An Overview of Covert Channels
E. Pennington, W. Oblitey, S. Ezekiel, J. Wolfe
Covert Channels Research Group
Computer Science Department
IUP, Indiana, PA 15705
e.j.pennington, oblitey, sezekiel, jlwolfe@iup.edu
ABSTRACT
A covert channel is any method of communication that is
used to illicitly transfer information, thus breaking the
security policy of the system. Any shared resource can
potentially be used as a covert channel. There are many
threats that modern network security must take into
account. From brute force password attacks to port
scanning, the issues, which system engineers and
administrators must worry about, increase at a faster than
normal pace. However, one of the issues that many in the
field have not paid enough attention to is covert channels.
In this paper, we present an overview of covert channels
with examples. We explore the two types of covert
channels: storage channels and timing channels. Storage
channels are more commonly used than timing channels
because they are easier to implement. Both constitute
major security threats. Covert channels can be designed
for either a single system or a network. It is important for
system engineers to understand covert channels so that
they will be able to preemptively overcome certain
security problems. We also explore the implementation
problems associated with covert channels, for example
noise. The associated topic of information hiding, which
includes steganography, is also presented.
KEY WORDS
Covert Channel, Storage Channel, Timing Channel,
Steganography, Security, and Network
1. Introduction
Until the 1980s, issues of network security rarely entered
into the minds of system engineers – that has all changed.
A system’s security now has top priority. Despite this
fact, many system programmers have overlooked the
threat of covert channels. Although they have been
around since the dawn of modern computing, they are
only now beginning to receive wider attention. To
illustrate the problem more fully, let us use an analogy.
Alice and Bob have been incarcerated and placed in two
separate jail cells. They want to coordinate an escape
plan. However, they have a small problem. All messages
that they send to each other must first be read by the
warden before being passed on. In order to be able to
coordinate their plans while at the same time keeping
them hidden from the warden, they communicate with
each other in code. Each word with an even number of
letters is read as a 1. Each word with an odd number of
letters is read as a 0. For example, if Bob sent a message
to Alice asking “Hey, what are you up to,” Alice would
interpret is as “010011.” The warden, in this case, has
been used as a covert channel [1]. Although no prisoners
would probably attempt that in real life, it works very well
as an analogy for how a covert channel operates.
According to the Department of Defense’s (DoD) Trusted
Computer System Evaluation Criteria (TSEC), “A covert
channel is any communication channel that can be
exploited by a process to transfer information in a manner
that violates the system’s security policy” [2]. There are
two different types of covert channels, known as covert
storage channels and covert timing channels, respectively.
Following this introduction, we briefly discuss storage
channels, timing channels, and the problem of noise in the
next section. The connection between steganography and
covert channels is presented in section three, and section
four is our conclusion.
2. Types of Covert Channels
In this section, we discuss the basics of covert storage
channels and covert timing channels, with examples of
each. We also present the problem of noise in covert
channels.
2.1 Storage Channels
Covert storage channels are methods of communication
that “include all vehicles that would allow the direct or
indirect writing of a storage location by one process and
the direct or indirect reading of it by another” [2]. In
other words, one process writes to a shared resource,
while another process reads from it. Storage channels can
be used between processes within a single computer or
between multiple computers across a network [3]. A good
example of a storage channel is a printing queue. The
process with higher security privileges, the sending
process, either fills up the printer queue to signal a 1 or
leaves it as it is to signal a 0. The process with lower
security privileges, the receiving process, polls the printer
queue to see whether or not it is full and determines the
value accordingly.
2.2. Timing Channels
Covert timing channels are methods of communication
that “include all vehicles that would allow one process to
signal information to another process by modulating its
own use of system resources in such a way that the
change in response time observed by the second process
would provide information” [2]. In other words, it is
essentially any method that uses a clock or measurement
of time to signal the value being sent over channel.
Similarly to storage channels, timing channels can exist
both in a single-computer setting and a network setting.
However, they are less practical in a network setting [4].
An example of a timing channel can be found in a
movable head I/O device, such as a hard disk. One
process with higher security privileges, the sending
process, has access to the entire device while another
process with lower security privileges, the receiving
process, only has access to a small portion of the device.
Requests to the device are processed serially. To signal a
1, the sending process makes a read request far away from
the section that the receiving process has access to. To
signal a 0, it does nothing. The receiving process makes a
read request within its own section and uses the time it
takes for the head to travel to the section and finish the
read request to determine the value accordingly [2].
Papers by the National Computer Security Center [5] and
Van Vleck [6] provide more examples of timing channels.
2.3. Noise in Covert Channels
One of the major problems in a successful implementation
of a covert channel is noise. “A noisy channel
intentionally or accidentally corrupts the data signal with
errors so that the information rate is slower than the data
rate” [7]. Because it is a primary problem in their
implementation, it is also the best defenses against covert
channels. If enough noise is introduced into a covert
channel, it can hinder the use of that channel. The
receiving process would have to request the same data
continuously and wait for a very high level of redundancy
before knowing that it is reliable. This process may take
many hours for a request that would only take a few clock
cycles if the channel was noise-free. Although this does
not halt the covert channel, it can considerably decrease
its speed [7].
correctly, this should not alter the image enough to be
noticeable to the human eye. However, the more data
stored in the picture, the more the picture is altered [10].
4. Conclusion
We presented an overview of covert channels, its types,
and examples of each. We also briefly discussed noise in
covert channels as well as their relation to steganography.
Our research will continue with further study in
developing covert channel detection and defense.
Acknowledgements:
The authors would like to thank the Computer Science
Department at IUP, and acknowledge the help of the
Covert Channels Research Group members, Michael
McFail, Robert Trimble, and Kathleen Reiland.
References:
[1] G. Simmons. The Prisoner’s Problem, 1983.
[2] Department of Defense. Trusted Computer System
Evaluation Criteria, 1985.
[3] M. McFail. Covert Storage Channels: A Brief
Overview. PACISE conference. Bloomsburg, PA, 2005.
[4] E. Pennington. Covert Timing Channels: A Brief
Overview. PACISE conference. Bloomsburg, PA, 2005.
[5] National Computer Security Center. A Guide to
Understanding Covert Channel Analysis of Trusted
Systems, 1993.
[6] T. Van Vleck. Multics Timing Channels. IEEE TCSP
conference. Oakland, California, 1990.
[7] N. Proctor and P. Neumann. Architectural
Implications of Covert Channels. SRI International,
1992.
[8] M. Owens. A Discussion of Covert Channels and
Steganography.” SANS Institute, 2002.
[9] K. Reiland. Steganography and Covert Channels.
PACISE conference. Bloomsburg, PA, 2005.
[10] G. Kessler. Steganography: Hiding Data Within
Data. 2001.

3. Steganography
Steganography is a method of covert communication that
relates well to covert channels. It is any method used to
conceal a secret object within another public object [8].
When employing any steganographic techniques, a cover-
file is used to hide the information. It can be a text-file,
audio, image, video, piece of software, or others [9]. A
common example of steganography is known as least
significant bit (LSB) insertion. In a 24-bit bitmap image,
the colors red, green, and blue have one byte each that
represent their intensities. A steganographer could replace
the least intense bits with the hidden message. If done