
Publication


Featured research published by Steffen Wendzel.


ACM Computing Surveys | 2015

Pattern-Based Survey and Categorization of Network Covert Channel Techniques

Steffen Wendzel; Sebastian Zander; Bernhard Fechner; Christian Herdin

Network covert channels are used to hide communication inside network protocols. Various techniques for covert channels have arisen in the past few decades. We surveyed and analyzed 109 techniques developed between 1987 and 2013 and show that these techniques can be reduced to only 11 different patterns. Moreover, the majority (69.7%) of techniques can be categorized into only four different patterns (i.e., most techniques we surveyed are similar). We represent the patterns in a hierarchical catalog using a pattern language. Our pattern catalog will serve as a base for future covert channel novelty evaluation. Furthermore, we apply the concept of pattern variations to network covert channels. With pattern variations, the context of a pattern can change. For example, a channel developed for IPv4 can automatically be adapted to other network protocols. We also propose the pattern-based covert channel optimizations pattern hopping and pattern combination. Finally, we lay the foundation for pattern-based countermeasures: whereas many current countermeasures were developed for specific channels, a pattern-oriented approach allows application of one countermeasure to multiple channels. Hence, future countermeasure development can focus on patterns, and the development of real-world protection against covert channels is greatly simplified.


availability, reliability and security | 2013

Hiding Privacy Leaks in Android Applications Using Low-Attention Raising Covert Channels

Jean-François Lalande; Steffen Wendzel

Covert channels enable a policy-breaking communication not foreseen by a system's design. Recently, covert channels in Android were presented and it was shown that these channels can be used by malware to leak confidential information (e.g., contacts) between applications and to the Internet. Performance aspects as well as means to counter these covert channels were evaluated. In this paper, we present novel covert channel techniques linked to a minimized footprint to achieve a high covertness. Therefore, we developed a malware that slowly leaks collected private information and sends it synchronously based on four covert channel techniques. We show that some of our covert channels do not require any extra permission and escape well-known detection techniques like TaintDroid. Experimental results confirm that the obtained throughput is correlated to the user interaction and show that these new covert channels have a low energy consumption - both aspects contribute to the stealthiness of the channels. Finally, we discuss concepts for novel means capable of countering our covert channels and we also discuss the adaption of network covert channel features to Android-based covert channels.


information hiding | 2016

Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures

Wojciech Mazurczyk; Steffen Wendzel; Sebastian Zander; Amir Houmansadr; Krzysztof Szczypiorski

Describes Information Hiding in communication networks, and highlights their important issues, challenges, trends, and applications. Highlights development trends and potential future directions of Information Hiding. Introduces a new classification and taxonomy for modern data hiding techniques. Presents different types of network steganography mechanisms. Introduces several example applications of information hiding in communication networks including some recent covert communication techniques in popular Internet services.


Annales Des Télécommunications | 2014

Hidden and Under Control: A Survey and Outlook on Covert Channel-internal Control Protocols

Steffen Wendzel; Jörg Keller

Network covert channels are policy-breaking and stealthy communication channels in computer networks. These channels can be used to bypass Internet censorship, to exfiltrate data without raising attention, to allow a safe and stealthy communication for members of political oppositions and for spies, to hide the communication of military units at the battlefield from the enemy, and to provide stealthy communication for today’s malware, especially for botnets. To enhance network covert channels, researchers started to add protocol headers, so-called micro-protocols, to hidden payload in covert channels. Such protocol headers enable fundamental features such as reliability, dynamic routing, proxy capabilities, simultaneous connections, or session management for network covert channels—features which enrich future botnet communications to become more adaptive and more stealthy than nowadays. In this survey, we provide the first overview and categorization of existing micro-protocols. We compare micro-protocol features and present currently uncovered research directions for these protocols. Afterwards, we discuss the significance and the existing means for micro-protocol engineering. Based on our findings, we propose further research directions for micro-protocols. These features include to introduce multi-layer protocol stacks, peer auto-configuration, and peer group communication based on micro-protocols, as well as to develop protocol translation in order to achieve inter-connectivity for currently separated overlay networks.


