tioned simple features. The configurable delay parameter d
gives administrators a way to adjust the efficiency of
the active warden to their requirements. Since only protocol
switching packets are affected by the active warden, most of
a network's traffic is not affected, i.e., download rates and
upload rates will not decrease notably.

In this paper, we present the first active warden designed
to counter both types of protocol switching covert channels:
PC as well as PHCC. We limit the useful bandwidth of these
covert channels by disturbing the protocol switches through
synthetically introduced delays. To this end, we implemented
an active warden and verified its practical usefulness.

Future work will include finding solutions for the problem
of network address translation inside a protected network,
as well as for the effects of large network environments
where load balancing and redundancy protocols are required;
the presented prototype was not designed for such
environments. Additionally, research must be done to provide
exact bitrate control for PHCC using internal sequence
numbers, since we only provide a loose bandwidth reduction
for this channel type.
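
The effect of the delay parameter d on a protocol channel can be reproduced with a small model. The following Python simulation is an added illustration, not the authors' prototype; the per-sender state, the ICMP=0/UDP=1 bit mapping, the addresses and the traces are constructed assumptions.

```python
# Added illustration (not the paper's prototype): a discrete-time model of a
# delay-based active warden. Assumptions: state is kept per sender, a "switch"
# is a packet whose protocol differs from that sender's previous packet, and
# the ICMP=0 / UDP=1 bit mapping is a constructed example of a protocol channel.

BIT_TO_PROTO = {0: "ICMP", 1: "UDP"}
PROTO_TO_BIT = {p: b for b, p in BIT_TO_PROTO.items()}


def pc_encode(bits, gap_ms, src="10.0.0.5"):
    """Constructed sender trace: one packet per bit, gap_ms apart."""
    return [(i * gap_ms, src, BIT_TO_PROTO[b]) for i, b in enumerate(bits)]


def warden(packets, delay_ms):
    """Return (forwarded packets in release order, number of delayed packets)."""
    last_proto = {}
    scheduled = []
    delayed = 0
    for seq, (t_ms, src, proto) in enumerate(packets):
        switch = src in last_proto and last_proto[src] != proto
        last_proto[src] = proto
        release = t_ms + delay_ms if switch else t_ms  # only switches are held back
        delayed += switch
        scheduled.append((release, seq, src, proto))
    scheduled.sort()  # ties keep arrival order through seq
    return [(r, src, proto) for r, _, src, proto in scheduled], delayed


def pc_decode(forwarded):
    """What the covert receiver reads from the order of forwarded packets."""
    return [PROTO_TO_BIT[proto] for _, _, proto in forwarded]


def demo():
    secret = [0, 1, 1, 0, 1, 0, 0]
    d = 1000  # the configurable delay d, here in milliseconds
    fast, _ = warden(pc_encode(secret, gap_ms=100), d)
    slow, _ = warden(pc_encode(secret, gap_ms=1500), d)
    bulk = [(i * 10, "10.0.0.7", "TCP") for i in range(1000)]  # ordinary flow
    _, bulk_delayed = warden(bulk, d)
    return pc_decode(fast), pc_decode(slow), bulk_delayed


if __name__ == "__main__":
    fast_bits, slow_bits, bulk_delayed = demo()
    print("sent faster than d :", fast_bits)
    print("sent slower than d :", slow_bits)
    print("delayed bulk packets:", bulk_delayed)
```

In this model, packets sent 100 ms apart against d = 1000 ms reach the receiver reordered, while a sender that spaces packets 1500 ms apart gets its bits through intact, which is the bandwidth limit the delay imposes. The single-protocol flow is never delayed.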
Copyright (c) IARIA, 2012. ISBN: 978-1-61208-201-1
ICIMP 2012 : The Seventh International Conference on Internet Monitoring and Protection