Chapter 3 Time-to-live Covert Channels - CAIA
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS
If the overt traffic is TCP, Alice and Bob could use TCP sequence numbers to mitigate the effects of packet loss and reordering. Alice has to store tuples of bits sent and TCP sequence numbers in a buffer. When she detects a TCP retransmission she must re-encode the bits she previously sent in that segment, so the retransmitted packet carries the same covert symbol. Bob needs to buffer received packets and put them in the right order, according to the TCP sequence numbers, before decoding.
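The bookkeeping just described, as an added simulation that is not part of the thesis: the two-level TTL scheme (bit 0 sent with the host's natural TTL, bit 1 with that TTL minus one), the segment size, the initial sequence number and the loss and reordering probabilities are all assumptions made for the example. Alice keeps a (sequence number, bit) buffer so that a retransmission re-encodes the same bit; Bob reassembles segments by sequence number and discards duplicates before decoding. A receiver that ignores sequence numbers is included for contrast.

```python
"""Added example: TCP sequence numbers as the ordering and retransmission
reference for a TTL covert channel.  TTL values, segment size, ISN and the
network model are assumptions, not the thesis's measurements."""
import random
from collections import deque

BASE_TTL = 64    # assumed initial TTL of Alice's host (encodes bit 0)
AMPLITUDE = 1    # assumed minimum amplitude: bit 1 = BASE_TTL - 1
SEG_LEN = 100    # assumed payload bytes per overt TCP segment
ISN = 1000       # assumed initial sequence number of the overt flow
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0] * 8   # constructed covert message


def ttl_for_bit(bit):
    return BASE_TTL - AMPLITUDE if bit else BASE_TTL


def bit_for_ttl(ttl):
    return 1 if ttl == BASE_TTL - AMPLITUDE else 0


class Alice:
    """Covert sender. `sent` is the buffer of (sequence number -> bit) tuples."""
    def __init__(self, bits):
        self.pending = deque(bits)
        self.sent = {}

    def ttl_for_segment(self, seq):
        if seq not in self.sent:            # fresh segment: consume the next bit
            if not self.pending:
                return BASE_TTL             # no covert data left: natural TTL
            self.sent[seq] = self.pending.popleft()
        return ttl_for_bit(self.sent[seq])  # retransmission: re-encode the old bit


class Bob:
    """Covert receiver: reorders by seq and drops duplicates before decoding."""
    def __init__(self):
        self.next_seq, self.buffer, self.bits = ISN, {}, []

    def receive(self, seq, ttl):
        if seq < self.next_seq or seq in self.buffer:
            return                          # duplicate of a segment already seen
        self.buffer[seq] = ttl
        while self.next_seq in self.buffer: # decode every now-contiguous segment
            self.bits.append(bit_for_ttl(self.buffer.pop(self.next_seq)))
            self.next_seq += SEG_LEN


class NaiveBob:
    """Receiver that ignores sequence numbers and decodes in arrival order."""
    def __init__(self):
        self.bits = []

    def receive(self, seq, ttl):
        self.bits.append(bit_for_ttl(ttl))


def simulate(bits, receiver=Bob, loss=0.1, reorder=0.2, seed=0):
    """Emulate a lossy, reordering path; lost segments are retransmitted by TCP
    with the same sequence number, sometimes spuriously (original only delayed)."""
    rng = random.Random(seed)
    alice, bob = Alice(bits), receiver()
    to_send = deque(ISN + i * SEG_LEN for i in range(len(bits)))
    delayed = []                            # segments held back to arrive out of order
    while to_send or delayed:
        if to_send:
            seq = to_send.popleft()
            ttl = alice.ttl_for_segment(seq)
            r = rng.random()
            if r < loss:
                to_send.append(seq)         # no ACK: TCP retransmits the same seq later
                if rng.random() < 0.5:
                    delayed.append((seq, ttl))  # spurious retransmit: original was only slow
            elif r < loss + reorder:
                delayed.append((seq, ttl))  # arrives later, out of order
            else:
                bob.receive(seq, ttl)
        if delayed and (not to_send or rng.random() < 0.3):
            bob.receive(*delayed.pop(rng.randrange(len(delayed))))
    return bob.bits


if __name__ == "__main__":
    print("seq-aware receiver correct:", simulate(SAMPLE_BITS) == SAMPLE_BITS)
    print("naive receiver correct:    ",
          simulate(SAMPLE_BITS, receiver=NaiveBob) == SAMPLE_BITS)
```

Bob's duplicate test (`seq < next_seq or seq in buffer`) is what makes retransmissions harmless: because Alice re-encodes the stored bit rather than the next one, a retransmitted segment is simply a second copy of a symbol Bob either already decoded or already holds in his reorder buffer.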
3.6 Conclusions
We analysed the characteristics of normal TTL variation from several traffic traces. We showed that normal TTL changes occurred in less than 1% of packet pairs, but in 2–6% of the flows. The large majority of flows with changes had only two different TTL values, differing by one. This noise reduces the channel capacity, but on the other hand it improves the stealth of the channel: without normal TTL variation the covert channel would be trivial to detect, since any TTL change within a flow would be anomalous.
We presented several novel modulation schemes. Our new schemes are stealthier and can be used with passive channels. Furthermore, they provide up to 5% higher capacities than previous schemes. However, even with the improved schemes the channel is still detectable, as we will show in Chapter 7.
We then proposed an information-theoretic model for the channel that can be used to determine the channel capacity based on errors caused by normal TTL variation, packet loss and packet reordering. The model is not limited to the TTL channel; it could be applied to direct storage channels in other IP header fields. We also developed techniques for reliable data transmission over the covert channel.
Since the TTL noise distributions are complex and cannot be modelled easily, we analysed the error rates of the different modulation schemes by emulating the covert channel using overt traffic from traces. For a minimum TTL amplitude the average error rates across all traces vary between 10^-3 and 10^-2. Larger amplitudes reduce the error rates but also reveal the covert channel, given the characteristics of normal TTL variation.
Based on the channel model and the measured error rates we estimated the capacities and transmission rates. Without packet loss and reordering the capacity is over 0.9 bits per overt packet or packet pair, but it reduces quickly with increasing packet loss and reordering. The transmission rates range from tens of bits per second up to a few kilobits per second.
We carried out several experiments to evaluate the throughput of the reliable transport technique. We emulated covert channels using overt traffic from traces and simulated packet loss and reordering. With a hybrid FEC+ARQ scheme we achieved throughputs of 60% or more of the capacity, with rates of up to several hundred bits per second.