Skip to main content

Investigative support for information confidentiality


With the ubiquity and pervasiveness of computers in daily activities and with the ever-growing complexity of communication networks and protocols, covert channels are becoming an eminent threat to the confidentiality of information. In light of this threat, we propose a technique to detect confidential information leakage via protocol-based covert channels. Although several works examine covert channel detection and analysis from the perspective of information theory by, for instance, analysing channel capacities, we propose a different technique that tackles the problem from a different perspective. The proposed technique takes an algebraic approach using relations. It provides tests to verify the existence of a leakage of information via a monitored covert channel. It also provides computations which show how the information was leaked if a leakage exists. We also discuss possible applications of the proposed technique in cryptanalysis and digital forensics based on a known-plaintext attack. We report on a prototype tool that allows for the automation of the proposed technique.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5


  1. The diagram in Fig. 1 actually commutes in four ways. The reader can find details on the commutativity of Fig. 1 and the simplification of the diagrams in Jaskolka et al. (2011).

  2. This sequence is generated using RSA encryption with \(p=3\), \(q=7\)\(N=21\)\(e=5\)\(d=41\).

  3. Post-mortem analysis refers to the fact that the analysis is being done in a digital forensics context whereby confidential information may have already been leaked and the damage may already be done.


  • Andrews GR, Reitman RP (1980) An axiomatic approach to information flow in programs. ACM Trans Program Lang Syst 2(1):56–76

    Article  MATH  Google Scholar 

  • Deavours CA, Kruh L (1990) The turing bombe: was it enough? Cryptologia 14(4):331–349

    Article  Google Scholar 

  • Emulex Corporation (2013) EndaceProbe INR specifications. Accessed 23 May 2014

  • Goguen JA, Meseguer J (1982) Security policies and security models. In: Proceedings of the 1982 symposium on security and privacy, New York, pp 11–20

  • Gray III JW (2000) Countermeasures and tradeoffs for a class of covert timing channels. Technical Report HKUST-CS94-18, Hong Kong University of Science and Technology

  • Grusho A, Kniazev A, Timonina E (2005) Detection of illegal information flow. In: Gorodetsky V, Kotenko I, Skormin V (eds) Proceedings of the 3rd international workshop on mathematical methods, models, and architectures for computer networked security, vol 3685. Lecture notes in computer science. Springer, Berlin, Heidelberg, pp 235–244

  • Handel TG, Sandford II MT (1996) Hiding data in the OSI network model. In: Proceedings of the first international workshop on information hiding, vol 1174, Lecture notes in computer science. Springer, London, pp 23–38

  • Heins R (2011) Indexing full packet capture data with flow. In: Proceedings of FloCon 2011

  • Hélouët L, Roumy A (2010) Covert channel detection using information theory. In: Chatzikokolakis K, Cortier V (eds) Proceedings of 8th international workshop on security issues in concurrency, SecCo 2010, August 2010, pp 34–51

  • Hélouët L, Zeitoun M, Degorre A (2005) Scenarios and covert channels: another game. Electron Notes Theor Comput Sci 119:93–116

    Article  Google Scholar 

  • Hélouët L, Zeitoun M, Jard C (2003) Covert channels detection in protocols using scenarios. In: Proceedings of security protocols verification, SPV’03, pp 21–25

  • Hoare CAR (1969) An axiomatic basis for computer programming. Commun ACM 12(10):576–580

    Article  MATH  Google Scholar 

  • Janssen G (2003) A consumer report on BDD packages. In: Proceedings of the 16th symposium on integrated circuits and systems design, SBCCI 2003, September 2003. IEEE Computer Society, Washington, pp 217–222

  • Jaskolka J, Khedri R (2011) Exploring covert channels. In: Proceedings of the 44th Hawaii international conference on system sciences, HICSS-44, Koloa, Kauai, HI, USA, January 2011, pp 1–10

