Eliminating Steganography in Internet Traffic with Active Wardens
Lecture Notes in Computer Science
Active wardens have been an area of postulation in the community for nearly two decades, but to date there have been no published implementations that can be used to stop steganography as it transits networks. In this paper we examine the techniques and challenges of a high-bandwidth, unattended, real-time, active warden in the context of a network firewall. In particular, we concentrate on structured carriers with objectively defined semantics, such as the TCP/IP protocol suite, rather than on the subjective, or unstructured, carriers such as images that dominate the information hiding literature. We introduce the concept of Minimal Requisite Fidelity (MRF) as a measure of the degree of signal fidelity that is both acceptable to end users and destructive to covert communications. For unstructured carriers, which lack objective semantics, wardens can use techniques such as adding noise to block subliminal information. However, these techniques can break the overt communications of structured carriers, which have strict semantics. We therefore use a specification-based approach to determine MRF. We use MRF to reason about opportunities for embedding covert or subliminal information in network protocols and develop both software to exploit these channels and an active warden implementation that stops them. For unstructured carriers, MRF is limited by human perception, but for structured carriers, well-known semantics give us high assurance that a warden can completely eliminate certain subliminal or covert channels.

Network security is one of the most pressing and difficult problems facing modern private organizations and governments. In addition to the daily barrage of unwanted traffic from network scans, viruses, worms, exploit tools, and other unauthorized attempts to gain access, sites must be concerned with malicious insiders using digital carriers to secretly disperse information through the very perimeter that is supposed to be protecting the network. The ubiquitous use of protocols and file structures laden with loose semantics and unused or marginally significant bits that can be freely used for covert communication channels only furthers those challenges. This paper focuses on the pragmatic challenges of implementing an active warden as a part of a network firewall. In particular, we concentrate on structured carriers such as the TCP/IP protocol suite rather than on the subjective, or unstructured, carriers, such as images, that dominate the information hiding literature. We call a carrier structured if there is a well-defined, objective semantics defining the overt information content of the carrier.
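As an added illustration of the specification-based approach (example code, not the paper's warden implementation), the function below normalizes two IPv4 header fields whose value RFC 791 fixes outright, the reserved flag bit and the padding after an End-of-Options-List option, so a warden can overwrite them without touching the overt semantics, then recomputes the header checksum. The sample header is constructed for the example and is not a capture from the paper.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def normalize_ipv4_header(packet: bytes) -> bytes:
    """Force bits with no overt meaning to their mandated values and fix the checksum (warden-style MRF)."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    hdr = bytearray(packet[:ihl])
    # Flags/fragment-offset word: bit 15 is reserved and "must be zero"; DF/MF and the offset are kept.
    hdr[6:8] = struct.pack("!H", struct.unpack("!H", hdr[6:8])[0] & 0x7FFF)
    # Options: walk kind/length pairs; everything after End-of-Options-List (kind 0) is padding and must be zero.
    pos = 20
    while pos < ihl:
        kind = hdr[pos]
        if kind == 0:
            hdr[pos + 1:ihl] = bytes(ihl - pos - 1)
            break
        if kind == 1:  # NOP is a single byte
            pos += 1
            continue
        length = hdr[pos + 1] if pos + 1 < ihl else 0
        if length < 2 or pos + length > ihl:
            raise ValueError("malformed IPv4 option")
        pos += length
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

# Constructed sample: IHL=6, DF set plus the reserved bit, options NOP, NOP, EOL, then a 0xAA padding byte.
SAMPLE_HEADER = bytes.fromhex("46000018123400004006000000a0000010a000002") if False else bytes.fromhex(
    "4600001812344000".replace("4000", "c000") + "40060000" + "0a000001" + "0a000002" + "010100aa"
)

if __name__ == "__main__":
    print(normalize_ipv4_header(SAMPLE_HEADER).hex())
```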