Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

Capacity percentage Throughput (bits/s) 200 150 100 50 0 ● ● CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS ● ● ● ● scp A−>B scp B−>A Q3 A−>B Q3 B−>A ● ● 0.0 0.2 0.4 0.6 0.8 1.0 Packet reorder rate SSH A−>B SSH B−>A Figure 3.27: Throughput depending on the packet reordering rate with 0.1% TTL error rate and 0.1% packet loss rate 100 80 60 40 20 0 e=0, l=0,r=0 e=1e−3, l=0,r=0 e=0.1, l=0,r=0 e=1, l=0,r=0 e=0.1, l=0.1,r=0 e=0.1, l=0.5,r=0 TTL error (e), packet loss (l) and reordering (r) (%) ● ● scp Q3 SSH e=0.1, e=0.1, e=0.1, e=0.1, l=1.0,r=0 l=0.1,r=0.1 l=0.1,r=0.5 l=0.1,r=1.0 Figure 3.28: Percentage of capacity reached for the different applications and the different TTL error, packet loss and reordering rates averaged over both directions is very small and incomplete blocks at the end of experiments do not count (rounding errors). Overall, the reliable transport protocol achieves at least 50% of the capacity, except in the case of high packet reordering. Again, the results show that our reliable transport technique is more efficient for loss than reordering. The percentage of the capacity reached is 10–14% lower than in the trace file experiments due to the smaller code sizes and the higher redundancy. The smaller code size alone reduces the code rate by 5–6% given the overhead of the fixed header. The throughput is still in the order of tens of bits per second for applications with higher packet rates, such as scp or Q3 client-to-server traffic. We also investigated the variability of the covert bit rate over time (see Appendix B.10). For Q3 and SSH it is almost constant, even with packet loss and reordering. For scp the rate is relatively constant without packet loss, but with packet loss it fluctuates. 71
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS If the overt traffic is TCP Alice and Bob could use TCP sequence numbers to mitigate the effects of packet loss and reordering. Alice has to store tuples of bits sent and TCP sequence numbers in a buffer. When she detects a TCP retransmission she must re-encode the bits sent previously. Bob needs to buffer received packets and put them in the right order, according to the TCP sequence numbers before decoding. 3.6 Conclusions We analysed the characteristics of normal TTL variation from several traffic traces. We showed that normal TTL changes only occurred in less than 1% of packet pairs, but in 2–6% of the flows. The large majority of flows with changes had only two different TTL values differing by one. This noise reduces the channel capacity, but on the other hand it improves the stealth of the channel. Without normal TTL variation the covert channel would be trivial to detect. We presented several novel improved modulation schemes. Our new schemes are stealthier and can be used with passive channels. Furthermore, they provide up to 5% higher capacities than previous schemes. However, even with the improved schemes the channel is still detectable, as we will show in Chapter 7. We then proposed an information-theoretic model for the channel that can be used to determine the channel capacity based on errors caused by normal TTL variation, packet loss and packet reordering. The model is not limited to the TTL channel; it could be applied to direct storage channels in other IP header fields. We also developed techniques for reliable data transmission over the covert channel. Since the TTL noise distributions are complex and cannot be modelled easily we analysed the error rates of the different modulation schemes by emulating the covert channel using overt traffic from traces. For a minimum TTL amplitude the average error rates across all traces vary between 1 −3 and 1 −2 . Larger amplitudes reduce the error rates but also reveal the covert channel, given the characteristics of normal TTL variation. Based on the channel model and the measured error rates we estimated the capacities and transmission rates. Without packet loss and reordering the capacity is over 0.9 bits per overt packet or packet pair. But it reduces quickly with increasing packet loss and reordering. The transmission rates range from tens of bits per second up to a few kilobits per second. We carried out several experiments to evaluate the throughput of the reliable transport technique. We emulated covert channels using overt traffic from traces and simulated packet loss and reordering. With a hybrid FEC+ARQ scheme we achieved throughputs of 60% or more of the capacity, with rates of up to several hundreds of bits per second. 72
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?