As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.

Covert Channels Evaluation Framework (CCHEF)

Using encryption is not sufficient to secure communication because the simple fact that communication exists is often enough to raise suspicion and take further actions. Covert channels aim to hide the very existence of communication by using means of communication not normally intended to be used. The huge amount of data and vast number of different protocols in the Internet makes it ideal as a high-bandwidth vehicle for covert channels in network protocols.

The de-facto standard covert channel communication model is the prisoner problem. Two people, Alice and Bob, are thrown into prison and intend to escape. To agree on an escape plan they need to communicate, but Wendy the warden monitors all their messages. If Wendy finds any signs of suspicious messages she will place Alice and Bob into solitary confinement -- making an escape impossible. Alice and Bob must exchange innocuous messages containing hidden information that (hopefully) Wendy will not notice.

We have developed a flexible software framework for empirically evaluating covert channels in network protocols called Covert Channels Evaluation Framework (CCHEF). CCHEF runs under Linux and can be used in real networks with real overt traffic, but can also emulate covert channels using overt traffic from trace files. Usually testing with real traffic is restricted to controlled testbeds where it is almost impossible to generate a realistic traffic mix from a larger number of hosts. Therefore, CCHEF also runs on single hosts emulating covert channels based on overt traffic from trace files.

CCHEF is not designed to be (mis)used for real covert channel communication. Therefore, we have made no attempts to disguise the sender or receiver in any way, illegally acquire superuser priviledges etc. The sender and receiver are normal user space applications. This allows us to focus on the actual covert channel methods (embedding of hidden information in network protocols), prevents possible misuse, and makes porting easier since techniques to hide executables etc. are very operating system dependent.

The central component of CCHEF is the Channel module that interfaces with multiple device modules. Covert data to be send  is read from the Covert In device, while received covert data is written to the Covert Out device. The Overt In/Out device taps into a stream of IP packets to be used as carrier for the covert data. At the sender suitable overt packets are intercepted and passed to the Channel module. The Channel module encodes the covert data and passes the modified packet back to the device, which will re-inject it into the network. If an overt packet arrives at the receiver the Channel module decodes any covert information and removes the covert channel (if possible) before re-injecting the packet. (CCHEF also supports passive receivers that uses copies of overt packets and do not delay the actual traffic, if removing the covert channel is not necessary.) The Channel module has various sub-modules responsible for modulation, framing, reliable transport, encryption etc.

Figure 1  shows CCHEF transmitting covert information over a network from Alice (covert sender) to Bob (covert receiver). The figure shows a unidirectional channel but in general channels in CCHEF are bi-directional (depending on the available overt traffic).

CCHEF Tunnel

Figure 1: CCHEF transmitting covert data across the network from Alice to Bob

Figure 2 shows how CCHEF is used with trace files. Covert data is encoded into overt traffic read from a packet trace and then decoded straightaway (Alice and Bob are one entity). Optionally, CCHEF can simulate channel noise. Furthermore, CCHEF can write a modified trace file containing the original traffic with the embedded covert channel. 


Figure 2: CCHEF emulating covert channels based on overt traffic from trace files

The source code for CCHEF is available under the GPL. CCHEF runs on Linux only (actually most of the code is pretty portable but there are some Linux specific modules). So far I have only tested it with the openSUSE distribution (kernel 2.6.16). Beware CCHEF is quite experimental!

Download CCHEF version 0.1 source code.

Download CCHEF version 0.2 source code.

The user manual is available as PDF file. It is also part of the distribution (doc subdirectory).

Download CCHEF user manual.

Furthermore, a tech report describing the design and implementation of CCHEF is available as PDF file.

Download CCHEF design and implementation document.

Last Updated: Friday 10-Sep-2010 19:03:31 EST | Maintained by: Sebastian Zander ( | Authorised by: Grenville Armitage (