TY - CHAP
T1 - Revealing Kernel Mode Covert Channels Using Virtualization
AU - Zaidenberg, Nezer
AU - Kiperberg, Michael
AU - Menachi, Eliav
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.
PY - 2026
Y1 - 2026
AB - In modern cyber-attacks, after breaching the victim’s infrastructure, the attacker must establish communication with the malware installed on the victim’s premises. Attackers try to hide this communication using covert channel techniques to avoid being revealed by intrusion detection systems. Packet reordering and timing control are popular techniques for constructing covert channels that can be applied to any protocol that employs the notion of a sequence number, e.g., TCP, RTP, SCTP, etc. Rather than modifying the packet timing or order within a single stream, we introduce and investigate the reordering of packets across multiple distinct streams. Using multiple streams to decode information makes the channel harder for detection tools to identify, since the impact on each individual stream is minimal and the covert channel emerges only from the combination of the two streams. The presented covert channel technique is protocol agnostic and can easily be implemented in kernel mode or user mode applications. Nevertheless, we introduce a technique to detect such covert channels under strict restrictions on the detection tool, which makes it feasible to implement and integrate into existing systems.
KW - Covert channel
KW - Intrusion detection system
KW - Virtualization
UR - https://www.scopus.com/pages/publications/105027844845
U2 - 10.1007/978-3-032-08890-1_20
DO - 10.1007/978-3-032-08890-1_20
M3 - Chapter
AN - SCOPUS:105027844845
T3 - Studies in Big Data
SP - 503
EP - 521
BT - Studies in Big Data
PB - Springer Science and Business Media Deutschland GmbH
ER -