Chapter 3 Time-to-live Covert Channels - CAIA
Algorithm 3.3 Block decoding algorithm
function decode_block(block, deletion_list)
    foreach pos in 1...markers do
        if deletion_list[pos] > 0 then
            block = insert(block, pos, deletion_list[pos])
    corrected = rs_decode(block, deletion_list)
    send_crc = get_sender_crc(block)
    recv_crc = compute_crc(block)
    if corrected ≥ assumed_deletions and recv_crc = send_crc then
        // return valid block
decoder³. A valid block is found if the RS decoder is able to correct all errors and the block checksum is valid.
This ‘brute-force’ decoding increases the code rate and is feasible for a small number of symbols between markers and small deletion rates. Also, if the redundancy of the RS code is much higher than needed on average, a solution is found well before all combinations have been tried. Our later analysis shows that the average number of bits decoded per second is still much higher than the maximum transmission rate.
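
The brute-force step described above, as an added Python example (not code from the thesis or from CCHEF). Assumptions: a single XOR parity symbol stands in for the RS code, CRC-32 stands in for the block checksum, exactly one symbol is deleted per block, and all function names are hypothetical. It shows why the checksum is needed: the erasure decoder fills the gap at every trial position, and only the CRC identifies the correct one.

```python
import zlib

ERASED = None  # placeholder for a symbol lost in transit

def encode_block(data: bytes) -> list:
    """data || CRC-32(data) || one XOR parity symbol (stand-in for RS parity)."""
    body = data + zlib.crc32(data).to_bytes(4, "big")
    parity = 0
    for b in body:
        parity ^= b
    return list(body) + [parity]

def erasure_decode(block: list):
    """Fill a single erasure from the XOR parity; None if not correctable."""
    if block.count(ERASED) != 1:
        return None
    fill = 0
    for s in block:
        if s is not ERASED:
            fill ^= s
    return [fill if s is ERASED else s for s in block]

def crc_ok(block: list) -> bool:
    """Recompute the CRC over the data and compare with the sender's CRC."""
    body = bytes(block[:-1])  # drop the parity symbol
    return zlib.crc32(body[:-4]) == int.from_bytes(body[-4:], "big")

def brute_force_decode(received: list, block_len: int, max_tries: int = 64):
    """Try each deletion position in turn; return (data, tries) or (None, tries)."""
    if len(received) != block_len - 1:
        return None, 0  # this sketch handles exactly one deletion
    tries = 0
    for pos in range(min(block_len, max_tries)):  # cap on tried combinations
        tries += 1
        candidate = received[:pos] + [ERASED] + received[pos:]
        fixed = erasure_decode(candidate)
        if fixed is not None and crc_ok(fixed):
            return bytes(fixed[:-5]), tries  # strip CRC and parity
    return None, tries

if __name__ == "__main__":
    block = encode_block(b"TTL block 01")  # constructed sample payload
    rx = block[:2] + block[3:]             # simulate deletion of symbol 2
    print(brute_force_decode(rx, len(block)))
```
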
3.5 Empirical evaluation
First we analyse the error rate of the different modulation schemes without reliable transport. We emulate the covert channel using overt traffic from different trace files and measure the resulting bit error rates. Based on the channel model presented in Section 3.3 we then compute the channel capacities and transmission rates, and compare the different modulation schemes. We also investigate the burstiness of the errors.
Later we evaluate the throughput of the channel using the techniques for reliable transport described in the previous section. We analyse the throughput achieved for large aggregates of overt traffic taken from traces as well as for single overt flows generated by specific applications in a testbed. We compare the throughput with the channel capacity.
3.5.1 Datasets and methodology
The Covert Channels Evaluation Framework (CCHEF), described in Appendix A, can emulate the use of covert channels based on overt traffic from traces. This makes it possible to evaluate the TTL covert channel with large realistic traffic aggregates that are impossible to create in a testbed. The overt traffic was taken from the traces described in
³ The maximum number of tried combinations is limited to a configurable value.