network: thinking differently about covert channels, In proceedings of; Australian Information Warfare and Security Conference, Perth, Western Australia, December 4–5, 2006, 174–184

  103. [103]

    S. Castro, Gray World Team: Cooking Channels, hakin9 Magazine, May 2006, 50–57

    Google Scholar 

  104. [104]

    R. Duncan, J. E. Martina, Steganographic Message Broadcasting using Web Protocols, In proceedings of: Simposio Brasilerio de Seguranca (SBSeg 2010), Fortaleza, Brasil, 2010

    Google Scholar 

  105. [105]

    Z. Kwecka, Application Layer Covert Channel Analysis and Detection, Technical Report (Napier University Edinburgh, 2006)

    Google Scholar 

  106. [106]

    J. Blascoa, J. C. Hernandez-Castrob, J. M. de Fuentes, B. Ramosa, A framework for avoiding steganography usage over http, J. Network Computer Appl. 35(1), 491–501, 2012

    Article  Google Scholar 

  107. [107]

    D. Alman, http Tunnels Though Proxies (SANS Institute, 2003)

    Google Scholar 

  108. [108]

    X. Zou, Q. Li, S.-H. Sun, X. Niu, In: R. Khosla, R. J. Howlett, L. C. Jain (Eds.), The Research on Information Hiding Based on Command Sequence of FTP Protocol, proceedings of: the 9th International Conference on Knowledge-Based Intelligent Information and Engineering Systems (KES 2005), Melbourne, Australia, September 14–16, 2005, LNCS vol. 3683, 1079–1085

  109. [109]

    savannah.nongnu.org, NSTX, 2002, Available at http://savannah.nongnu.org/projects/nstx/

    Google Scholar 

  110. [110]

    L. Nussbaum, P. Neyron, O. Richard, On Robust Covert Channels Inside DNS, In proceedings of: 24th IFIP TC 11 International Information Security Conference (SEC 2009), Pafos, Cyprus, May 182-20, 2009, 51–62

  111. [111]

    T. Pietraszek, 2004, DNSCat, Available at: http://tadek.pietraszek.org/projects/DNScat/

    Google Scholar 

  112. [112]

    D. Kaminsky, OzymanDNS, 2004, Available at: http://dankaminsky.com/2004/07/29/51/

    Google Scholar 

  113. [113]

    Anonymous, DNS Covert Channels and Bouncing Techniques, 2005, Available at: http://seclists.org/fulldisclosure/2005/Jul/att-452/p63_dns_worm_covert_channel.txt

  114. [114]

    O. Dembour, C. Collignon, DNS2TCP, 2008, Available at: http://hsc.fr/ressources/outils/dns2tcp/

    Google Scholar 

  115. [115]

    Kryo, iodine, 2010, Available at: http://code.kryo.se/iodine/

  116. [116]

    L. Y. Bai, Y. Huang, G. Hou, B. Xiao, In: J. -S. Pan, X. Niu, H.-C. Huang, L. C. Jain (Eds.), Covert Channels Based on Jitter Field of the RTCP Header, Proceedings of the Fourth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, IEEE Computer Society, 2008, 1388–1391

  117. [117]

    Y. Lizhi, H. Yongfeng, Y. Jian, L. Y. Bai, A Novel Covert Timing Channel Based on RTP/RTCP, Chinese J. Electron. 21(4), 711–714, 2012

    Google Scholar 

  118. [118]

    W. Mazurczyk, Lost Audio Packets Steganography: The First Practical Evaluation, Journal of Security and Communication Networks 5(12), 1394–1403, 2012

    Article  Google Scholar 

  119. [119]

    W. Mazurczyk, K. Szczypiorski, Covert Channels in SIP for VoIP Signalling, Communications in Computer and Information Science 12, 65–72, 2008

    Article  Google Scholar 

  120. [120]

    N. Lucena, J. Pease, P. Yadollahpour, S. J. Chapin, Syntax and Semantics-Preserving Application-Layer Protocol Steganography, In proceedings of: 6th Information Hiding Workshop, Toronto, Canada, May 23–25, 2004, LNCS vol. 3200, 164–179

  121. [121]

    R. A. Kemmerer, Shared Resource Matrix Methodology: an Approach to Identifying Storage and Timing Channels, ACM T. Comput. Syst. (TOCS) 1(3), 256–277, 1983

    Article  Google Scholar 

  122. [122]

    R. A. Kemmerer, A Practical Approach to Identifying Storage and Timing Channels: Twenty Years Later, in proceedings of: Annual Computer Security Applications Conference (ACSAC), Dec. 2002, 109–118

    Google Scholar 

  123. [123]

    A. L. Donaldson, J. McHugh, K. A. Nyberg, Covert Channels in Trusted LANs, in proceedings of: 11th NBS/NCSC National Computer Security Conference, October 1988, 226–232

    Google Scholar 

  124. [124]

    R. A. Kemmerer, P. Porras, Covert Flow Trees: A Visual Approach to Analysing Covert Storage Channels, IEEE Trans. Software Eng. SE-17(11), 1166–1185, 1991

    Article  Google Scholar 

  125. [125]

    A. Giani, V. Berk, G. Cybenko, Covert channel detection using process query systems, in proceedings of: FLoCon 2005

    Google Scholar 

  126. [126]

    G. R. Malan, D. Watson, F. Jahanian, P. Howell, Transport and application protocol scrubbing, in proceedings of: the IEEE INFOCOM 2002 Conference, 1381–1390, Tel-Aviv, Israel, 2000

    Google Scholar 

  127. [127]

    S. Gianvecchio, H. Wang, Detecting Covert Timing Channels: An Entropy-Based Approach, in proceedings of: ACM CCS 2007, Alexandria, USA, October 28–31, 2007

    Google Scholar 

  128. [128]

    T. Sohn, J. Seo, J. Moon, In; P. Perner, S. Qing, D. Gollmann, J. Zhou (eds.), A study on the covert channel detection of TCP/IP header using support vector machine, Information and Communications Security, LNCS vol. 2836, 313–324 (Springer-Verlag, 2003)

    Google Scholar 

  129. [129]

    M. Handley, V. Paxson, Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In proceedings of: the 10th USENIX Security Symposium, Washington, DC, August 13–17, 2001

  130. [130]

    A. B. Jeng, M. D. Abrams, On Network Covert Channel Analysis, in proceedings of: 3rd Aerospace Computer Security Conference, Orlando, FL, USA, December 7–11, 1987

  131. [131]

    H. Wei-Ming, Reducing Timing Channels with Fuzzy Time, in proceedings of: IEEE Computer Society Symposium Research in Security and Privacy, Oakland, CA, USA, May, 1991, 8–20

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Aleksandra Mileva.

About this article

Verify currency and authenticity via CrossMark

Cite this article

Mileva, A., Panajotov, B. Covert channels in TCP/IP protocol stack - extended version-. centr.eur.j.comp.sci. 4, 45–66 (2014). https://doi.org/10.2478/s13537-014-0205-6

Download citation

Keywords

  • network steganography
  • data hiding
  • Internet layer
  • transport layer
  • application layer