By Alex Dyatlov
Authorizations of data transit between interconnected networks
Authorizations of data transit between interconnected networks are defined and
set up into Network Access Control Systems (NACS).
Regardless of different NACS configurations, it is possible, at the present time, via several evasion methods, to use authorized streams to transit arbitrary data whose traffic is not allowed or thought of, thus building what is often presented as a "covert channel".
A lot of covert channels and tunneling approaches are available as papers or exploitation tools at the present time. Some are hidden into lower layers of the OSI model whereas other are hidden into the higher one.
As the HTTP protocol is one of the most widely used protocol at the present time, one can consider that designing tunneling and covert channel tools over it is something researchers as much as network administrators should think about.
Various design aspects can be taken into consideration when implementing an HTTP Client/Server covert channel tool : What kind of server model can be implemented (Httpd-like, Proxy-like, CGI-Like) - How can the tool be designed to add confusion from a traffic watcher point of view (Server proxy chain, Intermediaries distributed servers, Almost-real proxy server and legitimate third-party models) - What kind of functionality can be implemented into the covert channel (Single application client and Single application client proxy modes, Server proxy mode, Client reverse connection proxy mode and Proprietary user defined protocol mode).
Then, when the HTTP covert channel client/server tool is modelized, designers can think about how their design could be applied in a real world environment : What kind of HTTP method can be used (With or Without Message body, be using the CONNECT method or not ?) - What kind of HTTP legitimate servers can be used to transit the arbitrary data stream through the NACS (HTTP and reverse proxies, other applications).
Designing covert channel tools also implies to consider their security underlying aspects : Server and client authentication and authorization, data stream ciphering and integrity, protection against replay. Another special consideration should be taken during the development stage itself to get a clean source code which (as much as possible) is exempt of bad parts.
Since the corner stone of covert channel methods relies on their intrinsic stealthness, a particular attention can be paid on using specific covering and steganographic techniques to confuse an eventual observer.
Hiding data into HTTP requests and responses (HTTP headers and body) with steganographic methods, adding random and/or specifically crafted confusing traffic, designing confusing servers which are not what they seem to be.
All of these methods drastically increase the stealthness of covert channels.
The Gray-World "Exploitation of data streams authorized by a network access control system for arbitrary data transfers : tunneling and covert channels over the HTTP protocol" paper presents these concepts to researchers and NACS administrators to explain that each time an administrator thinks he only allows the HTTP protocol to get in and out of his internal network, he also allows arbitrary data transfers through his secured perimeter.
^macro[showdigestcomments;^uri;Computer Crime Research Center: two years in fighting cybercrime!]