A new technical paper titled “Clock-to-Clock Modulation Covert Channel” was published by researchers at University of Rennes-INSA Rennes-IETR-UMR and University of South Brittany/Lab-STICC- UMR CNRS.
Abstract
“Various Electromagnetic (EM) attacks have been developed to modulate and utilize EM emanations for covert communication, including exploiting processors, memory modules, and peripheral interfaces. The exploitation of clock systems presents unique challenges for attackers, as clocks are typically designed as output circuits with minimal susceptibility to software manipulation. Furthermore, Spread Spectrum (SS) modulated clocks pose additional difficulties since they are specifically engineered to reduce Electromagnetic Interference (EMI), exhibiting lower power levels for EM attacks. State-of-the-art Spread Spectrum Clock (SSC) covert channels depend on the precise control of the memory activities, which generates carrier signals as an imitation to a Local Oscillator (LO) behavior. In this paper, we demonstrate that an air-gap covert channel attack on SSCs can be established by leveraging the existing (unintended) coupling between an SSC and nearby clocks, a phenomenon we name Clock-to-Clock Modulation (CCM). CCM-based SSC attacks are characterized by their low complexity, as they require only basic on/off operations to control the carrier signal, without necessitating fine clock manipulation. Unlike previous approaches that rely on non-clock components, CCM represents a direct attack on the clock system itself. We propose a simulation for the observed wide band phenomenon of clock-to-clock modulation, and validate our approach through experimental implementation on an air-gapped desktop system, where we successfully manipulate Peripheral Component Interconnect (PCI) clocks to establish an air-gap covert channel. Our results demonstrate that this novel channel is capable, from a victim-running software, of transmitting 3 bits per symbol period, achieving a bit rate of 100 bit/s.”
Find the preprint technical paper here. May 2025.
Bahi, Mohamed Alla Eddine, Maria Méndez Real, Erwan Nogues, and Maxime Pelcat. “Clock-to-Clock Modulation Covert Channel.” (2025). ⟨hal-05069600⟩
Leave a Reply