Code Augmentation for Detecting Covert Channels Targeting the IPv6 Flow Label

Information hiding is at the basis of a new-wave of malware able to elude common detection mechanisms or remain unnoticed for long periods. To this aim, a key approach exploits network covert channels, i.e., abusive communication paths nested within a legitimate traffic flow. The increasing diffusion of IPv6 makes it attractive for an attacker, especially for the presence of the Flow Label field, which can be manipulated to contain up to 20 secret bits per packet. Unfortunately, gathering data to implement a standalone detection mechanism or to support third-party security tools is a poorly generalizable process and often leads to scalability issues. This paper showcases how to take advantage of code augmentation features (i.e., the extended Berkeley Packet Filter) to detect covert channels targeting the IPv6 Flow Label. To prove its effectiveness, the proposed approach has been tested against Internet-wide traffic traces collected in the wild. Results indicate that it is possible to spot the channel while mitigating the memory footprint and the computational burden (e.g., the processed traffic is further delayed of only few nanoseconds).