logo

Covert Channel

Incomplete Class
Structure: Simple
Description

A covert channel is a hidden communication path that allows data to be transmitted in a way that bypasses the system's intended security controls and monitoring.

Extended Description

Covert channels work by exploiting legitimate system features—like timing, storage patterns, or resource usage—to secretly encode and transfer information. Attackers or malicious processes use these channels to exfiltrate data, coordinate actions, or maintain persistence without triggering standard security alerts, effectively hiding in plain sight. From a developer's perspective, these channels are dangerous because the system neither authorizes nor detects the unauthorized transmission. This lack of awareness means security tools focused on network traffic or file permissions may completely miss the leak, leaving sensitive data exposed through unexpected side channels in your own application logic or platform dependencies.
Common Consequences 1
Scope: ConfidentialityAccess Control

Impact: Read Application DataBypass Protection Mechanism
Detection Methods 1
Architecture or Design ReviewSOAR Partial
According to SOAR [REF-1479], the following detection techniques may be useful: ``` Cost effective for partial coverage: ``` Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Demonstrative Examples 1

ID : DX-193

In this example, the attacker observes how long an authentication takes when the user types in the correct password.
When the attacker tries their own values, they can first try strings of various length. When they find a string of the right length, the computation will take a bit longer, because the for loop will run at least once. Additionally, with this code, the attacker can possibly learn one character of the password at a time, because when they guess the first character right, the computation will take longer than a wrong guesses. Such an attack can break even the most sophisticated password with a few hundred guesses.

Code Example:

Bad
Python
python
Note that in this example, the actual password must be handled in constant time as far as the attacker is concerned, even if the actual password is of an unusual length. This is one reason why it is good to use an algorithm that, among other things, stores a seeded cryptographic one-way hash of the password, then compare the hashes, which will always be of the same length.
References 2
A Taxonomy of Computer Program Security Flaws, with Examples
Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi
19-11-1993
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf(2024-11-17)
ID: REF-1431
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, and Rama S. Moorthy
07-2014
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx(2025-09-05)
ID: REF-1479
Modes of Introduction
Implementation
Operation
Related Attack Patterns
Related Weaknesses
ChildOf: Creation of Emergent Resource (CWE-1229)
Taxonomy Mapping
  • Landwehr
Notes
TheoreticalA covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.
MaintenanceAs of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.