Abstract
A covert channel arises when an attacker finds and exploits a shared resource that was never designed to be a communication mechanism. A network covert timing channel alters the timing of otherwise legitimate network traffic so that packet arrival times encode confidential data the attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this article we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and evaluate its efficacy. We then show that an IP covert channel can be distinguished from legitimate traffic and present new detection measures that achieve detection rates over 95%. We next take the simple step an attacker would take to conceal the covert communication: adding noise to the channel. For these noisy IP covert timing channels we show that our online detection measures can fail to identify the channel once the noise level exceeds 10%. We then provide effective offline search mechanisms that identify the noisy channels.
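The mechanism the abstract describes, as an added worked example (this is not code from the paper or its authors): a toy on/off IP timing channel in which time is sliced into slots and a packet in a slot encodes a 1, a receiver that recovers the bits from arrival times, the attacker's noise step (extra packets at random times), and a detector that scores how regular the inter-arrival gaps are. Everything here is an assumption for illustration: the 50 ms slot, the ±0.5 ms jitter, the constructed traffic generated from a seeded RNG, exponential gaps as a stand-in for legitimate traffic, and the detection statistic, which is a simplified relative-difference regularity test in the spirit of the measures the abstract mentions, not the paper's exact formulation.

```python
"""
Toy IP covert timing channel and a regularity-style detector.

Added illustration, not code from Cabuk, Brodley and Shields. Channel model:
time is sliced into slots of length SLOT; a packet sent in a slot encodes 1,
an empty slot encodes 0. Detector: the fraction of neighbouring values in the
sorted list of inter-arrival gaps that differ by less than a relative EPS.
Gaps that are multiples of SLOT cluster tightly and score high; continuously
distributed gaps score low. All traffic is synthetic (seeded RNG), not captured.
"""
import math
import random

SLOT = 0.050      # 50 ms slot, assumed agreed between sender and receiver
JITTER = 0.0005   # +/- 0.5 ms of delay variation applied to every packet
EPS = 0.002       # relative tolerance for the similarity statistic (assumed)


def encode(bits, slot=SLOT):
    """Packet send times for a bit string: one slot per bit, packet <=> 1."""
    return [i * slot for i, b in enumerate(bits) if b == "1"]


def decode(arrivals, n_bits, slot=SLOT):
    """Recover bits from arrival times; receiver assumed synchronised to t=0."""
    bits = ["0"] * n_bits
    for t in arrivals:
        k = int(round(t / slot))          # nearest slot index absorbs jitter
        if 0 <= k < n_bits:
            bits[k] = "1"
    return "".join(bits)


def with_jitter(times, rng, jitter=JITTER):
    """Simulate network delay variation by perturbing each timestamp."""
    return sorted(t + rng.uniform(-jitter, jitter) for t in times)


def add_noise_packets(times, fraction, rng):
    """Attacker's concealment step: interleave extra packets at random times."""
    span = max(times)
    extra = [rng.uniform(0.0, span) for _ in range(int(fraction * len(times)))]
    return sorted(times + extra)


def legitimate_traffic(n, mean_gap, rng):
    """Constructed stand-in for normal traffic: exponential gaps (real traffic
    is burstier and clock-quantised; see the caveat in the text)."""
    t, out = 0.0, []
    for _ in range(n):
        t += -mean_gap * math.log(1.0 - rng.random())
        out.append(t)
    return out


def inter_arrivals(times):
    return [b - a for a, b in zip(times, times[1:])]


def epsilon_similarity(gaps, eps=EPS):
    """Fraction of neighbouring sorted gaps whose relative difference is < eps."""
    s = sorted(g for g in gaps if g > 0)
    rel = [(s[i + 1] - s[i]) / s[i] for i in range(len(s) - 1)]
    return sum(1 for r in rel if r < eps) / len(rel)


def demo(seed=1):
    """Run the channel clean, with 30% noise packets, and against legit traffic."""
    rng = random.Random(seed)
    bits = "".join(rng.choice("01") for _ in range(300))
    clean = with_jitter(encode(bits), rng)
    noisy = add_noise_packets(clean, 0.30, rng)
    legit = legitimate_traffic(len(clean), SLOT, rng)
    noisy_bits = decode(noisy, len(bits))
    return {
        "decoded_ok": decode(clean, len(bits)) == bits,
        # naive receiver reads the noise packets as spurious 1 bits
        "noisy_bit_errors": sum(a != b for a, b in zip(noisy_bits, bits)),
        "score_covert": epsilon_similarity(inter_arrivals(clean)),
        "score_noisy": epsilon_similarity(inter_arrivals(noisy)),
        "score_legit": epsilon_similarity(inter_arrivals(legit)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the seeded inputs the clean channel scores well above the synthetic legitimate traffic, and the 30% noise run lands between them: the noise packets split slot-multiple gaps into random ones, which both lowers the regularity score and, for a receiver that does nothing more than the naive `decode` above, shows up as bit errors. Two caveats before using a statistic like this on real captures: legitimate periodic traffic (keepalives, polling, NTP) is also highly regular, and timestamps quantised at the capture clock's resolution produce exactly equal gaps, so the threshold has to be calibrated against baseline traffic from the same vantage point rather than taken from a toy model.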
Index Terms
- IP Covert Channel Detection