Towards Covert Channels in Cloud Environments: A Study of Implementations in Virtual Networks

  • Daniel SpiekermannEmail author
  • Jörg Keller
  • Tobias Eggendorfer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10431)


Cloud environments are more and more used by cyber criminals to perform their malicious activities. With the help of covert channels they hide their data transmissions and message exchange. Whereas different techniques of covert channels in common networks are well-known, the existence of covert channels in cloud environments networks is a new topic in information hiding. The virtual environments provide new ways to hide the transmission of information. These environments use virtual networks in the cloud, which separate and isolate logical networks of the different customers. In this paper we present an examination of information hiding in virtual networks. We analyzed VXLAN, STT, GENEVE and NVGRE as the most notable so-called overlay protocols and examined different ways to create covert storage channels. Furthermore, we describe a covert timing channel based on the movement of virtual machines. As a result we propose possible countermeasures of the described covert channels.


Virtual network Covert channel Network steganography Information hiding 


  1. 1.
    Anderson, T., Peterson, L., Shenker, S., Turner, J.: Overcoming the internet impasse through virtualization. Computer 38(4), 34–41 (2005)CrossRefGoogle Scholar
  2. 2.
    Brook, C.: Attackers hiding stolen credit card numbers in images, October 2016. Accessed 13 June 2017
  3. 3.
    Cabuk, S., Brodley, C.E., Shields, C.: IP covert timing channels: design and detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 178–187. ACM (2004)Google Scholar
  4. 4.
    Caviglione, L., Podolski, M., Mazurczyk, W., Ianigro, M.: Covert channels in personal cloud storage services: the case of dropbox. IEEE Trans. Ind. Inf. 6(99), 1 (2016)CrossRefGoogle Scholar
  5. 5.
    Constantin, L.: Fileless powershell malware uses DNS as covert channel, March 2017. Accessed 13 June 2017
  6. 6.
    Davie, B., Gross, J.: A Stateless Transport Tunneling Protocol for Network Virtualization (STT). Internet-Draft draft-davie-stt-08, Internet Engineering Task Force. Work in Progress
  7. 7.
    Fridrich, J.: Applications of data hiding in digital images. In: Proceedings of the Fifth International Symposium on Signal Processing and Its Applications, ISSPA 1999, vol. 1, pp. 1–9. IEEE (1999)Google Scholar
  8. 8.
    Garfinkel, S.: Anti-forensics: techniques, detection and countermeasures. In: 2nd International Conference on i-Warfare and Security, vol. 20087, pp. 77–84 (2007)Google Scholar
  9. 9.
    Gross, J., Sridhar, T., Garg, P., Wright, C., Ganga, I.: GENEVE: Generic network virtualization encapsulation. Internet Engineering Task Force, Internet Draft (2014)Google Scholar
  10. 10.
    Janicki, A., Mazurczyk, W., Szczypiorski, K.: Steganalysis of transcoding steganography. Annales des Télécommunications 69(7–8), 449–460 (2014)CrossRefGoogle Scholar
  11. 11.
    Johnson, N.F., Duric, Z., Jajodia, S.: Information Hiding: Steganography and Watermarking-Attacks and Countermeasures, vol. 1. Springer, New York (2001)CrossRefGoogle Scholar
  12. 12.
    Katzenbeisser, S., Petitcolas, F.: Information Hiding Techniques for Steganography and Digital Watermarking. Artech house, Boston (2000)Google Scholar
  13. 13.
    Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  14. 14.
    Lipinski, B., Mazurczyk, W., Szczypiorski, K.: Improving hard disk contention-based covert channel in cloud computing. In: Security and Privacy Workshops (SPW), 2014, pp. 100–107. IEEE (2014)Google Scholar
  15. 15.
    Lucena, N.B., Lewandowski, G., Chapin, S.J.: Covert channels in IPv6. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 147–166. Springer, Heidelberg (2006). doi: 10.1007/11767831_10 CrossRefGoogle Scholar
  16. 16.
    Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., Wright, C.: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks. RFC 7348 (Informational).
