Skip to content

cdpxe/Network-Covert-Channels-A-University-level-Course

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

Network Steganography and Network Information Hiding

Version: 2.0.11

Author

Prof. Dr. Steffen Wendzel, website
(Institute of Information Resource Management, University of Ulm Germany / FernUniversität in Hagen, Germany)

How to Cite this Class?

Steffen Wendzel: Network Steganography and Network Information Hiding (online class), available online: https://github.com/cdpxe/Network-Covert-Channels-A-University-level-Course/, 2024.

Introduction

This is an open online course on network information hiding and network steganography. The course contains video material and slides of a class that I teach at different universities. I updated the content over the years and will continue to do so.

Please note that quite some content of this class is based on the book W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, K. Szczypiorski: Information Hiding in Communication Networks, WILEY-IEEE, 2016. If you are an IEEE member, you should be able to download the book for free.

YouTube Playlist for this Class

List of my own Network Steganography Tools

Chapter 1 - Introduction to steganography and covert channels

This chapter provides an overview of the whole class. Afterwards, fundamental terminology, taxonomy and history of information hiding will be covered. The chapter also highlights some use-cases (legitimate and criminal ones) and tells you a bit about the CUING initiative.

  • Video: YouTube

  • Slides: PDF

  • Reading Assignment:

  • Optional Papers to Read:

  • Exercise:

    • Explain one historic method of steganography that was not explained during the lecture in a short talk in front of the other students.
    • Was there any terminological inconsistency regarding the terms network covert channel and network steganography in the introduced taxonomy? (Chapter 2 of W. Mazurczyk et al., 2016)
    • Different domains of steganography exist, including network steganography, digital media steganography, text steganography and cyber-physical systems steganography. Name typical cover objects for all four of them.
    • Would it beneficial to combine different types of wardens?

Chapter 2 - Introduction to classic covert channels

First, simple methods for local (system-internal) covert channels are discussed. Second, covert channels between Docker containers and for Android are shown.


Chapter 3 - Fundamental countermeasures (not network-specific)

In this chapter, you will learn how covert channels can be detected, eliminated, and limited on the basis of exemplary countermeasures. These countermeasures can be applied at different states of a system's lifetime (design-phase to operation phase). In particular, I cover the Shared Resource Matrix (SRM) methodology, Covert Flow Trees (CFT), Fuzzy Time, and the Spurious Processes Approach.

  • Video: YouTube

  • Slides: PDF

  • Reading Assignment:

    • R. Kemmerer, P. Porras: Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels, Trans. Software Engineering, IEEE, 1991.
  • Optional Papers to Read:

    • in German: I discuss SRM, extended SRM (Gypsy SRM), CFT, the Pump, and several other fundamental anti-covert channel concepts in my book S. Wendzel: Tunnel und verdeckte Kanäle im Netz, Springer, 2012 (Chapter 6).
  • Exercise:

    • Which method would you apply to eliminate/spot covert channels in the following situations:
      • The company you are working for wishes to get a certificate (e.g. a high level of EAL) for their product; the certificate requires a code-level audit that lists all possible covert storage channels.
      • You plan to design a new product (not implemented in code). You need to perform a covert channel analysis using the product’s specification.
      • Your company plans to sell a product to a military customer. The customer requires a covert timing channel audit, which you performed. However, the customer will only accept covert channels with a channel capacity below 1 bit/s.
    • How could you create a policy-breaking covert channel during your exam in order to secretly exchange answers to exam questions?
      • Link this scenario to the Prisoner’s Problem.

Chapter 4 - Fundamental network information hiding techniques

This chapter introduces basic methods for realizing network covert channels and their different types (active and passive covert channels, intentional and unintentional (side) channels, and direct and indirect covert channels).


Chapter 5 - Getting the big picture: hiding patterns

In this chapter, so-called hiding patterns are introduced. Patterns are a universal tool that is popular in software engineering and other disciplines, even outside of informatics. Hiding patterns are an easy way to describe and understand how data can be hidden using network covert channels. Instead of studying hundreds of separate hiding techniques, one can simply grasp all their core ideas using hiding patterns. The second part of this chapter introduces a revised version of the patterns taxonomy that is not specific to the network context. Instead, it can be applied to all domains of steganography. This revised model was introduced in August 2021 and contains certain additional features, such as the distinction between embedding and representation patterns.


Chapter 6 - Staying under the radar: sophisticated hiding methods and distributed hiding patterns

This chapter covers distributed hiding methods, including pattern variation, pattern hopping, protocol switching (protocol channels, protocol hopping covert channels), dynamic overlay routing for covert channels, micro protocols (covert channel internal control protocols, including their optimization), reversible data hiding (RDH), and dead drops that exploit network caches.


