CYPRESS: Transferring Secrets in the Shadow of Visible Packets

TL;DR

CYPRESS introduces a practical, reliable covert communication framework that leverages regular network packets to transmit secret data at high speeds, bypassing security measures and evading detection.

Contribution

The paper presents CYPRESS, a novel decentralized framework for covert channels that dynamically manages multiple protocol-specific hidden communication methods.

Findings

Achieves up to 1.6MB/s secret bandwidth.

Demonstrates robustness in real-world security-sensitive scenarios.

Effectively bypasses security measures and hides attack sources.

Abstract

Network steganography and covert communication channels have been studied extensively in the past. However, prior works offer minimal practical use for their proposed techniques and are limited to specific use cases and network protocols. In this paper, we show that covert channels in networking have a much greater potential for practical secret communication than what has been discussed before. We present a covert channel framework, CYPRESS, that creates a reliable hidden communication channel by mounting packets from secret network entities on regular packets that flow through the network, effectively transmitting a separate network traffic without generating new packets for it. CYPRESS establishes a consolidated decentralized framework in which different covert channels for various protocols are defined with their custom handler code that are plugged into the system and updated on-demand to evade detection. CYPRESS then chooses at run-time how and in what order the covert channels should be used for fragmentation and hidden transmission of data. We can reach up to 1.6MB/s of secret bandwidth in a network of ten users connected to the Internet. We demonstrate the robustness and reliability of our approach in secret communication through various security-sensitive real-world experiments. Our evaluations show that network protocols provide a notable opportunity for unconventional storage and hidden transmission of data to bypass different types of security measures and to hide the source of various cyber attacks.