Daryl Johnson

Behavior-Based covert channel in cyberspace

Many covert channels take advantages of weaknesses, flaws, or unused data fields in network protocols. In this paper, a behavior-based covert channel, that takes advantages of behavior of an application, is presented along with a formal definition in the framework of finite state machines. The behavior-based covert channel is application specific and lies at the application layer of the network OSI model, which makes the detection of this type of covert channel much more dicult. A detailed sample implementation demonstrates an example of this type of covert channel in the form of a simple online two-person game.The potential of this type of covert channel is also discussed.

A HTTP cookie covert channel

This paper presents a new covert channel based on Google Analytic web cookies in HTTP protocol. The new covert channel is difficult to disrupt and is capable of reasonably high bandwidths. The Google Analytic framework is used by over half of the most popular web sites currently on the Internet; its ubiquitousness across the web implies a great impact of this covert.

A Covert Channel in RTP Protocol

A new covert channel over the RTP protocol is designed and implemented by modifying the timestamp value in the RTP header. Due to the high frequency of RTP packets, the covert channel has a high bit-rate, theoretically up to 350 bps. The broad use of RTP for multimedia applications such as VoIP, provides abundant opportunities to such a covert channel to exist. By using the RTP header, many of the challenges present for covert channels using the RTP payload are avoided. A reference implementation of this covert channel is presented. Bit-rates of up to 325 bps were observed. The channel is very difficult to detect due to expected variations in the timestamp field and the flexible nature of RTP.

ICMP Covert Channel Resiliency

The ICMP protocol has been widely used and accepted as a covert channel. While the ICMP protocol is very simple to use, modern security approaches such as Firewalls, deep-packet inspection and intrusion detection systems threaten the use of ICMP for a reliable means for a covert channel. This study explores the modern usefulness of ICMP with typical security measures in place. Existing ICMP covert channel solutions are examined for compliance with standard RFCs and resiliency with modern security approaches.

Covert Channel Using Man-in-the-Middle over HTTPS

The goal of this covert channel is to prove the feasibility of using encrypted HTTPS traffic to carry a covert channel. The encryption key is not needed because the original HTTPS payload is not decrypted. The covert message will be appended to the HTTPS data field. The receiver will extract the covert channel and restore the original HTTPS traffic for forwarding. Only legitimate HTTPS connections will be used as the overt channel. A Man-in-the-Middle (MITM) attack at the sending and receiving ends will give access to modify the traffic streams. The HTTPS return traffic from the server can carry a covert channel. Without the original HTTPS traffic for comparison or the original encryption keys, this covert channel is undetectable.

Producing and evaluating crowdsourced computer security attack trees

We describe the recent developments of an open-source project called RATCHET that can be used by groups of users to collectively construct attack trees. We present the RATCHET framework as well as a model for testing and evaluation of the produced attack trees. RATCHET has been tested in classroom settings with positive results and this paper presents the plans for expanding its outreach to the community at large and building attack trees through crowdsourcing. This paper gives an overview of RATCHET and an introduction to its use.

Client-initiated HTTP covert channels using relays

This paper proposes a new covert channel utilizing open web relays. While the channel described is very straightforward, the addition of a trusted relay dramatically increases the anonymity and efficacy of this channel. Indirect, relayed communications disguise the actual endpoints of the communication making analysis, detection, and prevention more difficult.

Exploring a high-capacity covert channel on the Android operating system

As the use and prevalence of mobile technology increases so too does the importance of effective security for these devices. In particular, sensitive user information must be protected, which includes protecting against any covert channels that would allow such information to be compromised. This paper will examine a new covert channel capable of circumventing existing application-level protections on the Android operating system (OS). The authors will also show that this channel is capable of achieving significantly higher throughput than similar, previously discovered channels, which necessitates the implementation of additional security protections and controls at the operating system level.