Worms University of Applied Sciences, contact: wendzel (at) hs-worms (dot) de

This is an open online course on network information hiding. The course contains video material and slides that I use in my undergraduate and graduate courses at Worms University of Applied Sciences, Germany. (I recorded the videos anyway, so why shouldn't I make them public.) I also used (a part of) these slides at other universities, summer schools etc. over the years. I updated these slides over the years and will continue to do so. Feel free to use my slides in your own class. I made sure that references are using links so that you and your students can get easier access to the publications. After remaining a closed offline class for several years, this class was initially taught online in summer term 2020. However, it remains online for the future and will receive updates from time to time.

Please note that quite some content of this class is based on the book W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, K. Szczypiorski: Information Hiding in Communication Networks, WILEY-IEEE, 2016. If you are an IEEE member, you should be able to download the book for free.

YouTube Playlist for this Class

Here is a schedule for this class. Please note that some weeks contain multiple videos:

• N: relevant for Network Security class (B.Sc. level); scheduling in Moodle might differ and is correct
• M: relevant for Mobile Security class (M.Sc. level); scheduling in Moodle might differ and is correct

This chapter provides an overview of the whole class. Afterwards, fundamental terminology, taxonomy and history of information hiding will be covered. The chapter also highlights some use-cases (legitimate and criminal ones) and tells you a bit about the CUING initiative.

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, K. Szczypiorski: Information Hiding in Communication Networks, Chapters 1 and 2, WILEY-IEEE, 2016.

• Optional Papers to Read:

  • F. Petitcolas, R. Anderson, M. Kuhn: Information Hiding – A Survey, Proc. IEEE, 87(7), 1999.
  • B. Pfitzmann: Information Hiding Terminology, Proc. 1st Information Hiding Workshop, Springer, 1996.
  • E. Zielinska, W. Mazurczyk, K. Szczypiorski: Trends in Steganography, Comm. ACM, 2014.
  • K. Cabaj, L. Caviglione, W. Mazurczyk, S. Wendzel, A. Woodward, S. Zander: The New Threats of Information Hiding: the Road Ahead, IT Professional, IEEE, 2018.
  • L. Caviglione: Steg in the Wild (a list of attacks and malware using steganography or information hiding), Github repository.
  • L. Caviglione: List of Stego Tools (a list of available stego tools)

• Exercise:

  • Explain one historic method of steganography that was not explained during the lecture in a short talk in front of the other students.
  • Is there a terminological inconsistency for the terms covert channel, network covert channel, steganography and network steganography given the introduced taxonomy? If yes: explain. (Chapter 2 of W. Mazurczyk et al., 2016)
  • Can Information Hiding methods be applied to deduce cryptography keys from encryption/decryption tools? If yes: how?

First, simple methods for local (system-internal) covert channels are discussed. Second, covert channels between Docker containers and for Android are shown.

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • none for this chapter

• Optional Papers to Read:

  • W. Mazurczyk, L. Caviglione: Steganography in Modern Smartphones and Mitigation Techniques, IEEE Communications Surveys & Tutorials, Vol. 17(1), 2014.
  • J.-F. Lalande, S. Wendzel: Hiding privacy leaks in Android applications using low-attention raising covert channels, Proc. 8th ARES, Regensburg, DE, IEEE, 2013.
  • C. Krätzer, J. Dittmann: Steganography by synthesis: Can commonplace image manipulations like face morphing create plausible steganographic channels?, in Proc. 13th International Conference on Availability, Reliability and Security (ARES 2018), ACM, 2018.

• Exercise:

  • Low-attention raising covert channels (such as described in the paper by Lalande and Wendzel above) are usually linked to a small bitrate. Explain why such channels can be considered valuable especially in network environments.
  • Given the rising trend of censorship circumvention, why do you think is Information Hiding not applied by a large number of people? (And who does actually apply it?)
  • The above-mentioned paper by Krätzer et al. proposes a "modern (post 2010) steganographic communication setup". Why did the authors introduce this model? How does it differ from the classical prisoner's problem that was covered in Chapter 1?

In this chapter, you will learn how covert channels can be detected, eliminated, and limited on the basis of exemplary countermeasures. These countermeasures can be applied at different states of a system's lifetime (design-phase to operation phase). In particular, I cover the Shared Resource Matrix (SRM) methodology, Covert Flow Trees (CFT), Fuzzy Time, and the Spurious Processes Approach.

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • R. Kemmerer, P. Porras: Covert Flow Trees: A Visual Approach to Analyzing Covert Storage Channels, Trans. Software Engineering, IEEE, 1991.

• Optional Papers to Read:

  • in German: I discuss SRM, extended SRM (Gypsy SRM), CFT, the Pump, and several other fundamental anti-covert channel concepts in my book S. Wendzel: Tunnel und verdeckte Kanäle im Netz, Springer, 2012 (Chapter 6).

