Can you normalize the light in your office room? or: Why the fight against information hiding must be put onto a broader footing
Information hiding denotes the placement of secret information within innocent information, to hide the very existence of secret communication [4]. Information hiding in networks, called network steganography, uses hidden channels embedded in other communication channels, for example by misusing unused header fields in packets, often for an illegal purpose such as industry espionage or controlling zombie computers in a botnet. Hence, countermeasures are necessary.
Normalization is used to fight hidden channels, e.g. by setting unused header fields to zero. As there are many different header fields, different protocols, and different layers of the protocol stack, countermeasures target particular channel technologies, and are not effective in terms of overhead. Even more difficult to fight are hidden channels that do not use digital ways, such as channels that use ultrasound between two computers, of which the sender might not be connected to any network [2], variations of blinking harddisk lights or temperature differences of the processor that are sensed remotely [1]. Just as in digital communication, analog “normalization” is tailored closely to hidden channel technology.
Independent of the realization of the hidden channel, one similarity exists: the covert channel is either fed or read by a computer, and therefore changes the computer’s workings. As a consequence, a general approach to counter hidden channels should seek to detect these anomalies instead of normalizing TCP packets or the air around the computer.
The information hiding community can profit in this strive from knowledge already assembled in the organic computing community when investigating fault tolerance in autonomous (organic) systems. Their approach is to investigate which changes or anomalies in the workings of a computer, robot or system can be used as indications of impeding failures (cf. [3] as an example). In similarity to medical terms, these researchers have investigated how to identify signals in a system that can be interpreted as heart beats or health signals. Thus, deviation from normal behaviour can be detected by statistical analysis. By applying the identification schemes for heart beat and health signals from organic computing, research on hidden channel countermeasures should be able to generalize from detection of particular hidden channels to detection of the presence of some hidden channel, and thus to make a leap forward.
[1] M. Guri, M. Monitz, Y. Mirski and Y. Elovici. BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations. In Proc. 28th IEEE Computer Security Foundations Symp., pp. 276-289, 2015.
[2] M. Hanspach and M. Goetz. On Covert Acoustical Mesh Networks in Air. J. Communications 8(11):758-767, 2013.
[3] R. Maas and E. Maehle. Fault Tolerant and Adaptive Path Planning in Crowded Environments for Mobile Robots Based on Hazard Estimation via Health Signals. In Proc. Int.l. Conf. Architecture of Computing Systems (ARCS 2012), 2012.
[4] W. Mazurczyk, S. Wendzel, S. Zander, A. Houmansadr and K. Szczypiorski. Information Hiding in Communication Networks. Wiley, 2016.
Jörg Keller
Jörg Keller is a professor of computer engineering at FernUniversität in Hagen, Germany, and heads the Parallelism & VLSI group since 1996. His research interests are parallel and energy-efficient computing, security and fault-tolerance of computer systems, and web-based learning in engineering. He received MSc and PhD degrees from Saarland University, Germany, in 1989 and 1992, respectively, and spent his PostDoc phase at CWI (Netherlands Research Centre for Mathematics and Computer Science) in Amsterdam.