Covert Channels Evaluation Framework Code
Network steganography / covert channels evaluation tool
Status: Beta
Brought to you by: s_zander
Covert Channels Evaluation Framework (CCHEF)
--------------------------------------------

CCHEF is a framework for evaluating covert channels in network protocols. It can be used to test covert channels across real networks using real overt traffic as cover. It can also be used to emulate covert channels with overt traffic from traffic traces, to evaluate covert channels against a specific overt traffic mix.

CCHEF can be used for multiple purposes:
- test existing intrusion detection software and firewalls
- evaluate the capacity of covert channels under 'realistic' conditions
- develop new methods for eliminating, limiting or detecting covert channels

The aim of CCHEF is not to be actually used for circumventing security measures. Thus absolutely no attempts have been made to hide the presence of the CCHEF application used as sender/receiver: it is a normal user space application stored in the file system.

For basic installation instructions read the file INSTALL. When there are questions or problems please read the FAQ (doc/FAQ) first and have a look at the CCHEF documentation in the doc directory before contacting the author. Oh, and beware: CCHEF is experimental software!

WEB SITE

Here you can download the complete user and developer documentation and the latest version of the CCHEF sources:
https://sourceforge.net/projects/cchef/

DOWNLOAD

The software is available as a source distribution from:
https://sourceforge.net/projects/cchef/

GETTING STARTED

Installation of CCHEF is straightforward (see INSTALL). After a successful installation there should be two executables in <prefix>/bin: cchef and compare. cchef is the actual covert channels evaluation tool. compare can be used to compare the sent bits with the received bits and compute bit error rates etc.

CCHEF is controlled via XML config files. These config files specify the type of covert channel, whether the channel is uni- or bi-directional, etc. Some example config files are installed in <prefix>/etc/cchef.
IP addresses and file names in the examples must be modified by you before running CCHEF!

Example config files are provided for the following scenarios:

1) Produce a list of flows and their common TTL value (the TTL value of the majority of packets) based on traffic data from a traffic trace. This list is needed before NoiseTTL can be used to emulate noise in TTL field related channels. (TTL is the Time to Live field in the IP header.) Modify the basettl.xml file and run CCHEF:

   hostA>cchef -c basettl.xml

   This will output a file with flow IDs and the most common TTL values in the forward and backward direction. This is an example of using CCHEF without actually using any covert channels: CCHEF can be used to just perform analysis of traffic data in trace files or captured on live interfaces. For another example see the flowlen.xml config file.

2) Emulate the use of covert channels with overt traffic taken from traffic trace files. In this case no actual traffic is sent across the network. Overt traffic is read from a trace and the covert channel is encoded. CCHEF allows the simulation/emulation of channel noise. After channel noise is applied the covert channel is decoded and bit error statistics are computed. To emulate covert channels with overt traffic from a trace modify the trace-sr.xml config file and run:

   hostA>cchef -c trace-sr.xml

3) Trace file based emulation can also be performed in two steps using the trace-send.xml and trace-recv.xml config files. Modify both config files. First run:

   hostA>cchef -c trace-send.xml

   This will produce a trace file with the covert data encoded in the overt traffic. Then the covert data can be decoded by running:

   hostA>cchef -c trace-recv.xml

   Note: the trace file produced in the first step can be used as input for testing covert channel detection tools, intrusion detection systems, firewalls etc.

4) Establish a unidirectional channel from a sender to a receiver and (repeatedly) send a text file.
   Edit the config files text-send.xml and text-recv.xml so that the IP addresses are the IP addresses of the two hosts and all file names point to valid files and directories (in particular it is required to create a send.txt file at the sender). Then start CCHEF:

   hostA>cchef -c text-send.xml
   hostB>cchef -c text-recv.xml

5) Establish a bi-directional channel between two peers over which IP packets are tunneled. Edit the config files tun-peer1.xml and tun-peer2.xml so that the IP addresses are the IP addresses of the two peers. Then start CCHEF:

   hostA>cchef -c tun-peer1.xml
   hostB>cchef -c tun-peer2.xml

   Overt traffic between hostA and hostB is required to carry the covert data.

The compare application compares two bit files produced by CCHEF. A CCHEF sender will produce the files 'BitsSendPayload' and 'BitsSendTransport'. A CCHEF receiver will produce the files 'BitsRecvPayload' and 'BitsRecvTransport'. The payload files contain the bit streams at payload level, i.e. the covert bits sent by the sender and the covert bits recovered by the receiver. The transport files contain the bit streams that are actually sent over the channel at transport level, including transport headers, framing bits etc.

To compare the sent and received bits at transport level run:

   compare -i BitsSendTransport -o BitsRecvTransport

To compare the sent and received bits at payload level run:

   compare -i BitsSendPayload -o BitsRecvPayload -b 16

Here 16 is the number of bytes per transport block. It needs to be set to the same value as specified in the CCHEF config file. Otherwise the block loss statistics will be wrong!

Man pages for the tools are in the doc subdirectory.

LICENSE

CCHEF is released under the terms of the GNU General Public Licence version 2 (GPLv2). Please see the file COPYING for details.

CONTACT

If you have problems, questions, ideas or suggestions, please contact me:
Sebastian Zander (sebastian.zander@gmx.de)
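The per-flow majority TTL computed by the basettl.xml scenario above is the same baseline a network monitor needs before it can tell a modulated TTL field from a stable one. The following Python example is added here to illustrate that computation; it is not CCHEF code and does not read CCHEF's trace or output formats. It assumes packets arrive as (src, dst, ttl) tuples (a constructed sample is embedded), identifies a flow by its two endpoints only rather than the full 5-tuple, and goes slightly beyond the text by also listing packets that deviate from their flow's majority TTL.

```python
from collections import Counter, defaultdict

# Constructed sample packet records (src, dst, ttl); not real trace data and
# not CCHEF's own input format. One packet in the first flow deviates.
PACKETS = [
    ("10.0.0.1", "10.0.0.2", 64),
    ("10.0.0.1", "10.0.0.2", 64),
    ("10.0.0.1", "10.0.0.2", 63),    # TTL differs from the flow's majority
    ("10.0.0.2", "10.0.0.1", 128),
    ("10.0.0.2", "10.0.0.1", 128),
    ("10.0.0.3", "10.0.0.2", 57),
]


def flow_key(src, dst):
    """Map a packet to a bidirectional flow.

    Simplification (assumption of this example): a flow is identified by its
    two endpoint addresses only, not the full 5-tuple. The lexicographically
    smaller endpoint pair is taken as the 'forward' direction so that both
    directions of a conversation share one key.
    """
    forward = (src, dst) <= (dst, src)
    key = (src, dst) if forward else (dst, src)
    return key, forward


def base_ttl(packets):
    """Return {flow_key: (forward_ttl, backward_ttl)}.

    Each value is the TTL seen in the majority of packets of that flow and
    direction, or None if no packet was seen in that direction.
    """
    counts = defaultdict(lambda: (Counter(), Counter()))
    for src, dst, ttl in packets:
        key, forward = flow_key(src, dst)
        counts[key][0 if forward else 1][ttl] += 1
    baseline = {}
    for key, (fwd, bwd) in counts.items():
        baseline[key] = (
            fwd.most_common(1)[0][0] if fwd else None,
            bwd.most_common(1)[0][0] if bwd else None,
        )
    return baseline


def deviating_packets(packets, baseline):
    """List packets whose TTL differs from the majority TTL of their flow and
    direction, as (src, dst, ttl, expected_ttl).

    Such deviations are what a monitor inspects when checking whether the TTL
    field of a flow is being modulated; genuine route changes produce them
    too, so this is a baseline check, not a classifier.
    """
    out = []
    for src, dst, ttl in packets:
        key, forward = flow_key(src, dst)
        expected = baseline[key][0 if forward else 1]
        if expected is not None and ttl != expected:
            out.append((src, dst, ttl, expected))
    return out


if __name__ == "__main__":
    baseline = base_ttl(PACKETS)
    for (a, b), (fwd, bwd) in sorted(baseline.items()):
        print(f"{a} <-> {b}: forward TTL {fwd}, backward TTL {bwd}")
    for src, dst, ttl, expected in deviating_packets(PACKETS, baseline):
        print(f"deviation: {src} -> {dst} TTL {ttl} (majority {expected})")
```

Run it as a script to print the baseline and the one deviating packet; on a real trace the same two functions would be fed from a packet parser and the flow key extended to include ports and protocol.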
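The compare tool described above reports bit errors at transport level and, given the block size with -b, block loss at payload level. The following Python example is added to show what such a comparison computes and why the block size has to match the sender's; it is not CCHEF's compare program. It assumes the bit files are ASCII '0'/'1' characters with optional whitespace (CCHEF's real file format is not documented on this page), uses constructed sample streams, and matches blocks by position, which is a simplification: a block lost in the middle of the stream mis-aligns everything after it, just as a wrong -b value would.

```python
from dataclasses import dataclass


@dataclass
class CompareResult:
    bits_compared: int      # bits in blocks present on both sides
    bit_errors: int         # bits that differ within those blocks
    blocks_sent: int
    blocks_received: int
    blocks_lost: int        # sent blocks with no received counterpart
    blocks_corrupt: int     # received blocks containing at least one bit error

    @property
    def bit_error_rate(self):
        return self.bit_errors / self.bits_compared if self.bits_compared else 0.0

    @property
    def block_loss_rate(self):
        return self.blocks_lost / self.blocks_sent if self.blocks_sent else 0.0


def parse_bits(text):
    """Turn an ASCII bit string such as '0110 1001' into a list of ints.

    Assumption of this example: bit files are ASCII '0'/'1' characters with
    optional whitespace. Any other character is an error rather than silently
    skipped, so a truncated or corrupted file is noticed.
    """
    bits = []
    for ch in text:
        if ch in "01":
            bits.append(int(ch))
        elif not ch.isspace():
            raise ValueError(f"unexpected character {ch!r} in bit stream")
    return bits


def compare_bits(sent_text, recv_text, block_bytes=None):
    """Compare a sent and a received bit stream.

    With block_bytes=None every bit is its own unit (transport-level style
    comparison). With block_bytes=N the streams are cut into blocks of 8*N
    bits and blocks are matched by position; sent blocks beyond the end of
    the received stream count as lost. Positional matching is a
    simplification for this example and is also why the block size given
    here must equal the one the sender used.
    """
    sent = parse_bits(sent_text)
    recv = parse_bits(recv_text)
    n = 8 * block_bytes if block_bytes else 1
    sent_blocks = [sent[i:i + n] for i in range(0, len(sent), n)]
    recv_blocks = [recv[i:i + n] for i in range(0, len(recv), n)]

    compared = errors = corrupt = 0
    for sb, rb in zip(sent_blocks, recv_blocks):
        # Bits missing from a short received block count as errors too.
        diff = sum(a != b for a, b in zip(sb, rb)) + abs(len(sb) - len(rb))
        compared += len(sb)
        errors += diff
        corrupt += 1 if diff else 0

    return CompareResult(
        bits_compared=compared,
        bit_errors=errors,
        blocks_sent=len(sent_blocks),
        blocks_received=len(recv_blocks),
        blocks_lost=max(0, len(sent_blocks) - len(recv_blocks)),
        blocks_corrupt=corrupt,
    )


# Constructed sample streams: four 1-byte blocks sent, the last one never
# arrives and the second one has a single flipped bit.
SENT = "01101001 11110000 00001111 10101010"
RECV = "01101001 11110010 00001111"

if __name__ == "__main__":
    r = compare_bits(SENT, RECV, block_bytes=1)
    print(f"BER {r.bit_error_rate:.4f}, {r.blocks_lost}/{r.blocks_sent} blocks lost, "
          f"{r.blocks_corrupt} corrupt")
```

With the sample streams the payload-level comparison (block_bytes=1) reports one lost block and one corrupt block out of four, while the transport-level comparison (block_bytes=None) reports the same single bit error but eight lost bits, which is the difference in granularity the two compare invocations above expose.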