Investigating HTTP Covert Channels Through Fuzz Testing
Zuppelli M.;Caviglione L.
2024
Abstract
Modern malware increasingly deploys network covert channels to prevent detection or bypass firewalls. Unfortunately, the early discovery of protocol fields and functional behaviors of traffic that can be abused to conceal information is very challenging. In this perspective, fuzz testing could help to face the tight relationship between the used hiding scheme and the targeted protocol trait. Even if fuzzing is a well-established practice to reveal implementation issues, bugs, or unhandled behaviors, it has never been considered to assess the "susceptibility" of protocols to covert communications. Therefore, this paper explores the use of basic fuzzing techniques to quantify how ubiquitous HTTP conversations can be manipulated by an attacker to create a network covert channel. To this aim, we developed an ad-hoc random fuzzer, which mutates a reference HTTP request to simulate the presence of various cloaking attempts. To evaluate the feasibility of our idea, we conducted a thorough test campaign considering three different covert channels hidden in traffic exchanged with 1,000 real Web destinations. Results indicate that fuzzing should be considered a valid technique to investigate how HTTP can be altered to cloak data.

File | Size | Format | |
---|---|---|---|
3664476.3664493-2.pdf (Published version, open access, Creative Commons licence) | 672.76 kB | Adobe PDF | View/Open |
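The mutation-based idea the abstract sketches, written out as an added example: this is not the paper's fuzzer and it does not reproduce the three channels the authors evaluated. It mutates a constructed reference HTTP/1.1 request with three illustrative hiding schemes chosen here because the protocol tolerates them (header-name case, optional whitespace after the colon, and the order of the headers after Host), then checks that each mutated request still parses under a strict grammar and that the hidden bits can be read back. All names, the reference request and the channel definitions are assumptions made for the example.

```python
"""Toy random fuzzer for HTTP request covert channels (illustrative, not the paper's tool)."""
import random
import re
from itertools import permutations

# Constructed reference request; not taken from the paper.
REFERENCE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "\r\n"
)

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # RFC 9110 tchar set
HEADER_RE = re.compile(r"^(" + TOKEN + r"):([ \t]*)(.*?)[ \t]*$")
REQUEST_LINE_RE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def split_request(raw):
    """Return (request_line, [(name, ows, value), ...]) or raise ValueError.
    The optional whitespace (ows) after the colon is kept: one channel hides bits in it."""
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLF CRLF terminator")
    lines = head.split("\r\n")
    if not REQUEST_LINE_RE.match(lines[0]):
        raise ValueError("malformed request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("malformed header line: %r" % line)
        headers.append(m.groups())
    return lines[0], headers


def join_request(request_line, headers):
    return request_line + "\r\n" + "".join("%s:%s%s\r\n" % h for h in headers) + "\r\n"


# Channel 1 (assumed): header names are case-insensitive, so each letter's case is one bit.
def case_capacity(ref):
    return sum(c.isalpha() for name, _, _ in ref for c in name)

def case_encode(ref, bits):
    out, i = [], 0
    for name, ows, value in ref:
        chars = []
        for c in name:
            if c.isalpha() and i < len(bits):
                c = c.upper() if bits[i] else c.lower()
                i += 1
            chars.append(c)
        out.append(("".join(chars), ows, value))
    return out

def case_decode(ref, obs, nbits):
    return [int(c.isupper()) for name, _, _ in obs for c in name if c.isalpha()][:nbits]


# Channel 2 (assumed): one or two spaces after the colon, both legal OWS, encode one bit per header.
def ows_capacity(ref):
    return len(ref)

def ows_encode(ref, bits):
    return [(n, "  " if b else " ", v) for (n, _, v), b in zip(ref, bits)] + ref[len(bits):]

def ows_decode(ref, obs, nbits):
    return [int(len(ows) > 1) for _, ows, _ in obs][:nbits]


# Channel 3 (assumed): Host stays first, the remaining headers are permuted; index encodes floor(log2(n!)) bits.
def order_capacity(ref):
    fact = 1
    for k in range(2, len(ref)):
        fact *= k
    return fact.bit_length() - 1

def order_encode(ref, bits):
    idx = int("".join(map(str, bits)), 2) if bits else 0
    return [ref[0]] + list(sorted(permutations(ref[1:]))[idx])

def order_decode(ref, obs, nbits):
    idx = sorted(permutations(ref[1:])).index(tuple(obs[1:]))
    return [(idx >> (nbits - 1 - k)) & 1 for k in range(nbits)]


CHANNELS = {
    "header-case": (case_capacity, case_encode, case_decode),
    "optional-whitespace": (ows_capacity, ows_encode, ows_decode),
    "header-order": (order_capacity, order_encode, order_decode),
}


def random_cloak(reference, rng, channel=None):
    """One fuzzer step: pick a channel and random payload bits, return (channel, bits, mutated request)."""
    request_line, ref = split_request(reference)
    channel = channel or rng.choice(sorted(CHANNELS))
    capacity, encode, _ = CHANNELS[channel]
    bits = [rng.randint(0, 1) for _ in range(rng.randint(0, capacity(ref)))]
    return channel, bits, join_request(request_line, encode(ref, bits))


def recover(reference, mutated, channel, nbits):
    """Re-parse the mutated request (ValueError if the mutation broke syntax) and read the bits back."""
    _, ref = split_request(reference)
    _, obs = split_request(mutated)
    return CHANNELS[channel][2](ref, obs, nbits)


def campaign(reference, iterations, seed=0):
    """Per channel: runs, requests still syntactically valid, and payloads recovered intact."""
    rng = random.Random(seed)
    stats = {name: {"runs": 0, "valid": 0, "recovered": 0} for name in CHANNELS}
    for _ in range(iterations):
        channel, bits, mutated = random_cloak(reference, rng)
        s = stats[channel]
        s["runs"] += 1
        try:
            got = recover(reference, mutated, channel, len(bits))
        except ValueError:
            continue
        s["valid"] += 1
        s["recovered"] += got == bits
    return stats


if __name__ == "__main__":
    for name, s in campaign(REFERENCE_REQUEST, 300, seed=1).items():
        print("%-20s runs=%3d valid=%3d recovered=%3d" % (name, s["runs"], s["valid"], s["recovered"]))
```

The strict parser is the point of the exercise: a mutation only counts as a usable channel if the request still parses, so a real campaign would replace `split_request` with the target server's or proxy's behaviour (for instance by checking that the response to the mutated request matches the reference response), which is what "1,000 real Web destinations" in the abstract amounts to. Capacity per channel follows directly from the counting done in the `*_capacity` functions.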