I have seen several academic sources mentioning covert channels in computers, such as one process sending data to another process/thread on the same machine in a way that attempts to avoid detection. Covert channel methods include, for instance, timing and resource contention. According to the Trusted Computer Security Evaluation Criteria, covert channels are

ways of transferring information from a higher classification compartment to a lower classification.

Is there an example of an actual malware having this behavior?

I am interested more in covert channels inside a single computer than network channels.

schroeder
Jacques
  • Why do you have the tag of `steganography`? Are you looking for an answer specifically about that or is it just one of the covert channels that you thought a user might use? – Neil Smithline Jul 22 '15 at 22:31
  • @NeilSmithline I was rather thinking the other way around: isn't covert channels a kind of steganography? If there was a covert-channel tag, I would have used that instead – Jacques Jul 22 '15 at 23:25
  • Steganography is hiding data in an image. Similar but not quite what you are asking about. – Neil Smithline Jul 23 '15 at 02:55

2 Answers


It depends on what you want to achieve: to hide the information that is being sent between the processes, or the fact that they are communicating. If your goal is only to obtain confidentiality, you can encrypt the information that is being sent between two or more processes.

Prior to this you need some background information on IPC (on both Windows and *NIX), a number of implemented cryptographic primitives (i.e. OpenSSL) and a protocol that actually requires two or more processes to communicate.

An example would be Stuxnet.

Sebi

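The distinction this answer draws (hiding the content versus hiding the fact of communication) is exactly where the question's "timing, resource contention" channels come in. The following is an added illustration, not code from the question or the answer: a toy covert storage channel inside one process, in the TCSEC sense, where the shared resource is a single lock. The sender makes the resource busy to signal a 1 and leaves it free to signal a 0; the receiver never receives any data object, it only probes whether the resource is free. No encryption is involved and none would help a monitor, because no message is ever "sent". The barrier that keeps the threads in lockstep, the probe counter, and the optional noise source are constructed for the example; the noise source shows the classic TCSEC-style mitigation of adding contention from an unrelated party, which corrupts the channel without touching either endpoint.

```python
import threading


def to_bits(text):
    """Text -> list of bits, most significant bit of each byte first."""
    return [int(b) for ch in text.encode() for b in format(ch, "08b")]


def from_bits(bits):
    """Inverse of to_bits; undecodable bytes are shown as U+FFFD."""
    out = bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                for i in range(0, len(bits), 8))
    return out.decode("utf-8", errors="replace")


def bit_errors(sent, received):
    """Number of positions where the received bit differs from the sent one."""
    return sum(1 for a, b in zip(sent, received) if a != b)


class LockChannel:
    """Toy covert storage channel: the only shared object is a lock.

    Each tick has three barrier phases: (1) parties that want the resource
    busy grab it, (2) the receiver probes, (3) holders release. Non-blocking
    acquires are used everywhere so two holders can never deadlock."""

    def __init__(self, parties):
        self.resource = threading.Lock()
        self.tick = threading.Barrier(parties)
        self.probes = 0  # what an auditor could count: probes of a resource never used for work

    def hold_pattern(self, pattern):
        """Make the resource busy on every tick where pattern[i] is truthy.
        The sender uses the message bits; a noise source uses its own pattern."""
        for want in pattern:
            held = want and self.resource.acquire(blocking=False)
            self.tick.wait()   # phase 1: state for this tick is set
            self.tick.wait()   # phase 2: receiver has probed
            if held:
                self.resource.release()
            self.tick.wait()   # phase 3: all releases done before the next tick

    def receive(self, n, sink):
        """Sense n bits by asking 'is the resource free?' once per tick."""
        for _ in range(n):
            self.tick.wait()
            busy = not self.resource.acquire(blocking=False)
            if not busy:
                self.resource.release()
            self.probes += 1
            sink.append(1 if busy else 0)
            self.tick.wait()
            self.tick.wait()


def transmit(text, noise=None):
    """Run sender and receiver (and optionally a noise source) as threads of
    one process and report what came out the other end."""
    bits = to_bits(text)
    ch = LockChannel(parties=3 if noise else 2)
    got = []
    threads = [threading.Thread(target=ch.hold_pattern, args=(bits,)),
               threading.Thread(target=ch.receive, args=(len(bits), got))]
    if noise:
        # Cycle the noise pattern so the third party holds the lock on chosen ticks.
        pattern = [noise[i % len(noise)] for i in range(len(bits))]
        threads.append(threading.Thread(target=ch.hold_pattern, args=(pattern,)))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"text": from_bits(got), "bits": got,
            "errors": bit_errors(bits, got), "probes": ch.probes}


if __name__ == "__main__":
    print(transmit("hi"))                       # clean channel: "hi", 0 errors
    print(transmit("hi", noise=[False, True]))  # lock busy on every other tick
```

Two things a practitioner should take from running it: the receiver's only observable action is a high rate of probes against a resource it never uses for real work (that is the kind of behaviour a host monitor can flag), and the noise source, which knows nothing about the message, drives the error rate up by forcing 1s into the channel, which is why TCSEC treats bandwidth reduction through noise or auditing as a legitimate response when a channel cannot be closed.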

Some (most) malware needs a way to contact its master (the "C&C" as "Command and Control" -- a military expression). This can be to exfiltrate some confidential data that was plundered from the affected system, or, possibly, to obtain fresh information from the C&C, e.g. more commands to execute on the target. Most of the time, the malware wishes to do so discreetly so as not to warn the victim of the malware presence. This is typical of a key logger, that captures user passwords, and normally wishes to keep on doing so, which entails NOT letting the user become aware of the key logger presence.

Covert channels are what malware uses to avoid detection from systems designed to detect anomalous traffic, often called Intrusion Detection Systems. IDS exist because malware needs to get data out discreetly.
A covert channel being by definition a matter of communication between two entities, I am not sure about what you mean by "covert channels within a single computer".

Tom Leek
  • I believe the OP is referring to covert inter-process communication, but I'm not entirely sure. – RoraΖ Jul 23 '15 at 11:49
  • @raz is correct. Given the reference the OP made, it is an inter-process channel: https://en.wikipedia.org/wiki/Covert_channel#TCSEC_criteria – schroeder Jul 23 '15 at 14:55