Modern malware increasingly exploits information hiding or steganography to elude security frameworks and remain unnoticed for long periods. To this aim, a prime technique relies upon the ability of creating covert channels to bypass the limits imposed by a sandbox or to exfiltrate data towards a remote server. Unfortunately, detecting a covert channel is not a trivial task and often requires to inspect a composite set of information, e.g., the behavior of a software or statistical indicators of network trafic. Therefore, in this paper we investigate the adoption of code augmentation features ofered by the Linux kernel to gather data useful to reveal the presence of covert communications. To prove the efectiveness of the approach, we tested a lightweight program to detect covert channels targeting IPv6 conversations. Results indicate that technologies like the extended Berkeley Packet Filter can ofer a foundation to frameworks for spotting and mitigating covert communications.
Improvements in network defense and the increasing sophistication of modern software and
services have caused the proliferation of advanced techniques allowing a malware to remain
unnoticed or to bypass secure execution enclaves. Until recently, main approaches used by
attackers exploited code obfuscation, multi-stage loading, file-less implementations to prevent
detection from antivirus, encryption as well as anti-forensics methods to evade code and
memory analysis [
The general concept of covert channel has been introduced by Lampson in 1973. According to
[
During the years, both researchers and cybercriminals developed a variety of mechanisms
to create hidden communication paths in a wide array of scenarios, such as, virtualized
environments, cloud datacenters, network infrastructures, and multi-processor frameworks [
Therefore, an important requirement to fully assess the security of modern devices and digital
infrastructures deals with the ability of detecting covert channels. To cope with the composite
nature of hardware and software components that can be used to conceal secret information,
we take advantage of code augmentation techniques made available by the Linux kernel. In
more detail, we showcase the use of the extended Berkeley Packet Filter (eBPF), which supports
the monitoring of a rich set of behaviors, such as system calls, page faults, memory occupation
and network packets (see, e.g., [
The contributions of this paper are: i) a discussion on the main attack models exploiting covert channels, which are often neglected when addressing security of a digital infrastructure, ii) a framework leveraging code augmentation able to provide a technological foundation against information-hiding-capable threats, and iii) a preliminary performance evaluation campaign considering threats targeting IPv6 trafic.
The rest of the paper is structured as follows. Section 2 briefly introduces covert channels and how they can be used to attack computing and networking scenarios. Section 3 deals with code augmentation and how it can support the detection of network covert channels, while Section 4 showcases numerical results. Lastly, Section 5 concludes the paper and portraits potential future developments.
Even if covert channels can also enforce privacy of users, e.g., to preserve the anonymity of a
source in investigative journalism or to prevent censorship in regimes, they are primarily used
to develop ofensive techniques [
In this attack model, the hidden communication happens among entities that reside on the same
host/device, e.g., processes, virtual machines, and containers able to communicate by exploiting
resources of the host. Some examples of techniques for creating a local covert channel include
the modulation of the usage of resources such as the CPU and RAM or the manipulation of the
underlying file system [
Network covert channels enable remote peers to secretly communicate by manipulating
protocols or injecting data in network trafic, [
Figure 2 depicts the reference attack model. In more detail, the covert sender wants to transmit an information to a remote peer, for instance a sensitive information exfiltrated by a third-party malicious routine. To this aim, it gathers incoming packets belonging to an overt, licit flow (denoted as P1 in the figure) and, according to the used injection method, it performs suitable modifications. As a possible example, the covert sender can encode a secret by adding a predefined delay or by directly injecting data within some fields of the header. As a result, an “altered” packet containing the secret information (denoted as P1’ in the figure) is sent through the network. The covert receiver can then retrieve the information by knowing in advance the feature of the trafic flow that has been used as the carrier. However, discrepancies between P1 and P1’ can reveal the presence of the covert channel. To reduce the chance of detection, the covert receiver should restore the trafic flow in such a way to not arise suspects.
Even if the majority of covert channels targets the IPv4 protocol [
Due to the diferent nature of the models outlined in Section 2, each attack could require a
specific detection technique. For instance, colluding applications can be revealed via correlation
metrics, e.g., processes wanting to communicate become active in an overlapped manner to
alter/read the used carrier before it is disrupted by other competing entities or the OS [
Given the broad range of potential methodologies for creating covert channels, a promising
idea to perform their detection concerns the use flexible and easily extensible frameworks. In fact,
being able to collect threat-independent measurements using the same technology is desirable
since the carrier exploited by the attacker is usually not known in advance. However, the ability
of generalizing the detection process should not be considered the only objective: another
desired goal deals with performances and the detection process must limit the consumption of
processing, memory, and networking resources. In this respect, code augmentation stands out
as the best approach to gain visibility over multiple functions and processes within a host and
its operating system [
In this section, we briefly introduce the used code augmentation framework. Then, we present how data can be organized to guarantee performances and mitigate the consumption of
Originally developed as an eficient mechanism for packet monitoring and filtering, the eBPF has been recently extended into a more complex framework. For example, it can be used to inspect network packets, to trace specific kernel functions or to monitor the CPU or the memory usage. In this extent, eBPF can provide a basic mechanism to collect threat-independent measurements for detecting stegomalware. To this aim, eBPF provides a wide set of functionalities, including key/value maps to store data, supporting routines to allow kernel to user-space communications and mechanisms to concatenate multiple programs. The eBPF programs may be executed on the reception of packets in raw sockets, queues, xdp driver or can be attached to kprobes, tracepoints and perf events. To enforce security, eBPF provides a dedicated virtual machine within the Linux kernel, with a limited access to system resources. Thus, eBPF is intrinsically safer and more robust than other mechanisms (e.g., kernel modules) even if executed in kernel mode. Due to performance and security constraints, the only way to interact with an eBPF program is through maps, which are shared-memory regions. For this reason, the typical development pattern includes both the eBPF program and a user-space utility for its loading and to exchange data through maps. An in-kernel verifier validates the code to avoid kernel deadlocks.
