CYPRESS: Transferring Secrets in the Shadow of Visible Packets

Sirus Shahini, Robert Ricci

TL;DR

The paper addresses the practicality gap in network covert channels by hiding data inside existing traffic rather than generating new carrier packets. It introduces CYPRESS, a gateway-based framework that uses a Fusion-Extraction pipeline and a modular Packet Moderation Set to fragment, embed, synchronize, and recover secret data across multiple channels. Experiments show secret bandwidth up to 1.6MB/s in a ten-user network and demonstrate covert access around NAT, IP restrictions, and network segmentation, with encryption and synchronization preserving integrity. The security implication is that a defense cannot watch a single protocol field: one secret datagram may be spread across several fields and protocols, and such channels can support persistence and stealth in real-world settings.

Abstract

Network steganography and covert communication channels have been studied extensively in the past. However, prior works offer minimal practical use for their proposed techniques and are limited to specific use cases and network protocols. In this paper, we show that covert channels in networking have a much greater potential for practical secret communication than what has been discussed before. We present a covert channel framework, CYPRESS, that creates a reliable hidden communication channel by mounting packets from secret network entities on regular packets that flow through the network, effectively transmitting separate network traffic without generating new packets for it. CYPRESS establishes a consolidated decentralized framework in which different covert channels for various protocols are defined with their custom handler code that is plugged into the system and updated on demand to evade detection. CYPRESS then chooses at run-time how and in what order the covert channels should be used for fragmentation and hidden transmission of data. We can reach up to 1.6MB/s of secret bandwidth in a network of ten users connected to the Internet. We demonstrate the robustness and reliability of our approach in secret communication through various security-sensitive real-world experiments. Our evaluations show that network protocols provide a notable opportunity for unconventional storage and hidden transmission of data to bypass different types of security measures and to hide the source of various cyber attacks.

Paper Structure

This paper contains 26 sections, 2 equations, 14 figures, 1 table, 3 algorithms.

Figures (14)

  • Figure 1: High-level view of CYPRESS operation model. Secret packets stored in the transmission queue are fragmented into secret segments and transferred to the next gateway. The segments are temporarily held in a local buffer until the original packet can be reconstructed at the receiver side.
  • Figure 2: Read-Write handler pairs are defined, implemented, and then plugged into the PMS for each new carrier candidate.
  • Figure 3: High-level view of Fusion-Extraction flow.
  • Figure 4: For each potential carrier packet, at least one handler function is chosen for handling secret segments.
  • Figure 5: The sequence of the extracted secret bytes carried by $p_1$ through $p_5$. SS and SH denote a secret segment and a synchronization header, respectively. The synchronization headers have been transferred by the first, third and fourth packets.
  • ...and 9 more figures
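The figure captions above describe the mechanics at a high level: a secret packet is fragmented into secret segments (SS), interleaved with synchronization headers (SH), carried in spare fields of ordinary packets by read/write handler pairs plugged into the Packet Moderation Set, and reassembled by the receiving gateway. The block below is an added example written for this page, not code from the CYPRESS authors, that models that Fusion-Extraction flow in Python. Everything concrete in it is an assumption: the carrier fields (IP identification, TCP urgent pointer, TCP timestamp echo, DNS transaction ID), the SH layout (stream offset, total length), the resync interval, the key-derived handler choice, the integrity trailer, and the constructed sample traffic. The paper's real formats and handlers are not reproduced on this page.

```python
"""Toy Fusion-Extraction pipeline (added example; not the CYPRESS code).
A secret datagram becomes a stream of SH/SS items, the stream is cut to fit
spare header fields of carrier packets picked by pluggable handlers, and the
receiving gateway extracts, re-synchronizes and reassembles it.
All field names, layouts and the handler set are assumptions for this model."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SYNC_INTERVAL = 6   # secret bytes between two sync headers (assumed)
SH_FMT = "!HH"      # SH = (stream offset of the next SS byte, total length)
SH_LEN = struct.calcsize(SH_FMT)
TRAILER_LEN = 4     # truncated SHA-256 of the datagram, for integrity (assumed)


@dataclass
class Packet:
    proto: str
    fields: Dict[str, int]


# Handler pair = (capacity in bytes, write, read); one pair per carrier field.
Handler = Tuple[int, Callable[[Packet, bytes], None], Callable[[Packet], bytes]]


def field_handler(name: str, width: int) -> Handler:
    def write(pkt: Packet, data: bytes) -> None:      # zero-pad a short chunk
        pkt.fields[name] = int.from_bytes(data.ljust(width, b"\0"), "big")

    def read(pkt: Packet) -> bytes:
        return pkt.fields[name].to_bytes(width, "big")

    return width, write, read


# Stand-in for the Packet Moderation Set: handler pairs registered per protocol.
PMS: Dict[str, List[Handler]] = {
    "ipv4": [field_handler("identification", 2)],                  # 16-bit IP ID
    "tcp": [field_handler("urgent_pointer", 2),                     # 16-bit URG ptr
            field_handler("timestamp_echo", 4)],                    # 32-bit TSecr
    "dns": [field_handler("txid", 2)],                              # 16-bit DNS ID
}


def pick_handler(key: bytes, proto: str, carrier_index: int) -> Optional[Handler]:
    """Both gateways derive the same per-packet handler from a pre-shared key,
    so the choice can vary per packet with no in-band signalling (assumption)."""
    handlers = PMS.get(proto)
    if not handlers:
        return None
    tag = hashlib.sha256(key + proto.encode() + carrier_index.to_bytes(4, "big")).digest()
    return handlers[tag[0] % len(handlers)]


def build_stream(secret: bytes) -> bytes:
    """Interleave SH and SS: SH(0,n) SS SH(6,n) SS ... then an integrity trailer."""
    out = bytearray()
    for off in range(0, len(secret), SYNC_INTERVAL):
        out += struct.pack(SH_FMT, off, len(secret))
        out += secret[off:off + SYNC_INTERVAL]
    out += hashlib.sha256(secret).digest()[:TRAILER_LEN]
    return bytes(out)


def fuse(key: bytes, secret: bytes, traffic: List[Packet]) -> int:
    """Sender gateway: write the stream into carrier fields in place.
    Returns how many stream bytes found no carrier (0 means fully sent)."""
    stream, pos, n = build_stream(secret), 0, 0
    for pkt in traffic:
        h = pick_handler(key, pkt.proto, n)
        if h is None:
            continue                      # no handler: packet passes untouched
        n += 1
        if pos < len(stream):
            chunk = stream[pos:pos + h[0]]
            h[1](pkt, chunk)
            pos += len(chunk)
    return len(stream) - pos


def extract(key: bytes, traffic: List[Packet]) -> Optional[bytes]:
    """Receiver gateway: rebuild the stream, check every SH against the bytes
    actually buffered, verify the trailer; any loss or tampering yields None."""
    stream, n = bytearray(), 0
    for pkt in traffic:
        h = pick_handler(key, pkt.proto, n)
        if h is None:
            continue
        n += 1
        stream += h[2](pkt)
    buf, pos, total = bytearray(), 0, None
    while True:
        if pos + SH_LEN > len(stream):
            return None                   # carriers ran out before the datagram did
        off, tot = struct.unpack_from(SH_FMT, stream, pos)
        pos += SH_LEN
        total = tot if total is None else total
        if off != len(buf) or tot != total:
            return None                   # a carrier was lost, reordered or altered
        take = min(SYNC_INTERVAL, total - len(buf))
        buf += stream[pos:pos + take]
        pos += take
        if len(buf) >= total:
            break
    trailer = bytes(stream[pos:pos + TRAILER_LEN])
    if trailer != hashlib.sha256(buf).digest()[:TRAILER_LEN]:
        return None
    return bytes(buf)


def sample_traffic() -> List[Packet]:
    """Constructed stand-in for a user's ordinary browsing traffic."""
    pkts: List[Packet] = []
    for i in range(40):
        pkts.append(Packet("ipv4", {"identification": 0x1000 + i, "ttl": 64}))
        pkts.append(Packet("tcp", {"urgent_pointer": 0, "timestamp_echo": 0, "seq": 1000 + i}))
        if i % 3 == 0:
            pkts.append(Packet("dns", {"txid": 0x2A00 + i}))
        pkts.append(Packet("icmp", {"type": 8}))    # no handler: never a carrier
    return pkts


if __name__ == "__main__":
    key, secret = b"shared-gateway-key", b"GET /flag HTTP/1.0\r\n"   # constructed
    traffic = sample_traffic()
    print("unsent bytes:", fuse(key, secret, traffic))
    print("recovered:", extract(key, traffic))
    lossy = [p for i, p in enumerate(traffic) if i != 4]   # drop one carrier
    print("after loss:", extract(key, lossy))
```

Two points the model makes that the captions only state: the receiver fails closed when a carrier goes missing (the SH offset no longer matches the bytes buffered, or the trailer no longer verifies), which is the role the synchronization headers play in Figure 5; and a single datagram is spread across the IP ID, TCP urgent pointer, TCP timestamp echo and DNS ID of unrelated flows, so a monitor that baselines only one of those fields sees a fraction of the channel. Real CYPRESS picks handlers at run-time by its own logic; the keyed schedule here is only one way to keep both gateways in agreement.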