This repository contains the proof-of-concept implementation of the DYST covert channel introduced in the following article:
| Steffen Wendzel, Tobias Schmidbauer, Sebastian Zillien, Jörg Keller: DYST (Did You See That?): An Amplified Covert Channel That Points To Previously Seen Data, in: IEEE Transactions on Dependable and Secure Computing (TDSC), Vol. 22(1), 2025. |
|---|
Live mode of DYST. This mode will send a covert message via the DYST covert channel.
sudo python3 DYST.py <Covert Message File> <# of Chars> <interface> <logfile binaries> <[cr|cs]> <[trivial_single|trivial_multiple|ECC]> <CS and CR! :Broadcast Target IP> <Signal Source IP (=CS IP)> <CR:Message Log>
Covert Message File- Path to a text file containing the covert message to be sent
# of Chars- How many characters to sent at once
interface- What netwotk interface to use for the covert channel
logfile binaries- Path to the logfile for statistics (seen hashes, match percentages, timestamps, etc.)
cr|cs- What mode to use? Covert Sender or Covert Receiver
trivial|trivial_robust|ext|ext_robust|ECC- What encoding mode to use?
- trivial: DYST-Basic, waits for 100% matches for each signal, no robustness measures
- trivial_robust: Same as trivial, added robustness measures
- ext: DYST-Ext, uses checksums for faster trnsmission, no robustness measures
- ext_robust: Same as ext, added robustness measures
- ECC: Experimental DYST-ECC mode.
- What encoding mode to use?
Broadcast Target IP(CR and CS)- Target IP that the CS will use in its signal-ARP-requests.
- CR will watch for this IP to filter signals
Signal Source IP(CR only)- The IP of the covert sender, is used to filter signals
Message Log(CR only)- Path to logfile which will contain teh recieved message
sudo python3 scripts/DYST.py config/The_Shadow_Out_of_Time.txt 2 wlan0 log/CS/HomeLANcs trivial_single 192.168.2.254 2>/dev/null
sudo python3 scripts/DYST.py config/The_Shadow_Out_of_Time.txt 2 wlan0 log/CR/HomeLan cr trivial_single 192.168.2.254 192.168.2.146 log/CR/HomeLan_msg 2>/dev/null
Offline Mode to analyse pcap files for matches. Reads pcap files packet by packet and looks for matches.
For each PacketOfInterest, the match (true/false), number of PacketOfInterest, total number of packets, match percentage/count and match time is recorded.
With this we can do statistics on how often we would send out an ARP packet, either based on time or on packet count.
The tool needs the broadcast IP of the subnet from the recording to know wich packets can be seen by CS and CR.
offlineMode.py contains robustness measures while offlineMode_nonrobust.py does not.
python scripts/offlineMode.py /config/The_Shadow_Out_of_Time.txt 3 test.pcapng basic 192.168.200.255 test.out
The basic mode uses no checksums and waitss for a 100% match between hash and message
python scripts/offlineMode.py /config/The_Shadow_Out_of_Time.txt 2 test.pcapng ext 192.168.200.255 test.out 21
The extended mode uses a basic 8 bit checksum (byte alignment). The checksum contains the number of 1s in the original message, binary encoded.
python offlineMode.py <Message Input File> <Bytes per Pkt> <Pcap Input> <Mode> <Broadcast IP of Recording> <Output File> [<Match Target>]
Message Input File- Path to a text file containing the covert message to be sent
Bytes per Pkt- How many bytes/characters to be sent at once
Pcap Input- Path to a pcap file, which will be used as a base for the simulation
Modebasic: DYST-Basic modeext: DYST-Ext mode
Broadcast IP of Recording- What is the broadcast IP of the network present in the input pcap (is used to filter packets of interest)
Output File- Path to the logfile for statistics (seen hashes, match percentages, timestamps, etc.)
Match Target(ext Mode only)- How many bits to match in DYST-Ext mode before sendign a signal
The log folder contains some extracted example inter-packet delays (IPDs) in the CSV format.