Hidden and under control - A survey and outlook on covert channel-internal control protocols

Network covert channels are policy-breaking and stealthy communication channels in computer networks. These channels can be used to bypass Internet censorship, to exfiltrate data without raising attention, to allow a safe and stealthy communication for members of political oppositions and for spies, to hide the communication of military units at the battlefield from the enemy, and to provide stealthy communication for today’s malware, especially for botnets. To enhance network covert channels, researchers started to add protocol headers, so called micro protocols, to hidden payload in covert channels. Such protocol headers enable fundamental features such as reliability, dynamic routing, proxy capabilities, simultaneous connections, or session management for network covert channels — features which enrich future botnet communications to become more adaptive and more stealthy than nowadays. In this survey, we provide the first overview and categorization of existing micro protocols. We compare micro protocol features and present currently uncovered research directions for these protocols. Afterwards, we discuss the significance and the existing means for micro protocol engineering. Based on our findings, we propose further research directions for micro protocols. These features include to introduce multi-layer protocol stacks, peer auto-configuration, and peer group communication based on micro protocols, as well as to develop protocol translation in order to achieve inter-connectivity for currently separated overlay networks. S. Wendzel Fraunhofer FKIE, Bonn, Germany E-mail: [email protected] J. Keller Faculty of Mathematics and Computer Science FernUniversität in Hagen, Hagen, Germany E-mail: [email protected] 2 Steffen Wendzel, Jörg Keller