Covert Channels Evaluation Framework (CCHEF)
encryption is not sufficient to secure communication because the simple
fact that communication exists is often enough to raise suspicion and
take further actions. Covert channels aim to hide the very existence of
communication by using means of communication not normally intended to
be used. The huge amount of data and vast number of different protocols
in the Internet makes it ideal as a high-bandwidth vehicle for covert channels in network protocols.
The de-facto standard
covert channel communication model is the prisoner problem. Two people,
Alice and Bob, are thrown into prison and intend to escape. To agree on
an escape plan they need to communicate, but Wendy the warden monitors
all their messages. If Wendy finds any signs of suspicious messages she
will place Alice and Bob into solitary confinement -- making an escape
impossible. Alice and Bob must exchange innocuous messages containing
hidden information that (hopefully) Wendy will not notice.
We have developed a
flexible software framework for empirically evaluating covert channels
in network protocols called Covert Channels Evaluation Framework
(CCHEF). CCHEF runs under Linux and can be used in real networks with
real overt traffic, but can also emulate covert channels using overt
traffic from trace files. Usually testing with real traffic is
restricted to controlled testbeds where it is almost impossible to
generate a realistic traffic mix from a larger number of hosts.
Therefore, CCHEF also runs on single hosts emulating covert channels
based on overt traffic from trace files.
CCHEF is not designed to
be (mis)used for real covert channel communication. Therefore, we
have made no attempts to disguise the sender or receiver in any way,
illegally acquire superuser priviledges etc. The sender and receiver
are normal user space applications. This allows us to focus on the
actual covert channel methods (embedding of hidden information in
network protocols), prevents possible misuse, and makes porting easier
since techniques to hide executables etc. are very operating system
The central component of
CCHEF is the Channel module that interfaces with multiple device
modules. Covert data to be send is read from the Covert In
device, while received covert data is written to the Covert Out
device. The Overt In/Out device taps into a stream of IP packets to be
used as carrier for the covert data. At the sender suitable overt
packets are intercepted and passed to the Channel module. The
Channel module encodes the covert data and passes the modified
packet back to the device, which will re-inject it into the
network. If an overt packet arrives at the receiver the Channel module
decodes any covert information and removes the covert channel (if
possible) before re-injecting the packet. (CCHEF also supports passive
receivers that uses copies of overt packets and do not delay the actual
traffic, if removing the covert channel is not necessary.) The Channel
module has various sub-modules responsible for modulation, framing,
reliable transport, encryption etc.
Figure 1 shows CCHEF transmitting covert information over a
network from Alice (covert sender) to Bob (covert receiver). The figure
shows a unidirectional channel but in general channels in CCHEF are
bi-directional (depending on the available overt traffic).
Figure 1: CCHEF transmitting covert data across the network from Alice to Bob
Figure 2 shows how
CCHEF is used with trace files. Covert data is encoded into overt
traffic read from a packet trace and then decoded straightaway (Alice
and Bob are one entity). Optionally, CCHEF can simulate channel noise.
Furthermore, CCHEF can write a modified trace file containing the
original traffic with the embedded covert channel.
Figure 2: CCHEF emulating covert channels based on overt traffic from trace files
The source code for CCHEF
is available under the GPL. CCHEF runs on Linux only (actually most of
the code is pretty portable but there are some Linux specific modules).
So far I have only tested it with the openSUSE distribution (kernel 2.6.16).
Beware CCHEF is quite experimental!
Download CCHEF version 0.1 source code.
Download CCHEF version 0.2 source code.
The user manual is available as PDF file. It is also part of the distribution (doc subdirectory).
Download CCHEF user manual.
Furthermore, a tech report describing the design and implementation of CCHEF is available as PDF file.
Download CCHEF design and implementation document.