Conference paper Open Access

Code Augmentation for Detecting Covert Channels Targeting the IPv6 Flow Label

Caviglione, Luca; Zuppelli, Marco; Mazurczyk, Wojciech; Shaffhauser, Andreas; Repetto, Matteo

Information hiding is at the basis of a new-wave of malware able to elude common detection mechanisms or remain unnoticed for long periods. To this aim, a key approach exploits network covert channels, i.e., abusive communication paths nested within a legitimate traffic flow. The increasing diffusion of IPv6 makes it attractive for an attacker, especially for the presence of the Flow Label field, which can be manipulated to contain up to 20 secret bits per packet. Unfortunately, gathering data to implement a standalone detection mechanism or to support third-party security tools is a poorly generalizable process and often leads to scalability issues. This paper showcases how to take advantage of code augmentation features (i.e., the extended Berkeley Packet Filter) to detect covert channels targeting the IPv6 Flow Label. To prove its effectiveness, the proposed approach has been tested against Internet-wide traffic traces collected in the wild. Results indicate that it is possible to spot the channel while mitigating the computational burden and the memory footprint.

Files (530.6 kB)
Name Size
secsoft2021-3-2-1.pdf
md5:55a9bfa2c3779963c4aab5c3edb4a8eb
530.6 kB Download
8
6
views
downloads
All versions This version
Views 88
Downloads 66
Data volume 3.2 MB3.2 MB
Unique views 88
Unique downloads 66

Share

Cite as