What is Covert Channel Amplification? What are History Covert Channels? I tried to summarize this in a few words:

https://www.wendzel.de/misc/2026/02/28/history-cc.html

The post will be updated soon with our upcoming IFIP SEC 2026 paper.

#netsec #infosec #cybersecurity #cybersec #steganography #covertchannels #informationhiding #research

History Covert Channels and Covert Channel Amplification: An Overview

This post summarizes our works on history covert channels, i.e., covert channel amplification.

Steffen Wendzel

How to describe #steganography methods in a comparable and unified way to aid #replicability?

We combined pre-existing methodology into a single framework. New pre-print + online tool prototype (will get improved soon) on our website: https://patterns.omi.uni-ulm.de/news/

Full version of the paper and the online tool will be presented at the ARES'25 CUING workshop in August.

#replicability #steganography #covertchannels #informationhiding #infosec #cybersecurity #security #research

News

Information Hiding Patterns Project
Identifying Overlapping Ideas and Concepts of Methods that Hide Information

Scientific papers are not free from overlaps and even re-inventions that utilize a different terminology. With the ever-growing pile of published papers, scientists need to keep track of the available research, understand links and similarities between existing ideas and concepts. Steganography is the science of concealed storage and transfer of secret data. Like other scientific domains which have a multi-decade history, steganography contains sub-domains which grew partially independent, resulting in redundancy. This is why our taxonomy draws links between these sub-disciplines. On an abstract level, we show that ideas from one domain can also be found in the other, and we find a common term for such ideas.

A Generic Taxonomy for #Steganography. Published today by ACM Comp. Surveys (CSUR). Joint-work w/ W. Mazurczyk, @lucacav, A. Mileva, @Jana_Dittmann, @kraetzer, K. Lamshöft, @THB_Security_Research, L. Hartmann, J. Keller, @TN_THB and @niosat

Paper: https://dl.acm.org/doi/10.1145/3729165

#infosec #surveys #taxonomy #informationhiding #covertchannels #stego

There's supplemental material available (just scroll down on the linked page). It also features the description method for steganography techniques.

@leerayl

Being an #EnigmaProtector is the only consistent part of the job description. Tradecraft speaks volumes. The practice I usually see used is just going about your day without trying too hard to hide what you are & if they can figure things out on their own then you're both "cool enough" to know what each other really are. (After all, #CovertChannels are the best channels.) This also functions as a test of your own best practices; & if either of you wants to quit your current job, as a job interview with the other's organization.

J. Vilalonga et al., "TorKameleon: Improving Tor's Censorship Resistance With K-anonymization and Media-based Covert Channels"¹

The use of anonymity networks such as Tor and similar tools can greatly enhance the privacy and anonymity of online communications. Tor, in particular, is currently the most widely used system for ensuring anonymity on the Internet. However, recent research has shown that Tor is vulnerable to correlation attacks carried out by state-level adversaries or colluding Internet censors. Therefore, new and more effective solutions emerged to protect online anonymity. Promising results have been achieved by implementing covert channels based on media traffic in modern anonymization systems, which have proven to be a reliable and practical approach to defend against powerful traffic correlation attacks. In this paper, we present TorKameleon, a censorship evasion solution that better protects Tor users from powerful traffic correlation attacks carried out by state-level adversaries. TorKameleon can be used either as a fully integrated Tor pluggable transport or as a standalone anonymization system that uses K-anonymization and encapsulation of user traffic in covert media channels. Our main goal is to protect users from machine and deep learning correlation attacks on anonymization networks like Tor. We have developed the TorKameleon prototype and performed extensive validations to verify the accuracy and experimental performance of the proposed solution in the Tor environment, including state-of-the-art active correlation attacks. As far as we know, we are the first to develop and study a system that uses both anonymization mechanisms described above against active correlation attacks.

