Edinburgh Napier University

  The specification of Internet protocol stack was developed to be as universal as possible, providing various optional features to the network programmers. Consequently the existent implementations of this specification use different methods to implement the same functionality. This created situation where optional fields and variables are often transmitted only to be ignored or discarded at the receiving end. It is considered that transmission of these fields significantly reduces the bandwidth available to data transfers, however the redesign of the network protocols from various reasons is considered impossible at the present time, and this downfall of Internet protocol stack is silently accepted. Since the optional fields discussed are of no real value anymore, they are often left unmonitored. This in turn allows for implementation of covert channels.

Techniques of information hiding in covert channels have been known some time now. By definition it involves hiding information in the medium, which is not usually used for any form of information transfer. For an instance the purpose of the envelope in the standard mail communication is to enclose the message and provide space for addressing. However, even if the messages were under strict surveillance, information hidden under the stamp on the envelope could go unnoticed to the examiner. This is how covert channels operate. They use resources often perceived as safe, and unable to carry data, to hide covert payload.

This dissertation investigated Internet protocol stack and identified Application Layer as the level most vulnerable to covert channel operations. Out of the commonly used protocols, SMTP, DNS and HTTP have been recognized as those, which may carry hidden payload in and out secure perimeters. Thus, HTTP, the protocol which is often wrongly perceived as text based information transfer protocol, due to its innocently sounding name was further investigated. Since there is no tool available on the market for HTTP monitoring, a set of test tools have been developed in this project using C# programming language, which is starting to become a new networking industry standard for application deployment. The analysis of the current trends in covert channel detection and the statistic collected on the current implementations of the protocol lead to design and implementation of suitable HTTP covert channel detection system. The system is capable of detecting most of the covert channel implementations, which do not mimic the operation of HTTP browser driven by a user. However, the experiments also proved that for a successful system to operate it must fully understand HTTP protocol, recognise signatures of different HTTP implementations and be capable of anomaly analysis.