OverCovert: Using Stack-Overflow Software Vulnerability to Create a Covert Channel


Full description

Saved in:
Bibliographic details
Main authors: Fatayer, Tamer S., Khattab, Sherif, Omara, Fatma A.
Format: Conference paper
Language: eng
Subjects:
Online access: Order full text
Description
Summary: Attackers exploit software vulnerabilities, such as stack overflow, heap overflow, and format string errors, to break into victim machines and implant backdoors to maintain access. They typically use obfuscation techniques, such as encryption and covert channels, to hide their command-and-control traffic and avoid detection. In this paper, we show how a vulnerable program can be used to create a covert channel that allows an entity (e.g., an attacker) to stealthily send information to another remote entity (e.g., a backdoor). The proposed covert channel, for which we coin the term OverCovert, is based on the common return-to-libc stack-overflow attack and the address space layout randomization defense. We implemented a proof-of-concept of OverCovert under Linux and evaluated its throughput sending files of different formats. We also propose and analyze techniques to improve channel undetectability and throughput.
ISSN:2157-4952
DOI:10.1109/NTMS.2011.5720645