Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Table 3.4: Channel capacity based on overt traffic UDP w/o seq numbers UDP with seq numbers TCP Single flow Equation 3.8 Equation 3.10 Equation 3.12 Multiple flow Equation 3.8 Equation 3.11 Equation 3.13 When encoding into single flows with available sequence numbers packet reordering does not cause errors (pR = 0) and the capacity of the TTL covert channel is: C = (1 − pL)(1 − H (pN)) . (3.10) However, if covert data is encoded in multiple simultaneous flows there may be reordering of packets between flows that cannot be detected, since sequence numbers work only on a per-flow basis. Assuming no abrupt flow ends the capacity is: C = (1 − pL)(1 − H (pR (1 − pN) + pN (1 − pR))) . (3.11) If the overt traffic has sequence numbers and is based on a reliable transport protocol (pR = 0, pL = 0) we model the channel as BSC and the capacity is: C = 1 − H (pN) . (3.12) Again, when encoding in multiple flows and assuming no deletions caused by abrupt ends of TCP flows, the capacity reduces to: C = 1 − H (pR (1 − pN) + pN (1 − pR)) . (3.13) Table 3.4 summarises the channel capacity based on single vs. multiple flow encoding for the unreliable UDP and reliable TCP transport protocols. The capacity C is always in bits per overt packet or packet pair (bits per symbol). If fS is the average frequency of packets or pairs per second the maximum transmission rate R in bits per second is: R = C · 1 fS . (3.14) For differential schemes packet loss does not only cause deletions or erasures but also substitution errors in each bit following a deletion/erasure. For example, if the AMI scheme is used to send the bit sequence “1111” in five overt packets and the third packet is lost the received bit sequence is “101”. The probability of the additional substitution errors depends on the modulation scheme. Considering all sequences of three bits it is easy to show that for AMI the probability is 1 2 pL for uniform covert data. We model this error as another BSC and replace pR above with the error rate ˜pR of the combined BSC: 51
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS ˜pR = pR (︂ 1 − pL 2 3.4 Reliable data transport )︂ + pL 2 (1 − pR) . (3.15) The maximum transmission rates based on the channel capacity can only be achieved with optimal encoding schemes. Here we first discuss encoding strategies and then present two schemes for reliable data transmission. Our motivation is to demonstrate and evaluate a reliable data transport over the TTL channel, which has a complex non-stationary bit error distribution (see Section 3.5). Many previous results for error correction schemes capable of handling deletions assumed a simple stationary uniform random error distribution. We develop two different schemes: one for channels with deletions due to overt packet loss and one for channels without deletions. No deletions occur if there is no packet loss or if packet loss can be detected by the receiver, for example by using TCP sequence numbers. Our schemes are not limited to the TTL channel. As we show in Chapter 4, they can be used for other noisy covert channels as well. 3.4.1 Channel coding techniques In general there are two types of techniques available for providing reliable data transport. In Forward Error Correction (FEC) schemes the sender adds redundancy that is used by the receiver to detect and correct errors. In Automatic Repeat Request (ARQ) schemes the sender retransmits data that the receiver has not received correctly previously. ARQ schemes require bidirectional communication since the receiver has to inform the sender about the corrupted or lost data. Hybrid approaches are also possible. ARQ schemes require a sequence number and a checksum for each data block, so that the receiver can detect corrupted or lost blocks and inform the sender. FEC schemes add error correction information to each block. If the FEC decoder can determine reliably if a block has been decoded correctly an additional checksum is not needed, but sequence numbers are still required to identify undecodable blocks. The efficiency of different techniques can be compared based on the code rate, which states the fraction of the transmitted payload data that is non-redundant. The code rate of a selective repeat ARQ scheme is: (N − H) N 1 T (︀ pE, ˆpB, N )︀ , (3.16) 52
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?