Hunting Shadows: Towards Packet Runtime-based Detection Of Computational Intensive Reversible Covert Channels

The appearance of novel ideas for network covert channels leads to an urge for developing new detection approaches. One of these new ideas are reversible network covert channels that are able to restore the original overt information without leaving any direct evidence of their appearance. Some of these reversible covert channels are based upon computational intensive operations, like for example encoding hidden information in the authentication hashes of a hash chain based one-time password. For such a covert channel implementation, the hash function has to be called repeatedly to extract the hidden message and to restore the original information. In this paper, we investigate the influence of repeated MD5 and SHA3 hash operations on the runtime of an authentication request-response. We first define two alphabets, one which leads to the fewest hash operations and one which leads to the most hash operations to be performed. Further, for each alphabet, we carry out three experiments. One without a covert channel, one with a covert channel altering all hashes, and finally, one with a covert channel altering every second hash. We further investigate the detection rates of computational intensive reversible covert channels for all scenarios by applying a threshold-based detection upon the average packet runtime without encoded covert information. Finally, we describe countermeasures and the limitations of this detection approach.