#arXiv #ResearchPapers #TorKameleon #Tor #CensorshipResistance #Privacy #CovertChannels
__
¹ https://arxiv.org/abs/2303.17544

TorKameleon: Improving Tor's Censorship Resistance with K-anonymization and Media-based Covert Channels

Anonymity networks like Tor significantly enhance online privacy but are vulnerable to correlation attacks by state-level adversaries. While covert channels encapsulated in media protocols, particularly WebRTC-based encapsulation, have demonstrated effectiveness against passive traffic correlation attacks, their resilience against active correlation attacks remains unexplored, and their compatibility with Tor has been limited. This paper introduces TorKameleon, a censorship evasion solution designed to protect Tor users from both passive and active correlation attacks. TorKameleon employs K-anonymization techniques to fragment and reroute traffic through multiple TorKameleon proxies, while also utilizing covert WebRTC-based channels or TLS tunnels to encapsulate user traffic.


M. Gross et al., "CPU to FPGA Power Covert Channel in FPGA-SoCs"¹

FPGA-SoCs are a popular platform for accelerating a wide range of applications due to their performance and flexibility. From a security point of view, these systems have been shown to be vulnerable to various attacks, especially side-channel attacks where an attacker can obtain the secret key of a cryptographic algorithm via laboratory measurement equipment or even remotely with sensors implemented inside the FPGA logic itself. Fortunately, a variety of countermeasures on the algorithmic level have been proposed to mitigate this threat. Beyond side-channel attacks, covert channels constitute another threat which enables communication through a hidden channel. In this work, we demonstrate the possibility of implementing a covert channel between the CPU and an FPGA by modulating the usage of the Power Distribution Network. We show that this resource is especially vulnerable since it can be easily controlled and observed, resulting in a stealthy communication and a high transmission data rate. The power usage is modulated using simple and inconspicuous instructions executed on the CPU. Additionally, we use Time-to-Digital Converter sensors to observe these power variations. The sensor circuits are programmed into the FPGA fabric using only standard logic components. Our covert channel achieves a transmission rate of up to 16.7 kbit/s combined with an error rate of 2.3%. Besides a good transmission quality, our covert channel is also stealthy and can be used as an activation function for a hardware trojan.

#IACR #ResearchPapers #FPGA-SoCs #CovertChannels #PowerDistributionNetwork #OnChipPowerSensors #HardwareTrojan
__
¹ https://eprint.iacr.org/2023/429

CPU to FPGA Power Covert Channel in FPGA-SoCs

In a new TDSC paper, my PhD student Sebastian and I show that a simple covert channel can circumvent several detection methods at once. Two of them are highly cited heuristics and two are ML methods from 2021/2022. The early access version is available here:
https://ieeexplore.ieee.org/document/10034794
#censorship #steganography #infosec #security #censorshipcircumvention #covertchannels
Weaknesses of popular and recent covert channel detection methods and a remedy

Network covert channels are applied for the secret exfiltration of confidential data, the stealthy operation of malware, and legitimate purposes, such as censorship circumvention. In recent decades, some major detection methods for network covert channels have been developed. In this paper, we investigate two highly cited detection methods for covert timing channels, namely $\epsilon$-similarity and compressibility score from Cabuk et al. (jointly cited by 930 papers and applied by thousands of researchers). We additionally analyze two recent ML-based detection methods: GAS (2022) and SnapCatch (2021). While all these detection methods must be considered valuable for the analysis of typical covert timing channels, we show that these methods are not reliable when a covert channel's behavior is slightly modified. In particular, we demonstrate that when confronted with a simple covert channel that we call $\epsilon$-$\kappa$libur, all detection methods can be circumvented or their performance can be significantly reduced although the covert channel still provides a high bitrate. In comparison to previous timing channels that circumvent these methods, $\epsilon$-$\kappa$libur is much simpler and eliminates the need of altering previously recorded traffic. Moreover, we propose an enhanced $\epsilon$-similarity that can detect the classical covert timing channel as well as $\epsilon$-$\kappa$libur.

Version 2.0.5 of my online class on network information hiding is now available (only minor updates); changelog is located at the end of the page. https://github.com/cdpxe/Network-Covert-Channels-A-University-level-Course #steganography #covertchannels #infosec #tutorial #MOOC #cybersecurity
GitHub - cdpxe/Network-Covert-Channels-A-University-level-Course: A free online class on network information hiding/steganography/covert channels.