Covert channels are not new in computing systems, and have been studied since their first definition four decades ago. New platforms call for thorough investigation to assess their security. Now is the time for the Android platform to analyze its security model, in particular its two key principles: process isolation and the permission system. Aside from all sorts of malware, one threat has proved intractable for current protection solutions: collusion attacks involving two applications communicating over covert channels. Still, no universal solution can counter this sort of attack unless the covert channels are known. This paper is an attempt to reveal a new covert channel, one that is not only specific to smartphones but also exploits an unusual resource as a vehicle to carry covert information: sensor data. Accelerometers generate signals that reflect user motions, and malware applications can apparently only read their data. However, if the vibration motor on the device is used properly, programmatically produced vibration patterns can encode stolen data, and hence one application can cause discernible effects on acceleration data that are received and decoded by another application. Our evaluations confirmed a real threat: strings of tens of characters could be transmitted without error if the throughput is reduced to around 2.5–5 bps. The proposed covert channel is very stealthy, as no unusual permissions are required and there is no explicit communication between the colluding applications.
Within a multilevel secure (MLS) system, trusted subjects are granted privileges to perform operations that are not possible by ordinary subjects controlled by mandatory access control (MAC) policy enforcement mechanisms. These subjects are trusted not to conduct malicious activity or degrade system security. We present a formal definition for trusted subject behaviors, which depends upon a representation of information flow and control dependencies generated during a program execution. We describe a security Domain Model (DM) designed in the Alloy specification language for conducting static analysis of programs to identify illicit information flows, access control flaws and covert channel vulnerabilities. The DM is compiled from a representation of a target program, written in an intermediate Implementation Modeling Language (IML), and a specification of the security policy written in Alloy. The Alloy Analyzer tool is used to perform static analysis of the DM to detect potential security policy violations in the target program. In particular, since the operating system upon which the trusted subject runs has limited ability to control its actions, static analysis of trusted subject operations can contribute to the security of the system.
Investigating network covert channels in smartphones has become increasingly important as smartphones have recently taken over the role of traditional computers. Smartphones are subject to traditional computer network covert channel techniques. Smartphones also introduce new sets of covert channel techniques as they add more capabilities and multiple network connections. This work presents a new network covert channel in smartphones. The research studies the ability to leak information from smartphone applications by reaching the cellular voice stream, and it examines the ability to employ the cellular voice channel as a potential medium of information leakage by covertly carrying modulated speech-like data. To validate the theory, an Android software audio modem was developed, and it was able to leak data successfully through the cellular voice channel stream by carrying modulated data with a throughput of 13 bps at 0.018% BER. Moreover, Android security policies are investigated and broken in order to implement a user-mode rootkit that opens the voice channel by stealthily answering an incoming voice call. Multiple scenarios are conducted to verify the effectiveness of the proposed covert channel. This study identifies a new potential smartphone covert
A network covert channel is created that operates by modulating the time between web resource accesses, with an 'average web user' read-time used as a reference. While the covert channel may be classified as timing-based, it does not operate by changing deterministic protocol attributes such as inter-packet delay, as most timing-based network covert channels do. Instead, our channel communicates by modulating transaction-level read-time, which in the web browsing case has significant non-deterministic components. The channel is thus immune to methods typically used to detect timing-based network covert
Computer networks are unpredictable due to information warfare and are prone to various attacks. Such attacks compromise a network's most important attribute, privacy. Most such attacks are devised using a special communication channel called a "covert channel". The word "covert" stands for hidden or non-transparent. A network covert channel is a concealed communication path within legitimate network communication that clearly violates the security policies laid down. The non-transparency in a covert channel is also referred to as a trapdoor. A trapdoor is an unintended design within legitimate communication whose purpose is to leak information. A subliminal channel, a variant of the covert channel, works similarly except that the trapdoor is set in a cryptographic algorithm. A composition of a covert channel with a subliminal channel is a "hybrid covert channel". A hybrid covert channel is a homogeneous or heterogeneous mixture of two or more variants of covert channels, either active at the same instant or at different instants in time. Detecting such malicious channel activity plays a vital role in removing the threat to the legitimate network. In this paper, we present a study of multi-trapdoor covert channels and introduce the design of a new detection engine for hybrid covert channels in the transport layer, illustrated on TCP and SSL.; Comment: 8 pages...