So far, the primary usage of eBPF has been tracing and monitoring the Linux kernel for investigating performance issues. As an example, the toolkit (e)BPF Compiler Collection (BCC)1 contains several working tools to do such operations. The tools are based on a user-friendly Python class for compiling, loading and attaching eBPF programs to several hooks.
Owing to is flexibility, the eBPF framework can collect a wide range of data, addressing both local covert channels and network covert channels.
Since the range of techniques for creating covert channels is very broad and the used carrier
could be not known a priori, anomaly detection approaches appear suitable to spot the presence
of stegomalware. For the case of colluding applications, anomalies can be searched for by
evaluating usage patterns of kernel functions. As a possible example, a kernel function can be traced
to spot the presence of colluding applications exchanging data through a local covert channel
manipulating file permissions. Thus, eBPF can monitor the kernel function _ _ x 6 4 _ s y s _ c h m o d to
identify anomalies in its distribution and evolution [
n bits Bins
Index the array of bins
(Flow Label) +1 B bins some challenges for the case of F l o w L a b e l , which generates a space of 220 diferent values. To overcome performance issues, we split the whole range values into a smaller number of groups (called “bins”), and used a counter for each group.
The implementation of this mechanism within an eBPF program is depicted in Figure 3, with the F l o w L a b e l as an example. For each incoming packet, the value of the F l o w L a b e l is placed in the corresponding bin, and the associated counter is incremented. To make the implementation more eficient, the number of bins is always a power of 2, so that the association of a field value to the corresponding bin is a simple bitwise operation to match the prefix.
The bin-based structure reduces the memory usage of the eBPF program, but at the expense of coarser-grained granularity of the collected statistics. The proper number of bins must be selected according to the specific use case, seeking an optimal balance between resource consumption and precision of the detection. In this case, the anomaly could be searched for by evaluating how the volume of changing bins evolves during time. To have a condensed indicator, our user-space utility periodically collects the values for all bins and considers the number of bins that change between two consecutive reads.
To prove the efectiveness of the proposed approach based on code augmentation, we prepared a testbed composed of two virtual machines running Debian GNU/Linux 10 (kernel 4.20.9), which communicate through a third virtual machine. The latter, with the same technical specifications, is in charge both of routing trafic and running the eBPF program to gather information about the trafic exchanged between the two peers. To test our idea in realistic network conditions, we replayed legitimate IPv6 trafic conversations collected on a OC192 link between Sao Paulo and New York on January 17, 2019 from 14:00 to 15:00 CET, made available by the Center for Applied Internet Data Analysis. Specifically, for this work we used the CAIDA Anonymized Internet Traces Dataset collected in the April 2008 - January 2019 period2. Trafic traces has been replied with the t c p r e p l a y tool and resulting flows represented the bulk overt trafic. To have a suitable degree of freedom, we generated via the i P e r f 3 tool an additional conversation between the two endpoints wanting to secretly communicate with a bandwidth of 500 kbps. The covert channel has been implemented via an ad-hoc Python script using Scapy 2.4.3 and
Available online: https://www.caida.org/data/monitors/passive-equinix-nyc.xml [Last Accessed: March 2021].
In the first set of trials, we wanted to evaluate the efectiveness of the eBPF-based approach in gathering statistical information on the trafic useful to spot the presence of a network covert channel. To this aim, we run a script able to capture, on a per-packet basis, the value of the F l o w L a b e l , T r a f f i c C l a s s , and H o p L i m i t fields and populate the data structure described in Section 3.2. The sampling time used to gather information obtained from the trafic, i.e., the timeframe between two diferent measurements, was set to 1 second. In other words, the user-space programs retrieve from the eBPF counterparts the collected values for the bins every second. The number of bins used in the case of F l o w L a b e l was set to 215, while for the remaining fields the value was set to 28.
