Corinna Heinz
ABSTRACT
Network covert channels embedded within network conversations are becoming widely adopted to enforce privacy of users or bypass censorship attempts as well as by malware to remain unnoticed while exfiltrating data or coordinating an attack. As a consequence, being able to design a network covert channel or anticipate its exploitation is of paramount importance to fully assess the security of the Internet. Since prime requirements for a successful covert channel are its stealthiness and bandwidth, the popularity, availability and performances of the overt traffic flows used as the carrier play a major role. Therefore, in this paper we investigate the use of ubiquitous Transport Layer Security (TLS) to contain hidden information for implementing network covert channels. Specifically, we review seven methods targeting TLS traffic and investigate the performances of three covert channels through an experimental measurement campaign. Obtained results indicate the feasibility of using TLS traffic as the carrier and also allow to derive some general indications for the development of countermeasures.
- V. Berk, A. Giani, and G. Cybenko. 2005. Detection of covert channel encoding in network packet delays. Technical report TR536, TU Dartmouth 19 (2005).Google Scholar
- K. Cabaj, L. Caviglione, W. Mazurczyk, S. Wendzel, A. Woodward, and S. Zander. 2018. The new threats of information hiding: The road ahead. IT Professional 20, 3 (2018), 31--39.Google ScholarDigital Library
- Alessandro Carrega, Luca Caviglione, Matteo Repetto, and Marco Zuppelli. 2020. Programmable Data Gathering for Detecting Stegomalware. In 2020 6th IEEE Conference on Network Softwarization (NetSoft). IEEE, 422--429.Google Scholar
- L. Caviglione. 2009. Can satellites face trends? The case of Web 2.0. In 2009 International Workshop on Satellite and Space Communications. IEEE, 446--450.Google ScholarCross Ref
- L. Caviglione, M. Gaggero, E. Cambiaso, and M. Aiello. 2017. Measuring the energy consumption of cyber security. IEEE Comm. Magazine 55, 7 (2017), 58--63.Google ScholarDigital Library
- E. Crockett, C. Paquin, and D. Stebila. 2019. Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. IACR Cryptol. ePrint Arch. 2019 (2019), 858.Google Scholar
- T. Dierks and E. Rescorla. 2008. RFC 5246-the transport layer security (TLS) protocol version 1.2. The Internet Engineering Task Force (IETF) (2008).Google Scholar
- D. Eastlake et al. 2011. Transport layer security (TLS) extensions: Extension definitions. Technical Report. RFC 6066, January.Google Scholar
- W. Frączek, W. Mazurczyk, and K. Szczypiorski. 2012. Hiding information in a stream control transmission protocol. Computer Comm. 35, 2 (2012), 159--169.Google ScholarDigital Library
- R. Holz, J. Amann, O. Mehani, M. Wachs, and M. Kaafar. 2015. TLS in the wild: An Internet-wide analysis of TLS-based protocols for electronic communication. arXiv preprint arXiv:1511.00341 (2015).Google Scholar
- A. Iacovazzi and Y. Elovici. 2016. Network flow watermarking: A survey. IEEE Communications Surveys & Tutorials 19, 1 (2016), 512--530.Google ScholarDigital Library
- J. Kaur, S. Wendzel, O. Eissa, J. Tonejc, and M. Meier. 2016. Covert channel-internal control protocols: attacks and defense. Security and Communication Networks 9, 15 (2016), 2986--2997.Google ScholarDigital Library
- B. W. Lampson. 1973. A Note on the Confinement Problem. Commun. ACM 16, 10 (Oct. 1973), 613--615.Google ScholarDigital Library
- W. Mazurczyk. 2013. VoIP Steganography and Its Detection---A Survey. ACM Comput. Surv. 46, 2, Article 20 (Dec. 2013), 21 pages.Google Scholar
- W. Mazurczyk and L. Caviglione. 2014. Steganography in modern smartphones and mitigation techniques. IEEE Comm. Surveys & Tutorials 17, 1 (2014), 334--357.Google ScholarDigital Library
- W. Mazurczyk and L. Caviglione. 2015. Information Hiding as a Challenge for Malware Detection. IEEE Security & Privacy 2 (2015), 89--93.Google ScholarDigital Library
- J. Merrill and D. Johnson. 2015. Covert channels in SSL session negotiation headers. In Proc. of the Conference on Security and Management. 70--72.Google Scholar
- R. Rios, J. Onieva, and J. Lopez. 2013. Covert Communications through Network Configuration Messages. Computers & Security 39 (11 2013), 34--46.Google Scholar
- J. Saenger, W. Mazurczyk, J. Keller, and L. Caviglione. 2020. VoIP network covert channels to enhance privacy and information sharing. Future Generation Computer Systems 111 (2020), 96--106.Google ScholarCross Ref
- S. Schmidt, W. Mazurczyk, R. Kulesza, J. Keller, and L. Caviglione. 2018. Exploiting IP telephony with silence suppression for hidden data transfers. Computers & Security 79 (2018), 17--32.Google ScholarDigital Library
- A. Velinov, A. Mileva, S. Wendzel, and W. Mazurczyk. 2019. Covert Channels in the MQTT-Based Internet of Things. IEEE Access 7 (2019), 161899--161915.Google ScholarCross Ref
- C. Wang, Y. Yuan, and L. Huang. 2016. Base communication model of IP covert timing channels. Frontiers Comput. Sci. 10, 6 (2016), 1130--1141.Google ScholarDigital Library
Index Terms
Covert Channels in Transport Layer Security
Recommendations
IPv6 Covert Channels in the Wild
CECC 2019: Proceedings of the Third Central European Cybersecurity ConferenceThe increasing diffusion of malware endowed with steganographic techniques requires to carefully identify and evaluate a new set of threats. The creation of a covert channel to hide a communication within network traffic is one of the most relevant, as ...
IP Covert Channel Detection
A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival ...
Out-of-Band Covert Channels—A Survey
A novel class of covert channel, out-of-band covert channels, is presented by extending Simmons’ prisoners’ problem. This new class of covert channel is established by surveying the existing covert channel, device-pairing, and side-channel research. ...
Comments