Covert Channels in Internet Protocols: A Survey

D Llamas, C Allison and A Miller
School of Computer Science, University of St Andrews
St Andrews KY16 9SX, Scotland, UK
Tel: +44 (0) 133 4463253  Fax: +44 (0) 133 4463278
{david,ca,alanr}@dcs.st-andrews.ac.uk

Abstract – The creation of covert channels in public computer networks can prove an effective means of information hiding and secret communication. With the widespread adoption of the Internet, the TCP/IP suite of protocols has become pervasive, and therefore an attractive target for covert channel exploitation. This paper gives a brief overview of covert channels in communication networks, and presents a brief survey of some recent and relevant papers on the use of covert channels in the common Internet protocols.

I. INTRODUCTION

A covert channel is a communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy [1]. It is thus a way of communicating that is not part of the original design of the system, but can be used to transfer information to a process or user that, a priori, would not be authorised to access that information.

Covert channels typically only exist in systems with multilevel security [2], which contain and manage information with different sensitivity levels. Such systems allow different users to access the same information, at the same time, but from different points of view, depending on their need to know and their access privileges.

The covert channel concept was introduced in 1973 [3]. A classification scheme is proposed in [4]:

• Scenarios. In general, when building covert channels, a distinction is drawn between storage and timing covert channels [5]. In a storage covert channel one process writes data directly (or indirectly) while another process reads it; such channels generally use a finite system resource that is shared between entities with different privileges. Covert timing channels instead modulate the use of some resource, such as CPU timing, in order to exchange information between processes.

• Noise. As with any other communication channel, covert channels can be noisy, and vary in their immunity to noise. Ideally, a channel immune to noise is one where the probability of the receiver receiving exactly what the sender transmitted is unity, with no interference in the transmission. In practice such perfect channels are very difficult to obtain; hence it is common to apply error correction codes, at the cost of reduced bandwidth.

• Information flows. With conventional transmission lines different techniques are applied to increase bandwidth, and the same can be done with covert channels. Channels in which several information flows are transmitted between sender and receiver are defined as aggregated channels, and depending on how the sent variables are initialised, read and reset, aggregations can be classified as serial, parallel, and so on. Channels with a single information flow are termed non-aggregated.

Concern about the presence of covert channels is common in high security systems, such as military ones, where typically two observed users know that someone wishes to listen to their conversations. Many of the studies on these attacks, based on covert channels and their prevention, have been carried out by US government and military bodies, such as the National Security Agency, the US Air Force, the National Computer Security Centre, and so on. However, with the dramatic growth of the Internet, there is now growing concern about the use of covert channels in the TCP/IP protocol suite, which has a number of potential weaknesses that allow an attacker to surreptitiously pass data in otherwise benign packets.

II. FOUNDATIONS OF COVERT CHANNELS

This survey is based on the analysis of a selection of papers relevant to the use of covert channels in Internet protocols.
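The Noise item of the classification in Section I states that error correction restores reliability at the cost of bandwidth. The following Python model, added here as an illustration and not taken from the survey or from any paper it cites, makes that trade-off concrete. It assumes the covert channel behaves as a binary symmetric channel with a fixed per-bit flip probability (an assumption for modelling purposes, not a property of any real protocol channel), applies an n-fold repetition code with majority decoding, and reports the residual error probability next to the effective rate in message bits per channel symbol. No network protocol is touched; the point is the arithmetic a channel designer or analyst must do when estimating the usable capacity of a noisy channel.

```python
"""Model of a noisy covert channel and the bandwidth cost of error correction.

Illustrative code added to accompany the survey; the binary symmetric channel
(BSC) abstraction and the repetition code are assumptions chosen for clarity.
"""
import random
from math import comb


def transmit(bits, flip_prob, rng):
    """BSC model: each channel symbol is flipped independently with flip_prob."""
    return [b ^ 1 if rng.random() < flip_prob else b for b in bits]


def encode_repetition(bits, n):
    """Repetition code: every message bit is sent n times (n should be odd)."""
    return [b for b in bits for _ in range(n)]


def decode_repetition(received, n):
    """Majority vote over each group of n received symbols."""
    decoded = []
    for i in range(0, len(received), n):
        group = received[i:i + n]
        decoded.append(1 if 2 * sum(group) > len(group) else 0)
    return decoded


def bit_error_rate(sent, got):
    """Fraction of message bits that were decoded incorrectly."""
    return sum(a != b for a, b in zip(sent, got)) / len(sent)


def residual_error_probability(p, n):
    """Exact probability that a majority vote over n copies is wrong on BSC(p).

    The vote fails when more than half of the n copies are flipped.
    """
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(n // 2 + 1, n + 1))


def channel_trial(message_bits, flip_prob, n, seed=0):
    """Send a message through the modelled channel and summarise the outcome.

    The seed makes the simulated noise reproducible so results can be compared
    across code rates.
    """
    rng = random.Random(seed)
    coded = encode_repetition(message_bits, n)
    received = transmit(coded, flip_prob, rng)
    decoded = decode_repetition(received, n)
    return {
        "n": n,
        "channel_symbols": len(coded),
        "effective_rate": 1.0 / n,           # message bits per channel symbol
        "ber": bit_error_rate(message_bits, decoded),
        "predicted_ber": residual_error_probability(flip_prob, n),
    }


if __name__ == "__main__":
    # Constructed message: 20,000 alternating bits, enough for a stable estimate.
    message = [i % 2 for i in range(20000)]
    flip = 0.1  # assumed per-symbol flip probability of the noisy channel
    print(f"BSC flip probability {flip}")
    print(f"{'n':>2} {'rate':>6} {'measured BER':>13} {'predicted BER':>14}")
    for n in (1, 3, 5, 7):
        r = channel_trial(message, flip, n)
        print(f"{r['n']:>2} {r['effective_rate']:>6.3f} "
              f"{r['ber']:>13.4f} {r['predicted_ber']:>14.5f}")
```

Each extra pair of repetitions divides the usable rate further while shrinking the residual error only polynomially in p, which is the bandwidth penalty the survey refers to; a real channel analyst would substitute the measured flip probability of the channel under study for the assumed value.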
Although the first three papers are not directly related to the TCP/IP protocols, they have been included because of their general relevance.

A. A Guide to Understanding Covert Channel Analysis of Trusted Systems [4]

This guide was written to help the vendor and evaluator communities understand the requirements for covert channel analysis as described in the US Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). The guide defines a set of baseline requirements and recommendations for the analysis and evaluation of covert channels. It includes sections focused on the definition and classification of