Figure 5 depicts the obtained results. For the sake of clarity, we limited traces to 15 minutes of trafic. In more details, the figure shows the ability of our lightweight code augmentation framework to capture the temporal evolution of the values characterizing a specific field of the IPv6 header. Recalling that to have a “condensed” metric we inspect the number of bins changed between two consecutive measurements provided by the eBPF filter, the depicted trends ofer several insights on the observed IPv6 trafic. As an example, if an attacker exploits the T r a f f i c C l a s s field to contain secrets, the evolution of the number of bins changed will difer significantly from the expected behavior. In fact, as it is possible to notice from Figure 5(b), the number of diferent T r a f f i c C l a s s observed is always limited to only few values. Therefore, the presence of a hidden communication could reflect into a sort of “signature” in the number of changing bins and allow to spot the covert communication. A similar consideration can be done for the F l o w L a b e l , even if Figure 5(a) depicts a greater variety in terms of observed values. In this case, additional inputs from the network could be needed. For instance, this trace could be checked against the number of active flows present at a given time step. Since each flow is characterized by a unique value for the F l o w L a b e l , discrepancies between the number of active conversations and the volume of changing bins could reveal the presence of the hidden channel. Instead, for the case of H o p L i m i t , a more sophisticated approach could be needed as the information-modulating nature of the embedding methods makes the covert communication 0 0 100 200 300 400 500 600 700 800 900
time [s] (a) Evolution of the Flow Label 0 0 100 200 300 400 500 600 700 800 900
time [s] (b) Evolution of the Traffic Class
Hop Limit 20.0 17.5 ed15.0 g an12.5 h c isn10.0 b .fo 7.5 o n 5.0 2.5 0.0 0 100 200 300 400 500 600 700 800 900
time [s] (c) Evolution of the Hop Limit harder to spot.
Concerning the resources consumption, we measured the CPU usage and the amount of
memory needed by both the eBPF program and the user-space utility. Since the eBPF program
is executed only when a packet is processed, defining the amount of CPU used is not
straightforward, whereas the memory occupation strictly depends on the size of the used kernel map.
Owing to the proposed bin-counting architecture, it remains bounded to few megabytes. As
regards the CPU usage for the user-space utility, measurements indicate that, for the T r a f f i c
C l a s s and H o p L i m i t cases, it is ∼3%, while for the F l o w L a b e l the consumption increases to
∼12%. We point out that these values may change according to the selected sampling interval
(1 second, in our tests). Summing up, the eBPF-based approach demonstrated to introduce
only minimal overheads especially in terms of delays added to the network trafic. Thus it
has to be considered a suitable technology for the development of countermeasures to be
deployed in realistic scenarios (see, e.g., [
To assess the real capacity of using bin-based behaviors as efective indicators to spot the presence of a channel, we conducted an additional round of tests. To this aim, we hold the same trafic conditions described above and we added a covert channel exfiltrating data within an
IPv6 conversation. We considered a hidden transmission targeting the T r a f f i c C l a s s , which has
been used to exfiltrate a secret message of 1, 024 random bits. This can represent the exfiltration
of a cryptographic key or of a sensitive information [
In order to make the covert communication more dificult to spot, an attacker can choose, for example, to limit the steganographic bandwidth of the hidden channel. To prove this idea, we conducted an additional round of tests. Specifically, we considered an attacker able to reduce the bandwidth of the hidden channel by alternating the amount of consecutive stego-packets (i.e., packets that are injected with the secret, denoted with in the following) with the amount of legitimate packets (denoted with in the following). In this vein, we conducted trials with = 10 and = 50, 100, and 300 packets.
Figure 7 depicts the outcome when diferent patterns of injection are applied. As the
steganographic bandwidth decreases, i.e., increases, the time needed by the attacker to transmit the
secret in its entirety rises. As regards detectability of the covert channel, when the attacker uses
a value for = 50 (i.e., the blue line in Figure 7), the rate of hidden data is still not adequate
compared to the rest of the trafic, thus making the channel more detectable. This is due to
the superimposition of two causes: the few diferent values for the T r a f f i c C l a s s
characterizing the overt trafic, and a too aggressive injection procedure. To mitigate such efect, the
attacker can apply some form of encoding, e.g., map the secret into a reduced number of values,
possibly observed in the overt bulk of data [
In this work, we presented a lightweight approach based on a “counting” scheme designed to detect network covert channels targeting IPv6 trafic. The approach take advantage of the code augmentation mechanism based on eBPF and can help to reveal the presence of covert channels. Results have indicated the efectiveness of the approach.
Future work aims at refining the idea and carry out a thorough performance evaluation campaign. A relevant part of our efort is devoted to understand the feasibility of using code augmentation to implement an “active warden”, i.e., an intermediate node able to disrupt the covert channel. For the case of network covert channels, this can be a middlebox overwriting suitable fields in the header of packets. Instead, for the case of colluding applications, this approach is less obvious and requires further investigations. Another part of our ongoing research concerns the design of a threat-independent metric able to reveal the presence of both local and network covert channels as well as an efective mechanism to automatically raise an alarm when detecting the hidden communication attempt.
This work has been supported by the EU Project GUARD, Grant Agreement No 833456, and by the EU Project SIMARGL, Grant Agreement No 833042.