Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Code rate 1.0 0.8 0.6 0.4 0.2 0.0 1e−04 0.001 0.01 CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS 0 2000 4000 6000 8000 Data block size (bits) Figure 3.11: Code rates for ARQ schemes for different data block sizes and bit error rates where N is the block size in bits, H is the number of header bits and T (︀ pE, ˆpB, N )︀ is the average number of (re)transmissions depending on N, the overall bit error rate pE and a target block corruption rate ˆpB (see Appendix B.6). Figure 3.11 depicts the code rates for a very low bit error rate (e.g. wired commu- nications) and typical bit error rates of the TTL covert channel without overt packet loss and reordering, depending on the data size (N − H) for a target block corruption rate of 1% and H = 56 (sequence number, checksum and corrupted block indicator). The dashed 1e−09 lines show the theoretical channel capacities for the same bit error rates. For very low bit error rates and larger block sizes ARQ code rates are close to the channel capacity. However, for higher error rates the code rates are significantly reduced. For example, for typical error rates on the TTL channel between 1 −4 and 1 −3 the code rate reduces to between 0.6 and 0.3 although the channel capacity is close to 0.99. Therefore, FEC needs to be employed as it reduces the block corruption rate to acceptable levels with higher code rates. However, since the channel errors are bursty (see Section 3.5.4), it is not very efficient to reduce the block error rate to zero with FEC alone. We construct FEC-based schemes on top of which standard ARQ mechanisms can be used. 3.4.2 Non-deletion channels For non-deletion channels we use an existing error correcting code. Similar to the Cyclic Redundancy Check (CRC) based framing of Asynchronous Transfer Mode (ATM), we also use the code for identifying blocks in the received data. We decided to use Reed-Solomon (RS) codes because they are well understood and fast implementations are readily available. RS codes are widely used, for example by 53
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Digital Subscriber Line (DSL) and WiMax as well as on CDs, DVDs, and blue-ray discs. Furthermore, RS codes are suitable for channels with bursty errors. RS codes are block codes. A (N,K) RS code has blocks of N symbols, with N − K RS symbols appended to every K payload symbols. The maximum N depends on the size of the symbols in bits M (N ≤ 2 M − 1). An RS decoder can correct 2E + S ≤ N − K errors where E are erasures (symbols with bit errors of known position) and S are substitutions (symbols with bit errors of unknown position). The sender divides the covert data into blocks. Each block has a header with an 8-bit sequence number, which enables the receiver to identify blocks lost due to corruption. The header also contains a 32-bit CRC (CRC32) checksum computed over the header fields and data, because the RS decoder we use [177] is not able to reliably indicate if all errors were corrected in a received block. The RS encoder computes the error correction data over the sequence number, checksum and covert data, and appends it to the block. The receiver decodes blocks from the received bit stream as follows. For every new bit received it checks if N symbols are in the buffer already. If that is the case it attempts to decode a block using the RS decoder, and computes the CRC32 checksum over the corrected header and covert data. If the checksum matches the sender’s checksum the received block is valid. Otherwise the receiver removes the oldest bit from the buffer and waits for the next bit. Our protocol does not require synchronisation at the start. Any blocks sent by Alice before Bob started receiving are obviously lost, but Bob will start receiving data once the first complete block has been received. We chose CRC32 as checksum because it provides better or equal error detection than other existing 32-bit checksums [178]. At very high error rates CRC32 may be too weak, but we assume that typically our scheme is used with lower error rates. Otherwise better checksums could be used at the expense of more computational or header overhead. 3.4.3 Deletion channels A simple error-correction code is insufficient for channels with deletions because every deletion causes possible substitution errors in all following bits. Thus a decoder first has to identify where the deletions occurred and insert dummy bits. Then an existing error correcting code can be used to correct the errors caused by substitutions and dummy bits. Ratzer developed an encoding scheme based on marker codes and Low Density Parity Check (LDPC) codes [179]. Marker codes insert sequences of known bits, so-called markers, at regular positions into the stream of payload bits. In Ratzer’s scheme the inner marker code is used for re-synchronisation and the remaining substitution errors are then corrected by the outer LDPC code. He proposed probabilistic re-synchronisation (also referred to as sum-product algorithm). 54
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 15: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?