C2Hunter: Detection and Mitigation of Covert Channels in Data Centers

  • Jingzheng WuEmail author
  • Yanjun Wu
  • Bei Guan
  • Yuqi Lin
  • Samee U. Khan
  • Nasro Min-Allah
  • Yongji Wang


Data centers provides both the applications, systems software and the hardware as services over the Internet, which is named cloud computing [1–3]. It is core infrastructure of cloud computing, supporting dynamic deployment and elastic resource management. With the powerful computing and storing capabilities, cloud computing has become increasingly popular [4, 5]. The fundamental mechanism of cloud is virtualization which allows virtual machines (VM) instantiate stand-alone operating systems on demand based on a software layer called virtual machine monitor (VMM) or hypervisor [6]. Although the virtualization technology provides strong isolation for the cloud, security and privacy are always the open problems [7]. Some of the problems are essentially traditional web application and data-hosting ones, e.g., phishing, downtime, data loss, and password weakness. One of the new problems introduced by the shared environment to cloud computing is the covert channel attack [8]. By this way, information is leaked from the data centers and meanwhile the security provided by isolation is breaken down [9, 10].

architecture security software monitoring control covert channel 



This work is supported by the National Science and Technology Major Project No.2012ZX01039-004, No.2010ZX01036-001-002, the National Natural Science Foundation of China No.61303057, No.61170072 and the Major Program of the National Natural Science Foundation of China No.91124014. Samee U. Khan’s work was partly supported by the Young International Scientist Fellowship of the Chinese Academy of Sciences, (Grant No. 2011Y2GA01).


  1. 1.
    M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, “A view of cloud computing,” Commun. ACM, vol. 53, no. 4, pp. 50–58, 2010.Google Scholar
  2. 2.
    A. Greenberg, J. Hamilton, D. A. Maltz, and P. Patel, “The cost of a cloud: research problems in data center networks,” SIGCOMM Comput. Commun. Rev., vol. 39, no. 1, pp. 68–73, Dec. 2008.Google Scholar
  3. 3.
    G. L. Valentini, W. Lassonde, S. U. Khan, N. Min-Allah, S. A. Madani, J. Li, L. Zhang, L. Wang, N. Ghani, J. Kolodziej, H. Li, A. Y. Zomaya, C.-Z. Xu, P. Balaji, A. Vishnu, F. Pinel, J. E. Pecero, D. Kliazovich, and P. Bouvry, “An overview of energy efficiency techniques in cluster computing systems,” Cluster Computing, vol. 16, no. 1, pp. 3–15, 2013.Google Scholar
  4. 4.
    L. M. Vaquero, L. Rodero-Merino, J. Caceres, and M. Lindner, “A break in the clouds: towards a cloud definition,” SIGCOMM Comput. Commun. Rev., vol. 39, pp. 50–55, December 2008.Google Scholar
  5. 5.
    R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloud computing and emerging it platforms: Vision, hype, and reality for delivering computing as the 5th utility,” Future Gener. Comput. Syst., vol. 25, pp. 599–616, June 2009.Google Scholar
  6. 6.
    P. Barham, B. Dragovic, K. Fraser, S. Hand, T. L. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield, “Xen and the art of virtualization,” in SOSP, 2003, pp. 164–177.Google Scholar
  7. 7.
    H. Takabi, J. B. D. Joshi, and G.-J. Ahn, “Security and privacy challenges in cloud computing environments,” IEEE Security & Privacy, vol. 8, no. 6, pp. 24–31, 2010.Google Scholar
  8. 8.
    Y. Chen, V. Paxson, and R. H. Katz, “What’ s new about cloud computing security?” EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2010-5, Jan 2010.Google Scholar
  9. 9.
    T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds,” in ACM Conference on Computer and Communications Security, 2009, pp. 199–212.Google Scholar
  10. 10.
    J. Wu, L. Ding, and Y. Wang, “Research on key problems of covert channel in cloud computing,” Journal of Communications, vol. 32, no. 9A, pp. 184–203, 2011.Google Scholar
  11. 11.
    Z. Wang and X. Jiang, “Hypersafe: A lightweight approach to provide lifetime hypervisor control-flow integrity,” in IEEE Symposium on Security and Privacy, 2010, pp. 380–395.Google Scholar
  12. 12.
    B. D. Payne, R. Sailer, R. Cáceres, R. Perez, and W. Lee, “A layered approach to simplified access control in virtualized systems,” Operating Systems Review, vol. 41, no. 4, pp. 12–19, 2007.Google Scholar
  13. 13.
    R. Sailer, T. Jaeger, E. Valdez, R. Cáceres, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn, “Building a mac-based security architecture for the XenXen open-source hypervisor,” in ACSAC, 2005, pp. 276–285.Google Scholar
  14. 14.
