
SoS Newsletter - Advanced Book Block

Covert Channels

A covert channel is a simple, effective mechanism for sending and receiving data between machines without alerting any firewalls or intrusion detectors on the network. In cybersecurity science, covert channels have value both as a means of defense and as a means of attack. The work cited here, presented or published between January and October of 2014, looks at covert channels in radar and other signal processors, timing channels, IPv6, DNS, and attacks within the cloud.

  • Shi, H.; Tennant, A., "Covert Communication Using A Directly Modulated Array Transmitter," Antennas and Propagation (EuCAP), 2014 8th European Conference on, pp. 352-354, 6-11 April 2014. doi: 10.1109/EuCAP.2014.6901764 A Direct Antenna Modulation (DAM) scheme is configured on a 2-element array with 2-bit phase control. Such a transmitter is shown to generate constellations with two different orders simultaneously towards different transmitting angles. A possible covert communication scenario is presented in which a constellation with 16 desired signals can be generated at the intended direction, while at a second direction one with a reduced number of distinct signal points is purposely generated to prevent accurate demodulation by an eavesdropper. In addition, the system can be configured to actively lead a low-level constellation towards up to two independent pre-known eavesdropping angles.
    Keywords: Antenna arrays; Arrays; Constellation diagram; Transmitting antennas; Direct Antenna Modulation (DAM); constellation; phased array (ID#:14-2768)
  • Shrestha, P.L.; Hempel, M.; Sharif, H., "Towards a Unified Model For The Analysis Of Timing-Based Covert Channels," Communications (ICC), 2014 IEEE International Conference on, pp. 816-820, 10-14 June 2014. doi: 10.1109/ICC.2014.6883420 Covert channels are a network security risk growing both in sophistication and utilization, and thus posing an increasing threat. They leverage benign and overt network activities, such as the modulation of packet inter-arrival time, to covertly transmit information without detection by current network security approaches such as firewalls. This makes them a grave security concern. Thus, researching methods for detecting and disrupting such covert communication is of utmost importance. Understanding and developing analytical models is an essential requirement of covert channel analysis. Unfortunately, due to the enormous range of covert channel algorithms available, it becomes very inefficient to analyze them on a case-by-case basis. Hence, a unified model that can represent a wide variety of covert channels is required, but is not yet available. In other publications, individual models to analyze the capacity of interrupt-related covert channels have been discussed. In our work, we present a unique model to unify these approaches. This model has been analyzed and we have presented the results and verification of our approach using MATLAB simulations.
    Keywords: firewalls; telecommunication channels; Matlab simulations; analytical models; covert communication; firewalls; interrupt-related covert channels; network security risk; packet inter-arrival time modulation; timing-based covert channel analysis; Analytical models; Delays; Jitter; Mathematical model; Receivers; Security; Capacity; Covert Communication; Interrupt-Related Covert Channel; Mathematical Modeling; Model Analysis; Network Security; Packet Rate Timing Channels (ID#:14-2769)
  • Rezaei, F.; Hempel, M.; Shrestha, P.L.; Sharif, H., "Achieving Robustness And Capacity Gains In Covert Timing Channels," Communications (ICC), 2014 IEEE International Conference on, pp. 969-974, 10-14 June 2014. doi: 10.1109/ICC.2014.6883445 In this paper, we introduce a covert timing channel (CTC) algorithm and compare it to one of the most prevailing CTC algorithms, originally proposed by Cabuk et al. CTC is a form of covert channel - methods that exploit network activities to transmit secret data over packet-based networks - by modifying packet timing. This algorithm is a seminal work, one of the most widely cited CTCs, and the foundation for many CTC research activities. In order to overcome some of the disadvantages of this algorithm, we introduce a covert timing channel technique that leverages timeout thresholds. The proposed algorithm is compared to the original algorithm in terms of channel capacity, impact on overt traffic, bit error rates, and latency. Based on our simulation results, the proposed algorithm outperforms the work from Cabuk et al., especially in terms of its higher covert data transmission rate with lower latency and fewer bit errors. In our work we also address the desynchronization problem found in Cabuk et al.'s algorithm in our simulation results and show that even in the case of the synchronization-corrected Cabuk et al. algorithm, our proposed method provides better results in terms of capacity and latency.
