Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MeMoir: A Software-Driven Covert Channel based on Memory Usage

Jeferson Gonzalez-Gomez, Jose Alejandro Ibarra-Campos, Jesus Yamir Sandoval-Morales, Lars Bauer, Jörg Henkel

TL;DR

MeMoir introduces a software-driven covert channel that uses memory usage as the transmission medium, demonstrated on x86-64 and ARM64 platforms with a real VM-to-host use case in Hyper-V/WSL2. The transmitter encodes data into memory pulses using 4-bit blocks with a 4-7 Hamming ECC and 8-bit frames, while the receiver decodes via /proc/meminfo sampling, high-pass filtering, and DFT-based demodulation followed by ECC reversal. A machine-learning detector is developed to differentiate covert-channel activity from normal memory usage, achieving high accuracy (>95%) across multiple models, and a noise-based countermeasure is proposed and evaluated, effectively disrupting communication at the cost of increased power usage. The work demonstrates the practical viability of memory-usage covert channels and provides concrete detection and mitigation strategies, informing defense considerations for memory-centric side channels in modern multi-tenant systems.

Abstract

Covert channel attacks have been continuously studied as severe threats to modern computing systems. Software-based covert channels are a typically hard-to-detect branch of these attacks, since they leverage virtual resources to establish illegitimate communication between malicious actors. In this work, we present MeMoir: a novel software-driven covert channel that, for the first time, utilizes memory usage as the medium for the channel. We implemented the new covert channel on two real-world platforms with different architectures: a general-purpose Intel x86-64-based desktop computer and an ARM64-based embedded system. Our results show that our new architecture- and hardware-agnostic covert channel is effective and achieves moderate transmission rates with very low error. Moreover, we present a real use-case for our attack where we were able to communicate information from a Hyper-V virtualized enviroment to a Windows 11 host system. In addition, we implement a machine learning-based detector that can predict whether an attack is present in the system with an accuracy of more than 95% with low false positive and false negative rates by monitoring the use of system memory. Finally, we introduce a noise-based countermeasure that effectively mitigates the attack while inducing a low power overhead in the system compared to other normal applications.

MeMoir: A Software-Driven Covert Channel based on Memory Usage

TL;DR

MeMoir introduces a software-driven covert channel that uses memory usage as the transmission medium, demonstrated on x86-64 and ARM64 platforms with a real VM-to-host use case in Hyper-V/WSL2. The transmitter encodes data into memory pulses using 4-bit blocks with a 4-7 Hamming ECC and 8-bit frames, while the receiver decodes via /proc/meminfo sampling, high-pass filtering, and DFT-based demodulation followed by ECC reversal. A machine-learning detector is developed to differentiate covert-channel activity from normal memory usage, achieving high accuracy (>95%) across multiple models, and a noise-based countermeasure is proposed and evaluated, effectively disrupting communication at the cost of increased power usage. The work demonstrates the practical viability of memory-usage covert channels and provides concrete detection and mitigation strategies, informing defense considerations for memory-centric side channels in modern multi-tenant systems.

Abstract

Covert channel attacks have been continuously studied as severe threats to modern computing systems. Software-based covert channels are a typically hard-to-detect branch of these attacks, since they leverage virtual resources to establish illegitimate communication between malicious actors. In this work, we present MeMoir: a novel software-driven covert channel that, for the first time, utilizes memory usage as the medium for the channel. We implemented the new covert channel on two real-world platforms with different architectures: a general-purpose Intel x86-64-based desktop computer and an ARM64-based embedded system. Our results show that our new architecture- and hardware-agnostic covert channel is effective and achieves moderate transmission rates with very low error. Moreover, we present a real use-case for our attack where we were able to communicate information from a Hyper-V virtualized enviroment to a Windows 11 host system. In addition, we implement a machine learning-based detector that can predict whether an attack is present in the system with an accuracy of more than 95% with low false positive and false negative rates by monitoring the use of system memory. Finally, we introduce a noise-based countermeasure that effectively mitigates the attack while inducing a low power overhead in the system compared to other normal applications.
Paper Structure (18 sections, 3 equations, 6 figures, 10 tables, 1 algorithm)

This paper contains 18 sections, 3 equations, 6 figures, 10 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. MeMoir: A Novel Software-Based Covert Channel via Memory Usage
  4. Threat model
  5. Attack implementation
  6. Transmitter
  7. Receiver
  8. Detection Technique and Countermeasures
  9. ML-based Detector
  10. Countermeasure
  11. Evaluation
  12. Evaluation platforms
  13. Covert channel metrics
  14. Covert channel under background noise
  15. Real use case: VM to host communication through MeMoir in a Hyper-V environment
  16. ...and 3 more sections

Figures (6)

  • Figure 1: Overview of the new software-controlled memory-usage-based covert channel
  • Figure 2: Overview of the transmitter module
  • Figure 3: Overview of the receiver module
  • Figure 4: Overview of the detection technique
  • Figure 5: Visual demonstration of the effectiveness of the software-driven memory usage covert channel
  • ...and 1 more figures