    B. D. Payne, M. Carbone, M. I. Sharif, and W. Lee, “Lares: An architecture for secure active monitoring using virtualization,” in IEEE Symposium on Security and Privacy, 2008, pp. 233–247.Google Scholar
  15. 15.
    A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky, “Hypersentry: enabling stealthy in-context measurement of hypervisor integrity,” in ACM Conference on Computer and Communications Security, 2010, pp. 38–49.Google Scholar
  16. 16.
    S. T. Jones, A. C. Arpaci-Dusseau, and R. H. Arpaci-Dusseau, “Antfarm: Tracking processes in a virtual machine environment,” in USENIX Annual Technical Conference, General Track, 2006, pp. 1–14.Google Scholar
  17. 17.
    A. M. Azab, P. Ning, E. C. Sezer, and X. Zhang, “Hima: A hypervisor-based integrity measurement agent,” in ACSAC, 2009, pp. 461–470.Google Scholar
  18. 18.
    J. Wu, Y. Wu, Z. Wu, M. Yang, and Y. Wang, “Vulcloud: Scalable and hybrid vulnerability detection in cloud computing,” in Software Security and Reliability-Companion (SERE-C), 2013 IEEE 7th International Conference on, 2013, pp. 225–226.Google Scholar
  19. 19.
    J. Wu, Y. Wu, M. Yang, Z. Wu, and Y. Wang, “Vulnerability detection of android system in fuzzing cloud,” in Proceedings of the 2013 IEEE Sixth International Conference on Cloud Computing, ser. CLOUD '13. Washington, DC, USA: IEEE Computer Society, 2013, pp. 954–955.Google Scholar
  20. 20.
    A. Aviram, S. Hu, B. Ford, and R. Gummadi, “Determinating timing channels in compute clouds,” in CCSW ’10: Proceedings of the 2010 ACM workshop on Cloud computing security workshop. New York, NY, USA: ACM, 2010, pp. 103–108.Google Scholar
  21. 21.
    NCSC, “Trusted computer system evaluation criteria (orange book),” 1985.Google Scholar
  22. 22.
    B. W. Lampson, “A note on the confinement problem,” Commun. ACM, vol. 16, no. 10, pp. 613–615, 1973.Google Scholar
  23. 23.
    J. Wu, L. Ding, Y. Wang, and W. Han, “A practical covert channel identification approach in source code based on directed information flow graph,” in IEEE SSIRI, Jeju Island, Korea, 2011, pp. 98–107.Google Scholar
  24. 24.
    C.-R. Tsai, V. D. Gligor, and C. S. Chandersekaran, “A formal method for the identification of covert storage channels in source code,” in IEEE Symposium on Security and Privacy, 1987, pp. 74–87.Google Scholar
  25. 25.
    T. F. Keefe, W.-T. Tsai, and J. Srivastava, “Database concurrency control in multilevel secure database management systems,” IEEE Trans. Knowl. Data Eng., vol. 5, no. 6, pp. 1039–1055, 1993.Google Scholar
  26. 26.
    S. Zander, G. J. Armitage, and P. Branch, “A survey of covert channels and countermeasures in computer network protocols,” IEEE Communications Surveys and Tutorials, vol. 9, no. 1–4, pp. 44–57, 2007.Google Scholar
  27. 27.
    J. Wu, Y. Wang, L. Ding, and X. Liao, “Improving performance of network covert timing channel through huffman coding,” Mathematical and Computer Modelling, vol. 55, no. 1–2, pp. 69–79, 2012.Google Scholar
  28. 28.
    ISO/IEC, “Common criteria for information technology security evaluation,” 2005.Google Scholar
  29. 29.
    Y. Wang, J. Wu, H. Zeng, L. Ding, and X. Liao, “Covert channel research,” Journal of Software, vol. 21, no. 9, pp. 2262–2288, 2010.Google Scholar
  30. 30.
    J. Wu, Y. Wang, L. Ding, and Y. Zhang, “Constructing scenario of event-flag covert channel in secure operating system,” in ICIMT, Hongkong, 2010, pp. 371–375.Google Scholar
  31. 31.
    C.-R. Tsai and V. D. Gligor, “A bandwidth computation model for covert storage channels and its applications,” in IEEE conference on Security and privacy, Oakland, California, 1988, pp. 108–121.Google Scholar
  32. 32.
    S. Cabuk, C. E. Brodley, and C. Shields, “IP covert timing channels: design and detection,” in ACM Conference on Computer and Communications Security, 2004, pp. 178–187.Google Scholar
  33. 33.
    ——, “IP covert channel detection,” ACM Trans. Inf. Syst. Secur., vol. 12, no. 4, pp. 1–29, 2009.Google Scholar
  34. 34.
