Detecting Covert Channels Through Code Augmentation
M Zuppelli;L Caviglione;M Repetto
2021
Abstract
Modern malware increasingly exploits information hiding or steganography to elude security frameworks and remain unnoticed for long periods. To this aim, a prime technique relies upon the ability to create covert channels that bypass the limits imposed by a sandbox or exfiltrate data towards a remote server. Unfortunately, detecting a covert channel is not a trivial task and often requires inspecting a composite set of information, e.g., the behavior of a piece of software or statistical indicators of network traffic. Therefore, in this paper we investigate the adoption of code augmentation features offered by the Linux kernel to gather data useful for revealing the presence of covert communications. To prove the effectiveness of the approach, we tested a lightweight program to detect covert channels targeting IPv6 conversations. Results indicate that technologies like the extended Berkeley Packet Filter can offer a foundation for frameworks that spot and mitigate covert communications.
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.