Covert channels can be utilized to secretly deliver information from high-privileged processes to low-privileged processes in the context of a high-assurance computing system. In this case study, we investigate the possibility of covert channel establishment via software caches in the context of a framework for component-based operating systems. While component-based operating systems offer security through the encapsulation of system service processes, complete isolation of these processes is not reasonably feasible. This limitation is practically demonstrated with our concept of a specific covert timing channel based on file system caching. The stability of the covert channel is evaluated and a methodology to disrupt the covert channel transmission is presented. While these kinds of attacks are not limited to high-assurance computing systems, our study practically demonstrates that even security-focused computing systems with a minimal trusted computing base are vulnerable to such attacks, and that careful design decisions are necessary for secure operating system architectures.; Comment: 12 pages, based upon the master's thesis of Schmidt
Network covert channels are used to hide communication inside network protocols. Within the last decades, various techniques for covert channels have arisen. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns, i.e. most of the techniques we surveyed are very similar. We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: while many current countermeasures were developed for specific channels, a pattern-oriented approach allows one countermeasure to be applied to multiple channels. Hence, future countermeasure development can focus on patterns...
A network covert channel is created that uses resource names such as addresses to convey information, and that approximates typical user behavior in order to blend in with its environment. The channel correlates available resource names with a user-defined code-space, and transmits its covert message by selectively accessing resources associated with the message codes. In this paper we focus on an implementation of the channel using the Hypertext Transfer Protocol (HTTP) with Uniform Resource Locators (URLs) as the message names, though the system can be used in conjunction with a variety of protocols. The covert channel does not modify expected protocol structure as might be detected by simple inspection, and our HTTP implementation emulates transaction-level web user behavior in order to avoid detection by statistical or behavioral analysis.; Comment: 9 pages
Source: Rochester Institute of Technology; Publisher: Rochester Institute of Technology
This paper presents a covert communication channel that exists in virtually all forms of packet switching data networks. On the one hand, this covert channel, if used properly, can potentially enhance the overall security of data communications over networks. On the other hand, the covert channel can also potentially become a back door to access a destination computer, and hence becomes a security hazard to the computer. A simple protocol is specified for communications on the covert channel. A modified TFTP application is also presented to demonstrate how to use the covert channel to convey secret messages or to enhance the integrity of data communications. The application also illustrates a back door that leaks a client's data files without user notification. A sliding entropy method is also introduced to detect some cases of covert channels.; "A Covert channel in packet switching data networks," Proceedings of The Second Upstate New York Workshop on Communications and Networking. Held in Rochester, New York: November 2005.
The ICMP protocol has been widely used and accepted as a covert channel. While the ICMP protocol is very simple to use, modern security approaches such as firewalls, deep-packet inspection and intrusion detection systems threaten the use of ICMP as a reliable means of covert channel. This study explores the modern usefulness of ICMP with typical security measures in place. Existing ICMP covert channel solutions are examined for compliance with standard RFCs and resiliency against modern security approaches.
A new covert channel over the RTP protocol is designed and implemented by modifying the timestamp value in the RTP header. Due to the high frequency of RTP packets, the covert channel has a high bit-rate, theoretically up to 350 bps. The broad use of RTP for multimedia applications such as VoIP provides abundant opportunities for such a covert channel to exist. By using the RTP header, many of the challenges present for covert channels using the RTP payload are avoided. A reference implementation of this covert channel is presented. Bit-rates of up to 325 bps were observed. The channel is very difficult to detect due to expected variations in the timestamp field and the flexible nature of RTP.
