Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Algorithm 3.1 Outer marker code receiver algorithm CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS function receive(bits) foreach bit in bits do recv_buffer = append(recv_buffer, bit) if sizeof(recv_buffer) ≥ sizeof(PREAMBLE) + MAX_OFFSET then foreach offset in 1...MAX_OFFSET do diff[offset] = difference(recv_block[offset], PREAMBLE) min_diff = min(diff) min_off = minarg(diff) if min_off = 0 and min_diff ≤ MAX_ERRORS and sizeof(recv_buffer) ≥ (EXPECTED_BLOCK_SIZE − ∆) then // return data block before preamble (if any) // remove bits from recv_buffer and continue Ratzer’s approach assumes that sender and receiver are synchronised at the beginning and approximate bit error rates are known to carry out the probabilistic re-synchronisation. The complexity of the algorithm is N 2 in time and space where N is the number of bits per block, although in practice one can often further limit the search space. Because of these limitations we developed a scheme that follows a slightly different approach. Our scheme does not necessitate an initial synchronisation of sender and receiver (not always practical) or the prior knowledge of bit error rates (generally unknown). Furthermore, the complexity of our algorithm is only M 2 in time and M in space where M is the number of markers per block (usually M ≪ N). Our novel scheme is a hierarchical marker scheme that uses two layers of markers. The sender divides the covert data into blocks. An outer marker, which acts as preamble, is sent prior to each block. The receiver detects the start of a block if the bit sequence received is similar to the preamble. The preamble must be long enough to differentiate between preambles with bit errors and block data. The sender algorithm is trivial and consists only of putting the preamble at the start of each block. Algorithm 3.1 shows the receiver algorithm for the outer marker code. The receiver appends every received bit to a temporary buffer. When there are enough bits in the buffer it computes the number of bits that differ between the received bit sequence and the pre-defined preamble for a number of offsets. If a bit sequence is detected with a difference smaller than a pre-defined threshold, differences for larger offsets are higher and the total number of bits received so far is over a minimum expected size the receiver assumes a preamble has been found. The outer marker code enables the receiver to synchronise the start of blocks. The receiver then also knows approximately how many deletions occurred in a block including the preamble. To detect the locations of the deletions inside the block an inner marker code is used. If very few preamble bits are incorrectly identified as data bits the receiver 55
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS underestimates the true number of deletions. Hence the inner marker code receiver algorithm is executed multiple times with increasing number of assumed deletions 1 . Ratzer showed that deterministic markers perform equal or better than random markers for channels with insertion/deletion rates of less than 1% [180]. We use deterministic markers as in his work. A marker is a number of zeros followed by a one, for example “001”. The sender algorithm uses an RS encoder to compute error correction data over header and payload, and then inserts an m bit marker after each n bits. The receiver first tries to identify the positions of the deletions. The algorithm per- forms a search for a plausible marker sequence with the known number of deletions in the block as constraint (see Algorithm 3.2). The bits at every assumed marker position are checked and the number of missing bits is computed. For example, if the used marker is “001” and the bits checked are “010” then one bit has been deleted between the last and the current marker. Since marker bits can be corrupted themselves the number of deleted bits computed is possibly incorrect. Hence for each marker the algorithm also computes the number of possible bit errors. For example, if the assumed marker is “010” the bit preceding this sequence must be a zero otherwise a marker bit was deleted or substituted. The variable offset keeps track of the total number of deletions identified so far. As long as the number of errors (total_errors) is below a threshold (error_threshold) the number of deletions for the current marker (deletions) is set as indicated by the assumed marker. However, since there cannot be more deletions than indicated by the outer marker code, deletions and the error are adjusted if the maximum is exceeded. If the error exceeds the threshold the algorithm backtracks assuming that mistakes were made. It backtracks to the previous marker with at least one assumed deletion, subtracts one and then resumes the forward search. How aggressively the algorithm backtracks depends on error_threshold. The search is executed multiple times with error_threshold varying from zero to the maximum value MAX_ERROR_THRESHOLD. We found the choice of MAX_ERROR_THRESHOLD is not very critical for deletion rates of 1% or less, as long as it is not chosen too small 2 . After each search the receiver attempts to decode the block, unless the search produced the same solution as before or the algorithm failed to converge. Dummy bits are inserted at the identified positions of deletions and the RS code is used to correct the dummy bits and other substitution errors (see Algorithm 3.3). RS codes correct errors on a per-symbol basis. This means when inserting dummy bits it does not matter where inside a symbol they are inserted. If the space between markers is only one symbol the RS decoder can correct the maximum N − K symbols. However, if the space between markers is multiple symbols it is unknown in which symbol(s) the 1 In the experiments we assumed a maximum of two such bit insertions. 2 We set MAX_ERROR_THRESHOLD=5 in all experiments. 56
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 17: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

Create successful ePaper yourself

Delete template?

Save as template?