    Keywords: channel capacity; wireless channels; CTC algorithms; bit error rates; capacity gains; channel capacity; covert timing channel algorithm; desynchronization problem; overt traffic; packet timing; packet-based networks; secret data; timeout thresholds; Algorithm design and analysis; Bit error rate; Channel capacity; Delays; Jitter; Receivers; Capacity; Covert Communication; Covert Timing Channel; Hidden Information; Latency; Network Security (ID#:14-2770)
  • Mavani, M.; Ragha, L., "Covert Channel In IPv6 Destination Option Extension Header," Circuits, Systems, Communication and Information Technology Applications (CSCITA), 2014 International Conference on, pp. 219-224, 4-5 April 2014. doi: 10.1109/CSCITA.2014.6839262 IPv6 is the next generation Internet protocol, whose market is going to increase as IPv4 addresses are exhausted and more mobile devices are attached to the Internet. Experience with the IPv6 protocol is limited as its deployment is slow, so there are many unknown threats possible in IPv6 networks. One such threat addressed in this paper is covert communication in the network. A covert channel is a way of communicating classified information. In a network it is done through a network protocol's control fields. The Destination Options extension header of IPv6 is used to pass secret information, which is shown experimentally in a real test network setup. For creation of attack packets, the Scapy Python-based API is used. A covert channel due to an unknown option and nonzero padding in the PadN option is shown. Their detection is also proposed, and the detector logic is implemented using shell scripting and C programming.
    Keywords: IP networks; application program interfaces; computer network security; protocols; C programming; IPv4 addresses; IPv6 destination option extension header; IPv6 networks; PadN option; Scapy-Python based API attack packets; covert channel; covert communication; detector logic; extension header; mobile devices; network protocol control fields; next generation Internet protocol; nonzero padding; shell scripting; test network set up; Detectors; IP networks; Information technology; Internet; Operating systems; Protocols; Security; Extension Header; IPv6; Scapy; covert channel (ID#:14-2771)
  • Binsalleeh, H.; Kara, A.M.; Youssef, A.; Debbabi, M., "Characterization of Covert Channels in DNS," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, pp. 1-5, March 30 2014-April 2 2014. doi: 10.1109/NTMS.2014.6814008 Malware families utilize different protocols to establish their covert communication networks. It is also the case that sometimes they utilize protocols which are least expected to be used for transferring data, e.g., Domain Name System (DNS). Even though the DNS protocol is designed to be a translation service between domain names and IP addresses, it leaves some open doors to establish covert channels in DNS, which is widely known as DNS tunneling. In this paper, we characterize the malicious payload distribution channels in DNS. Our proposed solution characterizes these channels based on the DNS query and response message patterns. We performed an extensive analysis of malware datasets for one year. Our experiments indicate that our system can successfully determine different patterns of the DNS traffic of malware families.
    Keywords: cryptographic protocols; invasive software; DNS protocol; DNS traffic; DNS tunneling; IP addresses; communication networks; covert channel characterization; domain name system; malicious payload distribution channels; malware datasets; malware families; message patterns; translation service; Command and control systems; Malware; Payloads; Protocols; Servers; Tunneling (ID#:14-2772)
  • Shrestha, P.L.; Hempel, M.; Sharif, H.; Chen, H.-H., "An Event-Based Unified System Model to Characterize and Evaluate Timing Covert Channels," Systems Journal, IEEE, vol. PP, no. 99, pp. 1-10, July 2014. doi: 10.1109/JSYST.2014.2328665 Covert channels are communication channels that transmit information utilizing existing system resources without being detected by network security elements, such as firewalls. Thus, they can be utilized to leak confidential governmental, military, and corporate information. Malicious users, like terrorists, can use covert channels to exchange information without being detected by cyber-intelligence services. Therefore, covert channels can be a grave security concern, and it is important to detect, eliminate, and disrupt covert communications. Active network wardens can attempt to eliminate such channels by traffic modification, but such an implementation will also hamper innocuous traffic, which is not always acceptable. Owing to the large number of covert channel algorithms, it is not possible to deal with them on a case-by-case basis. Therefore, it necessitates a unified system model that can represent them. In this paper, we present an event-based model to represent timing covert channels. Based on our model, we calculate the capacity of various covert channels and evaluate their essential features, such as the impact of network jitter noise and packet losses. We also used simulations to obtain these parameters to verify its accuracy and applicability.
