In order to protect user privacy or guarantee free access to the Internet, the network covert channel has become a hot research topic. It refers to an information channel in which the messages are covertly transmitted under the network environment. In recent years, many new construction schemes of network covert channels are proposed. But at the same time, network covert channel has also received the attention of censors, leading to many attacks. The network covert channel refers to an information channel in which the messages are covertly transmitted under the network environment. Many users exploit the network covert channel to protect privacy or guarantee free access to the Internet. Previous construction schemes of the network covert channel are based on information steganography, which can be divided into CTCs and CSCs. In recent years, there are some covert channels constructed by changing the transmission network architecture. On the other side, some research work promises that the characteristics of emerging network may better fit the construction of the network covert channel. In addition, the covert channel can also be constructed by changing the transmission network architecture. The proxy and anonymity communication technology implement this construction scheme. In this paper, we divide the key technologies for constructing network covert channels into two aspects: communication content level (based on information steganography) and transmission network level (based on proxy and anonymity communication technology). We give an comprehensively summary about covert channels at each level. We also introduce work for the three new types of network covert channels (covert channels based on streaming media, covert channels based on blockchain, and covert channels based on IPv6). In addition, we present the attacks against the network covert channel, including elimination, limitation, and detection. Finally, the challenge and future research trend in this field are discussed.
1. Introduction
With the rapid development of information technology, Internet has penetrated into every aspect of people’s lives. However, when people enjoy the convenience brought by the network, there have been many issues of information leakage and user privacy breaches [1]. For example, there have emerged malicious attacks which aimed at stealing confidential government data, such as GhostNet [2], ShadowNet [3], and Axiom [4]. On the other hand, repressive governments have deployed increasingly sophisticated technology to block the disfavored Internet content [5]. So, many users cannot access Internet freely.
The network covert channel can covertly transmit secret messages. It can hide covert traffic in a large amount of overt communication traffic. Many researches show that the use of network covert channel can protect user privacy and guarantee users’ right to free access to Internet [6–8]. The secure transmission of secret messages in the communication process refers to two aspects: one is the communication content security [9] and the other is the communication connection security [6, 10, 11]. Network covert channel can effectively improve the security of these two aspects.
In terms of communication content security, encryption technology is widely used to protect the communication content of both sides, such as SSL (secure sockets layer), digital signature, and other technologies. The Google transparency report “HTTPS Encryption in Chrome” (available under https://transparencyreport.google.com/https/overview) states that, in October 2019, 95% of Chrome webpages enabled encryption. In addition, according to Netmarketshare (a website for Market Share Statistics for Internet Technologies, available under https://netmarketshare.com/report.aspx?id=https), the percentage of encrypted web traffic in October 2019 has exceeded 90%.
However, with the continuous development of the encrypted traffic analysis technology, even in the case of encryption, certain activities of users can still be discovered [12, 13]. So, the privacy of users cannot be well protected. On the other hand, the increasing computing power and attacks on encryption algorithm also make it possible to crack encrypted traffic [14, 15]. The covert channel can prevent the encrypted traffic from being discovered due to its covert transmission characteristics. In this environment, if the attacker does not know the covert channel construction method, he cannot perform the attacks on encrypted traffic, even if he has a strong ability to analyze and crack encrypted traffic [7]. So, the network covert channel enhanced the communication content security.
In terms of communication connection security, the meta-data (message source IP address, destination IP address, etc.) and communication mode (interval of packets, etc.) cannot be hidden by encryption [10]. The communication participants may expose identity information to the network eavesdroppers [16]. Further, they can infer the sender and receiver of the message and find the ongoing communication connection, leading to significant risk of privacy leaks and being blocked.
But, the network covert channel is an unconventional communication method, and the eavesdroppers cannot determine whether the user is actually performing covert communication and thus cannot find both sides of communication. So, the identity concealment of both parties can be protected [17]. On the other hand, because the traffic of the covert channel is mixed in a large amount of overt traffic, even if the eavesdroppers use some methods to obtain the identity of both parties, it is difficult for them to determine whether the two parties are sending or receiving messages, that is, the communication behavior is unobservable [18]. So, the covert channel can provide a strong guarantee for the security of communication connection.