Chapter 7 - Selected network-level countermeasures

Chapter 7 finally introduces methods to combat network covert channels. The chapter is separated into two parts. Part A covers selected basic methods, namely traffic normalization (preventing/limiting), three methods by Berk et al. and Cabuk et al. (detection of inter-packet times pattern), and finally, the so-called countermeasure variation. Part B introduces countermeasures that help limiting and detecting sophisticated network covert channels, namely the protocol switching covert channels and the NEL phase. These methods are the protocol (switching covert) channel-aware active warden (PCAW) and the dynamic warden.


Chapter 8 - Replicating experiments for scientific advancement

First, I briefly discuss why we need replication studies and which obstacles prevent the conduction of these studies. Second, I show one study that we conducted ourselves.

  • Video: YouTube

  • Slides: PDF

  • Optional Papers to Read:

  • Exercise:

    • Answer the following questions:
      • Why is it essential to replicate experiments?
      • What can scientists do to support experimental replications of their own work?
      • What is commonly referred to under the term Open Science?

Chapter 9 - OMG! I found a new hiding method. How do I become famous?!1! a.k.a. How to describe a new hiding method in a paper?

When a new hiding technique is found, how should it be described in a way that other authors can easily access it? How to ease replication studies? How to ease the process of finding out what still needs to be done? These questions can be answered with the unified description method for network information hiding techniques explained in this chapter. Moreover do I introduce the creativity metric that helps to decide about the novelty of a research contribution.

  • Video: YouTube

  • Slides: PDF

  • Reading Assignment:

  • Exercise:

    • Read the above-mentioned paper on the unified description method and answer the following questions:
      • What is the difference between the two attributes required properties of the carrier and covert channel properties?
      • Why is the attribute on control protocols not mandatory in the unified description method?
      • How does the creativity metric work together with the unified description method?

Chapter 10 - My smart fridge does strange things … a.k.a. steganography in the Internet of Things (IoT)

In the Internet of Things (and Cyber-physical Systems, CPS), data can either be hidden within network communications (e.g. in IoT protocols) or in can be hidden the CPS components (e.g. unused registers or states of actuators). I will discuss these methods as well as scenarios in this conference talk below. However, please note that the PDF files contain an extended scenario. I plan to update the PDF slides in the coming years as there is still quite a lot to say about this chapter.

  • Video: part A, YouTube, part B, YouTube. Part B is the video of the talk S. Wendzel, G. Haas, W. Mazurczyk: Information Hiding in Cyber-physical Systems, presented during the 2nd Int. BioSTAR workshop in late May, 2017 (IEEE Security & Privacy Workshops, San José, CA)

  • Slides: PDF

  • Reading Assignment:

  • Exercise:

    • What is the difference between an intentional covert channel and an intentional side channel in a CPS? Can you name a few examples? Both terms of CPS Steganography are introduced in this paper. What was the solution proposed by this paper to combat both types of channels?
    • In this paper, I describe how an MLS-based filtering can prevent covert and side channels in CPS network communications (exemplified using smart buildings). How does this work? What are limitations?

Chapter 11 - Summary and overall conclusion

This chapter summarizes what we have learned in the ten previous chapters. I also highlight open research problems that might support you in finding topics for a Master or even a PhD thesis.

  • Video: YouTube

  • Slides: PDF

  • Reading Assignment: none

  • Exercise: Congratulations, you made it through the whole class! Now it is time for the final (big!) exercise! Try to find a new network protocol for which there is absolutely no work available that analyzes covert channels in this protocol (use Google Scholar or any other paper search engine to find such works). Next, analyze the protocol regarding all known hiding patterns and describe all covert channels that you found using the unified description method. If you like, submit your paper to a conference (or: let me know and I can potentially link the paper at least here).


Changelog

  • v. 2.0.11, 2024-Oct-15

    • editorial changes in the README.md, replacing HS Worms w/ Uni Ulm
  • v. 2.0.10, 2024-Sep-05

    • added citation info and adjusted title in README.md to title in the slides
  • v. 2.0.9, 2024-Aug-21

    • added reference to Strachanski et al. in chapter 1
    • updated reference to DYST paper in chapter 4 (replaced pre-print with official TDSC paper)
    • remove nefias (out of date, not updated anymore)
    • update publications list for Ch. 8.
  • v. 2.0.7, 2024-Jun-24

    • tiny link update for DYST paper (TDSC)
  • v. 2.0.6, 2024-May-08

    • tiny link updates
  • v. 2.0.5 (no new version), 2023-Aug-14

    • modified schedule for HSW M.Sc. class
  • v. 2.0.5, 2023-Jan-04 (only slide updates; videos remain as is):

    • Updated Ch. 4: added "history covert channels" and "fully-passive covert channels".
  • v. 2.0.4, 2022-Sep-16 (only slide updates; videos remain as is):

    • Updated Ch. 1: added reference to new paper by Luca Caviglione (@lucacav) and Wojciech Mazurczyk on stego-malware.

EOF