Research Output

Covert channel analysis and data hiding in tcp/ip.

  Data hiding methods can be used by intruders to communicate over open data channels (Rowland 1996; deVivo, deVivo et al. 1999), and can be used to overcome
firewalls, and most other forms of network intrusion detection systems. In fact, most detection systems can detect hidden data in the payload, but struggle to cope with data
hidden in the IP and TCP packet headers, or in the session layer protocol.
This Honours Project proposes a novel architecture for data hiding, and presents methods which can be used to detect the hidden data and prevent the use of covert channels for its transmission. It also presents the method used in creating a system for Microsoft Windows platforms.
The scenario consists of one user that from his computer connects to a web server. In fact, the connection is done to a Reverse Proxy Server (RPS) and this is the one in
charge of connecting with the Web Server, collect the information requested and returns it to the user. For the user, this action takes place in a transparent manner as if
he had connected directly to the Web Server. It has to be highlighted that the RPS does not need to be configured in advanced by the user. Because of that, the RPS
becomes a strategic middleware piece of software able to analyze and manipulate the traffic between one user and a server in the Internet in a discrete mode.
This ability has been used in this project to send covert messages in the outgoing packets that leave from the RPS going to the user. Whilst the user is navigating can
observe, through a separate window provided by an application denominated Covert Viewer, the incoming covert message. In this Honours Project it has also been
developed a network packet sniffer so the user can observe how the message is transmitted by the network packets through a technique that will be explained further
later on. In the RPS side, we have basically two applications: the Data Hiding Intelligent Agent (DHIA) and the RPS itself. As has been explained above, the mission of the RPS it is to capture the requests of the user, transmit them to the
relevant server, collect the answer from the server and sent it back to the user. The DHIA is in charge of manipulating the outgoing packets to send the covert message.
The technique used by this component is inserting in the identification field of the IP header (version 4) the ASCII value of the character that wants to be sent. As explained further on, the TCP/IP Protocol Suite has some weaknesses on its design that facilitates the manipulation of its characteristics. The DHIA allows the configuration, through a XML File, of sending covert messages to specific IP addresses that have requested a specific port.
This Honours Project has based the design and the implementation of the RPS and DHIA in the Microsoft Windows platform, which has increased the complexity of
the development. Usually the development of tools for this kind of projects are done in Unix platforms as the source code of the operating system is available and can be
manipulated for this purpose. In this case, we had to work with techniques that allow the interception of a subset of functions from the Kernel mode.

  • Type:


  • Date:

    30 April 2004

  • Publication Status:


  • Library of Congress:

    QA75 Electronic computers. Computer science

  • Dewey Decimal Classification:

    005.8 Data security


Llamas, D. Covert channel analysis and data hiding in tcp/ip. (Thesis). Edinburgh Napier University. Retrieved from


Network intrusion detection systems; firewalls; TCP/IP; session layer protocol; data hiding; novel architecture; covert channels; Reverse Proxy Server; Web server; packet sniffer; Data Hiding Intelligent Agent; NDIS Hooking Filter Driver;

Available Documents