Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Algorithm 3.2 Inner marker code receiver algorithm CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS function receive(block) offset = 0 deletion_list[1...markers] = 0 last_deletion_list[1...markers] = 0 error_list[1...markers] = 0 assumed_deletions = EXPECTED_BLOCK_SIZE − sizeof(block) foreach error_threshold in 0...MAX_ERROR_THRESHOLD do foreach pos in 1...markers do index = (MARKER_SPACE + sizeof(MARKER))·pos + MARKER_SPACE − offset deletions = check_marker(index) if deletions > assumed_deletions − offset then deletions = 0 error_list[pos] = compute_errors(index) foreach i in 1...pos do total_errors = total_errors + error_list[i] if total_errors < error_threshold then deletion_list[pos] = deletions offset = offset + deletions else pos = max(0, pos − 1) while pos > 0 and deletion_list[pos] = 0 do pos = pos − 1 if deletion_list[pos] > 0 then deletion_list[pos] = deletion_list[pos] − 1 offset = offset − 1 index = (MARKER_SPACE + sizeof(MARKER))·pos + MARKER_SPACE − offset error_list[pos] = compute_errors(index) if assumed_deletions > offset then deletion_list[markers] = assumed_deletions − offset has_converged = check_convergence(deletion_list) if has_converged and deletion_list last_deletion_list then decode_block(block, deletion_list) last_deletion_list = deletion_list deletion(s) occurred and the RS decoder can only correct N−K 2 errors. There is a trade-off between the overhead of the inner marker code and the RS code. Since covert channels have a low bit rate we also explore another trade-off between code rate and decoding time. If the number of possible combinations of symbols with deletions is reasonably small the decoder can attempt to decode the received block for each possible combination. For example, if the symbol size is 8 bits and markers are spaced 16 bits apart the receiver needs to search through 2 MD combinations where MD is the number of markers with deletions. For each combination the receiver executes the RS 57
Algorithm 3.3 Block decoding algorithm CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS function decode_block(block, deletion_list) foreach pos in 1...markers do if deletion_list[pos] > 0 then block = insert(block, pos, deletion_list[pos]) corrected = rs_decode(block, deletion_list) send_crc = get_sender_crc(block) recv_crc = compute_crc(block) if corrected ≥ assumed_deletions and recv_crc = send_crc then // return valid block decoder 3 . A valid block is found if the RS decoder is able to correct all errors and the block checksum is valid. This ‘brute-force’ decoding increases the code rate and is feasible for a small number of symbols between markers and small deletion rates. Also, if the redundancy of the RS code is much higher than needed on average a solution is found well before all combinations have been tried. Our later analysis shows that the average number of bits decoded per second is still much higher than the maximum transmission rate. 3.5 Empirical evaluation First we analyse the error rate of the different modulation schemes without reliable trans- port. We emulate the covert channel using overt traffic from different trace files and measure the resulting bit error rates. Based on the channel model presented in Section 3.3 we then compute the channel capacities and transmission rates, and compare the different modulation schemes. We also investigate the burstiness of the errors. Later we evaluate the throughput of the channel using the techniques for reliable trans- port described in the previous section. We analyse the throughput achieved for large aggregates of overt traffic taken from traces as well as for single overt flows generated by specific applications in a testbed. We compare the throughput with the channel capacity. 3.5.1 Datasets and methodology The Covert Channels Evaluation Framework (CCHEF), described in Appendix A, can emulate the use of covert channels based on overt traffic from traces. This makes it possible to evaluate the TTL covert channel with large realistic traffic aggregates that are impossible to create in a testbed. The overt traffic was taken from the traces described in 3 The maximum number of tried combinations is limited to a configurable value. 58
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 19: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?