  • Jaskolka J, Khedri R, Sabri KE (2011) Information leakage via protocol-based covert channels: detection, automation, and applications. Technical Report CAS-11-05-RK, McMaster University, Hamilton, ON, Canada, August 2011. Accessed 23 May 2014

  • Jaskolka J, Khedri R, Sabri KE (2014a) Investigative support for information confidentiality part I: Detecting confidential information leakage via protocol-based covert channels. In: Proceedings of the 9th international conference on future networks and communications, procedia computer science, FNC 2014 and MobiSPC 2014, Niagara Falls, ON, Canada, vol 34, pp 276–285

  • Jaskolka J, Khedri R, Sabri KE (2014b) Investigative support for information confidentiality part II: Applications in cryptanalysis and digital forensics. In: Proceedings of the 9th international conference on future networks and communications, procedia computer science, FNC 2014 and MobiSPC 2014, Niagara Falls, ON, Canada, August 2014, vol 34, pp 266–275

  • Ji L, Jiang W, Dai B, Niu X (2009) A novel covert channel based on length of messages. In: Proceedings of the 2009 international symposium on information engineering and electronic commerce, IEEC 2009, Piscataway, NJ, USA, pp 551–554

  • Kang MH, Moskowitz IS (1993) A pump for rapid, reliable, secure communication. In: Proceedings of the 1st ACM conference on computer and communications security, Fairfax, VA, USA, pp 119–129

  • Kemmerer RA (1983) Shared resource matrix methodology: an approach to identifying storage and timing channels. ACM Trans Comput Syst 1(3):256–277

    Article  Google Scholar 

  • Kiyomoto S, Fukushima K, Miyake Y (2014) Security issues on IT systems during disasters: a survey. J Ambient Intell Hum Comput 5(2):173–185

    Article  Google Scholar 

  • Lampson BW (1973) A note on the confinement problem. Commun ACM 16(10):613–615

    Article  Google Scholar 

  • Lanotte R, Maggiolo-Schettini A, Tini S, Troina A, Tronci E (2004) Automatic covert channel analysis of a multilevel secure component. In: Lopez J, Qing S, Okamoto E (eds) Proceedings of the 6th international conference on information and communications security, vol 3269. Lecture notes in computer science, Springer, Berlin, Heidelberg, pp 249–261

  • Lee I, Tsai W (2010) A new approach to covert communication via PDF files. Signal Proces 90(2):557–565

    Article  MATH  Google Scholar 

  • Liu TY, Tsai WH (2007) A new steganographic method for data hiding in Microsoft Word documents by a change tracking technique. IEEE Trans Inf Forens Secur 2(1):24–30

    MathSciNet  Article  Google Scholar 

  • Lowe G (2002) Quantifying information flow. In: Proceedings of the 15th IEEE computer security foundations workshop, CSFW-15. IEEE Computer Society, Los Alamitos, pp 18–31

  • Moskowitz IS, Greenwald SJ, Kang MH (1998) An analysis of the timed Z-channel. IEEE Trans Inf Theory 44(7):3162–3168

    Article  MATH  Google Scholar 

  • Nagatou N, Watanabe T (2006) Run-time detection of covert channels. In: Proceedings of the 1st international conference on availability, reliability and security, ARES 2006. IEEE Computer Society, Vienna, pp 577–584

  • Özsu M, Valduriez P (2011) Principles of distributed database systems, 3rd edn. Springer, New York

    Google Scholar 

  • Ponemon Institute (2014) 2014 cost of data breach study: global analysis. Ponemon Institute Research report, May 2014

  • Porras PA, Kemmerer RA (1991) Covert flow trees: A technique for identifying and analyzing covert storage channels. In: Proceedings of the 1991 IEEE Computer Society symposium on research in security and privacy. IEEE Computer Society, Los Alamitos, pp 36–51

