
Could packet delays perhaps survive over the network?



Yes. I used both header fields and delays as covert channels in the past since I know security professionals never looked for them. I derived them by just applying a standard, covert-channel analysis on the protocol. Others have described some methods publicly:

https://defcon.org/images/defcon-10/dc-10-presentations/dc10...

https://engineering.purdue.edu/dcsl/publications/papers/2009...

The oldest methods of finding stuff like this are Kemmerer's Shared Resource Matrix (1983) for storage channels and Wray's updated characterization (1991) that were used in DOD's security certification (TCSEC). They work for hardware, too, since it's how they found cache-based, timing channels in hardware hosting the VAX Security Kernel in 1992.

http://www.cs.ucsb.edu/~sherwood/cs290/papers/covert-kemmere...

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.534....

For transport, military-grade security often mandated fixed-size, fixed-rate transmission with error handling itself not able to leak stuff. Tricky on error part, inefficient other part. A primitive software defense is to clear the storage channels while throttling and randomizing the timing of delivery. Works best on non-real-time or already-slow configurations. Idea fit for store-and-forward messaging, which was preferred for high-assurance security. Another option from 1990s high security was to have a PCI card or something running a security kernel do the actual transfer from a labeled source. As in, the source can be as malicious as it wants with it unlikely to affect the secure kernel. The kernel might prevent it, detect it, shut it down, or preserve logs for traceability. There was also the "force everything over link/network encryptor" concept to attempt to cheat. Leaves some metadata which can be mitigated or obfuscated by other means including the prior transmission method.

Hope that helps. Current work uses models or languages to track shared resources for automatically detecting storage or timing channels among other things. I'll dig some out of my collection if anyone wants them.
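The "throttle and normalize delivery" defense sketched above, as an added illustration that is not code from the thread or from any paper cited in it: a store-and-forward relay buffers whatever arrives and releases one fixed-size frame per tick, emitting dummy frames when the queue is empty. The 64-byte frame, the 10 ms release period, the 2-byte length header and the bursty sender schedule are all constructed for the demo; the receiver ends up seeing constant inter-arrival gaps and constant sizes whatever the sender did.

```python
"""Store-and-forward relay that releases fixed-size frames at a fixed rate.

Added illustration of the "throttle and normalize delivery" defense; this is
not code from the thread or from any paper cited in it.  Frame size, release
period and the sender schedule are all constructed for the demo.
"""
from dataclasses import dataclass

FRAME_SIZE = 64          # bytes on the wire per frame (assumed constant)
RELEASE_PERIOD_MS = 10   # one frame every 10 ms, whether or not data is queued
HEADER = 2               # 2-byte big-endian payload length inside each frame

# Constructed sender schedule: (arrival time in ms, payload).  Note the bursty,
# data-dependent timing and sizes that would otherwise be visible downstream.
SENDER_SCHEDULE = [(0, b"a" * 10), (3, b"b" * 100), (40, b"c" * 5)]


@dataclass
class Frame:
    t_ms: int      # release time as seen by the receiver
    data: bytes    # always exactly FRAME_SIZE bytes


def normalize(arrivals, frame_size=FRAME_SIZE, period_ms=RELEASE_PERIOD_MS):
    """Buffer arriving payloads and release one padded frame every period_ms.

    Dummy (zero-length) frames are emitted when the queue is empty, so the
    receiver's observed timing and sizes do not depend on the sender.
    """
    capacity = frame_size - HEADER
    pending = sorted(arrivals, key=lambda a: a[0])
    horizon = pending[-1][0] + period_ms   # keep ticking until all data is ingested
    queue = bytearray()
    released = []
    i = 0
    t = 0
    while t <= horizon or queue:
        # Ingest everything that has arrived by the current tick.
        while i < len(pending) and pending[i][0] <= t:
            queue += pending[i][1]
            i += 1
        chunk = bytes(queue[:capacity])
        del queue[:capacity]
        body = len(chunk).to_bytes(HEADER, "big") + chunk.ljust(capacity, b"\0")
        released.append(Frame(t, body))
        t += period_ms
    return released


def reassemble(frames):
    """Receiver side: strip the length header and padding, concatenate payloads."""
    out = bytearray()
    for f in frames:
        n = int.from_bytes(f.data[:HEADER], "big")
        out += f.data[HEADER:HEADER + n]
    return bytes(out)


def timing_jitter(times_ms):
    """Spread of inter-arrival gaps; zero means the timing carries no information."""
    gaps = [b - a for a, b in zip(times_ms, times_ms[1:])]
    return max(gaps) - min(gaps) if gaps else 0


if __name__ == "__main__":
    frames = normalize(SENDER_SCHEDULE)
    print("sender jitter (ms):  ", timing_jitter([t for t, _ in SENDER_SCHEDULE]))
    print("receiver jitter (ms):", timing_jitter([f.t_ms for f in frames]))
    print("frame sizes seen:    ", sorted({len(f.data) for f in frames}))
    dummies = sum(1 for f in frames if int.from_bytes(f.data[:HEADER], "big") == 0)
    print("frames sent:", len(frames), "dummy:", dummies)
    assert reassemble(frames) == b"".join(p for _, p in SENDER_SCHEDULE)
```

The cost is exactly what the comment calls inefficient: two of the six frames carry nothing, the 100-byte burst is delayed across three ticks, and under sustained load the queue (and latency) grows, which is why the approach fits store-and-forward messaging better than real-time links. Randomized rather than fixed release times cut the padding overhead but leave residual timing variance to analyze; the fixed-rate form is the one whose receiver-side view is provably independent of the sender.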


Interesting, please share when you’ve the time. Thanks!


Language-based Information Flow Security (2003)

http://www.cs.cornell.edu/andru/papers/jsac/sm-jsac03.pdf

Note: This is a great overview with plenty of terms you can use to find modern work. It's branching out in all these areas. Key words to use include "non-interference", "static analysis," "covert channels," "labels," "confidentiality," and "side channels."

Securing Information Flow at Runtime (2008)

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.142....

Note: Example of the language work they do to lay down foundations.

Static, Info-Flow Analysis That Handles Implicit Flows (2010)

http://www.cs.rpi.edu/~milanova/docs/csmr10.pdf

Note: This is a bit more like how you'd develop low-intervention, preventative analysis.

Static, Info-Flow Analysis on Hardware Language (2017)

https://www.cs.cornell.edu/andru/papers/trustzone/asplos17.p...

SecVerilog: Security-Typed HDL for Secure Hardware without Runtime Components (2017)

https://people.ece.cornell.edu/af433/pdf/ferraiuolo-dac-17.p...

Inline, Information-Flow Monitor for JIT-like Applications

https://www.cs.stevens.edu/~naumann/inlining/Chudnov_Informa...

Jif, Sif, and Fabric

https://www.cs.cornell.edu/jif/

Note: Used in Civitas secure voting app. Links to Sif and Fabric are down the page a bit. Note 2: You should be noticing by now that the Cornell teams (a) are pretty awesome and (b) were way ahead of most on this stuff.

Deterministically Deterring Timing Attacks in Deterland (2016)

https://pdfs.semanticscholar.org/6aa3/18e95cae5a932e330857e5...

Note: Thanks to a few events, there are piles of work on hardware ranging from individual components to whole chips. So, I'm just grabbing examples of different types. This one is on VMs in cloud.

Øzone: Efficient Execution with Zero Timing Leakage for Modern Microarchitectures (2017)

https://arxiv.org/pdf/1703.07706.pdf

Note: Dedicated execution unit.

SAFE processor

http://www.crash-safe.org/papers.html

Note: Its metadata engine can do secrecy labels. It can do a lot of policies actually. Commercially available for RISC processors as CoreGuard.

Software-based, Gate-level Information Flow Security for IoT Systems (2017)

http://rakeshk.crhc.illinois.edu/micro17_cam.pdf

Note: Throwing an attempt in that's trying to avoid secure processors. Only read abstract since I just found it. I'm always skeptical if commodity chips are involved, though. Best I've seen are hardware I.P. that reuse optimized processors sort of sitting between their cores and the decoders or RAM. Plus, multicore without shared caches or multiprocessing with each core/chip a security domain.

So, there are some different things for you. Kemmerer and Wray are definitive, older works. Sabelfeld and Myers is the best overview of new stuff. After Meltdown/Spectre, the rest is coming so fast I'm not even tracking it. I'm glad someone asked, justifying an attempt at a survey. Found some good links. :)
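The "labels" and "implicit flows" vocabulary from the language-based work listed above, as an added toy illustration that is not code from Jif, SecVerilog or any cited paper: a static checker over a tiny statement language that tracks a program-counter label so that an assignment to a public variable inside a branch guarded by secret data is rejected even when the assigned value is a constant. The two-point lattice, the tuple-encoded statement forms, the `ENV` mapping and the sample programs are all constructed for the demo.

```python
"""Tiny static information-flow checker with a program-counter (pc) label.

Added illustration of the "labels" / "implicit flows" ideas in the papers
listed above; it is not code from Jif, SecVerilog or any cited paper.  The
two-point lattice, the statement forms and the sample programs are constructed.
"""
LOW, HIGH = "L", "H"          # two-point lattice: L (public) may flow to H (secret)


def join(a, b):
    return HIGH if HIGH in (a, b) else LOW


def flows_to(src, dst):
    """Non-interference rule: secret-labelled data may never reach a public sink."""
    return src == LOW or dst == HIGH


class FlowError(Exception):
    pass


def expr_label(expr, env):
    """Label of an expression: the join of the labels of the variables it reads."""
    kind = expr[0]
    if kind == "const":
        return LOW
    if kind == "var":
        return env[expr[1]]
    if kind == "op":                      # ("op", left, right); the operator is irrelevant
        return join(expr_label(expr[1], env), expr_label(expr[2], env))
    raise ValueError(f"unknown expression {expr!r}")


def check(stmt, env, pc=LOW):
    """Reject any assignment whose source label, joined with pc, exceeds the sink.

    pc is the label of the control context: inside a branch guarded by secret
    data every assignment is an implicit flow of that secret, even 'pub := 1'.
    """
    kind = stmt[0]
    if kind == "assign":                  # ("assign", var, expr)
        _, var, expr = stmt
        src = join(pc, expr_label(expr, env))
        if not flows_to(src, env[var]):
            raise FlowError(f"{src} data reaches {var} ({env[var]}) with pc={pc}")
    elif kind in ("if", "while"):         # ("if", cond, then[, else]) / ("while", cond, body)
        _, cond, body, *rest = stmt
        inner_pc = join(pc, expr_label(cond, env))
        for s in body:
            check(s, env, inner_pc)
        for s in (rest[0] if rest else []):
            check(s, env, inner_pc)
    else:
        raise ValueError(f"unknown statement {stmt!r}")


def is_secure(program, env):
    """True when every statement type-checks against the label environment."""
    try:
        for s in program:
            check(s, env, LOW)
        return True
    except FlowError:
        return False


# Constructed examples.  ENV maps each variable to its label.
ENV = {"secret": HIGH, "h": HIGH, "pub": LOW}

PROG_SAFE = [                                            # public -> secret is allowed
    ("assign", "pub", ("op", ("var", "pub"), ("const", 1))),
    ("if", ("var", "secret"), [("assign", "h", ("var", "pub"))]),
]
PROG_EXPLICIT = [("assign", "pub", ("var", "secret"))]   # direct (explicit) leak
PROG_IMPLICIT = [                                        # leak through control flow
    ("if", ("op", ("var", "secret"), ("const", 0)),
     [("assign", "pub", ("const", 1))],
     [("assign", "pub", ("const", 0))]),
]
PROG_TIMING = [                                          # accepted: loop count leaks only
    ("while", ("var", "secret"),                         # through termination/timing,
     [("assign", "h", ("op", ("var", "h"), ("const", 1)))]),  # which this model ignores
]

if __name__ == "__main__":
    for name, prog in [("safe", PROG_SAFE), ("explicit", PROG_EXPLICIT),
                       ("implicit", PROG_IMPLICIT), ("timing", PROG_TIMING)]:
        print(f"{name:9s} accepted={is_secure(prog, ENV)}")
```

`PROG_TIMING` is the instructive case: the checker accepts it, because a termination-insensitive label system only reasons about which values end up in which variables, not how long the program runs. That gap is exactly the timing/covert-channel territory the rest of the list (Deterland, Øzone, the hardware-level flow work) addresses by other means, and it is why the two strands of work show up side by side in the survey.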


It’s comments like yours why I always check the thread after reading an article. Thank you!!


Comments like yours keep me writing them. Thank you! :)



