Stefano Bistarelli, Andrea Imparato, Francesco Santini
{"title":"基于 TCP 的隐蔽信道,具有完整性检查和重传功能","authors":"Stefano Bistarelli, Andrea Imparato, Francesco Santini","doi":"10.1007/s10207-024-00879-z","DOIUrl":null,"url":null,"abstract":"<p>We propose a covert channel and its implementation in Windows OS. This storage channel uses the <i>Initial Sequence Number</i> of TCP to hide four characters of text and the <i>identification</i> field to “sign” the message and thus understand if it has been altered during the transmission. The secret is sent in the first SYN segment to open a connection, and an ACK-RST response acknowledges the receipt. Designed error-correction codes make the protocol more robust and able to handle (IP) packet drops and transmission errors. In this paper, we provide a detailed discussion of the implementation and an evaluation of the stealthiness of the proposed channel: we inspect the generated traffic with two IDSs and RITA, a tool performing statistical analysis to detect malware beaconing.</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"57 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-08-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A TCP-based covert channel with integrity check and retransmission\",\"authors\":\"Stefano Bistarelli, Andrea Imparato, Francesco Santini\",\"doi\":\"10.1007/s10207-024-00879-z\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>We propose a covert channel and its implementation in Windows OS. This storage channel uses the <i>Initial Sequence Number</i> of TCP to hide four characters of text and the <i>identification</i> field to “sign” the message and thus understand if it has been altered during the transmission. The secret is sent in the first SYN segment to open a connection, and an ACK-RST response acknowledges the receipt. Designed error-correction codes make the protocol more robust and able to handle (IP) packet drops and transmission errors. In this paper, we provide a detailed discussion of the implementation and an evaluation of the stealthiness of the proposed channel: we inspect the generated traffic with two IDSs and RITA, a tool performing statistical analysis to detect malware beaconing.</p>\",\"PeriodicalId\":50316,\"journal\":{\"name\":\"International Journal of Information Security\",\"volume\":\"57 1\",\"pages\":\"\"},\"PeriodicalIF\":2.4000,\"publicationDate\":\"2024-08-12\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Information Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1007/s10207-024-00879-z\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00879-z","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
摘要
我们提出了一种隐蔽信道及其在 Windows 操作系统中的实现方法。该存储信道利用 TCP 的初始序列号隐藏四个字符的文本和标识字段来 "签署 "信息,从而了解信息是否在传输过程中被篡改。密文在打开连接的第一个 SYN 段中发送,ACK-RST 响应确认收到密文。设计的纠错码使协议更加稳健,能够处理(IP)数据包丢失和传输错误。在本文中,我们详细讨论了实现方法,并评估了所建议信道的隐蔽性:我们使用两个 IDS 和 RITA(一种用于检测恶意软件信标的统计分析工具)检查了生成的流量。
A TCP-based covert channel with integrity check and retransmission
We propose a covert channel and its implementation in Windows OS. This storage channel uses the Initial Sequence Number of TCP to hide four characters of text and the identification field to “sign” the message and thus understand if it has been altered during the transmission. The secret is sent in the first SYN segment to open a connection, and an ACK-RST response acknowledges the receipt. Designed error-correction codes make the protocol more robust and able to handle (IP) packet drops and transmission errors. In this paper, we provide a detailed discussion of the implementation and an evaluation of the stealthiness of the proposed channel: we inspect the generated traffic with two IDSs and RITA, a tool performing statistical analysis to detect malware beaconing.
期刊介绍:
The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation.
Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