    V. Berk, A. Giani, G. Cybenko, and N. Hanover, “Detection of covert channel encoding in network packet delays,” Rapport technique TR536, de lUniversité de Dartmouth. Novembre, 2005.Google Scholar
  35. 35.
    N. Nagatou and T. Watanabe, “Run-time detection of covert channels,” in ARES, 2006, pp. 577–584.Google Scholar
  36. 36.
    L. Hélouët and A. Roumy, “Covert channel detection using information theory,” in SecCo, 2010, pp. 34–51.Google Scholar
  37. 37.
    J. K. Millen, “20 years of covert channel modeling and analysis,” in IEEE Symposium on Security and Privacy, 1999, pp. 113–114.Google Scholar
  38. 38.
    C. G. Girling, “Covert channels in LAN’s,” IEEE Trans. Software Eng., vol. 13, no. 2, pp. 292–296, 1987.Google Scholar
  39. 39.
    L. Yao, X. Zi, L. Pan, and J. Li, “A study of on/off timing channel based on packet delay distribution,” Computers & Security, vol. 28, no. 8, pp. 785–794, 2009.Google Scholar
  40. 40.
    T. G. Handel and M. T. S. II, “Hiding data in the osi network model,” in Information Hiding, 1996, pp. 23–38.Google Scholar
  41. 41.
    K. Ahsan and D. Kundur, “Practical data hiding in TCP/IP,” in Proc. Workshop on Multimedia Security at ACM Multimedia. Citeseer, 2002.Google Scholar
  42. 42.
    C. Rowland, “Covert channels in the TCP/IP protocol suite,” First Monday, vol. 2, no. 5–5, 1997.Google Scholar
  43. 43.
    S. Gianvecchio and H. Wang, “Detecting covert timing channels: an entropy-based approach,” in CCS '07: Proceedings of the 14th ACM conference on Computer and communications security. New York, NY, USA: ACM, 2007, pp. 307–316.Google Scholar
  44. 44.
    A. O. Yinqian Zhang, Ari Juels and M. K. Reiter, “Homealone: Co-residency detection in the cloud via side-channel analysis,” in IEEE Symposium on Security and Privacy, Oakland, California, 2011, pp. 313–328.Google Scholar
  45. 45.
    K. Okamura and Y. Oyama, “Load-based covert channels between Xen virtual machines,” in SAC, 2010, pp. 173–180.Google Scholar
  46. 46.
    H. Zeng, Y. Wang, L. Ruan, W. Zu, and J. Cai, “Covert channel mitigation method. for secure real-time database using capacity metric,” Journal on Communications, vol. 29, no. 8, pp. 46–56, 2008.Google Scholar
  47. 47.
    Y. Wang, J. Wu, L. Ding, and H. Zeng, “Detecion approach for covert channel based concurrency conflict interval time,” Journal of Computer Research and Development, vol. 48, no. 8, pp. 1542–1553, 2011.Google Scholar
  48. 48.
    J. Wu, L. Ding, Y. Wang, and W. Han, “Identification and evaluation of sharing memory covert timing channel in Xen virtual machines,” in IEEE CLOUD, Washington DC, USA, 2011, pp. 283–291.Google Scholar
  49. 49.
    J. Wu, L. Ding, Y. Lin, N. Min-Allah, and Y. Wang, “Xenpump: A new method to mitigate timing channel in cloud computing,” in IEEE CLOUD, Hawaii, USA, 2012, pp. 678–685.Google Scholar
  50. 50.
    D. Chisnall, The definitive guide to the xen hypervisor. Prentice Hall Press, 2007.Google Scholar
  51. 51.
    J. K. Millen, “Finite-state noiseless covert channels,” in CSFW, 1989, pp. 81–86.Google Scholar
  52. 52.
    R. Lanotte, A. Maggiolo-Schettini, and A. Troina, “Time and probability-based information flow analysis,” Software Engineering, IEEE Transactions on, vol. 36, no. 5, pp. 719–734, 2010.Google Scholar
  53. 53.
    J. Wu, L. Ding, Y. Wu, N. Min-Allah, S. U. Khan, and Y. Wang, “C2detector: A covert channel detection framework in cloud computing,” Security and Communication Networks, 2013.Google Scholar
  54. 54.
    L. R. Rabiner, “A tutorial on hidden markov models and selected applications in speech recognition,” Proceedings of the IEEE, vol. 77, no. 2, pp. 257–286, feb 1989.Google Scholar
  55. 55.
    J. Hu, X. Yu, D. Qiu, and H.-H. Chen, “A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection,” IEEE Network, vol. 23, no. 1, pp. 42–47, 2009.Google Scholar
  56. 56.
