Covert Storage Channel

Incomplete Base

Structure: Simple

Description

A covert storage channel is a type of security flaw where one process secretly encodes data into a shared system resource (like a file, memory bit, or status flag), and another unauthorized process later reads that resource to extract the hidden information.

Extended Description

This vulnerability exploits the normal reuse of system memory or resources to create a hidden communication path. Instead of using a dedicated data channel, an attacker manipulates observable system properties—such as file names, registry values, or even the presence of temporary files—to store and transmit encoded messages. This turns everyday operations into a secret data pipeline that bypasses standard security controls. In practice, covert storage channels are a form of information leakage often linked to steganography or side-channel attacks. For example, a process with high privileges might write a user's password into a log file field meant only for timestamps, and a less-privileged process could then read that file. Developers must be aware that any system state readable by multiple actors can be misused in this way, requiring careful design to isolate sensitive data and audit all shared resource interactions.

Common Consequences 2

Scope: Confidentiality

Impact: Read Application Data

Covert storage channels may provide attackers with important information about the system in question.

Scope: IntegrityConfidentiality

Impact: Read Application Data

If these messages or packets are sent with unnecessary data contained within, it may tip off malicious listeners as to the process that created the message. With this information, attackers may learn any number of things, including the hardware platform, operating system, or algorithms used by the sender. This information can be of significant value to the user in launching further attacks.

Potential Mitigations 1

Phase: Implementation

Ensure that all reserved fields are set to zero before messages are sent and that no unnecessary information is included.

Demonstrative Examples 1

An excellent example of covert storage channels in a well known application is the ICMP error message echoing functionality. Due to ambiguities in the ICMP RFC, many IP implementations use the memory within the packet for storage or calculation. For this reason, certain fields of certain packets -- such as ICMP error packets which echo back parts of received messages -- may contain flaws or extra information which betrays information about the identity of the target operating system. This information is then used to build up evidence to decide the environment of the target. This is the first crucial step in determining if a given system is vulnerable to a particular flaw and what changes must be made to malicious code to mount a successful attack.

References 1

A Taxonomy of Computer Program Security Flaws, with Examples

Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi

19-11-1993

https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf(2024-11-17)

ID: REF-1431

Likelihood of Exploit

High

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Covert Channel (CWE-514)

Taxonomy Mapping

Landwehr
CLASP

Notes

MaintenanceAs of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.