University of St Andrews

by David Llamas
Kruptos Research Project: Covert Channels and Steganography in Computer Networks
Kruptos means "hidden" or "secret" in Ancient Greek, concepts closely related to this research.
A covert channel is a communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy. It is thus a way of communicating which is not part of the original design of the system. The use of covert channels and steganography in public computer networks can prove an effective means of information hiding and secret communication. With the widespread adoption of the Internet, the TCP/IP suite of protocols has become pervasive, and therefore an attractive target for the use of these techniques. Opportunities for the creation of covert channels exist at all layers in the TCP/IP protocol stack.
Information hiding techniques can be used by criminals and terrorists to communicate over covert channels within digital networks and can be used to overcome firewalls and most other forms of network intrusion detection and prevention systems. In fact, most systems can detect hidden data in the payload, but struggle to cope with data hidden, for instance, in the IP and TCP packet headers, because such data produces no discernible patterns from which it can be analysed and detected. This work is clearly relevant to governments, defence departments and intelligence agencies, as well as to all organisations that can be affected by academic or industrial espionage.
Network Traffic Oscilloscope & Covert Channels in Computer Network Protocols Detector
A Potential Covert Channel Manipulation Detector based on analysis of the IPv4 header ID field has been developed in C# on the Microsoft .NET Framework using the Visual Studio IDE. It includes the following features:
In order to conduct this work, research has been carried out into how the IPv4 header ID field is implemented in the major operating systems on the market. These are the results from the network traffic oscilloscope developed for Kruptos:
What can be seen from this is that the major implementations on the market stay within the rules of the protocol, which are that the sender must choose the identifier to be unique for this source for the time the datagram (or any fragment of it) could be alive in the internet. They do so, however, in a different way from the one suggested by RFC 791, which is that the sending protocol module should keep a table of unique identifiers to manage the exclusivity of that identifier. Instead, current implementations sequence the number.
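One way to check a capture against the sequenced-ID behaviour described above, as an added example (not the Kruptos detector's code): it parses raw IPv4 headers, groups Identification values by source and reports sources whose IDs mostly do not advance in small forward steps. The function names, the MAX_STEP and threshold values and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

MAX_STEP = 64  # assumed limit: largest forward ID jump still treated as "sequenced"

def build_ipv4_header(src, dst, ident):
    """Build a constructed 20-byte IPv4 header (checksum left at 0) for sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def parse_id(packet):
    """Return (source address, Identification) from a raw IPv4 header, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # too short or not IPv4
    ident = struct.unpack_from("!H", packet, 4)[0]  # ID field is at bytes 4-5
    src = ".".join(str(b) for b in packet[12:16])
    return src, ident

def non_sequential_ratio(idents):
    """Fraction of consecutive ID pairs whose forward step is 0 or above MAX_STEP.

    Steps are taken modulo 2**16 so a counter wrapping 65535 -> 0 counts as +1.
    """
    if len(idents) < 2:
        return 0.0
    steps = [(b - a) & 0xFFFF for a, b in zip(idents, idents[1:])]
    bad = sum(1 for s in steps if s == 0 or s > MAX_STEP)
    return bad / len(steps)

def flag_sources(packets, threshold=0.5):
    """Group IDs by source; return {source: ratio} for sources at or above threshold."""
    per_source = defaultdict(list)
    for pkt in packets:
        parsed = parse_id(pkt)
        if parsed:
            per_source[parsed[0]].append(parsed[1])
    ratios = {src: non_sequential_ratio(ids) for src, ids in per_source.items()}
    return {src: r for src, r in ratios.items() if r >= threshold}

# Constructed sample traffic: one sequencing source (with wrap-around), one erratic.
SAMPLE = (
    [build_ipv4_header("192.0.2.10", "198.51.100.1", (65530 + i) & 0xFFFF)
     for i in range(12)]
    + [build_ipv4_header("192.0.2.20", "198.51.100.1", v)
       for v in (18432, 512, 40111, 40111, 7, 61000, 1200, 33000)]
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

A high ratio only marks a source for closer inspection: it is a deviation from the sequencing baseline, not proof of a covert channel.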
Distributed-System Monitor for Covert Channels Analysis at Planetary-Scale
It consists of software components that work separately and concurrently. A distributed-system monitor is divided into a number of layers. Each layer makes use of the services provided by the lower layers and extends the available facilities to the upper layer. The layers are briefly introduced:
The distributed-system monitor consists of multiple components from each of the layers listed above. There is a many-to-many relationship between successive layers. A single collector may gather data from multiple observers. Many analysis layers may use data gathered by a single collector. Several collectors may be acting with a single observer, etc. Interpretation, Console/Control and Management layers can also be automated but they are often done by humans. For this reason the distributed-system monitor here is designed taking into account layers from the Observation to the Presentation, which includes a console for managing the whole system. The components of the distributed-system monitor are able to operate at any location on the Internet:
All components of the distributed-system monitor have been developed in Java and Python using NetBeans IDE and deployed at PlanetLab, an open platform for developing, deploying and accessing planetary-scale services.
School of Computer Science
The School of Computer Science at the University of St Andrews (rated 5A, outstanding international research) is a centre of excellence for computer science teaching and research with staff and students from Scotland and all parts of the world.
It has an international reputation in the areas of fundamentals of computer science, networks and distributed systems, artificial intelligence and software systems engineering.
The School of Computer Science at the University of St Andrews is 2nd in the UK and 1st in Scotland
Reference: The Guardian
The School is a member of the Scottish Informatics and Computer Science Alliance (SICSA) whose aim is to promote and improve computer science research in Scotland.
University of St Andrews
Founded between 1410 and 1413, the University of St Andrews is the oldest university in Scotland and the third oldest in the UK. It is situated in the small town of St Andrews, in Fife (Scotland, UK) and is one of the most prestigious universities in the UK. It is often seen as an alternative to England's universities of Oxford and Cambridge.
The University of St Andrews is 3rd in the UK and has the highest completion rate in Scotland
Reference: The Guardian
The University of St Andrews is Scotland's top rated research institution and one of the leading research-intensive universities in the world (94% of St Andrews' research activity is internationally recognised and 60% is world leading or internationally excellent).
The Town of St Andrews
St Andrews (Scottish Gaelic: Cill Rìmhinn) is a small town of around 18,000 people situated on its own bay beside the North Sea on the east coast of Scotland about 50 miles north of Edinburgh, Scotland's capital city. The medieval layout of the town centre remains intact: beautiful old stone buildings, quaint narrow lanes and broad, tree-lined streets contribute to the unique, safe and tranquil atmosphere of St Andrews.
St Andrews has acquired the name "home of golf" for two reasons. First, the Royal and Ancient Golf Club, founded in 1754, exercises legislative authority over the game worldwide except in the U.S. and Mexico. Second, the beautiful links (acquired by the town in 1894) is the most frequent venue for The Open Championship, the oldest of golf's four major championships.
About the middle of the tenth century, Saint Andrew became the patron saint of Scotland, and his feast day is on November 30th. The Saltire (or "St. Andrew's Cross") is the national flag of Scotland.