
Reference Model Storage Covert channel for Secure Communications

2nd International conference on Advanced Computing Technologies and Applications 2020 (ICACTA 2020)

Dhananjay M Dakhane, Vaibhav Narawade


Dhananjay M Dakhane1 and Vaibhav Narawade2

1 RAIT, Nerul, University of Mumbai, India

2 RAIT, Nerul, University of Mumbai

Abstract. A covert channel is a channel that is not intended for communication. It is generally used to transfer an unintended form of information. The primary purpose of any kind of covert channel is secret communication, not bandwidth. In this paper, the proposed model increases the bandwidth of covert communication using the Sequence Number of the TCP header and the Identification field of the IP header. The reference model is proposed for the combination of the 32-bit Sequence Number and the 16-bit Identification Number, so that the total bandwidth of the storage covert channel for this model is 48 bits per packet.

Keywords: Covert channel, IP-ID, TCP Headers, TCP ISN, TCP-SQN


A communication channel used to transmit information through legitimate network traffic is an overt channel [16], whereas covert channels are hidden channels used for secret communication. The term covert channel has been used in various ways, such as network steganography and information hiding. It describes the process of hiding information in network protocols. Lampson first defined covert channels as channels that are not intended for information transfer at all [1]. Lampson's original definition differs from the newer definition given by the US DoD TCSEC, commonly known as the Orange Book: any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy [2]. The term information hiding had simply not been invented for computer networks when the first covert channels in network protocols were proposed [3].

Related Work

Rowland initially discovered covert channels in the TCP Initial Sequence Number (ISN) field [2]. The ISN is only transferred when a new connection is established and has a size of 4 bytes. Rowland also developed an enhanced version of the ISN-based covert channel with the goal of hiding the sender's address. For this purpose a bounce server is introduced, which the sender uses to send messages to the receiver. The sender sends a spoofed TCP packet to the bounce server. The packet carries the receiver's address as its source address, so the bounce server responds to the receiver, which receives a packet that does not contain the sender's address. The bounce server increments the ISN, which is transferred as the acknowledgement number to the receiver; the receiver has to decrement the acknowledgement number to get the original ISN value. This model developed an enhanced ISN-based passive covert channel by indirectly initiating a TCP connection to transfer hidden information [4]. Instead, a covert channel sender waits for a regular TCP connection and modifies the generated ISN through an ISN modification layer in the Linux kernel [5]. Another approach is to use TCP and UDP port numbers to send hidden messages [6]. J. Giffin used TCP timestamps to embed a covert payload [7] (timestamps are an optional header component of the protocol). This author applied a minimal delay to create a covert timing channel in this way. In storage-based covert channels, certain header fields of the packet are used throughout the stream. All packets of the corresponding stream contain covert data; this is the key feature of storage-based covert channels. Previous work by Joanna Rutkowska and Steven J. Murdoch gave two schemes for embedding covert channels in TCP/IP. Joanna Rutkowska designed the scheme called "NUSHU" [4], and Steven Murdoch designed the scheme for covert channels called "Lathra" [5].

"NUSHU" encrypts the data before actually embedding it into the TCP ISN field [4]. This results in a distribution unlike the one normally generated by Linux, so it will be detected by other TCP tests. "NUSHU" also exhibits characteristics of its own which may be exploited. The encryption uses DES: it encrypts the combination of four different entities (source port + destination port + source IP address + destination IP address) with a shared key, then XORs the first 32 bits of the resulting key stream with the hidden data. When collisions occur, the ISNs can be XORed to remove the key stream; the result is the XOR of two plaintexts. If these plaintexts are the same, as in the case when no data is being sent, the result is zero. In other cases redundancy in the encoding would be apparent [4]. So in certain cases this protocol fails, while "Lathra" [5], designed by Steven J. Murdoch and Stephen Lewis, works perfectly in those cases. In both of the above covert embedding schemes the headers of the TCP/IP layer are modified, which leaves some scope for a warden in the network to detect these channels. To be totally undetectable while embedding the covert data in the packet, we should not modify anything in the headers, whether it is the TCP header or the IP header. In this way it becomes difficult for the warden to distinguish between an overt data packet and a covert data packet.
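The collision weakness described above can be checked by a warden without the shared key. The following is an added example, not code from the paper or from NUSHU: SHA-256 stands in for the DES step because the Python standard library has no DES, and the key, addresses, ports and hidden data are constructed sample values.

```python
import hashlib
from itertools import combinations

def keystream32(key: bytes, flow) -> int:
    """First 32 bits of a keyed function of (sport, dport, src, dst).
    SHA-256 is a stand-in for the DES encryption described in the text."""
    sport, dport, src, dst = flow
    material = key + f"{sport}|{dport}|{src}|{dst}".encode()
    return int.from_bytes(hashlib.sha256(material).digest()[:4], "big")

def encoded_isn(key: bytes, flow, data: bytes) -> int:
    """ISN as described: key stream XOR 32 bits of hidden data."""
    return keystream32(key, flow) ^ int.from_bytes(data, "big")

def collision_xors(observed):
    """Warden side, no key needed: XOR every pair of ISNs seen on the same 4-tuple.
    The key stream cancels, leaving the XOR of the two hidden plaintexts."""
    by_flow = {}
    for flow, isn in observed:
        by_flow.setdefault(flow, []).append(isn)
    return [(flow, a ^ b)
            for flow, isns in by_flow.items()
            for a, b in combinations(isns, 2)]

def constructed_capture():
    """Constructed observations: one idle 4-tuple, one carrying two similar words."""
    key = b"constructed-key"                      # never passed to collision_xors
    idle = (40000, 80, "192.0.2.10", "198.51.100.5")
    busy = (40001, 80, "192.0.2.10", "198.51.100.5")
    return [
        (idle, encoded_isn(key, idle, b"\x00\x00\x00\x00")),
        (idle, encoded_isn(key, idle, b"\x00\x00\x00\x00")),
        (busy, encoded_isn(key, busy, b"HELO")),
        (busy, encoded_isn(key, busy, b"HELP")),
    ]

if __name__ == "__main__":
    for flow, x in collision_xors(constructed_capture()):
        verdict = "identical plaintexts" if x == 0 else "plaintext XOR leaked"
        print(flow, f"{x:#010x}", verdict)
```

A genuinely random ISN generator gives a zero XOR for a repeated 4-tuple only with probability 2^-32, so zeros or mostly-zero differences on colliding connections are the signal.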

Covert Threat Model

The threat model for covert communication can be understood through the simple scenario shown in Figure 1.1. In this model, Alice is the covert sender, who is connected to Bob and exchanges covert information using our proposed covert model (TCP or ID reference model). It is an active covert channel, so both covert users, i.e. Alice and Bob, have corresponding application-level processes running at the application layer. These generate legitimate TCP traffic. In our proposed covert model, Alice uses her covert kernel module to exploit the TCP traffic generated by the application-level process. Similarly, on the receiving side, Bob, the covert receiver, extracts the covert information using a similar mechanism.

Fig. 1. Proposed Covert Threat Model

3.1 Features of TCP SQN Reference Model


In this model the packets are generated by Linux kernel 3.2, and the semantics of TCP ISN generation specified in RFC 1948 are followed. The TCP SQNs used by packets containing covert data therefore cover the same space as those of overt data packets, which is why a normal SQN distribution is observed for covert data packets.

Previous approaches by Rowland, Rutkowska and S. Murdoch use a new connection for each unit of covert data, while this model uses a single persistent connection for communicating the whole data, so the bandwidth of this covert scheme is extremely high compared to "NUSHU" [4] and "Lathra" [5].

In the case of packet loss, the kernel itself performs packet retransmission, since in our proposed model all packet transmission tasks are done by the kernel itself. This enhances the reliability of the covert channel for delivery of the covert data.

Proposed Model

When two parties need to transfer data using TCP, the sender machine creates a new TCP connection. As the sender machine initiates the connection, it generates the first sequence number, i.e. the TCP ISN. The sequence number has a dual role. If the SYN flag is set, it is the initial sequence number (ISN). When the SYN flag is clear, the sequence number is the accumulated sequence number of the first data segment of the current session. The TCP ISN must be chosen such that the sequence numbers of new incarnations of a TCP connection do not overlap with the sequence numbers of earlier incarnations of a TCP connection [5]. For storage covert channels that use the TCP SQN field as a reference to be undetectable, the ISNs generated by these channels must cover the same space as the ones generated by the system without modification. Previous research shows that whenever the semantics of the packet are disturbed, it becomes detectable by the warden present in the network. As we are using the TCP SQN field as the storage channel for our covert data, it is most important that the ISNs generated by our protocol look like the normal ISN distribution. To achieve this we use the ISN generated by the operating system's kernel itself and do not generate any random numbers for ISNs. This ensures that whatever ISN we are using will look like any other ISN generated by the same system [8]. In this way we automatically follow all the specified structures and semantics used by the kernel. To convey the covert data we use the TCP payload; it contains the key, and using this key we can extract the covert data from the kernel-generated TCP SQN. Basically, this key is the sequence of our covert data bits in the TCP SQN field [9]. The key is distributed throughout the payload, and each byte of the key is placed at a different position in the TCP payload. We call these positions data pointers.

These data pointers contain the symbols from the symbol table, which is usually used in covert communication. This symbol table contains unique symbols for positions in the sequence. So the sender actually appends to the TCP payload and not the header in order to send covert data. Hence covert data can be embedded into the packet without disturbing any header or packet semantics.

4.1 Sequence Number Reference Model

The TCP sequence number (SQN) field is used to maintain a persistent TCP session between two ends. During the initial handshake between two systems, the initial sequence number (ISN) is generated by the sender system and carried forward by both communicating systems. The field is 32 bits long, so it is an obvious choice for covert communication by an attacker, because it offers the highest possible bandwidth for exchanging the covert message. NUSHU was developed to embed the covert message in an encoded ISN [9], while in our proposed covert reference model the covert message is a reference pointer into the Sequence Number field [10]. In our proposed TCP SQN Reference Model, the loadable kernel module (LKM) embeds the covert data into the TCP payload. However, the covert data in the TCP payload is not the actual covert bytes that we want to send: the TCP payload carries reference positions that indirectly point to individual bits of the kernel-generated TCP sequence number. Figure 2 shows the TCP SQN Reference Model architecture. To determine whether successful covert communication takes place using the SQN referencing model, we implemented a sample proof-of-concept test. We created a client and a server that communicate over TCP. These applications are written in Java and were tested on Ubuntu 12.10, using the system's sockets through the APIs provided in Java.

Fig. 2. Sequence Number Reference Model

The TCP Sequence Number field is used to select the reference bit positions, and these positions are embedded in the corresponding payload. The covert bandwidth of this model is 8, 16 or 32 bits per packet, depending on the model used for communication. The maximum covert bandwidth is 32 bits per packet and the minimum is 1 bit per packet. The proposed model is developed for 32 bits per packet.

IP Identification Model

The 16-bit identification (ID) field in IP is used to uniquely identify the fragments of a particular datagram. Fragments of a particular datagram are assembled if they have the same source, destination, protocol and identifier. The identifier is chosen to be unique for the same source-destination pair and protocol for the time the datagram (or any fragment of it) could be alive in the internet. The IP identifier (ID) field has 65,536 different values. It is important for an operating system to have some mechanism to control the identification (ID) numbers correctly.

Fig. 3. Reference Model for IP Identification

The important stage is to insert these covert reference pointers into the TCP payload so that the covert communication remains undetectable. In this module, the position of the covert reference pointers in the TCP payload is fixed, for the TCP Sequence Number as well as for the IP Identification. It is possible to choose random covert reference positions, but this incurs the overhead of a handshake every time the corresponding covert reference positions in the TCP payload change. The proposed model therefore uses pre-defined TCP payload positions where the covert pointers are placed. The TCP and IP checksums need to be recalculated because the payload has been altered.
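What the reference pointers mean for a warden can be seen in a small offline model of the scheme described above. This is an added example, not the authors' kernel module or Java test code: the payload offsets 8..39, the storage of each pointer as a raw position byte 0..31 (no symbol table), and the sample message are assumptions, and the sequence numbers are random stand-ins for kernel-generated ones.

```python
import random

FIELD_BITS = 32                       # width of the TCP sequence number
OFFSETS = list(range(8, 8 + 32))      # assumed fixed payload positions of the pointers

def sqn_bit(sqn: int, pos: int) -> int:
    """Bit `pos` of the sequence number, counting from the most significant bit."""
    return (sqn >> (FIELD_BITS - 1 - pos)) & 1

def pointers_for(sqn: int, bits, rng: random.Random):
    """Sender-side model: for each covert bit, a position in `sqn` holding that value."""
    by_value = {v: [p for p in range(FIELD_BITS) if sqn_bit(sqn, p) == v] for v in (0, 1)}
    if any(not by_value[b] for b in bits):
        # An all-zero or all-one field cannot reference the other bit value.
        raise ValueError("sequence number has no bit with the required value")
    return [rng.choice(by_value[b]) for b in bits]

def recover_bits(sqn: int, payload: bytes, offsets=OFFSETS):
    """What any observer who knows the offsets reads from the header plus payload."""
    return [sqn_bit(sqn, payload[o]) for o in offsets]

def small_alphabet_offsets(payloads, limit: int = FIELD_BITS):
    """Warden heuristic: offsets whose byte stays below `limit` in every packet of a flow."""
    shortest = min(len(p) for p in payloads)
    return [o for o in range(shortest) if all(p[o] < limit for p in payloads)]

def constructed_flow(message: bytes, seed: int = 7):
    """Build constructed (sqn, payload) pairs; len(message) must be a multiple of 4."""
    rng = random.Random(seed)
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    flow = []
    for k in range(0, len(bits), FIELD_BITS):
        sqn = rng.getrandbits(FIELD_BITS)          # stands in for the kernel-chosen SQN
        body = bytearray(rng.choice(b"abcdefghijklmnopqrstuvwxyz ") for _ in range(64))
        for off, ptr in zip(OFFSETS, pointers_for(sqn, bits[k:k + FIELD_BITS], rng)):
            body[off] = ptr                        # pointer stored as a raw position 0..31
        flow.append((sqn, bytes(body)))
    return bits, flow

if __name__ == "__main__":
    bits, flow = constructed_flow(b"constructed text")
    seen = [b for sqn, payload in flow for b in recover_bits(sqn, payload)]
    print("observer recovers message bits:", seen == bits)
    print("offsets flagged by warden:", small_alphabet_offsets([p for _, p in flow]))
```

The header stays untouched, but everything needed to decode travels on the wire: the secrecy rests on the offsets and the symbol table, and a fixed pointer region with a small alphabet is visible to payload inspection.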

Experimental Results

The proposed model was tested on a LAN of 100+ machines.

5.1 Covert channel Cover Correctness Test

This test was conducted with the proposed covert reference model. All tests were conducted for a covert text message and a covert image message. The test verifies the covert message received at the covert receiver: the Java application checks the accuracy of the covert message received there. For all tests the covert message size is 1024 bytes for the text and 473831 bytes for the image.

Parameter                  Text message        Image message
Covert Message Size        1024 Bytes          473831 Bytes
Packets Required           32 & 6414809 & 29615
TCP Data                   233606 Bytes        108034049 Bytes
Bandwidth                  32 bits / packet    32 bits / packet
Covert Message Received    100.00%             100.00%
Packet Loss                0.00%               0.00%

The same experiments were carried out for the combination of the TCP Sequence Number and the 16-bit IP Identification Number, in the same environment:

Parameter                  Text message        Image message
Covert Message Size        1024 Bytes          473831 Bytes
Packets Required           229872
TCP Data                   233606 Bytes        108034049 Bytes
Bandwidth                  32 bits / packet    32 bits / packet
Covert Message Received    100.00%             100.00%
Packet Loss                0.00%               0.00%

The above results show the accuracy of the proposed model: the covert message was received 100% at the receiving end with 0% packet loss.


In the proposed model we use only ISNs generated by the system itself, so it is impossible to differentiate between an ISN with covert data and an ISN without covert data. This also means that a correct implementation of this model can create a totally undetectable channel, while the bandwidth of such channels is enhanced, i.e. 48 bits per packet. It is important to note that we use a single persistent connection for the entire session, and all of the communication takes place through this single connection.


1. US DoD (1985). Trusted Computer System Evaluation Criteria.

2. Rowland, Craig (1996). Covert Channels in the TCP/IP Protocol Suite.

3. S. Zander, G. Armitage, P. Branch (2007). A Survey of Covert Channels and Countermeasures in Computer Network Protocols. (Accepted for publication in IEEE Communications Surveys and Tutorials).

4. Joanna Rutkowska (January 2004). The implementation of passive covert channels in the Linux kernel. Speech held at the 21st Chaos Communication Congress, Berlin, Germany.

5. S. J. Murdoch, S. Lewis (June 2005). Embedding Covert Channels into TCP/IP. In Proceedings of 7th Information Hiding Workshop.

6. T. Borland (January 2013). Guide to encrypted dynamic covert channels.

7. J. Giffin, R. Greenstadt, P. Litwack, and R. Tibbetts (2003). Covert messaging through TCP time stamps. In Proc. 2nd International Conference on Privacy Enhancing Technologies, pages 194–208.

8. Pierre Allix (2007). Covert channels analysis in TCP/IP networks.

9. Xiaochao Zi, Lihong Yao, Li Pan, and Jianhua Li. Implementing a passive network covert timing channel. In Elsevier Computer and Security 2010, January 2010.

10. K. Borders and A. Prakash. Quantifying information leaks in outbound web traffic. In Proc. 30th IEEE Symposium on Security and Privacy, pages 129–140, 2009.


ICACTA2010-Paper. (2019, Dec 20). Retrieved from https://paperap.com/icacta2010-paper-best-essay/
