Low-Attention Forwarding for Mobile Network Covert Channels

  • Steffen Wendzel
  • Jörg Keller
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7025)


In a real-world network, different hosts involved in covert channel communication run different covert channel software as well as different versions of such software, i.e. these systems use different network protocols for a covert channel. A program that implements a network covert channel for mobile usage thus must be capable of utilizing multiple network protocols to deal with a number of different covert networks and hosts. We present calculation methods for utilizable header areas in network protocols, calculations for channel optimization, an algorithm to minimize a covert channel’s overhead traffic, as well as implementation-related solutions for such a mobile environment. By minimizing the channel’s overhead depending on the set of supported protocols between mobile hosts, we also minimize the attention raised through the channel’s traffic. We also show how existing covert network channel infrastructure can be modified without replacing all existing infrastructure elements by proposing the handling of backward-compatible software versions.


network covert channel covert channel protocols covert proxy mobile security 


  1. 1.
    Castro, S.: cctt (covert channel testing tool) v0.1.8 (2003),
  2. 2.
    Castro, S.: Covert Channel and tunneling over the HTTP protocol detection: GW implementation theoretical design (November 2003),
  3. 3.
    Born, K.: Browser-Based Covert Data Exfiltration. In: Proc. 9th Annual Security Conference, Las Vegas, NV, April 7–8 (2010)Google Scholar
  4. 4.
    Daemon9: LOKI2 (the implementation), Phrack Magazine, vol. 7(5) (September 1997),
  5. 5.
    Lampson, B.W.: A Note on the Confinement Problem. Commun. ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  6. 6.
    Murdoch, S.J.: Covert channel vulnerabilities in anonymity systems, PhD thesis, University of Cambridge (Computer Laboratory) (2007)Google Scholar
  7. 7.
    Wonnemann, C., Accorsi, R., Müller, G.: On Information Flow Forensics in Business Application Scenarios. In: Proc. IEEE COMPSAC Workshop on Security, Trust, and Privacy for Software Applications (2009)Google Scholar
  8. 8.
    Postel, J.: Internet Control Message Protocol, DARPA Internet Program Protocol Specification, RFC 793 (September 1983)Google Scholar
  9. 9.
    Yarochkin, F.V., Dai, S.-Y., Lin, C.-H., et al.: Towards Adaptive Covert Communication System. In: 14th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2008), pp. 153–159 (2008)Google Scholar
  10. 10.
    Ray, B., Mishra, S.: A Protocol for Building Secure and Reliable Covert Channel. In: Sixth Annual Conference on Privacy, Security and Trust (PST), pp. 246–253 (2008)Google Scholar
  11. 11.
    Wendzel, S.: Protocol Hopping Covert Channel Tool v.0.1 (2007),
  12. 12.
    Wendzel, S.: Protocol Hopping Covert Channels. Hakin9 Magazine 1/08, 20–21 (2008) (in German)Google Scholar
  13. 13.
    Bejtlich, R.: Analyzing Protocol Hopping Covert Channel Tool (November 2007),
  14. 14.
    Ahsan, K.: Covert Channel Analysis and Data Hiding in TCP/IP, M.Sc. thesis, University of Toronto (2002)Google Scholar
  15. 15.
    Rowland, C.H.: Covert Channels in the TCP/IP Protocol Suite, First Monday, vol. 2(5) (May 1997)Google Scholar
  16. 16.
    Scott, C.: Network Covert Channels: Review of Current State and Analysis of Viability of the use of X.509 Certificates for Covert Communications, Technical Report RHUL-MA-2008-11, Department of Mathematics, Roal Holloway, University of London (January 2008)Google Scholar
  17. 17.
    Hintz, D.: Covert Channels in TCP and IP Headers. Presentation Slides of the DEFCON 10 Conference (2002),
  18. 18.
    Berk, V., Giani, A., Cybenko, G.: Detection of Covert Channel Encoding in Network Packet Delays, Technical Report TR536, Rev. 1, Dep. of Computer Science, Dartmouth College (November 2005)Google Scholar
  19. 19.
    Cabuk, S., Brodley, C.E., Shields, C.: IP Covert Timing Channels: Design and Detection. In: Proc. 11th ACM Conference on Computer and Communications Security (CCS 2004), pp. 178–187 (2004)Google Scholar
  20. 20.
    Fadlalla, Y.A.H.: Approaches to Resolving Covert Storage Channels in Multilevel Secure Systems, Ph.D. Thesis, University of New Brunswick (1996)Google Scholar
  21. 21.
    Fisk, G., Fisk, M., Papadopoulos, C., Neil, J.: Eliminating Steganography in Internet Traffic with Active Wardens. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 18–35. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  22. 22.
    Hu, W.-M.: Reducing Timing Channels with Fuzzy Time. In: 1991 Symposium on Security and Privacy, pp. 8–20. IEEE Computer Society, Los Alamitos (1991)CrossRefGoogle Scholar
  23. 23.
    Kang, M.H., Moskowitz, I.S.: A Pump for Rapid, Reliable, Secure Communication. In: Proceedings of the 1st ACM Conference on Computer and Communication Security, pp. 119–129 (November 1993)Google Scholar
  24. 24.
    Kemmerer, R.A.: Shared resource matrix methodology: an approach to identifying storage and timing channels. ACM Transactions on Computer Systems (TOCS) 1(3), 256–277 (1983)CrossRefGoogle Scholar
  25. 25.
    Kemmerer, R.A., Porras, P.A.: Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels. IEEE Transactions on Software Engineering 17(II), 1166–1185 (1991)CrossRefGoogle Scholar
  26. 26.
    Murdoch, S.J., Lewis, S.: Embedding covert channels into TCP/IP. In: Barni, M., Herrera-Joancomartí, J., Katzenbeisser, S., Pérez-González, F. (eds.) IH 2005. LNCS, vol. 3727, pp. 247–261. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  27. 27.
    Fielding, R., Gettys, J., Mogul, J., et al.: Hypertext Transfer Protocol – HTTP/1.1, RFC 2616 (June 1999)Google Scholar
  28. 28.
    Zander, S., Armitage, G., Branch, P.: Covert Channels and Countermeasures in Computer Networks. IEEE Communications Magazine, 136–142 (December 2007)Google Scholar
  29. 29.
    Handley, M., Paxson, V., Kreibich, C.: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In: Proc. 10th USENIX Security Symposium, vol. 10, pp. 115–131 (2001)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Steffen Wendzel
    • 1
  • Jörg Keller
    • 1
  1. 1.Faculty of Mathematics and Computer ScienceUniversity of HagenHagenGermany

Personalised recommendations