• Exercise:

  • Which method would you apply to eliminate/spot covert channels in the following situations:
    • The company you are working for wishes to get a certificate (e.g. a high level of EAL) for their product; the certificate requires a code-level audit that lists all possible covert storage channels.
    • You plan to design a new product (not implemented in code). You need to perform a covert channel analysis using the product’s specification.
    • Your company plans to sell a product to a military customer. The customer requires a covert timing channel audit, which you performed. However, the customer will only accept covert channels with a channel capacity below 1 bit/s.
  • How could you create a policy-breaking covert channel during your exam in order to secretly exchange answers to exam questions?
    • Link this scenario to the Prisoner’s Problem.

This chapter introduces basic methods for realizing network covert channels and their different types (active and passive covert channels, intentional and unintentional (side) channels, and direct and indirect covert channels).

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • L. Caviglione, W. Mazurczyk: Understanding Information Hiding in iOS, IEEE Computer, Vol. 48(1), 2015.

• Network Covert Channel Tools:

  • Source code of my network covert channel tools on GitHub (phcct, pct, vstt, ...)

• Exercise:

  • In the paper of the reading assignment, you will find a steganographic method called iStegSiri for iOS published by Caviglione and Mazurczyk. Explain how it works! Also, here is a news article about iStegSiri.

In this chapter, so-called hiding patterns are introduced. Patterns are a universal tool that is popular in software engineering and other disciplines, even outside of informatics. Hiding patterns are an easy way to describe and understand how data can be hidden using network covert channels. Instead of studying hundreds of separate hiding techniques, one can simply grasp all their core ideas using hiding patterns.

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • S. Wendzel, S. Zander, B. Fechner, C. Herdin: Pattern-based survey and categorization of network covert channel techniques, ACM Computing Survey (CSUR), Vol. 47(3), ACM, 2015.
  • W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr, K. Szczypiorski: Information Hiding in Communication Networks, Chapter 3, WILEY-IEEE, 2016.

• Optional Papers to Read:

  • W. Mazurczyk, S. Wendzel, K. Cabaj: Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach, in Proc. ARES, ACM, 2018.

• Exercise:

  • Get an overview of the CCEAP tool and its protocol. Work through the provided sample exercises and try to understand the provided solutions.

This chapter covers distributed hiding methods, including pattern variation, pattern hopping, protocol switching (protocol channels, protocol hopping covert channels), dynamic overlay routing for covert channels, micro protocols (covert channel internal control protocols, including their optimization), reversible data hiding (RDH), and dead drops that exploit network caches.

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • W. Mazurczyk, P. Szary, S. Wendzel and L. Caviglione: Towards Reversible Storage Network Covert Channels, in Proc. Third International Workshop on Criminal Use of Information Hiding (CUING 2019), pp. 69:1-69:8, ACM, 2019.
  • W. Mazurczyk, S. Wendzel, S. Zander et al.: Information Hiding in Communication Networks, Chapter 4, Wiley-IEEE, 2016.

• Optional Papers to Read:

  • Yarochkin, F. et al.: Towards adaptive covert communication system, in Proc. 14th IEEE Pacific Rim International Symposium on Dependable Computing. IEEE, 2008.
  • S. Wendzel, J. Keller: Hidden and Under Control, Annals of Telecommunications (ANTE), Springer, 2014.
  • S. Wendzel, J. Keller: Systematic Engineering of Control Protocols for Covert Channels, in Proc. Communications & Multimedia Security (CMS), Springer, 2012.
  • C. Krätzer, J. Dittmann, A. Lang, T. Kühne: WLAN steganography: a first practical review, in Proc. 8th Workshop on Multimedia and Security (MM&Sec), ACM, 2006.
  • S. Schmidt, W. Mazurczyk, R. Kulesza, J. Keller, C. Caviglione: Exploiting IP telephony with silence suppression for hidden data transfers, Computers & Security, Vol. 79, 2018.
  • K. Szczypiorski, I. Margasiński, W. Mazurczyk, K. Cabaj, P. Radziszewski: TrustMAS: Trusted communication platform for multi-agent systems, in Proc. OTM On the Move to Meaningful Internet Systems, Springer, 2008.

• Exercise:

  • Which pattern-based distributed hiding methods do protocol channels and protocol hopping covert channels belong to?
  • Is the micro protocol grammar shown in the slides a language-subset of the cover protocol language?
  • Have a look at the above-mentioned paper on by Schmidt et al.: How do the authors hide data in IP telephony traffic?
  • Why was it beneficial to improve the NEL phase? Why does the original NEL phase suffer from a Two-army Problem and what is a Two-army Problem?
  • In the paper referenced above by Krätzer et al. you can read about a network steganography method for IEEE 802.11 (WLAN) networks. How does it work? Can you link the hiding approach to a particular pattern?
  • How do you think that distributed hiding methods could be detected or limited? (Will be answered in the next chapter.)
  • How did the paper Covert Storage Caches using the NTP Protocol advance over previous work that uses ARP (see reading assignment above)? Why is this useful for an attacker? What are the limitations of the NTP-based approach?

Chapter 7 finally introduces methods to combat network covert channels. The chapter is separated into two parts. Part A covers selected basic methods, namely traffic normalization (preventing/limiting), three methods by Berk et al. and Cabuk et al. (detection of inter-packet times pattern), and finally, the so-called countermeasure variation. Part B introduces countermeasures that help limiting and detecting sophisticated network covert channels, namely the protocol switching covert channels and the NEL phase. These methods are the protocol (switching covert) channel-aware active warden (PCAW) and the dynamic warden.