international conference on communications | 2011

Low-attention forwarding for mobile network covert channels

Steffen Wendzel; Jörg Keller

In a real-world network, different hosts involved in covert channel communication run different covert channel software as well as different versions of such software, i.e. these systems use different network protocols for a covert channel. A program that implements a network covert channel for mobile usage thus must be capable of utilizing multiple network protocols to deal with a number of different covert networks and hosts. We present calculation methods for utilizable header areas in network protocols, calculations for channel optimization, an algorithm to minimize a covert channel's overhead traffic, as well as implementation-related solutions for such a mobile environment. By minimizing the channel's overhead depending on the set of supported protocols between mobile hosts, we also minimize the attention raised through the channel's traffic. We also show how existing covert network channel infrastructure can be modified without replacing all existing infrastructure elements by proposing the handling of backward-compatible software versions.


international conference on communications | 2012

Systematic engineering of control protocols for covert channels

Steffen Wendzel; Jörg Keller

Within the last years, new techniques for network covert channels arose, such as covert channel overlay networking, protocol switching covert channels, and adaptive covert channels. These techniques have in common that they rely on covert channel-internal control protocols (so-called micro protocols) placed within the hidden bits of a covert channel's payload. An adaptable approach for the engineering of such micro protocols is not available. This paper introduces a protocol engineering technique for micro protocols. We present a two-layer system comprising six steps to create a micro protocol design. The approach tries to combine different goals: (1) simplicity, (2) ensuring a standard-conform behaviour of the underlying protocol if the micro protocol is used within a binary protocol header, as well as we provide an optimization technique to (3) raise as little attention as possible. We apply a context-free and regular grammar to analyze the micro protocol's behavior within the context of the underlying network protocol.


local computer networks | 2012

Detecting protocol switching covert channels

Steffen Wendzel; Sebastian Zander

Network covert channels enable hidden communication and can be used to break security policies. Within the last years, new techniques for such covert channels arose, including protocol switching covert channels (PSCCs). PSCCs transfer hidden information by sending network packets with different selected network protocols. In this paper we present the first detection methods for PSCCs. We show that the number of packets between network protocol switches and the time between switches can be monitored to detect PSCCs with 98-99% accuracy for bit rates of 4 bits/second or higher.


Communications of The ACM | 2016

How to increase the security of smart buildings

Steffen Wendzel

Surveying unresolved security problems for automated buildings.


information security conference | 2015

Securing BACnet’s Pitfalls

Jaspreet Kaur; Jernej Tonejc; Steffen Wendzel; Michael Meier

Building Automation Systems (BAS) are crucial for monitoring and controlling buildings, ranging from small homes to critical infrastructure, such as airports or military facilities. A major concern in this context is the security of BAS communication protocols and devices. The building automation and control networking protocol (BACnet) is integrated into products of more than 800 vendors worldwide. However, BACnet devices are vulnerable to attacks. We present a novel solution for the two most important BACnet layers, i.e. those independent of the data link layer technology, namely the network and the application layer. We provide the first implementation and evaluation of traffic normalization for BAS traffic. Our proof of concept code is based on the open source software Snort.


international conference on communications | 2012

Covert and side channels in buildings and the prototype of a building-aware active warden

Steffen Wendzel

Covert channels and side channels are barely discussed topics in the area of building automation. We define a building in the context of multilevel security (MLS) and show that covert channels and side channels exist in building automation. Additionally, we present a system called the building-aware active warden to eliminate covert/side storage channels in building automation systems (BAS). Active wardens aim to remove malicious (covert) elements in communications and are a well-known means from the area of network covert channels and steganography. Within the last years, new models, such as the network-aware active warden, were developed. The presented building-aware active warden is an adoption of the concept of a network-aware active warden to building automation. Building-aware active wardens modify or drop building automation commands as well as building information requests from users based on their security levels to enhance a building's security. We extended an interoperable system for building automation supporting hardware from two vendors for the purpose of a building-aware active warden and for providing a unified application programming interface.

Collaboration

Top Co-Authors

Wojciech Mazurczyk, Warsaw University of Technology

Sebastian Zander, Swinburne University of Technology

Krzysztof Szczypiorski, Warsaw University of Technology

Amir Houmansadr, University of Massachusetts Amherst

Luca Caviglione, National Research Council

Jernej Tonejc, University of Wisconsin-Madison

Georg Haas, Warsaw University of Technology