However, there are new covert channels arising every now and then for which no countermeasures are known. For this reason, it would be beneficial to find some way to apply the ideas of existing countermeasures to such a new covert channel technique, i.e. to determine whether the blue question marks in the following table can be addressed.
We present the concept of Countermeasure variation (CV). Countermeasure variation is the idea of 'transforming' a countermeasure that was designed to detect one specific covert channel so that it can also detect other covert channels. The core idea is to take a given countermeasure, change the parameters that are fed into it (e.g. packet sizes instead of inter-arrival times), adjust a threshold on its output value, and thereby detect an entirely different covert channel with the transformed countermeasure. This would reduce the amount of required code (per covert channel that has to be detected) and the number of fundamentally different countermeasures to be applied in parallel. It would also allow existing countermeasures to be transformed for upcoming covert channels.
The first paper to propose countermeasure variation and to exemplify its feasibility was presented at CECC'18:
S. Wendzel, D. Eller, W. Mazurczyk: One Countermeasure, Multiple Patterns: Countermeasure Variation for Covert Channels, in Proc. Central European Security Conference (CECC'18), ACM, 2018.
In the CECC paper, we exemplify countermeasure variation using the so-called compressibility score originally presented by Cabuk et al. The compressibility score is used to detect covert channels of the ‘inter-packet times’ hiding pattern* and we show that countermeasure variation allows the application of the compressibility score to detect covert channels of the ‘size modulation’ pattern.
In other words, we use a countermeasure designed to detect a type of covert timing channel and apply it to a type of storage channel.
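The following sketch illustrates the variation described above; it is an added example, not code from the CECC paper. It assumes zlib as the compressor, a comma-separated decimal string as the textual representation, windows of 500 packets, a threshold set 30% above the highest score seen on clean traffic, and constructed sample traffic.

```python
import random
import zlib
from itertools import accumulate

def compressibility(symbols):
    """|S| / |C|: length of the text representation over its compressed length."""
    s = ",".join(symbols).encode("ascii")
    return len(s) / len(zlib.compress(s, 9))

def iat_symbols(timestamps, digits=2):
    """Original input: inter-arrival times, rounded so small jitter maps to one symbol."""
    return [f"{b - a:.{digits}f}" for a, b in zip(timestamps, timestamps[1:])]

def size_symbols(sizes):
    """Varied input: packet sizes in bytes instead of inter-arrival times."""
    return [str(n) for n in sizes]

def window_scores(symbols, window=500):
    return [compressibility(symbols[i:i + window]) for i in range(0, len(symbols) - window + 1, window)]

def calibrate(clean_symbols, margin=1.3):
    """Re-adjusted threshold: highest score on known-clean traffic times an assumed margin."""
    return margin * max(window_scores(clean_symbols))

def detect(symbols, threshold):
    """One verdict per window; True means suspiciously regular (highly compressible)."""
    return [score > threshold for score in window_scores(symbols)]

# Constructed sample traffic (assumed values, not measurements from the papers).
N, rng = 2000, random.Random(2018)
bits = [rng.getrandbits(1) for _ in range(N)]  # covert payload, one bit per packet
clean_ts = list(accumulate((rng.expovariate(4.0) for _ in range(2 * N)), initial=0.0))
covert_ts = list(accumulate(((0.05, 0.10)[b] + rng.uniform(-0.004, 0.004) for b in bits), initial=0.0))
clean_sizes = [rng.randint(40, 1500) for _ in range(2 * N)]
covert_sizes = [(100, 200)[b] for b in bits]

def evaluate():
    """Calibrate on the first half of the clean traffic, test on the rest and on covert."""
    out = {}
    for name, clean, covert in (
        ("inter-packet times", iat_symbols(clean_ts), iat_symbols(covert_ts)),
        ("size modulation", size_symbols(clean_sizes), size_symbols(covert_sizes)),
    ):
        threshold = calibrate(clean[:N])
        out[name] = {"clean": detect(clean[N:], threshold), "covert": detect(covert, threshold)}
    return out

if __name__ == "__main__":
    print(evaluate())
```

Only the symbol extractor and the calibrated threshold differ between the two patterns; the scoring function is shared.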
In a follow-up paper, we show that countermeasure variation also works for other countermeasures and hiding patterns. Our second paper will be presented at NordSec:
S. Zillien, S. Wendzel: Detection of covert channels in TCP retransmissions, in Proc. 23rd Nordic Conference on Secure IT Systems (NordSec), Springer, 2018.
In the NordSec paper, we describe the implementation and detection of a novel approach for a TCP retransmission-based covert channel. We implemented and evaluated two statistical detection measures that were originally designed for inter-arrival time-based network channels, namely the ε-similarity and the compressibility score (the compressibility score is the same as above for the first paper). The ε-similarity originally measures the similarity of two timing distributions. The compressibility indicates the presence of a covert channel by measuring the compression ratio of a textual representation of concatenated inter-arrival times. We modified both approaches so that they can also be applied to the detection of retransmission-based covert channels. Our initial results indicate that the ε-similarity can be considered a promising detection method for retransmission-based covert channels, while the compressibility itself provides insufficient results but could potentially be used as a classification feature.
In other words, there are limits to countermeasure variation. Some approaches might work well for multiple hiding patterns while they do not work well for other patterns.
* A summary of all known hiding patterns can be found here.