  • Ravi N, Gruteser M, Iftode L (2006) Non-inference: an information flow control model for location-based services. In: Proceedings of the 3rd international conference on mobile and ubiquitous systems, Piscataway, NJ, USA, pp 206–215

  • Rowlingson R (2004) A ten step process for forensic readiness. Int J Digit Evid 2(3):Winter

  • Ryan P, McLean J, Millen J, Gligor V (2001) Non-interference: who needs it? In: Proceedings of the 14th IEEE workshop on computer security foundation. IEEE Computer Society, Washington, DC, pp 237–238

  • Sabri KE, Khedri R, Jaskolka J (2009) Verification of information flow in agent-based systems. In: Babin G, Kropf P, Weiss M (eds) Proceedings of the 4th international MCETECH conference on e-technologies, vol 26. Lecture notes in business information processing. Springer, Berlin, Heidelberg, pp 252–266

  • Schmidt G, Ströhlein T (1993) Relations and graphs: discrete mathematics for computer science. EATCS monographs on theoretical computer science. Springer

  • Scott C (2007) Network covert channels: Review of current state and analysis of viability of the use of X.509 certificates for covert communications. Technical report RHUL-MA-2008-11, Royal Holloway, University of London, January 2007

  • Sengar H, Wang H, Iranmanesh SA (2014) Wiretap-proof: What they hear is not what you speak, and what you speak they do not hear. In: Proceedings of the 4th ACM conference on data and application security and privacy, CODASPY ’14. ACM, pp 345–356

  • Shieh S, Chen ALP (1999) Estimating and measuring covert channel bandwidth in multilevel secure operating systems. J Inf Sci Eng 15(1):91–106

    Google Scholar 

  • Smeets M, Koot M (2006) Research report: covert channels. Master’s thesis, University of Amsterdam, Amsterdam, Netherlands, February 2006

  • Sohn T, Seo J, Moon J (2003) A study on the covert channel detection of TCP/IP header using support vector machine. In: Qing S, Gollmann D, Zhou J (eds) Information and communications security, vol 2836. Lecture notes in computer science. Springer, Berlin, Heidelberg, pp 313–324

  • Srinivasan S (2006) Security and privacy in the computer forensics context. In: Proceedings of the 2006 international conference on communication technology, November 2006. IEEE Computer Society, Piscataway, pp 1–3

  • Tumoian E, Anikeev M (2005) Network based detection of passive covert channels in TCP/IP. In: Proceedings of the 30th IEEE conference on local computer networks, Sydney, Australia, pp 802–807

  • Turing A (2004) The essential turing: seminal writings in computing, logic, philosophy, artificial intelligence, and artificial life, plus the secrets of enigma. Oxford University Press Inc., New York

    Google Scholar 

  • U.S.A. Department of Defense (1985) Trusted computer system evaluation criteria (TCSEC). Number DoD 5200.28-STD in Defense Department Rainbow Series (Orange Book). Department of Defense/National Computer Security Center, Fort George G. Meade, MD, USA, December 1985

  • U.S.A. National Computer Security Center (1993) A guide to understanding covert channel analysis of trusted systems. Number NCSC-TG-030 in NSA/NCSC Rainbow Series (Light Pink Book). National Security Agency/National Computer Security Center, Fort George G. Meade, MD, USA, November 1993

  • U.S.A. Department of Homeland Security (2009) A roadmap for cybersecurity research. Department of Homeland Security Science and Technology Directorate, Washington, DC, USA, November 2009

  • Volpano D, Smith G (1997) Eliminating covert flows with minimum typings. In: Proceedings of the 10th computer security foundations workshop, Los Alamitos, CA, USA, pp 156–168

  • Wallace M, Kollias S (2007) Two algorithms for fast incremental transitive closure of sparse fuzzy binary relations. Int J Comput Methods 4(1):1–13

    MathSciNet  Article  MATH  Google Scholar 

  • Wei Z, Zhao B, Liu B, Su J, Xu L, Xu E (2014) A novel steganography approach for voice over IP. J Ambient Intell Hum Comput 5(4):601–610

