
Abstract and Figures

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.
... As an innovation over the prior methods, we provide the first systematic analysis of the protocols in 5G New Radio with respect to the possibility of using covert channels. As another novelty over the prior method, we perform this systematic analysis with the help of hiding patterns [4] to find as many potential covert channels as possible. To the best of our knowledge, this is the first study that has applied hiding pattern analysis to 5G New Radio protocols. ...
... In order to catch the similarities among the many approaches for network steganography that have appeared in the literature (ranging from using different header fields to different protocols on different layers of the protocol stack), hiding patterns have been introduced [4]. These patterns can also be used to systematically check protocols for weaknesses, which we further explain in Section 3 and conduct in Section 4. ...
... Then, one of the protocols that offered the best characteristics for a covert channel was selected for further analysis of the hiding pattern collection [22] by checking, for each pattern, if its application on a field of the chosen protocol might result in a feasible covert channel. The taxonomy of Wendzel et al. [4] defines patterns in order to categorize covert channel techniques. Originally, the taxonomy was limited to network covert channels. ...
Article
Mobile communication is ubiquitous in everyday life. The fifth generation of mobile networks (5G) introduced 5G New Radio as a radio access technology that meets current bandwidth, quality, and application requirements. Network steganographic channels that hide secret message transfers in an innocent carrier communication are a particular threat in mobile communications as these channels are often used for malware, ransomware, and data leakage. We systematically analyze the protocol stack of the 5G–air interface for its susceptibility to network steganography, addressing both storage and timing channels. To ensure large coverage, we apply hiding patterns that collect the essential ideas used to create steganographic channels. Based on the results of this analysis, we design and implement a network covert storage channel, exploiting reserved bits in the header of the Packet Data Convergence Protocol (PDCP). The covert sender and receiver are located in a 5G base station and mobile device, respectively. Furthermore, we sketch a timing channel based on a recent overshadowing attack. We evaluate our steganographic storage channel both in simulation and real-world experiments with respect to steganographic bandwidth, robustness, and stealthiness. Moreover, we discuss countermeasures. Our implementation demonstrates the feasibility of a covert channel in 5G New Radio and the possibility of achieving large steganographic bandwidth for broadband transmissions. We also demonstrate that the detection of the channel by a network analyzer is possible, limiting its scope to application scenarios where operators are unaware or ignorant of this threat.
... In recent years, covert channel methods [12,13] have gained increasing attention as a means to enhance privacy and security. These methods enable the hiding of messages within regular communication channels. ...
Article
Covert channel methods are techniques for improving privacy and security in network communications. These methods consist of embedding secret data within normal network channels, making it more difficult for unauthorized parties to detect such data. This paper presents a new approach for creating covert channels using the Message Queuing Telemetry Transport (MQTT) protocol, widely used in the context of the Internet of Things (IoT). The proposed method exploits storage channels by altering the field length of MQTT messages. Our solution leverages well-known one-way mathematical functions to ensure that data remain hidden from third parties observing the MQTT stream. In this way, we ensure that not only the content of the communication is preserved but also that the communication itself takes place. We conducted a security analysis to show that our solution offers the above-mentioned property even against severe threats, such as an adversary being able to observe all the messages exchanged in the network (even in the clear). Finally, we conducted an overhead analysis of our solution both in terms of the time required to perform the required operations and of the bytes to send. Our study shows that our solution adds no significant time overhead, and the additional overhead in terms of transmitted bytes remains within acceptable limits.
... There are covert channels for Ethernet [35], IPv4 [36], IPv6 [37], [38], TCP [39] and UDP [40] as well as in different application protocols like DNS [41] and VoIP [42]. The covert channels are categorized as storage or timing channels, which differ in the type of transmitting the covert information [43]. The detection of these different channels spreading over all OSI layers is complex and demands for specialized detection techniques. ...
... A plethora of methods have been proposed to establish covert channels. These methods are categorized through so-called hiding patterns [16]. One of these hiding patterns is used in our paper and called value modulation (also: state/value modulation). ...
Conference Paper
A steganographic network storage channel that uses a carrier with a stream of numeric data must consider the possibility that the carrier data is processed before the covert receiver can extract the secret data. A sensor data stream, which we take as an example scenario, may be scaled by multiplication, shifted into a different range by addition, or two streams might be merged by adding their values. This raises the question if the storage channel can be made robust against such carrier modifications. On the other hand, if the pieces of secret data are numeric as well, adding and merging two streams each comprising covert data might be exploited to form a homomorphic covert channel. We investigate both problems as they are related and give positive and negative results. In particular, we present the first homomorphic storage covert channel. Moreover, we show that such type of covert channel is not restricted to sensor data streams, but that very different scenarios are possible.
