Steganographic techniques for network communication.
Foeldi, Andrei; Moldoveanu, Florica; Soceanu, Alexandru et al.
1. INTRODUCTION
Trying to solve the problem of unauthorized creation and
distribution of digital copies of copyrighted material, steganography
received increased interest as a way of marking digital materials to
help enforce copyright laws. Another use of steganography was signalled
in a newspaper report on the capture of the members of a terrorist cell
who seemed to use apparently inoffensive pictures as a means of
transport for secret information. (Millen, 1999)
The current paper deals with means of data concealment inside
normal communication channels. The different ways of inserting
information inside TCP/IP channels will be discussed, as well as ways to
detect and/or destroy such hidden information.
2. TAXONOMY
A data covert channel may exist in the following two situations
(Wang & Lee 2005):
* The sending party is able to make changes in the visible space of
the receiving party.
* The sending party is able to change when an object is modified
relative to the observation made by the receiving party.
The covert channels created by the two kinds of modification listed
above are called:
* spatial channels,
* temporal channels.
A spatial channel uses the structure of the transmitted data. The
goal is the identification of unused or redundant parts in the normal
information being transmitted, data that can be replaced with the secret
bits in order to create the hidden channel. It is important to alter the
original stream without distorting the normal data being transmitted.
A temporal channel modulates the secret information to be
transmitted through a usage pattern of the network resources available.
The receiving party must know the codification for each pattern used in
order to extract the secret message being sent. Another type of temporal
channel called a numbering channel uses the counting of network events
in order to transmit information.
It is possible to use a combination of the two types of channels
described. Such a channel is called a hybrid channel and employs both
spatial and temporal changes to the data being transmitted.
3. CURRENT MECHANISMS
Current methods modify the unused bits along the OSI stack in order
to create the covert data channels (Murdoch & Lewis, 2005). The most
used bits are those from the network and transport layers of the OSI
model. It is common to use a combination of different covert data
channels for a secret transmission, because the detection and
destruction of only one channel allows the secret transmission to
continue through the remaining covert channels.
3.1 Parameters of a covert channel
For defining a covert channel and for enabling the comparison of
two different covert channels the following parameters are used:
* Invisibility. This parameter can be evaluated using expert
knowledge in the field. It measures how difficult it is for a network
expert to detect the anomalies that indicate a secret communication
taking place. An invisible channel is better: no correlation with the
actual data being sent can be detected.
* Indistinguishability. It measures the impossibility of separating
the secret data from the data it is piggybacking. This parameter is
important because it also means that an attempt at detecting and
removing the secret channel would have as a consequence the alteration
of the original data.
* Bit Rate. It measures the utility of a secret data channel by
expressing the number of bits it can transport. The indication can be in
bits per second, as is common for bit rate parameters. It is sometimes
useful to measure this parameter in bits per transport unit used, or as
secret bits per number of original bits used for piggybacking.
3.2 Methods for creating secret communication channels
Secret communication can take place at each of the OSI layers. This
presentation of the possible methods does not intend to be exhaustive.
It is an indication of how different redundancies of the protocols used
nowadays can be exploited to embed hidden information. (Fisk et al.,
2003)
At the physical layer the redundancy of control and synchronisation
signals permits the insertion of supplementary bits that are not part of
the normal communication but can be correctly decoded and interpreted at
the receiving station.
For serial lines such a transmission could exploit the use of the
CTS--Clear-To-Send and RTS--Request-To-Send signals. These signals are
not typically used. An implementation by the author, using a
microcontroller application, achieved rates for the secret transmission
similar to those of a normal transmission taking place over the RX and
TX signals. (Foldi, 1999)
Another way of creating secret communication at this layer is the
manipulation of the electrical signals. A logical 1 will be correctly
interpreted if voltages of 5 V or 6 V are used. But for the secret
communication channel a logical 1 at 5 V may mean a secret 0 bit and a
logical 1 at 6 V may mean a secret 1 bit being transmitted.
A secret communication created at this layer has the inconvenience
that it can take place only between directly connected stations. Any
signal repeater or device that deals with amplifying and forwarding the
electric signals further in the network will destroy the secret data
embedded. A channel created at this layer typically implies some sort of
hardware manipulation.
At the data link layer, the manipulation of the retransmission delay
between a minimal value and a maximal value allows the encoding of a
secret logical 0 or 1 bit. This channel, which relies on modifying the
collision detection behaviour, can be disturbed by other users that send
packets in the network. A solution is for one of the parties involved
in the secret communication to jam the communication of the other users.
This solution has the inconvenience of reducing the invisibility
parameter of this channel.
The manipulation of the frame length can also allow the inclusion
of secret data. The receiving party decodes the frames and forwards the
useful data up the network stack, simultaneously stripping the hidden
bytes from the frames and reconstructing the secret communication. A
channel at this layer can be implemented with software manipulation
alone; depending on the channel properties, firmware manipulation of the
network devices involved in the communication may also be necessary.
In TCP/IP networks the unused bits from the IP and TCP header may
be used. In this way a secret communication channel can be created at
the network and transport layer. In the IP layer there are three unused
bits.
A communication channel using the three bits has bad performance
from the point of view of the three parameters defined in section 3.1.
Because the majority of the implementations available set these bits to
0, their manipulation for the secret transmission is easily observable:
using a simple traffic analyser, a detailed observation of the secret
transmission is possible. With regard to indistinguishability, the
typical behaviour of the network equipment is to reset these bits to
their default values, destroying the secret channel.
Without traffic between the sending and the receiving station, the
channel has poor performance from the point of view of its bit rate.
Artificially creating traffic between the communication parties may
raise suspicions for a network administrator, thus minimizing the
invisibility parameter.
Until the implementation of the RFC 3168 dealing with congestion,
the TCP header had 6 unused bits. These bits could be used together with
the ones from the network layer in order to create a bigger capacity
secret channel.
Other implementations available manipulate the fragmentation
mechanism or the MTU--Maximum Transmission Unit--to transmit secret
information.
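The two defensive behaviours described above for the unused IP header bits (a traffic analyser noticing a must-be-zero bit set, and network equipment resetting it to its default value) can be expressed directly on the 20-byte IPv4 header. The following is an added example, not code from the paper; it assumes the reserved flag bit of RFC 791 (bit 0 of the flags/fragment-offset word) as the unused bit being checked, and the header bytes are constructed for the example.

```python
import struct

RESERVED_FLAG = 0x8000  # RFC 791: top bit of the flags/fragment-offset word, "must be zero"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header, the checksum field itself skipped."""
    total = 0
    for i in range(0, len(header), 2):
        if i == 10:  # bytes 10-11 hold the checksum field
            continue
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(flags_fragment: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header: version 4, IHL 5, total length 40, TCP, private addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_fragment, ttl, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def reserved_bit_set(header: bytes) -> bool:
    """The analyser's check: a set must-be-zero bit is an anomaly worth logging."""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return bool(flags_frag & RESERVED_FLAG)


def checksum_ok(header: bytes) -> bool:
    return ip_checksum(header) == struct.unpack("!H", header[10:12])[0]


def normalize_reserved_bit(header: bytes) -> bytes:
    """The equipment's behaviour: clear the reserved bit and recompute the header
    checksum, so the packet stays valid but anything encoded in that bit is lost."""
    flags_frag = struct.unpack("!H", header[6:8])[0] & ~RESERVED_FLAG & 0xFFFF
    fixed = header[:6] + struct.pack("!H", flags_frag) + header[8:10] + b"\x00\x00" + header[12:]
    return fixed[:10] + struct.pack("!H", ip_checksum(fixed)) + fixed[12:]


if __name__ == "__main__":
    h = build_ipv4_header(0x4000 | RESERVED_FLAG)  # DF set plus the reserved bit
    print("anomaly:", reserved_bit_set(h), "-> after normalisation:",
          reserved_bit_set(normalize_reserved_bit(h)))
```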
At the session layer a simple implementation of a covert channel
which uses access to a file system can be imagined. A logical 1 may be
represented by an access to a file "a" and a logical 0 by an access to
a file "b". Theoretically a bit rate of up to 110 KB/s is possible for
typical networks today, supposing that the session is established and a
typical read operation is done with a 100 byte TCP packet. The channel
also performs well from the point of view of the other two parameters,
since the file accesses cannot be distinguished from normal accesses.
The creation of secret communication channels at the presentation
and application layer implies the use of mechanisms for hiding
information in the data exchanged by the applications. This overlaps
with the area of (multi) media marking which is not a subject of this
paper.
In the next section, two new mechanisms are presented. These enable
the creation of covert channels that cannot be detected with the common
tools of a network administrator.
4. PROPOSED SOLUTIONS
One way of keeping a communication secret is to not raise
suspicions. A way to achieve this is by the manipulation of control
structures from the network protocols leaving the normal communication
intact.
4.1 Covert channel using the Time To Live field
This field is used by the TCP/IP stack to indicate how many hops a
packet should survive in a network. By carefully completing a secret
communication setup procedure, which involves the creation of a TCP
connection between the two communicating parties, a secret communication
can be implemented by embedding one secret byte in the TTL field.
Implementations by the author showed that in typical stable
networks the TTL value remains constant after the setup process. A
congested network would need frequent resynchronisation steps, which
would dramatically reduce the bit rate of this channel.
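The observation that the TTL of a connection stays constant in a stable network is also the detection handle for an administrator: a flow whose TTL keeps changing is behaving unlike a normal flow. Below is an added example, not part of the paper, of a per-flow TTL monitor over constructed packet records (source, destination, ports, TTL); the thresholds are assumptions chosen so that a single route change is tolerated while per-packet variation is flagged.

```python
from collections import defaultdict


def flow(sport: int, dport: int, ttls: list) -> list:
    """Constructed records (src, dst, sport, dport, ttl) for one TCP flow."""
    return [("10.0.0.5", "10.0.0.9", sport, dport, t) for t in ttls]


# Constructed capture: a stable flow, a flow whose TTL varies on every packet
# (as a one-byte-per-packet TTL channel would), and a flow with one route change.
CAPTURE = (flow(40001, 80, [64] * 6)
           + flow(40002, 443, [64, 72, 105, 64, 200, 33])
           + flow(40003, 22, [64, 64, 64, 63, 63, 63]))


def ttl_profile(packets):
    """Per flow: packet count, distinct TTLs seen and TTL changes between consecutive packets."""
    stats = defaultdict(lambda: {"packets": 0, "ttls": set(), "changes": 0, "last": None})
    for src, dst, sport, dport, ttl in packets:
        s = stats[(src, dst, sport, dport)]
        s["packets"] += 1
        s["ttls"].add(ttl)
        if s["last"] is not None and ttl != s["last"]:
            s["changes"] += 1
        s["last"] = ttl
    return stats


def suspicious_flows(packets, max_distinct=2, min_packets=5, max_change_ratio=0.2):
    """Flag flows whose TTL varies more than a route change would explain.
    Returns (flow key, number of distinct TTLs, fraction of packets where TTL changed)."""
    flagged = []
    for key, s in ttl_profile(packets).items():
        if s["packets"] < min_packets:  # too short to judge
            continue
        ratio = s["changes"] / (s["packets"] - 1)
        if len(s["ttls"]) > max_distinct or ratio > max_change_ratio:
            flagged.append((key, len(s["ttls"]), round(ratio, 2)))
    return flagged


if __name__ == "__main__":
    for key, distinct, ratio in suspicious_flows(CAPTURE):
        print("TTL anomaly", key, "distinct TTLs:", distinct, "change ratio:", ratio)
```

As the paper notes, a congested or unstable network forces resynchronisation, so the same monitor will also raise alerts on legitimately unstable paths; the thresholds have to be tuned per network.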
4.2 Covert channel using the Checksum field
The TCP checksum field is used to ensure the correct transmission
of the data. By reverse engineering the checksum computation it is
possible to pass such data to the TCP/IP stack so that the checksum
contains two desired bytes.
The performance values of this channel are presented in Table 1.
The table presents ideal values, real values measured in the lab and
real values measured over a public ADSL--Asymmetric Digital Subscriber
Line. Values similar to those in Table 1 are observed for the TTL
channel, taking into account that only one byte per packet is used for
the secret communication.
5. CONCLUSION
The creativity of the implementers is the only limit in discovering
new ways of embedding secret information inside a normal network
communication. The security of a targeted system depends only on the
expertise of the network administrators, on their capacity to detect
anomalies in the network traffic, and on the possibility of enforcing
policies that can disturb or disable such secret transmissions.
6. REFERENCES
Fisk, G.; Fisk, M.; Papadopoulos, C.; Neil, J. (2003). Eliminating
steganography in internet traffic with active wardens, Information
Hiding, pp. 18-35, Springer Verlag, ISBN 978-3-540-00421-9, Berlin.
Foldi, A. (1999). Design and implementation of a remotely
controlled alarm system, Scientific Workshop of the UPB, Bucharest, May
1999.
Millen, J. (1999). 20 Years of Covert Channel Modeling and
Analysis, Proceedings of the IEEE Symposium on Security and Privacy,
pp. 113-114, ISBN 0-7695-0176-1, Oakland, California, May 1999, IEEE.
Murdoch, S.; Lewis, S. (2005). Embedding Covert Channels into TCP/IP,
Proceedings of the 7th Information Hiding Workshop, Barcelona, June
2005, Springer Verlag.
Wang, Z.; Lee, R. (2005). New Constructive Approach to Covert
Channel Capacity Estimation, Proceedings of the 8th Information Security
Conference (ISC'05), pp. 498-505, Heidelberg, September 2005,
Springer Verlag, Berlin.
Tab. 1. Bit rate measured for the checksum covert channel.

Link type   ideal      real (lab)   real (60%)
10 Mbit     5 KB/s     5 KB/s       2,2 KB/s
100 Mbit    50 KB/s    48 KB/s      20,2 KB/s
DSL6000     3 KB/s     *            1,1 KB/s
DSL16000    8 KB/s     *            3,5 KB/s