The use of covert channels strengthens the content security of encrypted traffic and fills the shortcomings that encryption cannot protect the security of communication connection. So, the demand to construct network covert channels is increasing, and many technologies are proposed. The most common technology is to use information steganography to build a network covert channel [17]. The information steganography can hide secret messages in the temporal behavior of the traffic or the storage fields in the network protocol, which composes CTCs (covert timing channels) and CSCs (covert storage channels) accordingly [7]. Besides the information steganography, many covert channels perform covert transmission by changing the transmission network architecture. There are two typical representatives: proxy technology [19, 20] and anonymous communication technology [11]. The proxy can be divided into two categories: end-to-end proxy (such as HTTP proxy [21]) and end to middle proxy (such as Telex [22]). In addition, anonymous communication technology can also conduct a new covert transmission path. There are many mature anonymous communication systems such as Tor [23], I2P [24], and Loopix [11].
On the other side, some research work promises that the characteristics of emerging networks may better fit the construction of the network covert channel. With the development of emerging networks, many network covert channels in the new network environment (streaming media network, blockchain network, and IPv6) have been proposed. The covert channels based on streaming media network hide secret messages in audio and video traffic and use popular streaming media applications as the carrier. There are three typical covert channels: Facet [25], CovertCast [26], and DeltaShaper [27]. The blockchain network has the characteristics of participant-anonymity, flooding propagation, and tampering resistance [28]. The covert channels based on blockchain network can utilize participant-anonymity and flooding propagation to increase the concealment of communicating parties. The tampering resistance can also be used to guarantee the robustness of covert channel. In this context, the models of covert channels based on blockchain network are proposed [10, 28] and three covert channels (Zombiecoin [10], Botchain [29], and Chainchannels [30]) have been actually deployed in blockchain network. The IPv6 network is also a compelling platform for constructing covert channels. The IPv6 header and its extensions have many reserved fields or other fields which can embed information, thus leading to many possible covert channels [31].
However, because the network covert channel is a good method to cope with repressive government, it has also received the attention of censors [32]. Compared with ordinary eavesdroppers, the national-level censors have a global traffic view and have a stronger ability to analyze traffic. More and more attacks against the covert channel have appeared, which has an impact on channel concealment, robustness, and transmission efficiency [33–35].
Although there are many studies on covert channels, there is no comprehensive survey for the construction technologies they use and corresponding attacks. In addition, there is also less research on the covert channels in the new network environment. Compared with the already published studies, the main contributions of this paper are as follows:(1)Previous studies only considered the network covert channel based on information steganography, but not the covert channel based on the changing network architecture. According to different principles of covert channel construction technologies, we divide covert channels into two levels: communication content and transmission network, which can comprehensively include existing covert channels. And, we conduct a comprehensive analysis on the covert channels under each construction technology.(2)The characteristics of the new network create many convenient conditions for the construction of network covert channels. However, they are not considered in other reviews. We present the covert channels in the new network environments including streaming media, blockchain, and IPv6, which makes up for deficiencies in existing work. It would highly facilitate for the researchers to understand the research status and provide research ideas for the subsequent design of covert channels in those new network environments.(3)We emphasize the challenging problems facing the construction of covert channels: the IP blocking or other blocking technology reduces the channel availability; the use of ML and DL technology makes the covert channel easier to expose. We discuss how to improve the ability to resist those problems, such as using adversarial examples, constructing reversible network, covert channel.
In order to improve the readability, we list the abbreviations used in our article in Table 1.
Abbreviation
Full name
SSL
Secure sockets layer
Tor
The second-generation onion router
DPI
Deep packet inspection
I2P
Invisible internet project
ML
Machine learning
DL
Deep learning
CTCs
Covert timing channels
CSCs
Covert storage channels
URL
Uniform resource locator
E2M
End-to-middle
C&C
Command and control
IPDs
Internet packet delays
BER
Bit error rate
PDU
Protocol data unit
ICMP
Internet control message protocol
ECDH
Elliptic curve Diffie-Hellman
TCP ISNs
TCP initial sequence numbers
PPTP
Point-to-point tunneling protocol
L2TP
Layer two-tunneling protocol
VTP
VLAN trunking protocol
IPSec
IP security
DHT
Distributed hash table
ESP
Encapsulating security payload
SDN
Software defined network
IoT
Internet of things
ICS
Industrial control systems
DGA
Domain generation algorithm