thesis

Sneak-peek: high speed covert channels in data center networks

Abstract

With the advent of big data, modern businesses face an increasing need to store and process large volumes of sensitive customer information on the cloud. In these environments, resources are shared across a multitude of mutually untrusting tenants, increasing the propensity for data leakage. With the recent spate of high-profile data exfiltration attacks and the emergence of critical vulnerabilities such as Heartbleed and Shellshock, coupled with the increasing use of clouds in all aspects of our daily lives, this problem stands to grow further in severity. In this thesis, we present a novel network-based covert channel that can arise in the context of shared network resources in data-center environments, even in the presence of network monitors regulating flow destinations with NAC policies and VLAN-based isolation mechanisms. Through a series of experiments on diverse network hardware (including SDNs) and commercial clouds such as EC2 and Azure, we demonstrate that our network-based channel achieves orders of magnitude greater bit rates than reported in any recent literature. Furthermore, we present an information-theoretic framework to model and study the channel. Using this model, we derive an upper bound on the information rate of the channel and propose a coding scheme that nearly achieves this upper bound. Additionally, we introduce techniques to make the covert channel robust to noise, and empirically study its performance in the presence of realistic cross-traffic. Finally, we discuss several avenues for mitigation, and demonstrate the effectiveness of our schemes both empirically and mathematically.