MeMoir: A Software-Driven Covert Channel based on Memory Usage

TL;DR

This paper introduces MeMoir, a novel memory-based covert channel that is effective across different architectures, demonstrates real-world attack scenarios, and proposes a machine learning detector and noise-based countermeasure.

Contribution

The work presents the first memory usage-based covert channel, implements it on multiple architectures, and develops detection and mitigation strategies.

Findings

Effective covert channel with moderate transmission rates

High detection accuracy (>95%) using machine learning

Countermeasure with low power overhead

Abstract

Covert channel attacks have been continuously studied as severe threats to modern computing systems. Software-based covert channels are a typically hard-to-detect branch of these attacks, since they leverage virtual resources to establish illegitimate communication between malicious actors. In this work, we present MeMoir: a novel software-driven covert channel that, for the first time, utilizes memory usage as the medium for the channel. We implemented the new covert channel on two real-world platforms with different architectures: a general-purpose Intel x86-64-based desktop computer and an ARM64-based embedded system. Our results show that our new architecture- and hardware-agnostic covert channel is effective and achieves moderate transmission rates with very low error. Moreover, we present a real use-case for our attack where we were able to communicate information from a Hyper-V virtualized enviroment to a Windows 11 host system. In addition, we implement a machine learning-based detector that can predict whether an attack is present in the system with an accuracy of more than 95% with low false positive and false negative rates by monitoring the use of system memory. Finally, we introduce a noise-based countermeasure that effectively mitigates the attack while inducing a low power overhead in the system compared to other normal applications.