• International Journal of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.243-248
• /
• 2021

Although many different types of covert channels have been suggested in the literature, there are little work in directly applying game theory to building up covert channel. This is because researchers have mainly focused on tailoring game theory for covert channel analysis, identification, and covert channel problem solving. Unlike typical adaptation of game theory to covert channel, we show that game theory can be utilized to establish a new type of covert channel in IoT devices. More specifically, we propose a covert channel that can be constructed by utilizing the Nash Equilibrium with sensor data collected from IoT devices. For covert channel construction, we set random seed to the value of sensor data and make payoff from random number created by running pseudo random number generator with the configured random seed. We generate I × J (I ≥ 2, J ≥ 2) matrix game with these generated payoffs and attempt to obtain the Nash Equilibrium. Covert channel construction method is distinctly determined in accordance with whether or not to acquire the Nash Equilibrium.

• International journal of advanced smart convergence
• /
• v.10 no.3
• /
• pp.10-16
• /
• 2021

In this paper, we devise a Shapley-value-based covert channel in smartphones. More specifically, unlike ordinary use of Shapley value in cooperative game, we make use of a series of Shapley values, which are computed from sensor data collected from smartphones, in order to create a covert channel between encoding smartphone and decoding smartphone. To the best of our knowledge, we are the first to contrive covert channel based on Shapley values. We evaluate the encoding process of our proposed covert channel through simulation and present our evaluation results.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.961-971
• /
• 2019

Isolation between virtual machines in a cloud computing environment is an important security factor. The violation of isolation between virtual machines leads to interferences of shared resources and the implementation of covert channels. In this paper, the structure of Hyper-V hypervisor is analyzed to implement covert channels between virtual machines. Hyper-V uses a mutex technique for mutual exclusion between virtual machines. It indicates that isolation of virtual machines is violated and covert channels can be implemented due to mutex. We implemented several covert channels by designing a method for searching mutex resources applicable to Hyper-V with complex architectures. The mutex-based covert channel is not hardware dependent. If the covert channel is detected or defended, the defensive technique can be avoided by using the other covert channel among several covert channels.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.8
• /
• pp.3550-3566
• /
• 2020

As a widely used way to exfiltrate information, wireless covert channel (WCC) brings a serious threat to communication security, which enables the wireless communication process to bypass the authorized access control mechanism to disclose information. Unlike the covert channel on the network layer, wireless covert channels on the physical layer (WCC-P) is a new covert communication mode to implement and improve covert wireless communication. Existing WCC-P scheme modulates the secret message bits into the Gaussian noise, which is also called covert digital communication system based on the joint normal distribution (CJND). Finding the existence of this type of covert channel remains a challenging work due to its high undetectability. In this paper, we exploit the square autocorrelation coefficient (SAC) characteristic of the CJND signal to distinguish the covert communication from legitimate communication. We study the sharp increase of the SAC value when the offset is equal to the symbol length, which is caused by embedding secret information. Then, the SAC value of the measured sample is compared with the threshold value to determine whether the measured sample is CJND sample. When the signal-to-noise ratio reaches 20db, the detection accuracy can reach more than 90%.

• ETRI Journal
• /
• v.43 no.3
• /
• pp.561-570
• /
• 2021

This paper presents master key identifier based protocol steganography (MKIPS), a new approach toward creating a covert channel within the Secure Real-time Transfer Protocol, also known as SRTP. This can be achieved using the ability of the sender of Voice-over-Internet Protocol packets to select a master key from a pre-shared list of available cryptographic keys. This list is handed to the SRTP sender and receiver by an external key management protocol during session initiation. In this work, by intelligent utilization of the master key identifier field in the SRTP packet creation process, a covert channel is created. The proposed covert channel can reach a relatively high transfer rate, and its capacity may vary based on the underlying SRTP channel properties. In comparison to existing data embedding methods in SRTP, MKIPS can convey a secret message without adding to the traffic overhead of the channel and packet loss in the destination. Additionally, the proposed covert channel is as robust as its underlying user datagram protocol channel.