    Keywords: Capacity; covert channel; delay jitter; interrupt-related channel; packet loss; security; timing channel (ID#:14-2773)
  • Wu, Z.; Xu, Z.; Wang, H., "Whispers in the Hyper-Space: High-Bandwidth and Reliable Covert Channel Attacks Inside the Cloud," Networking, IEEE/ACM Transactions on, vol. PP, no. 99, pp. 1-1, February 2014. doi: 10.1109/TNET.2014.2304439 Privacy and information security in general are major concerns that impede enterprise adaptation of shared or public cloud computing. Specifically, the concern of virtual machine (VM) physical co-residency stems from the threat that hostile tenants can leverage various forms of side channels (such as cache covert channels) to exfiltrate sensitive information of victims on the same physical system. However, on virtualized x86 systems, covert channel attacks have not yet proven to be practical, and thus the threat is widely considered a "potential risk." In this paper, we present a novel covert channel attack that is capable of high-bandwidth and reliable data transmission in the cloud. We first study the application of existing cache channel techniques in a virtualized environment and uncover their major insufficiency and difficulties. We then overcome these obstacles by: 1) redesigning a pure timing-based data transmission scheme, and 2) exploiting the memory bus as a high-bandwidth covert channel medium. We further design and implement a robust communication protocol and demonstrate realistic covert channel attacks on various virtualized x86 systems. Our experimental results show that covert channels do pose serious threats to information security in the cloud. Finally, we discuss our insights on covert channel mitigation in virtualized environments.
    Keywords: Cloud; covert channel; network security (ID#:14-2774)
  • Kadhe, S.; Jaggi, S.; Bakshi, M.; Sprintson, A., "Reliable, Deniable, And Hidable Communication Over Multipath Networks," Information Theory (ISIT), 2014 IEEE International Symposium on, pp. 611-615, June 29 2014-July 4 2014. doi: 10.1109/ISIT.2014.6874905 We consider the scenario wherein a transmitter Alice wants to (potentially) communicate to the intended receiver Bob over a multipath network, i.e., a network consisting of multiple parallel links, in the presence of a passive eavesdropper Willie, who observes an unknown subset of links. A primary goal of our communication protocol is to make the communication "deniable", i.e., Willie should not be able to reliably estimate whether or not Alice is transmitting any covert information to Bob. Moreover, if Alice is indeed actively communicating, her covert messages should be information-theoretically "hidable" in the sense that Willie's observations should not leak any information about Alice's (potential) message to Bob - our notion of hidability is slightly stronger than the notion of information-theoretic strong secrecy well-studied in the literature. We demonstrate that deniability does not imply either hidability or (weak or strong) information-theoretic secrecy; nor does information-theoretic secrecy imply deniability. We present matching inner and outer bounds on the capacity for deniable and hidable communication over multipath networks.
    Keywords: encoding; protocols; radio receivers; radio transmitters; telecommunication links; telecommunication network reliability; telecommunication security; communication hidability; communication protocol; information theoretic secrecy; multipath networks; multiple parallel links; passive eavesdropper; telecommunication network reliability; Artificial neural networks; Cryptography; Encoding; Reliability theory (ID#:14-2775)
  • Hong Zhao, "Covert channels in 802.11e wireless networks," Wireless Telecommunications Symposium (WTS), 2014, pp. 1-5, 9-11 April 2014. doi: 10.1109/WTS.2014.6834991 WLANs (Wireless Local Area Networks) have been widely used in business, school and public areas. The newly deployed 802.11e protocol provides QoS in WLANs. However, there are some vulnerabilities in it. This paper analyzed the 802.11e protocol for QoS support in WLANs, and two new covert channels are proposed. These proposed covert channels provide a signalling method in order to have reliable communication. The proposed covert channels have no impact on the normal traffic pattern, thus they cannot be detected by monitoring the traffic pattern.
    Keywords: protocols; quality of service; wireless LAN; 802.11e wireless networks; QoS support; WLAN; Wireless Local Area Networks; covert channels; signalling method; traffic pattern monitoring; Communication system security; IEEE 802.11e Standard; Protocols; Quality of service; Wireless LAN; Wireless communication; 802.11e WLAN; Network Steganography; information hiding (ID#:14-2776)
  • Bash, B.A.; Goeckel, D.; Towsley, D., "LPD Communication When The Warden Does Not Know When," Information Theory (ISIT), 2014 IEEE International Symposium on, pp. 606-610, June 29 2014-July 4 2014. doi: 10.1109/ISIT.2014.6874904 Unlike standard security methods (e.g. encryption), low probability of detection (LPD) communication does not merely protect the information contained in a transmission from unauthorized access, but prevents the detection of a transmission in the first place. In this work we study the impact of secretly pre-arranging the time of communication. We prove that if Alice has AWGN channels to Bob and the warden, and if she and Bob can choose a single n symbol period slot out of T(n) such slots, keeping the selection secret from the warden (and, thus, forcing him to monitor all T(n) slots), then Alice can reliably transmit O(min{n log T(n),n}) bits to Bob while keeping the warden's detector ineffective. The result indicates that only an additional log T(n) secret bits need to be exchanged between Alice and Bob prior to communication to produce a multiplicative gain of log T(n) in the amount of transmitted covert information.
