ISU Electrical and Computer Engineering Archives

Hiding out in plaintext : covert messaging with bitwsie summations

Perkins, Michael C. (2005) Hiding out in plaintext : covert messaging with bitwsie summations. Masters thesis, Iowa State University.

Full text available as:

PDF - Requires Adobe Acrobat Reader or other PDF viewer.


Network-based information hiding is possible in even the most adverse conditions such as when an active warden reduces packets into a canonical form and enforces protocol specification. Covert channels in the TCP/IP protocol suite are surveyed from the network layer up to the application layer which is given special emphasis. Active wardens are discussed in detail, as those network devices attempt to thwart covert communications. Application layer hiding techniques are gaining popularity and can be viewed as a response to active wardens. However, even the best application layer techniques tend to be confined to a particular protocol. We define the theoretical foundations for a new scheme in which bitwise summations of application layer messages convey covert bits. A set of large HTTP queries is taken from Internet Traffic Archive for analysis. Two bitwise summation methods, an ad-hoc and a blind (cryptographic), are compared using the Web repository. The viability of both methods is established, though the cryptographic findings are more conclusive. Following the test results, a client/server model is outlined that utilizes either the ad-hoc or the blind method for covert communication. Development of a functioning prototype based on that model is described as well. The client, called tcphalm for hide application layer messages, can communicate without the requirement of superuser privileges by gathering socket messages through system call interposition. The server, tcphalmd, only supports the HTTP protocol but is demonstrative enough so that other application protocols can easily be incorporated into the code. Finally, future work is discussed which includes steps concerned network administrators can take to combat application layer hiding techniques. However, because hiding techniques can be adapted to handle such countermeasures, the covert messaging arms race will likely continue well into the future. For now, information hiding methods that employ bitwise summations enjoy a sizeable advantage over active wardens.

EPrint Type:Thesis (Masters)
Additional Information:The basic idea of this thesis is to capture ordinary TCP/IP application layer messages such as web requests and replay them later to message covertly. The captured messages are arranged according to a sum of all their bits. The simplest case would be where messages with a sum below some threshold sum value are used to send a 0 and messages above the threshold a 1. In order to increase the likelihood that sums exist that equal both 0 and 1, messages can be encrypted prior to sum computation.
Uncontrolled Keywords:information hiding covert channels steganography subliminal channels application layer encryption message digest hash cryptographic system call interposition active warden TCP/IP
Subjects:Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Information Assurance
Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Computer Networking and Security
ID Code:154
Identification Number:Identification Number UNSPECIFIED
Deposited By:Michael Perkins
Deposited On:22 April 2005

Archive Staff Only: edit this record