Covert Channels in Personal Cloud Storage Services: The Case of Dropbox

Personal storage services are among the most popular applications based on the cloud computing paradigm. Therefore, the analysis of possible privacy and security issues has been a relevant part of the research agenda. However, threats arising from the adoption of information hiding techniques have been mainly neglected. From this perspective, the paper investigates how personal cloud storage services can be used to build covert channels for the stealthy exchange of information through the Internet. To have a realistic use case, we consider the Dropbox application and present the performance evaluation of two different covert communication methods. To understand the stealthiness of our approach and propose countermeasures, we also investigate some behaviors of Dropbox in a production-quality deployment.
