This work addresses the lack of formal security guarantees in existing covert communication systems (HCS), whose undetectability is often evaluated under ad hoc experimental setups and implicit adversarial assumptions. The authors formally define undetectability as the statistical indistinguishability between the observable execution traces of a system with and without covert communication. To enable rigorous analysis, they develop Maude-HCS, an executable modeling and verification framework based on the Maude language. Integrating Monte Carlo sampling, Kullback–Leibler divergence estimation, and statistical hypothesis testing, Maude-HCS supports verifiable security evaluation of complex HCS designs. Experimental validation on tunnel-based HCS instances demonstrates strong alignment between model predictions and measurements from a physical testbed, effectively quantifying the trade-offs among protocol configuration, background traffic, packet loss, and their collective impact on both undetectability and performance.

Hidden communication systems (HCS) embed covert messages within ordinary network activity to hide the presence of communication. In practice, the undetectability of an HCS is typically evaluated using ad hoc traffic statistics or specific detectors, making security claims tightly coupled to experimental setups and implicit adversarial assumptions. In this work, we formalize undetectability as the statistical indistinguishability of observable execution traces under two deployments: a baseline system without hidden communication and an HCS deployment carrying covert traffic. Undetectability is expressed as a bound on a quantitative measure of distance between the trace distributions induced by these two executions. We develop Maude-HCS, an executable modeling and analysis framework that provides a principled and executable foundation for reasoning about undetectability-performance tradeoffs in complex HCS designs. Maude-HCS allows designers to specify protocol behavior, adversary observables, and environmental assumptions, and to generate Monte Carlo samples from the induced trace distributions. We show that Maude-HCS can be used to audit claims of undetectability by estimating the true and false positive rates of a statistical test and converting these estimates into lower bounds on undetectability measures such as KL divergence. This enables systematic evaluation of detectability and its tradeoffs with performance under explicitly stated modeling assumptions. Finally, we evaluate Maude-HCS on tunneling-based HCS instantiations and validate model predictions against measurements from a physical testbed. For passive adversaries observing timing and traffic statistics, we quantify how undetectability and performance vary with protocol configuration, background traffic, and network loss, and demonstrate strong semantic alignment between model-based guarantees and empirical results.