    Keywords: AWGN channels; computational complexity; probability; telecommunication network reliability; telecommunication security; AWGN channels; LPD communication; low probability-of-detection; symbol period slot; transmission detection protection; unauthorized access; AWGN channels; Detectors; Random variables; Reliability; Vectors; Yttrium (ID#:14-2777)
  • Naseer, N.; Keum-Shik Hong; Bhutta, M.R.; Khan, M.J., "Improving Classification Accuracy Of Covert Yes/No Response Decoding Using Support Vector Machines: An fNIRS Study," Robotics and Emerging Allied Technologies in Engineering (iCREATE), 2014 International Conference on, pp. 6-9, 22-24 April 2014. doi: 10.1109/iCREATE.2014.6828329 One of the aims of brain-computer interface (BCI) is to restore the means of communication for people suffering severe motor impairment, anarthria, or persisting in a vegetative state. Yes/no decoding with the help of an imaging technology such as functional near-infrared spectroscopy (fNIRS) can make this goal a reality. fNIRS is a relatively new non-invasive optical imaging modality offering the advantages of low cost, safety, portability and ease of use. Recently, an fNIRS-based online covert yes/no decision decoding framework was presented [Naseer and Hong (2013), online binary decision decoding using functional near infrared spectroscopy for development of a brain-computer interface]. Herein we propose a method to improve support vector machine classification accuracies for decoding covert yes/no responses by using signal slope values of oxygenated and deoxygenated hemoglobin as features calculated for a confined temporal window within the total task period.
    Keywords: brain-computer interfaces; infrared spectra; medical signal processing; signal classification; support vector machines; BCI; brain-computer interface; classification accuracy; covert yes-no response decoding framework; deoxygenated hemoglobin; fNIRS; functional near-infrared spectroscopy; noninvasive optical imaging modality; oxygenated hemoglobin; signal slope values; support vector machines; temporal window; Accuracy; Brain-computer interfaces; Decoding; Detectors; Optical imaging; Spectroscopy; Support vector machines; Binary decision decoding; Brain-computer interface; Functional near-infrared spectroscopy; Support vector machines; Yes/no decoding (ID#:14-2778)
  • Beato, F.; De Cristofaro, E.; Rasmussen, K.B., "Undetectable Communication: The Online Social Networks Case," Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, pp. 19-26, 23-24 July 2014. doi: 10.1109/PST.2014.6890919 Online Social Networks (OSNs) provide users with an easy way to share content, communicate, and update others about their activities. They also play an increasingly fundamental role in coordinating and amplifying grassroots movements, as demonstrated by recent uprisings in, e.g., Egypt, Tunisia, and Turkey. At the same time, OSNs have become primary targets of tracking, profiling, as well as censorship and surveillance. In this paper, we explore the notion of undetectable communication in OSNs and introduce formal definitions, alongside system and adversarial models that complement better understood notions of anonymity and confidentiality. We present a novel scheme for secure covert information sharing that, to the best of our knowledge, is the first to achieve undetectable communication in OSNs. We demonstrate, via an open-source prototype, that additional costs are tolerably low.
    Keywords: data privacy; security of data; social networking (online); OSNs; anonymity notion; confidentiality notion; covert information sharing security; online social networks; open-source prototype; undetectable communication; Entropy; Facebook; Indexes; Internet; Security; Servers (ID#:14-2779)
  • Lakhani, H.; Zaffar, F., "Covert Channels in Online Rogue-Like Games," Communications (ICC), 2014 IEEE International Conference on, pp. 761-767, 10-14 June 2014. doi: 10.1109/ICC.2014.6883411 Covert channels allow two parties to exchange secret data in the presence of adversaries without disclosing the fact that there is any secret data in their communications. We propose and implement EEDGE, an improved method for steganography in mazes that builds upon the work done by Lee et al., and has a significantly higher embedding capacity. We apply EEDGE to the setting of online rogue-like games, which have randomly generated mazes as the levels for players, and show that this can be used to successfully create an efficient, error-free, high bit-rate covert channel.
