NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-31 — Covert Channel Analysis
a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels; and
b. Estimate the maximum bandwidth of those channels.
Supplemental Guidance
Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, such as in the case of systems that contain export-controlled information and have connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems.
Practitioner Notes
Covert channels are communication paths that were never designed to carry information and that bypass the system's intended flow controls. Attackers use them to extract data or to let malware communicate, for example by encoding data in packet timing, in unused protocol fields, or in DNS queries. This control requires analyzing your systems for such hidden channels and estimating how much data they could carry.
Example 1: Conduct a covert channel analysis during system development or major upgrades. Identify shared resources (memory, storage, network buffers) where information could leak between processes at different security levels. Document findings in your System Security Plan.
Example 2: Use network monitoring tools to look for data in unusual protocol fields — excessively long DNS queries (DNS tunneling), data encoded in ICMP payloads, or HTTP headers containing encoded information. Configure your IDS rules to alert on these patterns.
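The following script is an added example, not part of the NIST control text or any vendor product. It shows the two halves of SC-31 in working code: the detection logic from Example 2 (flagging DNS queries whose labels are unusually long or high-entropy, as DNS tunneling produces) and the bandwidth estimate from part b of the control (an observed bit rate for a flagged client/domain pair, plus a theoretical ceiling for a DNS storage channel). The log lines, the `example-tunnel.test` domain, the thresholds, and the assumptions of roughly 200 usable name characters and 5 bits per base32 character are all constructed for illustration and should be tuned against your own baseline.

```python
"""Added example for SC-31: flag DNS-tunneling indicators in query logs and
estimate the bandwidth of a suspected covert channel. Sample data, thresholds
and the 'example-tunnel.test' domain are constructed for illustration."""
import math
from collections import defaultdict

# Constructed sample DNS query log: "<unix timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
1700000000.01 10.0.0.5 www.example.com
1700000000.12 10.0.0.5 mail.example.com
1700000000.20 10.0.0.7 gezdgnbvgy3tqojqgezdgnbvgy3tqojq.t.example-tunnel.test
1700000000.41 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example-tunnel.test
1700000000.62 10.0.0.7 ha4tmnzzgy2dgmrugq4tinbvge2dsnjugqztknrvgy3q.t.example-tunnel.test
1700000000.83 10.0.0.7 jbswy3dpeb3w64tmmqqhezltmfrw4zdpnq.t.example-tunnel.test
1700000001.04 10.0.0.7 nbswy3dpfqqhizltmfrw4zdpnqqhezltmfrw4zdpnq.t.example-tunnel.test
1700000001.10 10.0.0.5 cdn.example.com
"""

# Detection thresholds (assumed values; tune against your own traffic baseline)
MAX_LABEL_LEN = 30     # a single DNS label longer than this is unusual for real hostnames
MIN_ENTROPY = 3.5      # bits per character; encoded payloads look close to random
MIN_ENTROPY_LEN = 16   # entropy is only meaningful on reasonably long labels
MIN_HITS = 3           # suspicious queries per (client, domain) before raising an alert


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or uniform strings)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Parse lines of '<ts> <client> <qname>' into (ts, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than aborting the whole analysis
        ts, client, qname = parts
        records.append((float(ts), client, qname.rstrip(".").lower()))
    return records


def registered_domain(qname: str) -> str:
    """Last two labels of the name (simplification: ignores public-suffix rules)."""
    return ".".join(qname.split(".")[-2:])


def is_suspicious_query(qname: str) -> bool:
    """True if the longest label looks like encoded payload rather than a hostname."""
    label = max(qname.split("."), key=len)
    if len(label) > MAX_LABEL_LEN:
        return True
    return len(label) >= MIN_ENTROPY_LEN and shannon_entropy(label) >= MIN_ENTROPY


def covert_channel_capacity_bps(symbols_per_second: float, bits_per_symbol: float) -> float:
    """Upper bound on covert channel bandwidth: symbol rate times bits per symbol."""
    return symbols_per_second * bits_per_symbol


def max_dns_channel_bps(queries_per_second: float, usable_chars: int = 200,
                        bits_per_char: float = 5.0) -> float:
    """Theoretical ceiling for a DNS storage channel (assumes ~200 usable name
    characters out of the 253 maximum, and base32 encoding at 5 bits/char)."""
    return covert_channel_capacity_bps(queries_per_second, usable_chars * bits_per_char)


def analyze(log_text: str):
    """Group suspicious queries by (client, registered domain) and report findings."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(log_text):
        if is_suspicious_query(qname):
            groups[(client, registered_domain(qname))].append((ts, qname))
    findings = {}
    for key, hits in groups.items():
        if len(hits) < MIN_HITS:
            continue
        hits.sort()
        payload_chars = sum(len(max(q.split("."), key=len)) for _, q in hits)
        span = hits[-1][0] - hits[0][0]
        # Observed bandwidth: assume 5 bits per base32 character over the active window
        observed_bps = (payload_chars * 5.0 / span) if span > 0 else 0.0
        findings[key] = {"queries": len(hits), "payload_chars": payload_chars,
                         "observed_bps": observed_bps}
    return findings


if __name__ == "__main__":
    for (client, domain), f in analyze(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {domain}: {f['queries']} encoded queries, "
              f"~{f['observed_bps']:.0f} bit/s observed")
    print(f"ceiling at 10 queries/s: {max_dns_channel_bps(10):.0f} bit/s")
```

Running the script alerts on client 10.0.0.7 querying `example-tunnel.test` (five encoded queries in under a second) while leaving the ordinary `example.com` lookups from 10.0.0.5 alone. The observed rate is what goes in the System Security Plan as the measured bandwidth of that channel; the `max_dns_channel_bps` ceiling is the figure to record for part b of the control when the analysis is done before any traffic exists. The same `covert_channel_capacity_bps` formula applies to timing channels by treating each timing slot as a symbol.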