Many covert channels take advantage of weaknesses, flaws, or unused data fields in network protocols. In this paper, a behavior-based covert channel, which takes advantage of the behavior of an application, is presented along with a formal definition in the framework of finite state machines. The behavior-based covert channel is application specific and lies at the application layer of the OSI network model, which makes the detection of this type of covert channel much more difficult. A detailed sample implementation demonstrates an example of this type of covert channel in the form of a simple online two-person game. The potential of this type of covert channel is also discussed.
This paper presents a new covert channel based on Google Analytics web cookies in the HTTP protocol. The new covert channel is difficult to disrupt and is capable of reasonably high bandwidths. The Google Analytics framework is used by over half of the most popular web sites currently on the Internet; its ubiquity across the web implies a great impact of this covert channel.
In this thesis, we designed and implemented a new covert channel over the RTP protocol. The covert channel modifies the timestamp value in the RTP header to send its secret messages. The high frequency of RTP packets allows for a high bitrate covert channel, theoretically up to 350 bps. The broad use of RTP for multimedia applications, including VoIP, provides plentiful opportunities to use this channel. By using the RTP header, many of the challenges present for covert channels using the RTP payload are avoided.
Using the reference implementation of this covert channel, bitrates of up to 325 bps were observed. Speed decreases on less reliable networks, though message delivery was flawless with up to 1% RTP packet loss. The channel is very difficult to detect due to expected variations in the timestamp field and the flexible nature of RTP.
Abstract – Covert communication is a rapidly expanding field of research with significant impact on the security theater. These communication methods, or “covert channels”, can be applied in a number of ways, including as a mechanism for an attacker to leak data from a monitored system or network. This paper sets out to contribute to this field by introducing a new covert channel which operates over transport layer protocols. The mechanism is flexible, covert, and has the potential to operate at relatively high bandwidth. In addition, this paper proposes a number of encoding schemes which can be used in conjunction with this channel to improve its bandwidth and covertness.
Abstract—Covert channels are used as a means of secretly transferring information when there is a need to hide the fact that communication is taking place. With the vast amount of traffic on the Internet, network protocols have become a common vehicle for covert channels, typically hiding information in the header fields of packets. Domain name service (DNS) packets contain a 32-bit time to live (TTL) field for each response record. This is the number of seconds the entry is valid for before caching servers remove the entry. There is no prescribed value for this field, making it an ideal covert carrier.
Covert channels have the unique quality of masking evidence that a communication has ever occurred between two parties. For spies and terrorist cells, this quality can be the difference between life and death. However, even the detection of communications in a botnet could be troublesome for its creators. To evade detection and prevent insights into the size and members of a botnet, covert channels can be used. A botnet should rely on covert channels built on ubiquitous protocols to blend in with legitimate traffic. In this paper, we propose a covert channel built on the BitTorrent peer-to-peer protocol. In a simple application, this covert channel can be used to discretely and covertly send messages between two parties. However, this covert channel can also be used to stealthily distribute commands or the location of a command and control server for use in a botnet.
Port knocking has traditionally been a technique used from external connections to convey information to, or request services from, an internal private network. UPnP as a standard allows devices and services to open ports on network devices in order to enable functionality. By combining these two techniques it is possible to port knock internally, opening ports for an intended viewer on an external network device. This paper proposes a covert channel using this technique to exfiltrate data or broadcast messages from a system behind a UPnP device to any Internet-connected system.
Covert channels can be used to enable hidden communication mechanisms that facilitate secret message transfer. This paper presents a new covert channel based on the HTML source of a webpage. The new covert channel, while featuring high bandwidth, also demonstrates high imperceptibility, as it does not involve any modification to the source or the visible appearance of the webpage and is independent of the timing of page requests. The availability of the page source for any webpage on the Internet makes this covert channel easy to implement and effective.
This paper presents a new behavior based covert channel utilizing the database update mechanism of anti-virus software. It is highly covert due to unattended, frequent, automatic signature database update operations performed by the software. The design of the covert channel is described; its properties are discussed and demonstrated by a reference implementation. This paper uses these points to strengthen the inclusion of behavior-based covert channels within standard covert channel taxonomy.