Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Original: Reordered: CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS 1 2 3 4 5 6 7 8 d b 1 2 4 3 5 6 7 9 Figure 3.9: Packet reordering model parameters for an example series of packets numbers) is accessible for covert sender and receiver. It also depends on whether the channel is encoded into one or multiple overt flows. If the protocol has no sequence numbers (e.g. UDP), the covert receiver does not know which bits were lost on the channel. Hence we model packet loss as a binary deletion channel [22]. If the protocol has sequence numbers (e.g. RTP or TCP) the covert receiver knows which packets were lost, and we model this case as binary erasure channel [22]. If the protocol uses retransmissions, such as TCP, for a single overt flow all packets are eventually (re)transmitted and consequently there are no erasures. However, if covert data is encoded into multiple flows deletions may still occur. There is no guarantee that a TCP flow ends with a proper teardown sequence and there may be packets at the end of flows seen only by the covert sender but not the receiver. Packet reordering results in substitution errors if the overt traffic has no sequence numbers allowing the covert receiver to process the received packets in the correct order or if the covert channel is encoded in multiple simultaneous flows. We model packet reordering as BSC. For the BSC we need to express packet reordering as error probability. However, this does not preclude the use of a more elaborate model for packet reordering. We use the model proposed by Feng et al. that characterises reordering based on [170]: • average number of packets between reordering events r, • average reordering delay in packets d and • average reordering block size in packets b. Figure 3.9 shows an example sequence of reordered packets and the corresponding model parameters. For mapped and direct encoding schemes only bits in packets that are reordered are affected. However, for differential schemes any packet pair is affected where at least one packet is reordered, meaning there are two more potential bit errors per reordering event. Assuming uniform covert data on average every second reordered bit is wrong. Then the average error probability is: ⎧ ⎪⎨ pR = ⎪⎩ 1 d+b 2 d+b+r , mapped,direct 1 d+b+2 2 d+b+r , differential 49 r 9 8 . (3.4)
0 1 1-p L 1-p L p L p L CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS 0 ?/_ 1 p R p R 1-p R 1-p R p N p N 1-p N 1-p N Packet loss Packet reordering TTL Noise Figure 3.10: TTL channel model We model the overall channel as a cascade of the three separate channels where the leftmost channel is either a deletion channel with a symbol lost indicated by a “_” or an erasure channel with an unknown symbol value indicated by a “?” (see Figure 3.10). In the remainder of the section we derive the capacity of the overall channel. The capacity of the BSC is [22]: 0 1 C = 1 − H (p) = 1 + p · log 2 (p) + (1 − p) · log 2 (1 − p) , (3.5) where H(.) is the binary entropy. The two cascaded BSCs with error probabilities pR and pN can be replaced by a single BSC with error probability: pRN = pR (1 − pN) + pN (1 − pR) . (3.6) The exact capacity of (cascaded) deletion channels is not known, but various lower and upper bounds exist [171, 172, 173, 20, 174]. Diggavi and Grossglauser proved a lower bound of the capacity of a combined deletion/substitution channel depending on the probabilities for deletions pd and substitutions pe [175]: C ≥ max {︀ 0,1 − [︀ H (pd) + (1 − pd) H (pe) ]︀}︀ . (3.7) This bound is tighter than the more general lower bounds for the capacity of deletion/insertion/substitution channels given by Gallager and Zigangirov [171, 172, 173]. This means in any case the lower bound of the capacity of the TTL covert channel is: C ≥ max {︀ 0,1 − [︀ H (pL) + (1 − pL) H (pR (1 − pN) + pN (1 − pR)) ]︀}︀ . (3.8) If the overt traffic has sequence numbers we model packet loss as erasures. Depending on the probability of erasures ε and substitutions pe the cascade of erasure and BSC channel has a channel capacity of [176]: C = (1 − ε)(1 − H (pe)) . (3.9) 50 0 1
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11: Capacity (bits/packet) 1.00 0.95 0.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?