CCHEF is a Linux-based software framework that evaluates covert channels for network protocols. It conducts empirical tests to assess the efficiency of these channels.
The de facto standard model of covert channel communication is the prison problem, in which Alice and Bob try to escape from prison by communicating secretly. Wendy, the warden, monitors their every move, leaving Alice and Bob to exchange innocent-looking messages with hidden content.
The Covert Channels Evaluation Framework (CCHEF) is quite flexible: it runs under Linux and can be used in real networks with real overt traffic. CCHEF can also emulate covert channels using overt traffic from trace files, including on a single host. This feature is essential because testing with real traffic is usually restricted to controlled testbeds, where it is impossible to generate a realistic traffic mix.
CCHEF has been designed with the ethical consideration of preventing misuse. Therefore, it makes no attempt to disguise the sender or receiver, illegally acquire superuser privileges, etc. Instead, the sender and receiver are both normal user-space applications, which keeps the focus on covert channel methods. This design choice also prevents future misuse and makes porting easier, since techniques to hide executables are operating-system dependent.
The Channel module, a central component of CCHEF, interfaces with multiple device modules. Covert data to be sent is read from the Covert In device, and received covert data is written to the Covert Out device. The Overt In/Out device taps into a stream of IP packets to be used as the carrier for covert data. On the sender side, the Channel module intercepts suitable overt packets, encodes the covert data into them, and passes each modified packet back to the device, which re-injects it into the system.
When an overt packet arrives at the receiver, the Channel module decodes any covert information and, if possible, removes the covert channel before re-injecting the packet. CCHEF also supports passive receivers that use copies of overt packets and do not delay the actual traffic. The Channel module has several sub-modules responsible for modulation, framing, reliable transport, encryption, etc. CCHEF is a powerful tool for transmitting covert information over a network from the covert sender (Alice) to the covert receiver (Bob), as seen in Figure 1. Channels in CCHEF are typically bidirectional, depending on available overt traffic.
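The data flow through the Channel module described above, emulated on a constructed in-memory trace as an added example (not CCHEF's own code). The `tag` carrier field, the one-bit-per-packet modulation and all function names are assumptions made for illustration.

```python
# Emulation of the sender/receiver data flow on a constructed trace.
# Assumption: 'tag' stands in for whatever header field a channel modulates.
TRACE = [{"id": i, "proto": "udp" if i % 3 else "icmp", "tag": 0}
         for i in range(12)]          # constructed overt packets, not real traffic

def suitable(pkt):
    """Channel-module filter: only some overt packets can act as carriers."""
    return pkt["proto"] == "udp"

def sender(trace, covert_in):
    """Encode one covert bit per suitable overt packet; pass the rest through."""
    bits, overt_out = iter(covert_in), []
    for pkt in trace:
        pkt = dict(pkt)                       # never mutate the trace itself
        if suitable(pkt):
            bit = next(bits, None)
            if bit is not None:
                pkt["tag"] = 1 + bit          # 0 = untouched, 1 = bit 0, 2 = bit 1
        overt_out.append(pkt)
    return overt_out

def receiver(packets, passive=False):
    """Decode covert bits. An active receiver restores the carrier field and
    re-injects the packet; a passive receiver only reads copies."""
    covert_out, reinjected = [], []
    for pkt in packets:
        pkt = dict(pkt)                       # passive mode works on this copy
        if suitable(pkt) and pkt["tag"]:
            covert_out.append(pkt["tag"] - 1)
            pkt["tag"] = 0                    # remove the covert channel
        if not passive:
            reinjected.append(pkt)
    return covert_out, reinjected

def evaluate(covert_in):
    """Empirical figures for one run: what arrived and at what rate."""
    got, forwarded = receiver(sender(TRACE, covert_in))
    return {"received": got,
            "bits_per_overt_packet": len(got) / len(TRACE),
            "overt_restored": forwarded == TRACE}

if __name__ == "__main__":
    print(evaluate([1, 0, 1, 1, 0]))
```

The covert rate is bounded by the number of suitable overt packets in the trace: with 8 carriers among 12 packets, a 10-bit message is truncated to 8 bits.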
Version 0.1: N/A