    Keywords: computer games; electronic data interchange; steganography; EEDGE; covert channels; error free channel; high bit rate covert channel; online rogue like games; secret data exchange; steganography; Bit rate; Games; Image edge detection; Information systems; Lattices; Receivers; Security (ID#:14-2780)
  • Dainotti, A.; King, A.; Claffy, K.; Papale, F.; Pescape, A., "Analysis of a "/0" Stealth Scan from a Botnet," Networking, IEEE/ACM Transactions on, vol. PP, no. 99, pp. 1-1, Jan 2014. doi: 10.1109/TNET.2013.2297678 Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial-of-service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers. Its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This paper offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
    Keywords: Animation; Geology; IP networks; Internet; Ports (Computers); Servers; Telescopes; Botnet; Internet background radiation; Internet telephony; Network Telescope; VoIP; communication system security; darknet; network probing; scanning (ID#:14-2781)
  • Suzhi Bi; Ying Jun Zhang, "Using Covert Topological Information for Defense Against Malicious Attacks on DC State Estimation," Selected Areas in Communications, IEEE Journal on, vol. 32, no. 7, pp. 1471-1485, July 2014. doi: 10.1109/JSAC.2014.2332051 Accurate state estimation is of paramount importance to maintain the power system operating in a secure and efficient state. The recently identified coordinated data injection attacks on meter measurements can bypass the current security system and introduce errors to the state estimates. The conventional wisdom to mitigate such attacks is by securing meter measurements to evade malicious injections. In this paper, we provide a novel alternative to defend against false data injection attacks using covert power network topological information. By keeping the exact reactance of a set of transmission lines from attackers, no false data injection attack can be launched to compromise any set of state variables. We first investigate from the attackers' perspective the necessary condition to perform an injection attack. Based on the arguments, we characterize the optimal protection problem, which protects the state variables with minimum cost, as a well-studied Steiner tree problem in a graph. In addition, we also propose a mixed defending strategy that jointly considers the use of covert topological information and secure meter measurements when either method alone is costly or unable to achieve the protection objective. A mixed-integer linear programming formulation is introduced to obtain the optimal mixed defending strategy. To tackle the NP-hardness of the problem, a tree-pruning-based heuristic is further presented to produce an approximate solution in polynomial time. The advantageous performance of the proposed defending mechanisms is verified in IEEE standard power system test cases.
    Keywords: integer programming; linear programming; power system security; power system state estimation; power transmission faults; power transmission lines; power transmission protection; smart meters; smart power grids; trees (mathematics); DC state estimation; NP-hardness problem; Steiner tree problem; coordinated data injection attacks identification; covert power network topological information; current security system; false data injection attack; graph theory; malicious attacks; mixed-integer linear programming; necessary condition; optimal mixed defending strategy; optimal protection problem; polynomial time; power system state estimation; secure meter measurements; state variables; transmission lines; tree-pruning-based heuristic; Phase measurement; Power measurement; Power transmission lines; State estimation; Transmission line measurements; Voltage measurement; False-data injection attack; graph algorithms; power system state estimation; smart grid security (ID#:14-2782)
  • Pak Hou Che; Bakshi, M.; Chung Chan; Jaggi, S., "Reliable, Deniable And Hidable Communication," Information Theory and Applications Workshop (ITA), 2014, pp. 1-10, 9-14 Feb. 2014. doi: 10.1109/ITA.2014.6804271 Alice wishes to potentially communicate covertly with Bob over a Binary Symmetric Channel while Willie the wiretapper listens in over a channel that is noisier than Bob's. We show that Alice can send her messages reliably to Bob while ensuring that even whether or not she is actively communicating is (a) deniable to Willie, and (b) optionally, her message is also hidable from Willie. We consider two different variants of the problem depending on Alice's "default" behavior, i.e., her transmission statistics when she has no covert message to send: 1) When Alice has no covert message, she stays "silent", i.e., her transmission is 0; 2) When she has no covert message, she transmits "innocently", i.e., her transmission is drawn uniformly from an innocent random codebook. We prove that the best rate at which Alice can communicate both deniably and hidably in model 1 is O(1/n). On the other hand, in model 2, Alice can communicate at a constant rate.
    Keywords: binary codes; channel coding; random codes; reliability; Alice default behavior; binary symmetric channel; random codebook; transmission statistics; wiretapper; Decoding; Encoding; Error probability; Measurement; Noise; Reliability; Throughput (ID#:14-2783)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.