Protocol Channels
Covert channel techniques are used by attackers to transfer data in a way prohibited by the security policy. There are two main categories of covert channels: timing channels and storage channels. This paper introduces a new storage channel technique called a protocol channel. A protocol channel switches between at least two protocols to send a bit combination to a destination. The main goal of a protocol channel is that packets containing covert information look identical to all other packets within a network, which makes a protocol channel hard to detect.
💡 Research Summary
The paper surveys covert channel techniques used by attackers to transmit data in violation of security policies, distinguishing between timing channels and storage channels. It then introduces a novel storage‑type covert channel called a “protocol channel.” Unlike traditional storage channels that embed hidden data in packet payloads or optional fields, a protocol channel encodes information solely by selecting among different network protocols that are already permitted in the environment. The sender maps each protocol to a binary value (for example, ICMP = 0, ARP = 1) and constructs a sequence of packets whose protocol identifiers represent the desired bit pattern. Because the packets themselves appear identical to ordinary traffic—only the protocol field changes—the channel is difficult for intrusion detection systems (IDS) or firewalls to spot.
The amount of data that can be transmitted per packet depends on the number of distinct protocols the attacker can safely employ. With two protocols, each packet carries one bit; with four protocols, each packet carries two bits, and so on. Although the raw bandwidth is low, the authors argue that the channel is sufficient for transmitting short secrets such as passwords, especially when combined with compression or custom encodings (e.g., a 5‑bit ASCII scheme with an additional parity bit, as demonstrated in their “pct” proof‑of‑concept code).
The paper also discusses practical limitations. Because only one or two bits are hidden per packet, there is no room for reliability metadata (ACKs, sequence numbers, etc.). Consequently, any normal traffic that happens to use one of the selected protocols can desynchronize the receiver, causing loss of the hidden stream. Packet fragmentation and loss pose additional problems: a fragmented packet may be received twice, duplicating the encoded bits, while a lost packet creates a “hole” in the bit stream. The authors suggest checking the IPv4 “More Fragments” flag to mitigate duplication, but they acknowledge that loss remains a critical issue.
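To make the encoding and its fragility concrete, the following added example (written for this summary, not the paper's pct code) simulates receiver-side reconstruction of a protocol channel from an ordered capture of protocol identifiers. It assumes the paper's ICMP = 0 / ARP = 1 mapping and a constructed 32-symbol alphabet with one even-parity bit per 5-bit symbol; nothing is transmitted.

```python
# Constructed mapping, following the paper's ICMP = 0, ARP = 1 example.
PROTO_TO_BIT = {"ICMP": 0, "ARP": 1}
BIT_TO_PROTO = {0: "ICMP", 1: "ARP"}
SYMBOL_BITS = 5
# Constructed 32-symbol alphabet (the paper's own 5-bit table is not on the page).
ALPHABET = "abcdefghijklmnopqrstuvwxyz .,!?-"


def encode_symbol(ch):
    """5 data bits (MSB first) plus one even-parity bit for one character."""
    idx = ALPHABET.index(ch)
    bits = [(idx >> (SYMBOL_BITS - 1 - i)) & 1 for i in range(SYMBOL_BITS)]
    bits.append(sum(bits) % 2)
    return bits


def capture_for(text):
    """Constructed capture for `text`: a list of (protocol, more_fragments)
    tuples in arrival order. Simulation only; no packets are sent."""
    return [(BIT_TO_PROTO[b], False) for ch in text for b in encode_symbol(ch)]


def decode_capture(packets):
    """Reconstruct hidden text from an ordered capture, as an analyst who knows
    the mapping would. Non-final IPv4 fragments (More Fragments set) are skipped
    so a fragmented packet counts once; other protocols are ignored; a trailing
    partial symbol is dropped. Returns (decoded_text, parity_error_count)."""
    bits = [PROTO_TO_BIT[proto] for proto, more_fragments in packets
            if proto in PROTO_TO_BIT and not more_fragments]
    frame = SYMBOL_BITS + 1
    text, errors = [], 0
    for i in range(0, len(bits) - frame + 1, frame):
        data, parity = bits[i:i + SYMBOL_BITS], bits[i + SYMBOL_BITS]
        if sum(data) % 2 != parity:
            errors += 1  # parity only catches an odd number of wrong bits per frame
        text.append(ALPHABET[int("".join(map(str, data)), 2)])
    return "".join(text), errors


if __name__ == "__main__":
    clean = capture_for("hi")
    print(decode_capture(clean))                                      # ('hi', 0)
    # A legitimate ARP packet interleaved after packet 2 shifts every later bit;
    # parity does not notice and the receiver silently desynchronizes.
    print(decode_capture(clean[:2] + [("ARP", False)] + clean[2:]))  # ('hu', 0)
    # One lost packet leaves a hole; here the parity bit flags it.
    print(decode_capture(clean[:2] + clean[3:]))                      # ('h', 1)
    # A fragmented ICMP packet seen twice: skipping the MF fragment avoids duplication.
    print(decode_capture([("ICMP", True)] + clean))                   # ('hi', 0)
```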
From a detection perspective, the channel can be exposed if the attacker uses unusual or rarely seen protocols, which would raise statistical anomalies. However, by restricting the channel to commonly used protocols and blending the traffic pattern with legitimate flows, the attacker can make detection extremely hard. Even if an analyst suspects a covert channel, reconstructing the hidden data requires knowledge of the exact protocol‑to‑bit mapping, endianness, and a complete capture of all transmitted packets—requirements that are rarely met in practice.
In conclusion, protocol channels provide a new avenue for covert communication that is harder to detect than many existing storage channels because the packets look indistinguishable from normal traffic. Nevertheless, the technique suffers from low bandwidth, synchronization fragility, and vulnerability to packet loss and fragmentation. Future work should explore error‑correction coding, multi‑protocol multiplexing, and traffic‑analysis‑based detection methods to both strengthen the channel for attackers and improve defensive capabilities for network security professionals.