Title: slackFS - resilient and persistent information hiding framework
Authors: Avinash Srinivasan; Christian Rose; Jie Wu
Addresses: Department of Cyber Science, United States Naval Academy, 597 McNair Road, Hopper Hall – Room 478, Annapolis, MD 21402, USA ' Amber Orchard Ct., Odenton, MD 21113, USA ' Department of Computer and Information Sciences, Center of Networked Computing, Temple University, SERC 362, 1925 N. 12th Street, Philadelphia, PA 19122, USA
Abstract: The ever-expanding cyberspace, driven by digital convergence, inadvertently broadens the attack surface. Savvy modern cybercriminals have embraced steganography as a key weapon. This paper introduces slackFS, a novel steganographic framework utilising file slack space for covert data concealment. Unlike prior methods focusing on individual files, slackFS hides entire filesystems, offering a structured means for data exfiltration. It ensures persistence across system reboots, robust detection resistance, portability, and minimal performance impact. Incorporating erasure-code-based fault-tolerance, slackFS enables recovery from partial loss due to accidental slack space overwriting. Prototype validation on Ubuntu 20.04 with ext4 filesystems as the cover medium and FAT16 as the hidden malicious filesystem is conducted. The study includes testing of three coding libraries and two Reed-Solomon erasure code implementations - VANDERMONDE and CAUCHY matrices - highlighting slackFS's resilience and effectiveness.
Keywords: attacker; data exfiltration; fault-tolerance; filesystem; information hiding; malicious; operating system; persistence; resilience; security; steganography.
International Journal of Security and Networks, 2024 Vol.19 No.2, pp.77 - 91
Received: 24 Feb 2024
Accepted: 09 Mar 2024
Published online: 01 Aug 2024 *