    T. M. Mitchell, Machine learning. McGraw-Hill, 1997.Google Scholar
  57. 57.
    A. W. Moore and D. Zuev, “Internet traffic classification using Bayesian analysis techniques,” in SIGMETRICS, 2005, pp. 50–60.Google Scholar
  58. 58.
    T. Auld, A. W. Moore, and S. F. Gull, “Bayesian neural networks for internet traffic classification,” IEEE Transactions on Neural Networks, vol. 18, no. 1, pp. 223–239, 2007.Google Scholar
  59. 59.
    E. S. Ristad and P. N. Yianilos, “Learning string-edit distance,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 20, no. 5, pp. 522–532, 1998.Google Scholar
  60. 60.
    M. H. Kang and I. S. Moskowitz, “A pump for rapid, reliable, secure communication,” in ACM Conference on Computer and Communications Security, 1993, pp. 119–129.Google Scholar
  61. 61.
    M. H. Kang, I. S. Moskowitz, and D. C. Lee, “A network pump,” IEEE Trans. Software Eng., vol. 22, no. 5, pp. 329–338, 1996.Google Scholar
  62. 62.
    J. Son and J. Alves-Foss, “A formal framework for real-time information flow analysis,” Comput. Secur., vol. 28, no. 6, pp. 421–432, 2009.Google Scholar
  63. 63.
    D. A. Osvik, A. Shamir, and E. Tromer, “Cache attacks and countermeasures: The case of aes,” in CT-RSA, 2006, pp. 1–20.Google Scholar
  64. 64.
    E. Tromer, D. A. Osvik, and A. Shamir, “Efficient cache attacks on aes, and countermeasures,” J. Cryptology, vol. 23, no. 1, pp. 37–71, 2010.Google Scholar
  65. 65.
    S. Chen, R. Wang, X. Wang, and K. Zhang, “Side-channel leaks in web applications: A reality today, a challenge tomorrow,” in IEEE Symposium on Security and Privacy, 2010, pp. 191–206.Google Scholar
  66. 66.
    K. Kourai and S. Chiba, “Hyperspector: virtual distributed monitoring environments for secure intrusion detection,” in VEE, 2005, pp. 197–207.Google Scholar
  67. 67.
    T. Garfinkel and M. Rosenblum, “A virtual machine introspection based architecture for intrusion detection,” in NDSS, 2003.Google Scholar
  68. 68.
    X. Jiang and X. Wang, “"out-of-the-box" monitoring of vm-based high-interaction honeypots,” in RAID, 2007, pp. 198–218.Google Scholar
  69. 69.
    J. Li, B. Li, T. Wo, C. Hu, J. Huai, L. Liu, and K. Lam, “Cyberguarder: A virtualization security assurance architecture for green cloud computing,” Future Generation Computer Systems, vol. 28, no. 2, pp. 379–390, 2012.Google Scholar
  70. 70.
    M. Kang, I. Moskowitz, and D. Lee, “A network version of the pump,” in Security and Privacy, 1995. Proceedings., 1995 IEEE Symposium on, 1995, pp. 144–154.Google Scholar
  71. 71.
    M. Kang, I. Moskowitz, and S. Chincheck, “The pump: a decade of covert fun,” in Computer Security Applications Conference, 21st Annual, 2005, pp. 352–360.Google Scholar
  72. 72.
    W.-M. Hu, “Reducing timing channels with fuzzy time,” in IEEE Symposium on Security and Privacy, 1991, pp. 8–20.Google Scholar
  73. 73.
    D. Zhang, A. Askarov, and A. C. Myers, “Predictive mitigation of timing channels in interactive systems,” in Proceedings of the 18th ACM conference on Computer and communications security, ser. CCS ’11. New York, NY, USA: ACM, 2011, pp. 563–574.Google Scholar
  74. 74.
    A. Askarov, D. Zhang, and A. C. Myers, “Predictive black-box mitigation of timing channels,” in ACM Conference on Computer and Communications Security, 2010, pp. 297–307.Google Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • Jingzheng Wu
    • 1
    Email author
  • Yanjun Wu
    • 1
  • Bei Guan
    • 2
  • Yuqi Lin
    • 2
  • Samee U. Khan
    • 3
  • Nasro Min-Allah
    • 4
  • Yongji Wang
    • 2
    • 5
  1. 1.Institute of Software, Chinese Academy of SciencesBeijingChina
  2. 2.National Engineering Research Center for Fundamental SoftwareBeijingChina
  3. 3.North Dakota State UniversityFargoUSA
  4. 4.COMSATS Institute of Information TechnologyIslamabadPakistan
  5. 5.State Key Laboratory of Computer SciencesBeijingChina

Personalised recommendations