Covert channels are unforeseen and stealthy communication channels that enable manifold adversary scenarios, such as the covert exfiltration of confidential data or the stealthy orchestration of botnets. However, they can also allow the exchange of confidential information by journalists. All covert channels described until now need to craft seemingly legitimate information flows for their information exchange, mimicking unsuspicious behavior. In this paper, we present DYST (Did You See That?), which represents a new class of covert channels we call history covert channels. History covert channels can communicate almost exclusively based on unaltered legitimate traffic created by regular nodes participating in a network. Only a negligible fraction of the covert communication process requires the transfer of actual covert channel information. We extend the current taxonomy for covert channels to show how history channels can be categorized. We theoretically analyze the characteristics of history channels and show how their configuration can be optimized for two channel implementations, called DYST-Basic and DYST-Ext. We further implement proof-of-concept code for both DYST variants and evaluate the performance (robustness, detectability, and optimization) with both simulated and real traffic. Finally, we discuss application scenarios and potential countermeasures against DYST.