Hide and Seek in Time — Robust Covert Timing Channels

  • Yali Liu
  • Dipak Ghosal
  • Frederik Armknecht
  • Ahmad-Reza Sadeghi
  • Steffen Schulz
  • Stefan Katzenbeisser
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


Covert timing channels aim at transmitting hidden messages by controlling the time between transmissions of consecutive payload packets in overt network communication. Previous results used encoding mechanisms that are easy to detect with statistical analysis, thus defeating the purpose of a covert channel, and/or highly sensitive to channel noise, rendering them useless in practice. In this paper, we introduce a novel covert timing channel that allows undetectability and robustness to be balanced: i) the encoded message is modulated in the inter-packet delay of the underlying overt communication channel such that the statistical properties of regular traffic can be closely approximated, and ii) the underlying encoding employs spreading techniques to provide robustness. We experimentally validate the effectiveness of our approach by establishing covert channels over on-line gaming traffic. The experimental results show that our covert timing channel can achieve strong robustness and undetectability by varying the data transmission rate.


Channel Capacity, Spreading Code, User Datagram Protocol, Timing Channel, Covert Channel
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yali Liu (1)
  • Dipak Ghosal (2)
  • Frederik Armknecht (3)
  • Ahmad-Reza Sadeghi (3)
  • Steffen Schulz (3)
  • Stefan Katzenbeisser (4)

  1. Department of Electrical and Computer Engineering, University of California, Davis, USA
  2. Department of Computer Science, University of California, Davis, USA
  3. Horst-Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany
  4. Department of Computer Science, Technische Universität Darmstadt, Germany
