Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Covert Bit 0 1 1 0 1 Overt Packet 1 2 3 4 5 6 DUB AMI TTL+∆ TTL TTL-∆ TTL TTL-∆ Figure 3.7: Comparison of differential encoding schemes for an example series of covert bits values would reveal the covert channel. This also means covert sender and receiver need to maintain per-flow state. Mapped encoding schemes are problematic in this scenario, because usually the receiver does not know the per-flow mapping of bits to TTL values a-priori. However, the receiver must know the mapping prior to decoding. For short flows the receiver may not be able to learn the mapping before a flow ends. If the overt traffic consists of many short flows, which is typical for aggregate Internet traffic, a high error rate is likely. For binary channels it is sufficient to learn the TTL value for either bit. Therefore the problem is mitigated by sending one special logical zero at the start of each flow. The receiver uses this bit to learn the mapping and then silently drops it. We refer to the modified mapped encoding schemes as MEI0 and MED0. No flow state is necessary for direct encoding schemes. However, they require that the receiver knows or periodically measures the number of hops between covert sender and receiver. Alternatively, the receiver could guess the hop count assuming it can determine whether the decoded information is valid (e.g. using checksums). 3.3 Channel capacity We now propose an information-theoretic model for the TTL channel and derive the channel capacity. The capacity is the maximum rate at which communication with arbitrary small error is possible [22]. Our model is not limited to the TTL channel, but could be used for other storage channels in the IP protocol. We model the TTL covert channel as discrete memoryless channel assuming the current output of the channel only depends on the current input and the error, but not on previous input. We assume a binary channel with one bit of covert data encoded per packet (direct, mapped) or packet pair (differential). We assume the covert data is uniform random (same probability for zeros and ones), which is the case if Alice uses encryption. The capacity of a channel is affected by channel errors. There are three possible sources of errors for the TTL covert channel: • bit substitution errors caused by normal TTL variation, 47
Capacity (bits/packet) 1.00 0.95 0.90 0.85 CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS MED BSC MED BAC(1/5) MED BAC(1/10) MED BAC(1/50) MED BAC(1/100) 1 2 3 4 5 6 Amplitude A AMI BSC AMI BAC(1/5) AMI BAC(1/10) AMI BAC(1/50) AMI BAC(1/100) Figure 3.8: Capacity of BSC and BAC with varying degree of asymmetry for the MED and AMI modulation schemes (average error rate across all traces) • deletions of bits caused by loss of overt packets and • bit substitution errors caused by reordering of overt packets. The noise caused by modification of the TTL field on the path between covert sender and receiver and path changes (see Section 3.1) causes bit substitutions on the channel. Whether the TTL noise is symmetric or asymmetric depends on the modulation technique and the error probability distribution. We model the channel with only TTL noise either as binary symmetric channel (BSC) [22] or binary asymmetric channel (BAC) [169]. The BSC is a channel with two input/output symbols where each input symbol is changed to the other with error probability p. The BAC has two input/output symbols where the first symbol is changed to the second with probability a and the second symbol is changed to the first with probability b. However, the capacity difference of BSC and BAC is small even for larger asymmetries given the typically relatively small TTL error rates. The overall error rate of BAC and BSC is identical when p = a+b 2 . If x defines the degree of asymmetry then a = 2p · x and b = 2p(1 − x). Figure 3.8 shows an example of the capacity of BSC and BAC with varying x for the MED and AMI modulation schemes averaged across all traces (see Section 3.5.2). The capacity difference between BSC and BAC is less than 0.03 bits per overt packet or packet pair, even for higher asymmetries than observed across all experiments. Also, the capacity of the BSC is always a lower bound for the capacity of the BAC. Therefore, we use the simpler BSC. How to model the impact of packet loss and reordering on the channel depends on whether the overt traffic supports the detection and/or correction of packet loss and reordering (e.g. retransmissions), assuming the related protocol information (e.g. sequence 48
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 9: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?