    Article  Google Scholar 

  • Weierud F (1998) The ENIGMA message. Spooks Newsletter. Fourth Edition of the N&O column. Accessed 28 November 2011

  • Williams C (2010) Russian spy ring bust uncovers tech toolkit. The Register, June 2010

  • Wireshark Foundation (2011) Wireshark. Accessed 28 November 2011

  • Zander S, Armitage G, Branch P (2007) Covert channels and countermeasures in computer network protocols. IEEE Commun Mag 45(12):136–142

    Article  Google Scholar 

  • Zou X, Li Q, Sun S, Niu X (2005) The research on information hiding based on command sequence of FTP protocol. In: Khosla R, Howlett R, Jain L (eds) Proceedings of the 9th international conference on knowledge-based intelligent information and engineering systems, vol 3683. Lecture notes in computer science. Springer, Berlin, Heidelberg, pp 1079–1085

Download references


This research is supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) through the Grant RGPIN 2014-06115.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Jason Jaskolka.

Additional information

This article is a revised and enlarged version of Jaskolka et al. (2014a, b).


Appendix 1: Proofs of propositions and corollaries

The following proposition provides a selection of properties of relations and residues required for the proofs below.

Proposition 6

Let P and Q be relations.

  1. (i)

    \(\overline{\overline{P}} = P\)

  2. (ii)

    \(P{^\smallsmile} {^\smallsmile} = P\)

  3. (iii)

    \((P \! \cap \! Q)^\smallsmile = P^\smallsmile \! \cap \;\! Q^\smallsmile \,\)

  4. (iv)

    \((P ; Q)^\smallsmile = Q^\smallsmile ; P^\smallsmile \,\)

  5. (v)

    \(({P}/{Q})^\smallsmile \, = {Q^\smallsmile }\backslash {P^\smallsmile }\)

  6. (vi)

    \(({P}\backslash {Q})^\smallsmile \, = {Q^\smallsmile \,}/{P^\smallsmile \,}\)

  7. (vii)

    \(({P}/{Q}) ; Q \subseteq P\)

  8. (viii)

    \(Q ; ({Q}\backslash {P}) \subseteq P\)

Detailed Proof of Proposition 2

Detailed Proof of Proposition 3

\((\;\Longrightarrow \;) \quad X\,{;}\, P = Q\) has a solution \(\;\Longrightarrow \;Q = ({Q}/{P})\,{;}\, P\)

Detailed Proof of Corollary 1

According to the problem formulation illustrated by Fig. 2, we need to find solutions to either Eq. 1 or 2. Therefore,

Detailed Proof of Proposition 4

\((\;\Longleftarrow \;) \quad Q \subseteq \big (R \; \cap \;({Q}/{P})\big )\,{;}\, P \;\Longrightarrow \;X\,{;}\, P = Q\) has \(R \; \cap \;({Q}/{P})\) as a solution

\((\;\Longrightarrow \;) \quad X\,{;}\, P = Q\) has \(R \; \cap \;({Q}/{P})\) as a solution \(\;\Longrightarrow \;Q \subseteq \big (R \; \cap \;({Q}/{P})\big )\,{;}\, P\)

Detailed Proof of Corollary 2

Detailed Proof of Corollary 3

According to the problem formulation illustrated by Fig. 2, we need to find solutions to Eqs. 1 and 2.

Detailed Proof of Proposition 5

Appendix 2: Cryptanalysis case study

Using the prototype tool described in Sect. 5, we have automated the process of applying the proposed cryptanalysis technique. In Deavours and Kruh (1990), we find a ciphertext originally encrypted using a German Army Enigma machine. This message has since been decrypted and roughly translated into English in Weierud (1998). For illustrative purposes in this case study, we use a portion of the English translation of this message. Since we are dealing with a message that was sent by an army, the need for confidentiality cannot be stressed enough as the unauthorised disclosure of the plaintext of this message could have devastating consequences.