Article
A covert network channel is a communication channel in which the message is secretly transmitted to the recipient. Sometimes, covert network channels are vulnerable to multiple attacks. Therefore, the message must be properly secure. In most cases, the covert channel is used to ensure data protection and allow users to freely access the Internet. In this paper, several recent studies are reviewed on covert network channels and examine the existing works from 2015 to 2024. This review article also discusses the undetectability and reliability of different types of covert network channels. Furthermore, a detailed description of the covert network channel's ability to hide in containers is provided. Existing research on covert network channels explains a few techniques for detecting attacks in secret data communication. However, several machine learning and deep learning techniques have been discussed in this article. Additionally, this article describes the accuracy of detection through an overview of current technologies. In addition, various countermeasures to prevent attacks in covert channels are also discussed in detail. However, in this case, the bandwidth limitations, data set limitations, and covert channel capacity are clearly defined, which will help future researchers build covert network channels and detect attacks. Finally, this work considers the challenges faced by covert network channels and the future scope of application.
Article
Covert channels are used for secret transfer of information. Encryption only protects communication from being decoded by unauthorized parties, whereas covert channels aim to hide the very existence of communication. This paper discusses a novel covert file transfer protocol (CFTP) based on the IP record route option. The CFTP protocol is used to secretly transfer text files and short messages between hosts. Firewalls that limit the outgoing traffic to a few allowed application protocols (e.g. FTP) can be circumvented by the CFTP protocol. To demonstrate the practical efficiency of the proposed covert protocol, a user friendly tool based on the client/server technology is implemented. Compared to related research, the main contribution in this work is that it introduces a new generation of covert channels. The proposed protocol is based on a novel session-oriented mechanism that offers TCP-like features embedded inside the IP option field. It provides more sophisticated communication tools that can be used for hiding information as well as synchronizing sessions and controlling the flow of exchanged data between hosts.
Article
Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties. In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage.
Article
Covert channels are a form of hidden communication that may violate the integrity of systems. Since their birth in Multi-Level Security systems in the early 70's they have evolved considerably, such that new solutions have appeared for computer networks mainly due to vague protocols specifications. In this paper we concentrate on short-range covert channels and analyze the opportunities of concealing data in various extensively used protocols today. From this analysis we observe several features that can be effectively exploited for subliminal data transmission in the Dynamic Host Configuration Protocol (DHCP). The result is a proof-of-concept implementation, HIDE_DHCP, which integrates three different covert channels each of which accommodate to different stealthiness and capacity requirements. Finally, we provide a theoretical and experimental analysis of this tool in terms of its reliability, capacity, and detectability.
Article
We present here the first work to propose different mechanisms for hiding data in the Extensible Messaging and Presence Protocol (XMPP). This is a very popular instant messaging protocol used by many messaging platforms such as Google Talk, Cisco, LiveJournal and many others. Our paper describes how to send a secret message from one XMPP client to another, without raising the suspicion of any intermediaries. The methods described primarily focus on using the underlying protocol as a means for steganography, unlike other related works that try to hide data in the content of instant messages. In doing so, we provide a more robust means of data hiding and additionally offer some preliminary analysis of its general security, in particular against entropic-based steganalysis.
Conference Paper
We study covert channels between a MitM attacker, and her MitE 'malware', running within the protected network of a victim organisation, and how to prevent or limit such channels. Our focus is on advanced timing channels, that allow communication between the MitM and MitE, even when hosts inside the protected network are restricted to only communicate to other (local and remote) hosts in the protected network. Furthermore, we assume communication is encrypted with fixed packet size (padding). We show that these do not suffice to prevent covert channels between MitM and MitE; furthermore, we show that even if we restrict communication to a constant rate, e.g., one packet every second, communication from MitE to MitM is still possible. We present efficient traffic shapers against covert channels between MitM and MitE. Our solutions preserve efficiency and bounded delay (QoS), while limiting covert traffic leakage, in both directions.
Conference Paper
The detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. The existing detection schemes are ineffective to detect most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels, and is capable of detecting them in an accurate manner.
Conference Paper
This paper depicts potentialities of formal HCI pattern specifications with regard to facilitate the semi-automated generation of user interfaces for interactive applications. In a first step existing proven and well accepted techniques in the field of model-based user interface development are highlighted and briefly reviewed. Subsequently it is discussed how we combine model-based and pattern-oriented methods within our user interface modeling and development framework in order to partly enable automated user interface generation. In this context a concrete pattern definition approach is introduced and illustrated with tangible examples from the domain of interactive knowledge sharing applications.
Conference Paper
Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computer systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to IP packets and transmit it to an organization's administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.
Article
In this paper, we examine general mechanisms that a network covert channel may exploit, and we characterize the essence of network covert channels, which are decided by overt sources. So we present a taxonomy of network covert channels based on entropy of overt sources. We classify overt sources into three categories, as variety entropy, constrant entropy and fixed entropy sources, and name the network covert channels correspondingly. For each category we give the definition, meaning, and countermeasure method. Then we group classical network covert channels emerged in 30 years and representational network covert channels proposed in recent 3 years into our taxonomy framework.