
Towards Covert Channels in Cloud Environments: A Study of Implementations in Virtual Networks

  • Conference paper
  • In: Digital Forensics and Watermarking (IWDW 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10431)

Abstract

Cloud environments are increasingly used by cyber criminals to carry out their malicious activities, and covert channels let them hide their data transmissions and message exchanges. Whereas covert channel techniques in conventional networks are well known, covert channels in the networks of cloud environments are a new topic in information hiding. Virtualized environments offer new ways to conceal the transmission of information: they rely on virtual networks in the cloud that separate and isolate the logical networks of different customers. In this paper we present an examination of information hiding in virtual networks. We analyzed VXLAN, STT, GENEVE and NVGRE, the most notable so-called overlay protocols, and examined different ways to create covert storage channels. Furthermore, we describe a covert timing channel based on the migration of virtual machines. Finally, we propose possible countermeasures against the described covert channels.
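The abstract names overlay-protocol storage channels and countermeasures without showing either. The following Python is an added example for this page, not code from the paper: it parses the fixed encapsulation header of a VXLAN frame (layout per RFC 7348, whose reserved fields must be zero on transmit and are ignored on receipt) and of a GENEVE frame (layout per RFC 8926, the same base header as the draft the paper cites) and reports every specification-reserved field that carries non-zero bits, which is where a storage channel of this kind would live. It also shows a normalizer that rewrites a VXLAN header keeping only the legitimate fields. The sample frames are constructed, and the function and field names are this example's own.

```python
"""Reserved-field check and normalizer for VXLAN and GENEVE encapsulation.

Added example, not from the paper. A tunnel endpoint or a monitor in front of
it can log non-zero reserved fields (detection) or clear them (normalization);
both are countermeasures against header-based covert storage channels.
"""
import struct
from dataclasses import dataclass

VXLAN_FLAG_I = 0x08                       # RFC 7348: the "VNI valid" bit must be set
VXLAN_FLAGS_RESERVED = 0xFF & ~VXLAN_FLAG_I  # every other flag bit is reserved


@dataclass(frozen=True)
class Finding:
    protocol: str
    field_name: str
    value: int


def check_vxlan(hdr: bytes) -> list:
    """Return every VXLAN header field that should be zero but is not."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags = hdr[0]
    reserved24 = int.from_bytes(hdr[1:4], "big")   # bytes 1-3
    reserved8 = hdr[7]                             # byte after the 24-bit VNI
    findings = []
    if flags & VXLAN_FLAGS_RESERVED:
        findings.append(Finding("vxlan", "flags_reserved", flags & VXLAN_FLAGS_RESERVED))
    if not flags & VXLAN_FLAG_I:
        findings.append(Finding("vxlan", "i_flag_clear", flags))
    if reserved24:
        findings.append(Finding("vxlan", "reserved24", reserved24))
    if reserved8:
        findings.append(Finding("vxlan", "reserved8", reserved8))
    return findings


def normalize_vxlan(hdr: bytes) -> bytes:
    """Rebuild the header from the I flag and the VNI only, dropping any other bits."""
    vni = int.from_bytes(hdr[4:7], "big")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def check_geneve(hdr: bytes) -> list:
    """Return every GENEVE base-header and option field that should be zero but is not."""
    if len(hdr) < 8:
        raise ValueError("GENEVE base header is 8 bytes")
    ver = hdr[0] >> 6
    opt_len = (hdr[0] & 0x3F) * 4      # length of the options that follow, in bytes
    rsvd6 = hdr[1] & 0x3F              # the six bits after the O and C flags
    reserved8 = hdr[7]
    findings = []
    if ver:
        findings.append(Finding("geneve", "version", ver))
    if rsvd6:
        findings.append(Finding("geneve", "rsvd6", rsvd6))
    if reserved8:
        findings.append(Finding("geneve", "reserved8", reserved8))
    options = hdr[8:8 + opt_len]
    if len(options) < opt_len:
        findings.append(Finding("geneve", "opt_len_exceeds_frame", opt_len))
        return findings
    pos, idx = 0, 0
    while pos + 4 <= len(options):
        # option header: class (16), type (8), three reserved bits, length (5, in 4-byte words)
        _cls, _typ, rlen = struct.unpack("!HBB", options[pos:pos + 4])
        r_bits = rlen >> 5
        if r_bits:
            findings.append(Finding("geneve", f"option{idx}_reserved", r_bits))
        pos += 4 + (rlen & 0x1F) * 4
        idx += 1
    if pos != len(options):
        findings.append(Finding("geneve", "option_length_mismatch", pos))
    return findings


# Constructed sample headers (not captured traffic); VNI 100 in every case.
VXLAN_CLEAN = bytes([0x08, 0, 0, 0, 0x00, 0x00, 0x64, 0x00])
VXLAN_COVERT = bytes([0x0A, 0x41, 0x42, 0x43, 0x00, 0x00, 0x64, 0x44])  # payload bits in reserved fields
GENEVE_CLEAN = bytes([0x01, 0x00, 0x65, 0x58, 0x00, 0x00, 0x64, 0x00,   # one 4-byte option
                      0x01, 0x02, 0x80, 0x00])
GENEVE_COVERT = bytes([0x01, 0x3F, 0x65, 0x58, 0x00, 0x00, 0x64, 0x55,
                       0x01, 0x02, 0x80, 0xE0])                          # reserved bits set everywhere

if __name__ == "__main__":
    for name, hdr, fn in [("vxlan clean", VXLAN_CLEAN, check_vxlan),
                          ("vxlan covert", VXLAN_COVERT, check_vxlan),
                          ("geneve clean", GENEVE_CLEAN, check_geneve),
                          ("geneve covert", GENEVE_COVERT, check_geneve)]:
        print(name, fn(hdr))
    print("normalized:", normalize_vxlan(VXLAN_COVERT).hex())
```

The check is deliberately field-by-field: a normalizer that only zeroes the VXLAN reserved bytes misses the reserved flag bits, and a GENEVE check that stops at the base header misses the three reserved bits in every option header. Logging the findings rather than silently clearing them is what makes the channel visible to a forensic investigator.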


Notes

  1. The time to migrate a VM depends heavily on the amount of data the VM uses.

  2. Floating IP addresses are used in cloud environments to assign a public IP address to a VM for a short period of time [21].

References

  1. Anderson, T., Peterson, L., Shenker, S., Turner, J.: Overcoming the Internet impasse through virtualization. Computer 38(4), 34–41 (2005)

  2. Brook, C.: Attackers hiding stolen credit card numbers in images, October 2016. https://threatpost.com/attackers-hiding-stolen-credit-card-numbers-in-images/121347/. Accessed 13 June 2017

  3. Cabuk, S., Brodley, C.E., Shields, C.: IP covert timing channels: design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 178–187. ACM (2004)

  4. Caviglione, L., Podolski, M., Mazurczyk, W., Ianigro, M.: Covert channels in personal cloud storage services: the case of Dropbox. IEEE Trans. Ind. Inf. 6(99), 1 (2016)

  5. Constantin, L.: Fileless PowerShell malware uses DNS as covert channel, March 2017. http://www.computerworld.com/article/3176669/security/fileless-powershell-malware-uses-dns-as-covert-channel.html. Accessed 13 June 2017

  6. Davie, B., Gross, J.: A Stateless Transport Tunneling Protocol for Network Virtualization (STT). Internet-Draft draft-davie-stt-08, Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-davie-stt-08. Work in Progress

  7. Fridrich, J.: Applications of data hiding in digital images. In: Proceedings of the Fifth International Symposium on Signal Processing and Its Applications, ISSPA 1999, vol. 1, pp. 1–9. IEEE (1999)

  8. Garfinkel, S.: Anti-forensics: techniques, detection and countermeasures. In: 2nd International Conference on i-Warfare and Security, vol. 20087, pp. 77–84 (2007)

  9. Gross, J., Sridhar, T., Garg, P., Wright, C., Ganga, I.: GENEVE: Generic Network Virtualization Encapsulation. Internet Engineering Task Force, Internet Draft (2014)

  10. Janicki, A., Mazurczyk, W., Szczypiorski, K.: Steganalysis of transcoding steganography. Annales des Télécommunications 69(7–8), 449–460 (2014)

  11. Johnson, N.F., Duric, Z., Jajodia, S.: Information Hiding: Steganography and Watermarking - Attacks and Countermeasures, vol. 1. Springer, New York (2001)

  12. Katzenbeisser, S., Petitcolas, F.: Information Hiding Techniques for Steganography and Digital Watermarking. Artech House, Boston (2000)

  13. Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)

  14. Lipinski, B., Mazurczyk, W., Szczypiorski, K.: Improving hard disk contention-based covert channel in cloud computing. In: Security and Privacy Workshops (SPW), 2014, pp. 100–107. IEEE (2014)

  15. Lucena, N.B., Lewandowski, G., Chapin, S.J.: Covert channels in IPv6. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 147–166. Springer, Heidelberg (2006). doi:10.1007/11767831_10

  16. Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., Wright, C.: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks. RFC 7348 (Informational). http://www.ietf.org/rfc/rfc7348.txt

  17. Mazurczyk, W., Szczypiorski, K.: Covert channels in SIP for VoIP signalling. In: Jahankhani, H., Revett, K., Palmer-Brown, D. (eds.) ICGeS 2008. CCIS, vol. 12, pp. 65–72. Springer, Heidelberg (2008). doi:10.1007/978-3-540-69403-8_9

  18. Mazurczyk, W., Wendzel, S., Zander, S., Houmansadr, A., Szczypiorski, K.: Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications. IEEE Series on Information and Communication Networks Security. Wiley, New York (2016)

  19. Murdoch, S.J., Lewis, S.: Embedding covert channels into TCP/IP. In: Barni, M., Herrera-Joancomartí, J., Katzenbeisser, S., Pérez-González, F. (eds.) IH 2005. LNCS, vol. 3727, pp. 247–261. Springer, Heidelberg (2005). doi:10.1007/11558859_19

  20. Okamura, K., Oyama, Y.: Load-based covert channels between Xen virtual machines. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 173–180. ACM (2010)

  21. OpenStack: Manage IP addresses, May 2017. https://docs.openstack.org/user-guide/cli-manage-ip-addresses.html. Accessed 13 June 2017

  22. Paxson, V., Allman, M., Chu, J., Sargent, M.: Computing TCP's retransmission timer. RFC 6298, RFC Editor. http://www.rfc-editor.org/rfc/rfc6298.txt

  23. Pfaff, B., Pettit, J., Koponen, T., Jackson, E.J., Zhou, A., Rajahalme, J., Gross, J., Wang, A., Stringer, J., Shelar, P., et al.: The design and implementation of Open vSwitch. In: 12th USENIX Symposium on Networked Systems Design and Implementation, pp. 117–130 (2015)

  24. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212. ACM (2009)

  25. Simmons, G.J.: The prisoners' problem and the subliminal channel. In: Advances in Cryptology - CRYPTO 1983, pp. 51–67. Plenum (1984)

  26. Spiekermann, D., Eggendorfer, T.: Challenges of network forensic investigation in virtual networks. J. Cyber Secur. Mobility 5(2), 15–46 (2016)

  27. Spiekermann, D., Eggendorfer, T.: Towards digital investigation in virtual networks: a study of challenges and open problems. In: International Workshop of Cyber Crime, 2016 International Conference. IEEE (2016)

  28. Spiekermann, D., Keller, J., Eggendorfer, T.: Network forensic investigation in OpenFlow networks with ForCon. Digital Invest. 20, 66–74 (2017)

  29. Walker, S.: The day we discovered our parents were Russian spies, May 2016. https://www.theguardian.com/world/2016/may/07/discovered-our-parents-were-russian-spies-tim-alex-foley. Accessed 13 June 2017

  30. Wang, Y.S., Garg, P.: NVGRE: Network Virtualization Using Generic Routing Encapsulation. RFC 7637. https://rfc-editor.org/rfc/rfc7637.txt

  31. Wendzel, S.: Protocol hopping covert channels. Hakin9 8, 20–21 (2008)

  32. Wendzel, S.: The problem of traffic normalization within a covert channel's network environment learning phase. In: Suri, N., Waidner, M. (eds.) Sicherheit. LNI, vol. 195, pp. 149–161. GI (2012)

  33. Wendzel, S.: Novel approaches for network covert storage channels. Ph.D. thesis, FernUniversität Hagen (2013)

  34. Wendzel, S., Keller, J.: Design and implementation of an active warden addressing protocol switching covert channels. In: Proceedings of 7th International Conference on Internet Monitoring and Protection (ICIMP 2012), pp. 1–6. IARIA (2012)

  35. Wu, J., Ding, L., Wang, Y., Han, W.: Identification and evaluation of sharing memory covert timing channel in Xen virtual machines. In: 2011 IEEE International Conference on Cloud Computing (CLOUD), pp. 283–291. IEEE (2011)

  36. Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 29–40. ACM (2011)

  37. Zimmermann, H.: OSI reference model – the ISO model of architecture for open systems interconnection. IEEE Trans. Commun. 28(4), 425–432 (1980)

Author information

Corresponding author: Daniel Spiekermann.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Spiekermann, D., Keller, J., Eggendorfer, T. (2017). Towards Covert Channels in Cloud Environments: A Study of Implementations in Virtual Networks. In: Kraetzer, C., Shi, YQ., Dittmann, J., Kim, H. (eds) Digital Forensics and Watermarking. IWDW 2017. Lecture Notes in Computer Science, vol 10431. Springer, Cham. https://doi.org/10.1007/978-3-319-64185-0_19

  • DOI: https://doi.org/10.1007/978-3-319-64185-0_19
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-64184-3
  • Online ISBN: 978-3-319-64185-0
  • eBook Packages: Computer Science (R0)