For the purpose of this case study, we have encrypted the message using a substitution cipher. Table 1 shows the ciphertext in its entirety. We provide the highlights of the tool usage for applying the cryptanalysis technique and show how the technique for detecting confidential information leakage, in conjunction with a known-plaintext attack, can break the cipher to uncover the message.

Table 1 Case study ciphertext message

As preparation for the analysis, we first need to enumerate each of the cipher characters so that we are able to represent them for use with the prototype tool. The enumeration is given in Table 2.

Table 2 Case study ciphertext character enumeration

We start by loading the prototype tool modules in the Glasgow Haskell Compiler’s interactive environment (ghci) as follows:

We store the enumerated representation in a file for use with the prototype tool. From this point forward, we call the file containing the enumerated ciphertext cipher.rel. We construct the relational representation of the information contained in the cipher.rel file and store it in the newly created data store, CryptanalysisDB, by issuing the following commands:

The idea is to guess a known word or phrase that is likely to appear in the plaintext message corresponding to the given ciphertext. It is assumed that we know the context of the message. Therefore, we know that the cipher was written during a time of battle and it might be suspected that the author may have been conveying orders to a brigade of commanders and troops. So, we might expect to find words such as “orders”, “troops”, or “forces” in some reference to the conveyance of orders. These would offer formidable starting points for the analysis. However, for simplicity, brevity, and illustrative purposes, suppose that we have obtained a tip by some means (it is not important how) that the message may refer to an attack on a fortification which must not fall to the enemy. Therefore, we might guess that the plaintext message contains the phrase “FORTIFICATIONS MUST BE HELD”. Using the prototype tool, we generate a relation based on this phrase. In our representation of the phrase, we use only uppercase letters and ignore spaces as we are simply trying to find a readable plaintext based on the assumption that spaces are not encoded. We generate a relation based on this phrase by issuing the following command with the prototype tool:

Next, we apply the cryptanalysis procedure based on the proposed technique described in Sect. 6. We use the following command:

As a result of applying the cryptanalysis technique, we find that we have two fragmented possibilities for the cryptographic key. After examining the two possible plaintexts (which are generated by the prototype tool, but not shown here due to space limitations), we see that there is only one plaintext which appears to make any sense. Based on the sensible plaintext, we find that our phrase is succeeded by “A _ _ L _ C O _ _ S” which might suggest that the our guessed phrase is followed by the phrase “AT ALL COSTS”. We can concatenate our original phrase and this new phrase to have a much more refined phrase. After this refinement, we apply the cryptanalysis with the phrase “FORTIFICATIONS MUST BE HELD AT ALL COSTS”. The process of performing the cryptanalysis and its output are given below.

As a result of applying the cryptanalysis, we find that we are left with only one fragmented cryptographic key. As an example, the relation that is output by the prototype tool contains “T” |-> [“16”,“40”,“47”], showing that the letter ‘T’ corresponds to ciphertext characters enumerated as 16, 40, and 47 (in particular “L”, “I”, and “\(\bullet\)”). One can easily fill in many of the blanks in the possible plaintext to reconstruct the original message, which is given in Table 3.

We have demonstrated the application and automation of the technique for detecting confidential information leakage in the context of cryptanalysis. This illustrates the usefulness of the technique beyond the scope of covert channel analysis and detecting confidential information leakages. Using the short illustrative example above, we have shown that in a cryptanalytic investigation where we may be able to perform a known-plaintext attack, we are able to uncover the encrypted message using the proposed cryptanalysis technique.

Table 3 Case study plaintext message

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Jaskolka, J., Khedri, R. & Sabri, K.E. Investigative support for information confidentiality. J Ambient Intell Human Comput 6, 425–451 (2015).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • Covert channels
  • Information confidentiality
  • Formal methods
  • Digital forensics
  • Cryptanalysis
  • Security