• International journal of advanced smart convergence
• /
• v.6 no.4
• /
• pp.56-59
• /
• 2017

In this paper, we design a covert channel based on instruction gadgets in smart sensing devices. Unlike the existing convert channels that usually utilize diverse physical characteristics or user behaviors or sensory data of smart sensing devices, we show that instruction gadgets could be exploited for covert channel establishment in smart sensing devices. In our devised covert channels, trojan smart sensing devices exchange attack packets in such a way that they encode an attack bit in attack packet to a series of addresses of instruction gadgets and decode an attack bit from a series of addresses of instruction gadgets.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.4
• /
• pp.1866-1883
• /
• 2019

As the youngest branch of information hiding, network covert timing channels conceal the existence of secret messages by manipulating the timing information of the overt traffic. The popular model-based framework for constructing covert timing channels always utilizes cumulative distribution function (CDF) of the inter-packet delays (IPDs) to modulate secret messages, whereas discards high-order statistics of the IPDs completely. The consequence is the vulnerability to high-order statistical tests, e.g., entropy test. In this study, a rich security model of covert timing channels is established based on IPD chains, which can be used to measure the distortion of multi-order timing statistics of a covert timing channel. To achieve rich security, we propose two types of covert timing channels based on nested lattices. The CDF of the IPDs is used to construct dot-lattice and interval-lattice for quantization, which can ensure the cell density of the lattice consistent with the joint distribution of the IPDs. Furthermore, compensative quantization and guard band strategy are employed to eliminate the regularity and enhance the robustness, respectively. Experimental results on real traffic show that the proposed schemes are rich-secure, and robust to channel interference, whereas some state-of-the-art covert timing channels cannot evade detection under the rich security model.

• Proceedings of the Korea Institutes of Information Security and Cryptology Conference
• /
• 2001.11a
• /
• pp.340-347
• /
• 2001

Security operating system applied to MAC(Mandatory Access Control) or to MLS(Multi Level Security) gives both subject and object both Security Level and value of Category, and it restrict access to object from subject. But it violates Security policy of system and could be a circulated course of illegal information. This is correctly IPC(Interprocess Communication)mechanism and Covert Channel. In this thesis, I tried to design and implementation as OS kernel in order not only to give confidence of information circulation in the Security system, but also to defend from Covert Channel by Storage and IPC mechanism used as a circulated course of illegal information. For removing a illegal information flow by IPC mechanism. I applied IPC mechanism to MLS Security policy, and I made Storage Covert Channel analyze system call Spec. and than distinguish Storage Covert Channel. By appling auditing and delaying, I dealt with making low bandwidth.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2024.05a
• /
• pp.395-396
• /
• 2024

최근 국가 핵심 기반시설을 중단시키거나 파괴시킴으로서 사회적 혼란 및 국가 경제적 손실을 일으키는 공격 사례가 증가되고 있는 실정이다. 이와 같은 사이버 공격에 대응하기 위해 각 국가는 인터넷이나 다른 네트워크와 물리적 또는 논리적으로 분리되어 있는 폐쇄망 환경을 기반으로 기반시설을 구성함으로서 높은 수준의 보안성과 안정성을 유지하고자 한다. 하지만, 악의적인 공격자들은 Covert Channel을 통해 폐쇄망 환경 내 민감한 데이터 및 기밀 데이터를 탈취하고 있는 실정이다. 이에 본 논문에서는 음향신호 기반 Covert Channel 공격 기술에 대해 분석함으로써 안전한 폐쇄망 환경 구축의 필요성을 보이고자 한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.4
• /
• pp.1927-1943
• /
• 2016

Jitterbug is a passive network covert timing channel supplying reliable stealthy transmission. It is also the basic manner of some improved covert timing channels designed for higher undetectability. The existing entropy-based detection scheme based on training sample binning may suffer from model mismatching, which results in detection performance deterioration. In this paper, a new detection method based on the feature of Jitterbug covert channel traffic is proposed. A fixed binning strategy without training samples is used to obtain bins distribution feature. Coefficient of variation (CV) is calculated for several sets of selected bins and the weighted mean is used to calculate the final CV value to distinguish Jitterbug from normal traffic. Furthermore, the timing window parameter of Jitterbug is estimated based on the detected traffic. Experimental results show that the proposed detection method can achieve high detection performance even with interference of network jitter, and the parameter estimation method can provide accurate values after accumulating plenty of detected samples.