Project

My Covert Channel Research (2008-now)


Project log

In current research, reversible network-level covert channels are receiving more and more attention. The restoration of the original data leaves little evidence for detection, especially if the implementation is plausibly deniable. Recently, such a channel based on one-time password hash chains has been published. The covert channel uses repeated computationally intensive operations to restore a modified hash and to extract the covert information transferred within it. In this paper, we present an approach that observes the influence of repeated MD5, SHA2-384, SHA3-256 and SHA3-512 hash operations on packet runtimes. Besides these hash algorithms, we also investigate whether the alphabet that the Covert Sender and the Covert Receiver agreed upon has an influence on our detection approach. For each algorithm, we carry out three experiments with different alphabets: one without a covert channel, one with a covert channel altering all hashes, and finally, one with a covert channel altering every second hash. We further repeat each experiment ten times and define a threshold for packet runtimes without modified hashes. Also, we investigate the detectability of computationally intensive reversible covert channels for all our scenarios and evaluate the detection rate depending on the number of observed packets. In addition, we describe countermeasures and limitations of our detection method and, finally, discuss application scenarios for existing network environments.
The detection and elimination of covert channels are performed by a network node, known as a warden. Especially if faced with adaptive covert communication parties, a regular warden equipped with a static set of normalization rules is ineffective compared to a dynamic warden. However, dynamic wardens rely on periodically changing rule sets and have their own limitations, since they do not consider traffic specifics. We propose a novel adaptive warden strategy, capable of selecting active normalization rules by taking into account the characteristics of the observed network traffic. Our goal is to disturb the covert channel and provoke the covert peers to expose themselves more by increasing the number of packets required to perform a successful covert data transfer. Our evaluation revealed that the adaptive warden has better efficiency and effectiveness when compared to the dynamic warden because of its adaptive selection of normalization rules.
Original paper: https://doi.org/10.1016/j.future.2018.12.047 Network covert channels are hidden communication channels in computer networks. They influence several factors of the cybersecurity economy. For instance, by improving the stealthiness of botnet communications, they aid and preserve the value of darknet botnet sales. Covert channels can also be used to secretly exfiltrate confidential data out of organizations, potentially resulting in loss of market/research advantage. Considering the above, efforts are needed to develop effective countermeasures against such threats. Thus in this paper, based on the introduced novel warden taxonomy, we present and evaluate a new concept of a dynamic warden. Its main novelty lies in the modification of the warden's behavior over time, making it difficult for the adaptive covert communication parties to infer its strategy and perform a successful hidden data exchange. Obtained experimental results indicate the effectiveness of the proposed approach.
Steganography embraces several hiding techniques which span multiple domains. However, the related terminology is not unified among the different domains, such as digital media steganography, text steganography, cyber-physical systems steganography, network steganography (network covert channels), local covert channels, and out-of-band covert channels. To cope with this, a first attempt was made in 2015 with the introduction of the so-called hiding patterns, which allow describing hiding techniques in a more abstract manner. Despite significant enhancements, the main limitation of such a taxonomy is that it only considers the case of network steganography. Therefore, this paper reviews both the terminology and the taxonomy of hiding patterns so as to make them more general. Specifically, hiding patterns are split into those that describe the embedding and those that describe the representation of hidden data within the cover object. As a first research action, we focus on embedding hiding patterns and we show how they can be applied to multiple domains of steganography instead of being limited to the network scenario. Additionally, we exemplify representation patterns using network steganography. Our pattern collection is available under https://patterns.ztt.hs-worms.de.
I updated the list of my covert channel tools on GitHub:

Message Queuing Telemetry Transport (MQTT) is a publish-subscribe protocol which is currently popular in Internet of Things (IoT) applications. Recently its 5.0 version has been introduced and ensuring that it is capable of providing services in a secure manner is of great importance. It must be noted that holistic security analysis should also evaluate protocol’s susceptibility to network covert channels. That is why in this paper we present a systematic overview of potential data hiding techniques that can be applied to MQTT 5.0. We are especially focusing on network covert channels that, in order to exchange secrets, exploit characteristic features of this MQTT version. Finally, we develop proof-of-concept implementations of the chosen data hiding techniques and conduct their performance evaluation in order to assess their feasibility in practical setups.
Covert channels enable stealthy communications over innocent-appearing carriers. They are increasingly applied in the network context. However, little work is available that exploits cryptographic primitives in the networking context to establish such covert communications. We present a covert channel between two devices where one device authenticates itself with Lamport’s one-time passwords based on a cryptographic hash function. Our channel enables plausible deniability jointly with reversibility and is applicable in different contexts, such as traditional TCP/IP networks, CPS/IoT communication, blockchain-driven systems and local inter-process communications that apply hash chains. We also present countermeasures to detect the presence of such a covert channel, which are non-trivial because hash values are random-looking binary strings, so that deviations are not likely to be detected. We report on experimental results with MD5 and SHA-3 hash functions for two covert channel variants running in a localhost setup. In particular, we evaluate the channels’ time performance, conduct statistical tests using the NIST suite and run a test for matching hash values between legitimate and covert environments to determine our channels’ stealthiness.
Full-text: http://www.wendzel.de/dr.org/files/Papers/thesis_with_cover.pdf Network information hiding is the research discipline that deals with the concealment of network transmissions or their characteristics. It serves as an umbrella for multiple research domains, namely network covert channel research, network steganography research, and traffic obfuscation research. The focus of this thesis lies primarily on network steganography and network covert channel research. This thesis was motivated by the fact that network information hiding requires a better scientific foundation. When the author started to work on this thesis, scientific re-inventions of hiding techniques were common (similar or equal techniques were published under different names by different scientific sub-communities). This is, at least partially, rooted in the non-unified terminology of the domain, and in the sheer fact that the ever-increasing number of publications in the domain can hardly be kept track of. Moreover, experimental results and descriptions for hiding techniques are hardly comparable as there is no unified standard for describing them. This is a contrast to other scientific domains, such as chemistry, where (de facto) standards for experimental descriptions are common. Another problem is that experimental results are not replicated, while other scientific domains have shown that replication studies are a necessity to ensure the quality of scientific results. Finally, there is an imbalance between known hiding techniques and their countermeasures: not enough countermeasures are known to combat all known hiding techniques. To address these issues, this thesis motivates and proposes methodological adjustments in network information hiding and lays the foundation for an improved fundamental terminology and taxonomy. Moreover, hiding techniques are surveyed and summarized in the form of abstract descriptions, called hiding patterns, which form an extensible taxonomy.
These hiding patterns are then used as a tool to evaluate the novelty of research contributions in a scientific peer-review process. Afterwards, this thesis addresses the problem of inconsistent descriptions of hiding techniques by proposing a unified description method for the same, including hiding patterns as a core component of every description. This thesis also introduces the WoDiCoF testbed as a framework to perform replication studies. Afterwards, the concept of countermeasure variation is introduced to address the problem of not having countermeasures available for certain hiding patterns. Finally, the proposed pattern-based taxonomy is enhanced to demonstrate the extensibility of the taxonomy and to integrate payload-based hiding techniques which were not foreseen in the earlier version of the taxonomy.
We present a covert channel between two network devices where one authenticates itself with Lamport's one-time passwords based on a cryptographic hash function. Our channel enables plausible deniability. We also present countermeasures to detect the presence of such a covert channel, which are non-trivial because hash values are random-looking binary strings, so that deviations are not likely to be detected.
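The following is an added example, not code from the original page or from the authors' implementation. It illustrates the mechanics the two hash-chain abstracts above and the runtime-based detection abstract earlier in this log rely on: a Lamport one-time-password chain, a covert sender that alters the revealed OTP, a covert receiver that repeats hash operations over an agreed alphabet until the chain verifies again (which both extracts the symbol and restores the original OTP), and the extra work this costs. The concrete embedding (XOR of a codeword into the last digest byte), the alphabet layout, the choice of SHA3-256 and counting hash operations as a stand-in for the packet runtime a warden would measure are all assumptions made for this illustration; the papers' exact scheme may differ.

```python
"""Illustrative reversible covert channel on a Lamport hash chain (added example).

Assumed scheme, not the papers' own: the covert sender XORs an agreed codeword
into the one-time password; the covert receiver retries the alphabet until the
chain verifies again, which yields the symbol and restores the original OTP.
Hash operations are counted as a deterministic proxy for verification runtime.
"""
import hashlib

DIGEST_LEN = 32


def H(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def make_chain(seed: bytes, length: int) -> list:
    """chain[i] = H^i(seed). Lamport: the verifier holds chain[length]; the
    client reveals chain[length-1], chain[length-2], ... one per login."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_alphabet(size: int) -> list:
    """Constructed alphabet: symbol s <-> codeword with s+1 in the last byte,
    so every covert OTP differs from the legitimate one (size <= 255)."""
    return [bytes(DIGEST_LEN - 1) + bytes([s + 1]) for s in range(size)]


class ChainVerifier:
    """Plain Lamport verifier: exactly one hash operation per valid OTP."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor
        self.hash_ops = 0

    def verify(self, otp: bytes) -> bool:
        self.hash_ops += 1
        if H(otp) == self.anchor:
            self.anchor = otp  # advance the chain
            return True
        return False


class CovertReceiver(ChainVerifier):
    """Accepts clean OTPs directly; otherwise brute-forces the alphabet.
    Returns (symbol or None, restored OTP) so the OTP can be forwarded intact."""

    def __init__(self, anchor: bytes, alphabet: list):
        super().__init__(anchor)
        self.alphabet = alphabet

    def receive(self, otp: bytes):
        if self.verify(otp):
            return None, otp  # unmodified hash, no covert symbol
        for sym, codeword in enumerate(self.alphabet):
            candidate = xor(otp, codeword)
            if self.verify(candidate):
                return sym, candidate  # reversibility: original OTP restored
        raise ValueError("OTP is neither legitimate nor decodable")


def covert_send(chain: list, alphabet: list, symbols: list, every_nth: int = 1):
    """Reveal the chain top-down; embed one symbol into every `every_nth`-th OTP
    (1 = alter all hashes, 2 = alter every second hash). Returns the packets
    and, per packet, the embedded symbol or None."""
    packets, embedded, queue = [], [], list(symbols)
    for i, otp in enumerate(chain[-2::-1]):
        sym = queue.pop(0) if (i % every_nth == 0 and queue) else None
        packets.append(xor(otp, alphabet[sym]) if sym is not None else otp)
        embedded.append(sym)
    return packets, embedded


def run(alphabet_size: int = 16, every_nth: int = 1, n_packets: int = 20,
        covert: bool = True):
    """Simulate one scenario. Returns decoded symbols, embedded symbols, mean hash
    ops per packet at the covert receiver, and at a plain verifier downstream
    that is fed the restored OTPs (it must never notice the channel)."""
    chain = make_chain(H(b"constructed seed"), n_packets)  # 32-byte seed
    alphabet = make_alphabet(alphabet_size)
    symbols = [(7 * i) % alphabet_size for i in range(n_packets)] if covert else []
    packets, embedded = covert_send(chain, alphabet, symbols, every_nth)
    receiver = CovertReceiver(chain[-1], alphabet)
    downstream = ChainVerifier(chain[-1])
    decoded = []
    for pkt in packets:
        sym, restored = receiver.receive(pkt)
        decoded.append(sym)
        if not downstream.verify(restored):
            raise RuntimeError("restoration broke the chain")
    return decoded, embedded, receiver.hash_ops / n_packets, downstream.hash_ops / n_packets


if __name__ == "__main__":
    for label, kwargs in [("no covert channel", dict(covert=False)),
                          ("all hashes altered", dict(every_nth=1)),
                          ("every second hash altered", dict(every_nth=2))]:
        _, _, covert_ops, plain_ops = run(**kwargs)
        print(f"{label:26s} covert receiver {covert_ops:5.2f} hash ops/packet,"
              f" plain verifier {plain_ops:.2f}")
```

The three scenarios mirror the experiment layout of the detection abstract (no channel, all hashes altered, every second hash altered). The plain verifier always spends one hash per packet, whereas the covert receiver spends on average about half the alphabet size plus one; that gap in work per packet is what a runtime threshold learned from unmodified traffic picks up, and it grows with the alphabet and with the cost of the hash function.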
The understanding of the inner workings of a research community is essential to evaluate the impact of an author as well as to decide where and how to publish results. One of the key metrics is the number of citations that a publication receives. In parallel, information security is now a key and strategic area, partially fueled by the advent of the Internet of Things (IoT) and the need to pursue cybercriminals by using digital forensics techniques. Therefore, this paper analyzes several factors influencing the number of citations in the domain of information security, such as differences between journal and conference publications, or the impact of the number of pages and the length of the abstract. To obtain quantitative results, we investigated papers of six sub-disciplines, i.e., anonymity and privacy, cryptography, information hiding, IoT and Cyber-Physical System security, digital forensics and incident response, and network security. For each sub-domain, we used metadata of 5,000 publications collected from IEEE Xplore. Results indicate some clear behaviors, for instance, papers tend to receive more citations when their abstract is longer, and the number of references positively influences the performance of the work.
Recently, new methods were discovered to secretly store information in network protocol caches by exploiting functionalities of ARP and SNMP. Such a covert storage cache is referred to as a "Dead Drop". In our present research, we demonstrate that hidden information can also be stored on systems with an active NTP service. We present one method based upon ephemeral associations and one method based upon the most recently used (MRU) list and measure their storage duration and capacity. Our approach improves over the previous approach with ARP as it allows transporting hidden information across the internet and thus outside of local area networks. The preliminary results for both Dead Drops indicate that more than 100 entries with secret data can persist for several hours. Finally, we discuss the detectability and countermeasures of the proposed methods as well as their limitations.
Covert channels nested within network traffic are important tools for allowing malware to act unnoticed or to stealthily exchange and exfiltrate information. Thus, understanding how to detect or mitigate their utilization is of paramount importance, especially to counteract the rise of increasingly sophisticated threats. In this perspective, the literature proposed various approaches, including distributed wardens, which can be used to collect traffic in different portions of the network and compare the samples to check for discrepancies revealing hidden communications. However, the use of some form of reversibility, i.e., being able to restore the exploited network carrier to its original form before the injection, can challenge such a detection scheme. Therefore, in this work we introduce and evaluate the performance of different techniques used to endow network covert channels with reversibility. Results indicate the feasibility of achieving reversibility, but the used protocol plays a major role.
I created an online class on Network Information Hiding, including a chapter on Hiding Patterns, and uploaded it to GitHub (partially work in progress). https://github.com/cdpxe/Network-Covert-Channels-A-University-level-Course/

This chapter introduces network steganography and covert channels. It covers the basic terminology as well as the known hiding patterns and selected countermeasures.
Network covert channels are a part of the information hiding research area that deals with the secret transfer of information over communication networks. Covert channels can be utilized, for instance, for data leakage and stealthy malware communications. While data hiding in communication networks has been studied in recent years for several major communication protocols, currently no work is available that investigates covert channels for the publish-subscribe model. To fill this gap, we present the first comprehensive study of covert channels in a protocol utilizing the publish-subscribe model, i.e., the Message Queuing Telemetry Transport (MQTT) protocol, which is widely deployed in Internet of Things (IoT) environments. In particular, we describe seven direct and six indirect covert channels and we evaluate and categorize them using the network information hiding patterns approach. Finally, in order to prove that MQTT-based covert channels are practically feasible and effective, we implement the chosen data hiding scheme and perform its experimental evaluation.
Detection methods are available for several known covert channels. However, a type of covert channel that received little attention within the last decade is the "message ordering" channel. Such a covert channel changes the order of PDUs (protocol data units, i.e. packets) transferred over the network to encode hidden information. The advantage of these channels is that they cannot be blocked easily as they do not modify header content but instead mimic typical network behavior, such as TCP segments that arrive in a different order than they were sent. Contribution: In this paper, we show a protocol-independent approach to detect message ordering channels. Our approach is based on a modified compressibility score. We analyze the detectability of message ordering channels and whether several types of message ordering channels differ in their detectability. Results: Our results show that the detection of message ordering channels depends on their number of utilized PDUs. First, we performed a rough threshold selection by hand, which we later optimized using the C4.5 decision tree classifier. We were able to detect message ordering covert channels with an accuracy and F1 score of ≥ 99.5% and a false-positive rate < 1% and < 0.1% if they use sequences of 3 or 4 PDUs, respectively. Simpler channels that only manipulate a sequence of two PDUs were detectable with an accuracy and F1 score of 94.5% and were linked to a false-positive rate of 5.19%. We thus consider our approach suitable for real-world detection scenarios with channels utilizing 3 or 4 PDUs, while the detection of channels utilizing 2 PDUs should be improved further.
Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, developing effective countermeasures for these threats is important for the protection of individuals and organizations. However, due to the large number of available covert channel techniques, it is considered impractical to develop countermeasures for all existing covert channels. In recent years, researchers started to develop countermeasures that (instead of only countering one particular hiding technique) can be applied to a whole family of similar hiding techniques. These families are referred to as hiding patterns. Considering the above, the main contribution of this paper is to introduce the concept of countermeasure variation. Countermeasure variation is a slight modification of a given countermeasure that was designed to detect covert channels of one specific hiding pattern so that the countermeasure can also detect covert channels that represent other hiding patterns. We exemplify countermeasure variation using the compressibility score, the ε-similarity and the regularity metric originally presented by Cabuk et al. All three methods are used to detect covert channels that utilize the Inter-packet Times pattern, and we show that countermeasure variation allows the application of these countermeasures to detect covert channels of the Size Modulation pattern, too.
Network covert channels enable various secret data exchange scenarios among two or more secret parties via a communication network. The diversity of the existing network covert channel techniques has rapidly increased due to research during the last couple of years, and most of them share the same characteristic, i.e., they require a direct communication between the participating partners. However, it is sometimes simply not possible, or it can raise suspicion, to communicate directly. That is why, in this paper, we introduce a new concept we call "dead drop", i.e., a covert network storage which does not depend on the direct network traffic exchange between the covert communication sides. Instead, the covert sender stores secret information in the ARP (Address Resolution Protocol) cache of an unaware host that is not involved in the hidden data exchange. Thus, the ARP cache is used as a covert network storage and the accumulated information can then be extracted by the covert receiver using SNMP (Simple Network Management Protocol).
The use of network covert channels to improve privacy or support security threats has been widely discussed in the literature. As of today, the body of work mainly focuses on how not to disrupt the overt traffic flow and on the performance of the covert channels in terms of undetectability and capacity. In order not to void the stealthiness of the channel, an important feature is the ability to restore the carrier that embeds the secret information to its original form. However, the development of such techniques mainly targets the domain of digital media steganography. Therefore, this paper applies the concept of reversible data hiding to storage network covert channels. To prove the effectiveness of our idea, a prototypical implementation of a channel exploiting IPv4 flows is presented along with its performance evaluation.
In this paper we describe the implementation and detection of a novel approach for a TCP retransmission-based covert channel. We implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based network channels, namely the ε-similarity and the compressibility. The ε-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can also be applied to the detection of retransmission-based covert channels. Our initial results indicate that the ε-similarity can be considered a promising detection method for retransmission-based covert channels, while the compressibility itself provides insufficient results but could potentially be used as a classification feature.
Network covert channels enable stealthy communications for malware and data exfiltration. For this reason, the development of effective countermeasures for covert channels is significant for the protection of individuals and organizations. However, due to the number of available covert channel hiding techniques, it can be considered impractical to develop countermeasures for all existing covert channels. In recent years, researchers started to develop countermeasures that (instead of only countering one particular hiding technique) can be applied to a whole family of similar hiding techniques. These families are referred to as hiding patterns. In this paper, we extend this idea by introducing the concept of countermeasure variation, i.e., the modification of countermeasures that were designed to detect one specific hiding pattern so that the countermeasures can also detect other hiding patterns. We exemplify countermeasure variation using the compressibility score originally presented by Cabuk et al. The compressibility score is used to detect covert channels of the ‘inter-packet times’ pattern and we show that countermeasure variation allows the application of the compressibility score to detect covert channels of the ‘size modulation’ pattern.
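The compressibility score and the ε-similarity of Cabuk et al. are named in the three abstracts above without being spelled out, so here they are as an added example (not the authors' code and not the original Cabuk et al. implementation), together with the countermeasure variation the two countermeasure-variation abstracts describe: the compressibility score, written for inter-packet times, is applied unchanged to packet sizes. The traffic is constructed and labelled as such, and the textual encoding (three decimals per time, comma-separated integers for sizes, zlib instead of gzip) and the ε value are assumptions; the modified score for message ordering channels is not reproduced here.

```python
"""Compressibility score and epsilon-similarity after Cabuk et al. (added example),
applied to inter-packet times and, as a countermeasure variation, to packet sizes.
All traffic below is constructed for the illustration."""
import random
import zlib


def compressibility(values, fmt="{:.3f}", sep="") -> float:
    """Cabuk et al.'s compressibility score: |S| / |compress(S)| for the
    concatenated textual representation S. Low-entropy sequences produced by a
    covert channel compress far better than natural traffic (assumption: zlib
    level 9 and the given formatting stand in for the original gzip setup)."""
    text = sep.join(fmt.format(v) for v in values).encode()
    return len(text) / len(zlib.compress(text, 9))


def epsilon_similarity(values, eps: float) -> float:
    """Fraction of relative differences |t[i+1]-t[i]| / t[i] between consecutive
    *sorted* values that fall below eps. Timings clustered around a few fixed
    delays (a timing channel) score high; jittery benign timings score low."""
    srt = sorted(values)
    rel = [abs(b - a) / a for a, b in zip(srt, srt[1:]) if a > 0]
    if not rel:
        return 0.0
    return sum(1 for r in rel if r < eps) / len(rel)


def legit_gaps(rng, n=200):
    """Constructed benign inter-packet times: noisy, roughly 100 ms."""
    return [max(0.001, rng.gauss(0.100, 0.030)) for _ in range(n)]


def covert_timing_gaps(rng, bits):
    """Constructed binary timing channel: 50 ms encodes 0, 150 ms encodes 1,
    plus a little jitter."""
    return [(0.050 if b == 0 else 0.150) + rng.gauss(0, 0.0005) for b in bits]


def legit_sizes(rng, n=200):
    """Constructed benign payload sizes."""
    return [rng.randint(60, 1500) for _ in range(n)]


def covert_sizes(bits):
    """Constructed size-modulation channel: payload length encodes one bit."""
    return [100 if b == 0 else 500 for b in bits]


def scores(seed=7, n=200) -> dict:
    """Score benign and covert samples with both metrics; the size scores use the
    timing metric unchanged (countermeasure variation)."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(n)]
    return {
        "kappa_time_legit": compressibility(legit_gaps(rng, n)),
        "kappa_time_covert": compressibility(covert_timing_gaps(rng, bits)),
        "eps_legit": epsilon_similarity(legit_gaps(rng, n), 0.005),
        "eps_covert": epsilon_similarity(covert_timing_gaps(rng, bits), 0.005),
        # countermeasure variation: same score, packet sizes instead of timings
        "kappa_size_legit": compressibility(legit_sizes(rng, n), fmt="{:d}", sep=","),
        "kappa_size_covert": compressibility(covert_sizes(bits), fmt="{:d}", sep=","),
    }


if __name__ == "__main__":
    for name, value in scores().items():
        print(f"{name:18s} {value:6.3f}")
```

A warden would learn the benign range of each score from clean traffic and flag flows whose score leaves it; the point of the variation is that nothing in `compressibility` refers to time, so moving from the Inter-packet Times pattern to the Size Modulation pattern only changes which field of the packet is fed into the score.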
In network information hiding, hiding patterns are used to describe hiding methods and their taxonomy. In this paper, we analyze the current state of hiding patterns and we further improve their taxonomy. In order to more thoroughly characterize and understand data hiding methods applied to communication networks we propose to distinguish between sender-side and receiver-side patterns. Additionally, we show how information hiding patterns can be utilized to conveniently describe the realization of the distributed network covert channels.
The understanding of the inner workings of a research community is essential for the success of an author's academic publications. One of the key metrics for the evaluation of researchers is the number of citations that their publications receive. To understand the citation behavior of an academic community, existing publications' citations can be studied. In this paper, we analyze whether several factors influence the number of citations in the domain of covert channels/steganography (CC/St). In particular, we study the significant differences in average yearly citations received by journal, conference and workshop publications. We also analyze the influence of tier levels, number of references, number of pages, type of contribution, and number of authors on the average yearly citations. Our study is based on the meta-data of 1,531 publications on CC/St and 8,391 publications on other topics of information security extracted from IEEE Xplore as well as on 110 publications' meta-data from Google Scholar.
With the increasing number of steganography-capable malware and the increasing trend of stealthy data exfiltrations, network covert channels are becoming a crucial security threat -- also for critical infrastructures (CIs): network covert channels enable the stealthy remote control of malware nested in a CI and allow exfiltrating sensitive data, such as sensor values, firmware or configuration parameters. We present WoDiCoF, a distributed testbed, accessible for the international research community to perform a unified evaluation of detection algorithms for network covert channels. In comparison to existing works, our testbed is designed for upcoming big-data scenarios, in which huge traffic recordings must be analyzed for covert channels. It is the first testbed to allow the testing of parallel detection algorithms. To evaluate WoDiCoF, we took a detection algorithm published in ACM CCS/TISSEC, verified several of the original results and enhanced the understanding of its performance by considering previously unconsidered parameters. By parallelizing the algorithm, we could moreover achieve a speed-up of 2.89 with three nodes. Full-text: http://www.jucs.org/jucs_24_5/wodicof_a_testbed_for
Compared to cryptography, steganography is a less discussed domain. However, there is a recent trend of exploiting various information hiding techniques to empower malware, for instance to bypass security frameworks of mobile devices or to exfiltrate sensitive data. This is mostly due to the need to counteract increasingly sophisticated security mechanisms, such as code analysis, runtime countermeasures, or real-time traffic inspection tools. In this perspective, this paper presents malware exploiting information hiding in a broad sense, i.e., it does not focus on classical covert channels, but also discusses other camouflage techniques. Differently from other works, this paper solely focuses on real-world threats observed in the 2011 - 2017 timeframe. The observation indicates a growing number of malware equipped with some form of data hiding capabilities and a lack of effective and universal countermeasures.
Cyber-physical Systems (CPS) have raised serious security concerns and thus have been subjected to intensive security research lately. Recent publications have shown that there is a potential to transfer hidden information through CPS environments. In comparison to these existing studies, we demonstrate that CPS can not only be used to covertly transfer secret data but also to store secret data. Using an analogy to the biological concept of animal scatter hoarding behavior, we exemplify CPS secret data storage using automated buildings.