  17. 17.
    Mazurczyk, W., Szczypiorski, K.: Covert channels in SIP for VoIP signalling. In: Jahankhani, H., Revett, K., Palmer-Brown, D. (eds.) ICGeS 2008. CCIS, vol. 12, pp. 65–72. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-69403-8_9 CrossRefGoogle Scholar
  18. 18.
    Mazurczyk, W., Wendzel, S., Zander, S., Houmansadr, A., Szczypiorski, K.: Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications. IEEE Series on Information and Communication Networks Security. Wiley, New York (2016)Google Scholar
  19. 19.
    Murdoch, S.J., Lewis, S.: Embedding covert channels into TCP/IP. In: Barni, M., Herrera-Joancomartí, J., Katzenbeisser, S., Pérez-González, F. (eds.) IH 2005. LNCS, vol. 3727, pp. 247–261. Springer, Heidelberg (2005). doi: 10.1007/11558859_19 CrossRefGoogle Scholar
  20. 20.
    Okamura, K., Oyama, Y.: Load-based covert channels between Xen virtual machines. In: Proceedings of the 2010 ACM Symposium on Applied Computing, pp. 173–180. ACM (2010)Google Scholar
  21. 21.
    OpenStack: Manage IP addresses, May 2017. Accessed 13 June 2017
  22. 22.
    Paxson, V., Allman, M., Chu, J., Sargent, M.: Computing TCP’s retransmission timer. RFC 6298, RFC Editor.
  23. 23.
    Pfaff, B., Pettit, J., Koponen, T., Jackson, E.J., Zhou, A., Rajahalme, J., Gross, J., Wang, A., Stringer, J., Shelar, P., et al.: The design and implementation of open vswitch. In: 12th USENIX Symposium on Networked Systems Design and Implementation, pp. 117–130 (2015)Google Scholar
  24. 24.
    Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199–212. ACM (2009)Google Scholar
  25. 25.
    Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Advances in Cryptology - CRYPTO 1983, pp. 51–67. Plenum (1984)Google Scholar
  26. 26.
    Spiekermann, D., Eggendorfer, T.: Challenges of network forensic investigation in virtual networks. J. Cyber Secur. Mobility 5(2), 15–46 (2016)Google Scholar
  27. 27.
    Spiekermann, D., Eggendorfer, T.: Towards digital investigation in virtual networks: a study of challenges and open problems. In: International Workshop of Cyber Crime, 2016 International Conference. IEEE (2016)Google Scholar
  28. 28.
    Spiekermann, D., Keller, J., Eggendorfer, T.: Network forensic investigation in openflow networks with forcon. Digital Invest. 20, 66–74 (2017)CrossRefGoogle Scholar
  29. 29.
    Walker, S.: The day we discovered our parents were russian spies, May 2016. Accessed 13 June 2017
  30. 30.
    Wang, Y.S., Garg, P.: NVGRE: Network Virtualization Using Generic Routing Encapsulation. RFC 7637.
  31. 31.
    Wendzel, S.: Protocol hopping covert channels. Hakin9 8, 20–21 (2008)Google Scholar
  32. 32.
    Wendzel, S.: The problem of traffic normalization within a covert channel’s network environment learning phase. In: Suri, N., Waidner, M. (eds.) Sicherheit. LNI, vol. 195, pp. 149–161. GI (2012)Google Scholar
  33. 33.
    Wendzel, S.: Novel approaches for network covert storage channels. Ph.D. thesis, FernUniverstität Hagen (2013)Google Scholar
  34. 34.
    Wendzel, S., Keller, J.: Design and implementation of an active warden addressing protocol switching covert channels. In: Proceedings of 7th International Conference on Internet Monitoring and Protection (ICIMP 2012), pp. 1–6. IARIA (2012)Google Scholar
  35. 35.
    Wu, J., Ding, L., Wang, Y., Han, W.: Identification and evaluation of sharing memory covert timing channel in Xen virtual machines. In: 2011 IEEE International Conference on Cloud Computing (CLOUD), pp. 283–291. IEEE (2011)Google Scholar
  36. 36.
    Xu, Y., Bailey, M., Jahanian, F., Joshi, K., Hiltunen, M., Schlichting, R.: An exploration of l2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pp. 29–40. ACM (2011)Google Scholar
  37. 37.
    Zimmermann, H.: OSI reference model – the ISO model of architecture for open systems interconnection. IEEE Trans. Commun. 28(4), 425–432 (1980)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.FernUniversität in HagenHagenGermany
  2. 2.HS Ravensburg-WeingartenWeingartenGermany

Personalised recommendations