• Video: part A, YouTube, part B, YouTube

• Slides: part A, PDF, part B, PDF

• Reading Assignment:

  • W. Mazurczyk, S. Wendzel, S. Zander et al.: Information Hiding in Communication Networks, Chapter 8, Wiley-IEEE, 2016.
  • S. Wendzel, F. Link, D. Eller, W. Mazurczyk: Detection of Size Modulation Covert Channels Using Countermeasure Variation, Journal of Universal Computer Science (J.UCS), Vol. 25(11), pp. 1396-1416, 2019.

• Optional Papers to Read:

  • S. Cabuk, C. E. Brodley, C. Shields: IP covert channel detection, Trans. Information and System Security (TISSEC) Vol. 12(4), ACM, 2009.
  • W. Mazurczyk, S. Wendzel, M. Chourib, J. Keller: Countering Adaptive Network Covert Communication with Dynamic Wardens, Future Generation Computer Systems (FGCS), Vol. 94, pp. 712-725, Elsevier, 2019.

• Exercise:

  • Install the open-source tool NeFiAS and try to detect covert channels using the inter-packet times pattern with the script kappa_IAT.sh (traffic recordings are available within the tool's repository).

First, I briefly discuss why we need replication studies and which obstacles prevent the conduction of these studies. Second, I show one study that we conducted ourselves.

• Video: YouTube

• Slides: PDF

• Optional Papers to Read:

  • S. Wendzel, L. Caviglione, W. Mazurczyk, J.-F. Lalande: Network Information Hiding and Science 2.0: Can it be a Match?, International Journal of Electronics and Telecommunications 63(2), 2017.

• Exercise:

  • Answer the following questions:
    • Why is it essential to replicate experiments?
    • What can scientists do to support experimental replications of their own work?
    • What is commonly referred to under the term Open Science?

When a new hiding technique is found, how should it be described in a way that other authors can easily access it? How to ease replication studies? How to ease the process of finding out what still needs to be done? These questions can be answered with the unified description method for network information hiding techniques explained in this chapter. Moreover do I introduce the creativity metric that helps to decide about the novelty of a research contribution.

• Video: YouTube

• Slides: PDF

• Reading Assignment:

  • S. Wendzel, W. Mazurczyk, S. Zander: Unified Description Method for Network Information Hiding Methods, Journal of Universal Computer Science (J.UCS), Vol. 22(11), 2016.

• Exercise:

  • Read the above-mentioned paper on the unified description method and answer the following questions:
    • What is the difference between the two attributes required properties of the carrier and covert channel properties?
    • Why is the attribute on control protocols not mandatory in the unified description method?
    • How does the creativity metric work together with the unified description method?

In the Internet of Things (and Cyber-physical Systems, CPS), data can either be hidden within network communications (e.g. in IoT protocols) or in can be hidden the CPS components (e.g. unused registers or states of actuators). I will discuss these methods as well as scenarios in this conference talk below. However, please note that the PDF files contain an extended scenario. I plan to update the PDF slides in the coming years as there is still quite a lot to say about this chapter.

• Video: part A, YouTube, part B, YouTube. Part B is the video of the talk S. Wendzel, G. Haas, W. Mazurczyk: Information Hiding in Cyber-physical Systems, presented during the 2nd Int. BioSTAR workshop in late May, 2017 (IEEE Security & Privacy Workshops, San José, CA)

• Slides: part A, PDF , part B, PDF

• Reading Assignment:

  • S. Wendzel, W. Mazurczyk, G. Haas: Steganography for Cyber-physical Systems, Journal of Cyber Security and Mobility (JCSM), Vol. 6(2), pp. 105-126, River Publishers, 2017.
  • A. Velinov, A. Mileva, S. Wendzel, W. Mazurczyk: Covert Channels in the MQTT-Based Internet of Things, IEEE ACCESS, 2019.
  • A Mileva, A Velinov, D Stojanov: New covert channels in Internet of Things, in Proc. Securware 2018.

• Exercise:

  • What is the difference between an intentional covert channel and an intentional side channel in a CPS? Can you name a few examples? Both terms of CPS Steganography are introduced in this paper. What was the solution proposed by this paper to combat both types of channels?
  • In this paper, I describe how an MLS-based filtering can prevent covert and side channels in CPS network communications (exemplified using smart buildings). How does this work? What are limitations?

This chapter summarizes what we have learned in the ten previous chapters. I also highlight open research problems that might support you in finding topics for a Master or even a PhD thesis.

• Video: YouTube

• Slides: PDF

• Reading Assignment: none

• Exercise: Congratulations, you made it through the whole class! Now it is time for the final (big!) exercise! Try to find a new network protocol for which there is absolutely no work available that analyzes covert channels in this protocol (use Google Scholar or any other paper search engine to find such works). Next, analyze the protocol regarding all known hiding patterns and describe all covert channels that you found using the unified description method. If you like, submit your paper to a conference (or: let me know and I can potentially link the paper at least here).

EOF