English

MeMoir: A Software-Driven Covert Channel based on Memory Usage

Cryptography and Security 2024-09-23 v1 Machine Learning

Abstract

Covert channel attacks have been continuously studied as severe threats to modern computing systems. Software-based covert channels are a typically hard-to-detect branch of these attacks, since they leverage virtual resources to establish illegitimate communication between malicious actors. In this work, we present MeMoir: a novel software-driven covert channel that, for the first time, utilizes memory usage as the medium for the channel. We implemented the new covert channel on two real-world platforms with different architectures: a general-purpose Intel x86-64-based desktop computer and an ARM64-based embedded system. Our results show that our new architecture- and hardware-agnostic covert channel is effective and achieves moderate transmission rates with very low error. Moreover, we present a real use-case for our attack where we were able to communicate information from a Hyper-V virtualized enviroment to a Windows 11 host system. In addition, we implement a machine learning-based detector that can predict whether an attack is present in the system with an accuracy of more than 95% with low false positive and false negative rates by monitoring the use of system memory. Finally, we introduce a noise-based countermeasure that effectively mitigates the attack while inducing a low power overhead in the system compared to other normal applications.

Keywords

Cite

@article{arxiv.2409.13310,
  title  = {MeMoir: A Software-Driven Covert Channel based on Memory Usage},
  author = {Jeferson Gonzalez-Gomez and Jose Alejandro Ibarra-Campos and Jesus Yamir Sandoval-Morales and Lars Bauer and Jörg Henkel},
  journal= {arXiv preprint arXiv:2409.13310},
  year   = {2024}
}
R2 v1 2026-06-28T18:51:06.320Z