Covert channel detection using Information Theory
This paper presents an information theory based detection framework for covert channels. We first show that the usual notion of interference does not characterize the notion of deliberate information flow of covert channels. We then show that even an enhanced notion of “iterated multivalued interference” can not capture flows with capacity lower than one bit of information per channel use. We then characterize and compute the capacity of covert channels that use control flows for a class of systems.
💡 Research Summary
The paper “Covert channel detection using Information Theory” critiques the traditional notion of interference as an inadequate model for covert channels and proposes a novel, information‑theoretic framework for detecting and quantifying such channels.
The authors begin by recalling that covert channels are illicit information flows that violate a system’s security policy: two legitimate users cooperate to misuse system functionality in order to bypass communication restrictions. Classical security models (e.g., Bell‑LaPadula) treat information leaks as “interference,” defined loosely as “what one user does can affect what another can observe.” The paper shows that this definition is orthogonal to covert channels for two reasons. First, interference does not require cooperation and can be triggered by a single transition; covert channels, by contrast, must support the transmission of arbitrarily long messages through repeated interactions. Second, interference satisfies the “small‑message criterion” (a single bit leak suffices), whereas covert channels must be capable of delivering messages of unbounded size.
To illustrate the gap, the authors present three small transition‑system examples (Figure 1, systems S₁, S₂, S₃). In S₁, user u’s action a enables v to emit a prefix of (bcc + bdc)*, establishing u→v interference, but the effect occurs only once and cannot be used for sustained communication. In S₂ the roles are reversed, yet after u performs a the system deadlocks, preventing any further exchange. In S₃ both directions can repeat, but v’s observation of a sequence of b’s does not reveal whether a full covert message has been transmitted; timing would be required to encode bits. These examples demonstrate that interference, even when iterated or multivalued, fails to capture channels whose capacity is below one bit per use.
Consequently, the authors adopt a coding‑theoretic viewpoint: a pair of users u and v is said to have a covert channel if they can simulate a memoryless discrete channel within the system. Formally, the system S is modeled as a finite transition system (Q, →, Σ, q₀) possibly equipped with probabilistic transition weights P_S(q, a, q′). Each action a ∈ Σ is associated with a unique executor (Ex) and a set of observers (Obs). By projecting S onto the observation alphabet of v (Π_v) and restricting S to the actions of u (S \ u), the classic SNNI (Strong Non‑Deterministic Non‑Interference) definition of interference is recovered: u interferes with v iff Π_v(S) ≠ Π_v(S \ u).
The new covert‑channel definition replaces the binary interference test with a quantitative capacity test. Users select an input alphabet X (actions under u’s control) and an output alphabet Y (observable actions for v). The probabilistic transition structure induces a conditional distribution P(Y|X). The channel capacity is then
C = max_{P_X} I(X;Y)
where I denotes mutual information. If C > 0, the system can convey information from u to v and thus contains a covert channel; if C = 0, no such channel exists.
The paper details how to compute C for control‑flow based covert channels. The procedure is:
- Model the target system as a probabilistic transition system.
- Identify the sets of actions that can serve as inputs for u and observable outputs for v.
- Extract the transition probabilities that map each input to each possible output, forming the matrix P(Y|X).
- Apply the Blahut‑Arimoto algorithm (or any convex‑optimization method) to find the input distribution P_X that maximizes I(X;Y).
- Evaluate C; a positive value certifies a covert channel.
An illustrative example shows a simple control‑flow channel where u’s decision to take one of two branches influences whether v later observes action b or c. The resulting P(Y|X) matrix yields a capacity of 0.5 bits per use, confirming that even sub‑one‑bit channels are detectable under the proposed framework, something interference‑based analyses would miss.
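The following added example (written for this summary, not code from the paper) carries the capacity formula C = max_{P_X} I(X;Y), the five‑step procedure above and the 0.5‑bit control‑flow example through in working code. The probabilistic transition system, its state and action names (q0…q3, a1, a2, b, c, n, tau) and all transition weights are constructed here for illustration and are not taken from the paper; the channel matrix is extracted from that system by following internal moves until v's first observable action, and capacity is then computed with the Blahut‑Arimoto iteration named in step 4. In the constructed system each branch chosen by u is, with probability 1/2, masked by a neutral action n that v also sees after the other branch, so the channel behaves like a binary erasure channel and its capacity is exactly 0.5 bits per use.

```python
"""Capacity-based covert channel test for a control-flow channel.

Added worked example; all system data below is constructed, not the paper's.
Steps mirrored: (1) probabilistic transition system, (2) input/output
alphabets, (3) extraction of P(Y|X), (4) Blahut-Arimoto, (5) positive C test.
"""
from math import exp, log, log2
from typing import Dict, List, Tuple

# Step 1: constructed probabilistic transition system, state -> [(action, next, prob)].
# u chooses a1 or a2 from q0 (its own choice carries no system probability);
# the system then makes an internal move (tau) or immediately emits what v observes.
INPUT_EDGES: Dict[str, str] = {"a1": "q1", "a2": "q2"}  # hypothetical u actions
SYSTEM: Dict[str, List[Tuple[str, str, float]]] = {
    "q1": [("tau", "q3", 0.5), ("b", "q0", 0.5)],
    "q2": [("tau", "q3", 0.5), ("c", "q0", 0.5)],
    "q3": [("n", "q0", 1.0)],  # neutral action n: observable but branch-independent
}
# Step 2: alphabets X (under u's control) and Y (observable by v).
INPUTS = ["a1", "a2"]
OUTPUTS = ["b", "c", "n"]


def first_observation(state: str, system, outputs) -> Dict[str, float]:
    """Distribution of the first action in `outputs` emitted from `state`,
    resolving internal moves recursively (assumes internal moves are acyclic)."""
    dist = {y: 0.0 for y in outputs}
    for action, nxt, prob in system[state]:
        if action in outputs:
            dist[action] += prob
        else:
            for y, p in first_observation(nxt, system, outputs).items():
                dist[y] += prob * p
    return dist


def channel_matrix(inputs, outputs, input_edges, system) -> List[List[float]]:
    """Step 3: rows indexed by x in X, columns by y in Y, entries P(y|x)."""
    rows = []
    for x in inputs:
        dist = first_observation(input_edges[x], system, outputs)
        rows.append([dist[y] for y in outputs])
    return rows


def blahut_arimoto(W, tol=1e-9, max_iter=10000) -> Tuple[float, List[float]]:
    """Step 4: capacity in bits and the maximising input distribution P_X.
    Returns the lower bound log2(sum_x p(x) c(x)), which is within `tol` of C
    once the upper bound log2(max_x c(x)) has closed the gap."""
    nx, ny = len(W), len(W[0])
    p = [1.0 / nx] * nx
    lower = 0.0
    for _ in range(max_iter):
        q = [sum(p[x] * W[x][y] for x in range(nx)) for y in range(ny)]
        c = []
        for x in range(nx):
            s = sum(W[x][y] * log(W[x][y] / q[y]) for y in range(ny) if W[x][y] > 0)
            c.append(exp(s))
        total = sum(p[x] * c[x] for x in range(nx))
        lower = log2(total)
        upper = log2(max(c))
        p = [p[x] * c[x] / total for x in range(nx)]
        if upper - lower < tol:
            break
    return lower, p


def has_covert_channel(W, eps=1e-9) -> bool:
    """Step 5: a strictly positive capacity certifies a covert channel."""
    capacity, _ = blahut_arimoto(W)
    return capacity > eps


if __name__ == "__main__":
    W = channel_matrix(INPUTS, OUTPUTS, INPUT_EDGES, SYSTEM)
    C, px = blahut_arimoto(W)
    print("P(Y|X) =", W)
    print(f"C = {C:.4f} bits/use, optimal P_X = {[round(v, 4) for v in px]}")
    print("covert channel:", has_covert_channel(W))
```

The same functions apply to any matrix P(Y|X), not only the constructed one: a channel whose rows are identical (v's observations do not depend on u's choice) yields C = 0 and no covert channel, while a noiseless binary channel yields the full 1 bit per use. Because Blahut‑Arimoto returns a lower bound that converges to C from below, comparing it against a small positive threshold rather than against exactly zero avoids declaring a channel on floating‑point noise.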
The authors acknowledge that timing channels are not covered, but note that timing can be abstracted as an additional input/output dimension, allowing the same information‑theoretic analysis to apply. They also discuss practical concerns such as state‑space explosion, suggesting abstraction techniques and statistical sampling to obtain reliable transition probabilities from logs.
In conclusion, the paper argues that interference‑based security verification is insufficient for covert‑channel detection. By framing covert channels as communication channels with measurable capacity, the authors provide a rigorous, quantitative method that can be automated for a wide class of systems. Future work is outlined: tool support for automatic extraction of transition models, extension to multi‑user and multi‑channel scenarios, and real‑time monitoring using lightweight capacity estimators.