
Hidden and under control

A survey and outlook on covert channel-internal control protocols

Published in: annals of telecommunications - annales des télécommunications

Abstract

Network covert channels are policy-breaking and stealthy communication channels in computer networks. They can be used to bypass Internet censorship, to exfiltrate data without raising attention, to provide safe and stealthy communication for members of political oppositions and for spies, to hide the communication of military units on the battlefield from the enemy, and to provide stealthy communication for today’s malware, especially botnets. To enhance network covert channels, researchers have started to add protocol headers, so-called micro-protocols, to the hidden payload. Such headers enable fundamental features such as reliability, dynamic routing, proxy capabilities, simultaneous connections, and session management for network covert channels, features which could make future botnet communication more adaptive and more stealthy than today’s. In this survey, we provide the first overview and categorization of existing micro-protocols. We compare micro-protocol features and identify currently uncovered research directions for these protocols. Afterwards, we discuss the significance of micro-protocol engineering and the existing means for it. Based on our findings, we propose further research directions for micro-protocols: introducing multi-layer protocol stacks, peer auto-configuration, and peer group communication based on micro-protocols, as well as developing protocol translation in order to achieve inter-connectivity between currently separated overlay networks.


Notes

  1. The size difference between the acknowledgment and sequence numbers is known but has not been modified so far.

  2. With ICMP rate limiting, as provided e.g. by modern Cisco devices and Linux, the number of ICMP messages of the same type per time slot can be limited [11].

  3. In [44], we speak of a storage channel, but as the channel utilizes the order of network objects, it can also be categorized as a timing channel.

  4. While the HyH protocol generally supports VoIP streaming, it does not hide the streaming content itself.
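Note 2 names per-type ICMP rate limiting as a countermeasure. The following Python is an added illustration (it is not code from the paper and not a vendor implementation; the limiter class, the constants and the message trace are assumptions constructed for this example) that models a fixed-slot, per-type limit on a constructed trace and computes the upper bound such a limit places on the payload bytes an ICMP-based channel of one type can carry per second:

```python
"""Per-type ICMP rate limiting modelled as a covert-channel countermeasure.

Added example, not code from the paper. It models the policy that note 2
describes (at most N ICMP messages of the same type per time slot) on a
constructed message trace; it reads no live traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

# ICMP type numbers as defined in RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpMessage:
    timestamp: float   # seconds since trace start
    icmp_type: int
    payload_len: int   # payload bytes (the usual hiding place of ICMP tunnels)


class IcmpRateLimiter:
    """Hypothetical fixed-slot limiter: at most `limit_per_slot` messages of
    one ICMP type pass in any slot of `slot_seconds` length."""

    def __init__(self, limit_per_slot: int, slot_seconds: float) -> None:
        if limit_per_slot < 1 or slot_seconds <= 0:
            raise ValueError("limit_per_slot >= 1 and slot_seconds > 0 required")
        self.limit = limit_per_slot
        self.slot = slot_seconds
        # (icmp_type, slot index) -> messages already forwarded in that slot
        self._seen = defaultdict(int)

    def allow(self, msg: IcmpMessage) -> bool:
        key = (msg.icmp_type, int(msg.timestamp // self.slot))
        if self._seen[key] >= self.limit:
            return False
        self._seen[key] += 1
        return True


def apply_limit(messages, limit_per_slot, slot_seconds):
    """Run a trace through the limiter in time order; return (forwarded, dropped)."""
    limiter = IcmpRateLimiter(limit_per_slot, slot_seconds)
    forwarded, dropped = [], []
    for msg in sorted(messages, key=lambda m: m.timestamp):
        (forwarded if limiter.allow(msg) else dropped).append(msg)
    return forwarded, dropped


def covert_capacity_bound(limit_per_slot, slot_seconds, payload_len):
    """Upper bound in bytes/second on payload data one ICMP type can carry
    through the limiter (storage in the payload only; timing encodings differ)."""
    return limit_per_slot * payload_len / slot_seconds


# Constructed trace: a burst of ten echo requests inside one second, as an
# ICMP tunnel would produce, interleaved with ordinary ICMP traffic.
SAMPLE_TRACE = [IcmpMessage(0.1 * i, ICMP_ECHO_REQUEST, 64) for i in range(10)]
SAMPLE_TRACE += [IcmpMessage(0.25, ICMP_ECHO_REPLY, 64),
                 IcmpMessage(0.55, ICMP_DEST_UNREACH, 28),
                 IcmpMessage(1.2, ICMP_ECHO_REQUEST, 64)]


def demo(limit_per_slot=3, slot_seconds=1.0):
    """Summarise the effect of the limit on the constructed trace."""
    forwarded, dropped = apply_limit(SAMPLE_TRACE, limit_per_slot, slot_seconds)
    dropped_per_type = defaultdict(int)
    for m in dropped:
        dropped_per_type[m.icmp_type] += 1
    return {
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "dropped_echo_requests": dropped_per_type[ICMP_ECHO_REQUEST],
        "echo_payload_bytes_per_s": covert_capacity_bound(limit_per_slot, slot_seconds, 64),
    }


if __name__ == "__main__":
    print(demo())
```

With a limit of three echo requests per one-second slot, seven of the ten burst messages are dropped while the echo reply and the destination-unreachable message pass untouched, and the channel is capped at 192 payload bytes per second for that type. A production limiter keyed on source address as well would be stricter; the per-type key here is the policy note 2 describes.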

References

  1. Ahsan K, Kundur D (2002) Practical data hiding in TCP/IP. In: Proceedings of workshop on multimedia security at ACM multimedia ’02. French Riviera

  2. Antunes J, Neves N, Verissimo P (2011) Reverse engineering of protocols from network traces. In: Proceedings of 18th working conference on reverse engineering (WCRE), pp 169–178

  3. ASHRAE SSPC 135 (2013) Building automation and control networks (BACnet) (website). http://www.bacnet.org/

  4. Backs P, Wendzel S, Keller J (2012) Dynamic routing in covert channel overlays based on control protocols. In: Proceedings of International workshop on information security, theory and practice (ISTP-2012). IEEE, pp 32–39

  5. Berk V, Giani A, Cybenko G (2005) Detection of covert channel encoding in network packet delays. Tech. rep., Department of Computer Science—Dartmouth College

  6. Caballero J, Song D (2013) Automatic protocol reverse-engineering: message format extraction and field semantics inference. Comput Netw 57(2): 451–474

  7. Das A (2012) Steganography: secret data hiding in multimedia, signal conditioning, signals and communication technology, vol 180. Springer, pp 275–295

  8. Deering S, Hinden R (1998) Internet protocol, version 6 (IPv6) specification (RFC 2460). http://www.ietf.org/rfc/rfc2460.txt

  9. deGraaf R, Aycock J, Jacobson MJ (2005) Improved port knocking with strong authentication. In: Proceedings of 21st annual computer security applications conference, ACSAC ’05. IEEE Computer Society, pp 451–462

  10. Dietrich CJ, Rossow C, Pohlmann N (2013) CoCoSpot: clustering and recognizing botnet command and control channels using traffic analysis. Comput Netw 57(2): 475–486

  11. Fall KR, Stevens WR (2011) TCP/IP illustrated: the protocols, vol 1, 2nd edn. Addison-Wesley Professional Computing Series. Addison-Wesley

  12. Fisk G, Fisk M, Papadopoulos C, Neil J (2003) Eliminating steganography in Internet traffic with active wardens. In: Revised papers from the 5th international workshop on information hiding, IH ’02. Springer, London, pp 18–35

  13. Giani A, Berk VH, Cybenko GV (2006) Data exfiltration and covert channels. In: Proceedings of SPIE 6201, sensors, and command, control, communications, and intelligence (C3I) technologies for homeland security and homeland defense V, vol 6201. SPIE, pp 620103–620103-11

  14. Girling CG (1987) Covert channels in LAN’s. IEEE Trans Softw Eng 13: 292–296

  15. Gu G, Perdisci R, et al (2008) BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: van Oorschot PC (ed) USENIX security symposium. USENIX Association, pp 139–154

  16. Handel TG, Sandford MT II (1996) Hiding data in the OSI network model. In: Proceedings of 1st international workshop on information hiding. Springer, London, pp 23–38

  17. Handley M, Paxson V, Kreibich C (2001) Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics. In: 10th USENIX Security symposium, vol 10, pp 115–131

  18. Harangozó J (1977) An approach to describing a data link level protocol with a formal language. In: Proceedings of 5th Data communication symposium, pp 4-37–4-49

  19. Harangozó J (1978) Protocol definition with formal grammars. In: Proceedings of Computer network protocols symposium, pp F6-1–F6-10

  20. Houmansadr A, Borisov N (2011) CoCo: coding-based covert timing channels for network flows. In: Proceedings of 13th international conference on information hiding, IH’11. Springer, pp 314–328

  21. Houmansadr A, Brubaker C, Shmatikov V (2013) The parrot is dead: observing unobservable network communications. In: Proceedings of 34th IEEE symposium on security and privacy. Oakland (in press)

  22. Jacobson V (1990) Compressing TCP/IP headers for low-speed serial links (RFC 1144). http://www.rfc-editor.org/rfc/rfc1144.txt

  23. Jankowski B, Mazurczyk W, Szczypiorski K (2013) PadSteg: introducing inter-protocol steganography. Telecommun Syst Model Anal Des Manag 52(2): 1101–1111

  24. Lampson BW (1973) A note on the confinement problem. Commun ACM 16(10): 613–615

  25. Leder F, Martini P (2009) NGBPA: next generation botnet protocol analysis. In: Emerging challenges for security, privacy and trust. Springer, pp 307–317

  26. Lewandowski G, Lucena NCS (2007) Analyzing network-aware active wardens in IPv6. In: Camenisch J, Collberg C, Johnson N, Sallee P (eds) Information hiding, LNCS, vol 4437. Springer, Berlin, pp 58–77

  27. Lucena N, Lewandowski G, Chapin S (2006) Covert channels in IPv6. In: Danezis G, Martin D (eds) Privacy enhancing technologies, LNCS, vol 3856. Springer, Berlin, Heidelberg, pp 147–166

  28. Lucena NB, Pease J, Yadollahpour P, Chapin SJ (2005) Syntax and semantics-preserving application-layer protocol steganography. In: Fridrich J (ed) Information hiding, LNCS, vol 3200. Springer, Berlin, pp 164–179

  29. Luo X, Chan E, Chang R (2007) Cloak: a ten-fold way for reliable covert communications. In: Computer security - ESORICS 2007, LNCS, vol 4734. Springer, pp 283–298

  30. Luo X, Chan E, Chang R (2008) TCP covert timing channels: design and detection. In: Proceedings of international conference on dependable systems and networks (DSN 2008), pp 420–429

  31. Mazurczyk W, Kotulski Z (2006) New security and control protocol for VoIP based on steganography and digital watermarking. Annales UMCS, Informatica, AI 5: 417–426

  32. Millen J (1999) 20 years of covert channel modeling and analysis. In: Proceedings of 1999 IEEE symposium on security and privacy, pp 113–114

  33. Murdoch SJ (2007) Covert channel vulnerabilities in anonymity systems. Ph.D. thesis, University of Cambridge (Computer Laboratory)

  34. Nounou N, Yemini Y (1985) Development tools for communication protocols. Tech. rep., Computer Science Department, Columbia University, New York

  35. Nussbaum L, Richard O (2009) On robust covert channels inside DNS. In: 24th IFIP international security conference, IFIP advances in information and communication technology, vol 297, pp 51–62

  36. Ray B, Mishra S (2008) A protocol for building secure and reliable covert channel. In: Proceedings of 6th annual conference on privacy, security and trust (PST 2008). IEEE, pp 246–253

  37. Rowland CH (1997) Covert channels in the TCP/IP protocol suite. First Monday 2(5). http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/528/449

  38. Rutkowska J (2004) The implementation of passive covert channels in the Linux kernel. http://www.infosecwriters.com/text_resources/pdf/passive_covert_channels_linux.pdf

  39. Shankar U (2002) Active mapping: resisting NIDS evasion without altering traffic. Tech. Rep. UCB//CSD-2-03-1246, Computer Science Division (EECS) (University of California Berkeley)

  40. Singh A, Nordström O, et al (2006) Stateless model for the prevention of malicious communication channels. Int J Comput Appl 28: 285–297

  41. Stødle D (2009) Ping tunnel—for those times when everything else is blocked. http://www.cs.uit.no/~daniels/PingTunnel/

  42. Swinnen A, Strackx R, Philippaerts P, Piessens F (2012) ProtoLeaks: a reliable and protocol-independent network covert channel. In: Information systems security, LNCS, vol 7671. Springer, pp 119–133

  43. Trabelsi Z, Jawhar I (2010) Covert file transfer protocol based on the IP record route option. J Inf Assur Secur (JIAS) 5(1)

  44. Wendzel S (2008) Protocol channels as a new design alternative of covert channels. CoRR abs/0809.1949

  45. Wendzel S (2012) The problem of traffic normalization within a covert channel’s network environment learning phase. In: Proceedings, GI Sicherheit 2012, LNI, vol 195, pp 149–161

  46. Wendzel S (2013) Novel approaches for network covert storage channels. Ph.D. thesis, University of Hagen

  47. Wendzel S, Keller J (2011) Low-attention forwarding for mobile network covert channels. In: Proceedings 12th conference on communications and multimedia security, LNCS, vol 7025. Springer, pp 122–133

  48. Wendzel S, Keller J (2012) Systematic engineering of control protocols for covert channels. In: Proceedings 13th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security (CMS 2012), LNCS, vol 7394. Springer, pp 131–144

  49. Winter P, Pulls T, Fuss J (2013) ScrambleSuit: a polymorphic network protocol to circumvent censorship. In: Proceedings of workshop on privacy in the electronic society. ACM

  50. Wolf M (1989) Covert channels in LAN protocols. In: Berson T, Beth T (eds) Local area network security, LNCS, vol 396. Springer, Berlin, pp 89–101

  51. Wondracek G, Comparetti PM, Kruegel C, Kirda E (2008) Automatic network protocol analysis. In: Proceedings of the 15th annual network and distributed system security symposium (NDSS’08)

  52. Yarochkin FV, Dai SY, et al (2008) Towards adaptive covert communication system. In: Proceedings of 14th IEEE pacific rim international symposium on dependable computing (PRDC 2008). IEEE Computer Society, pp 153–159

  53. Zander S (2010) Performance of selected noisy covert channels and their countermeasures in IP networks. Ph.D. thesis, Centre for Advanced Internet Architectures, Swinburne University of Technology

  54. Zander S, Armitage G, Branch P (2007) Covert channels and countermeasures in computer network protocols. IEEE Comm Mag 45(12): 136–142

Corresponding author

Correspondence to Steffen Wendzel.

Cite this article

Wendzel, S., Keller, J. Hidden and under control. Ann. Telecommun. 69, 417–430 (2014). https://doi.org/10.1007/s12243-014-0423-x

  • DOI: https://doi.org/10.1007/s12243-014-0423-x
