Chapter 3 Time-to-live Covert Channels - CAIA

More documents

Recommendations

Info

CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS TTL to ‘wrap-around’ to a very low value in the 8-bit number space. It is then very likely that packets will be discarded before they reach their intended destination. DUB is problematic because there is no limit on how much TTL values are changed. Long series of zeros or ones lead to large decreases or increases including wrap-arounds. Regardless of the initial TTL value it is likely that some packets are discarded or packets could stay forever in the network during routing loops. The problem can be prevented by limiting the series length using run length encoding or scrambling. Still a warden could easily detect the channel because the modified flows likely have more than two distinct TTL values, which is uncommon for normal flows as discussed in Section 3.1. 3.2.2 New techniques We propose several new improved modulation schemes. Direct Encoding Decreasing (DED) directly encodes covert bits into TTLs, but the TTL values are always decreased. More than one bit can be encoded per packet, making the scheme tuneable towards capacity or stealth. The maximum number of bits that can be encoded per packet is: nmax = ⌊︀ log 2 (I − hmax) ⌋︀ , (3.1) where I is the original TTL at the covert sender, hmax is the upper bound on the number of hops between covert sender and overt receiver and ⌊.⌋ denotes the floor operation. The sender encodes covert information by setting the TTL to: TTLS = TTL − (︀ (LSB(TTL,nmax) − b) mod 2 nmax )︀ , (3.2) where LSB(TTL,nmax) is the integer value of the least significant nmax bits of the original TTL and b is the integer value of nmax bits of covert data. Assuming a packet traverses h hops the TTL at the receiver is TTLR = TTLS − h. The covert data is decoded as: b = LSB(TTLR + hR,nmax) , (3.3) where hR is the hop count known by the receiver and without channel errors hR = h. Mapped Encoding Decreasing (MED) encodes the covert information using two sym- bols: low-TTL signals a logical zero whereas high-TTL signals a logical one. Low- and high-TTL are two particular TTL values. The covert sender uses either the default initial TTL (if also the overt sender) or the lowest TTL of the intercepted packets (if a middleman) as high-TTL, and high-TTL minus one as low-TTL. The receiver decodes packets with the higher TTL as logical one and packets with the lower TTL as logical zero. Figure 3.6 compares the MED and MEI schemes. 45
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS Covert Bit 0 1 1 0 1 Overt Packet 1 2 3 4 5 MEI MED TTL+∆ TTL TTL TTL-∆ Figure 3.6: Comparison of mapped encoding schemes for an example series of covert bits Table 3.3: AMI encoding: current TTL based on covert bit and previous TTL Covert bit Previous TTL Current TTL 0 TTL TTL 0 TTL − ∆ TTL − ∆ 1 TTL TTL − ∆ 1 TTL − ∆ TTL Our last scheme is a differential encoding scheme similar to Alternate Mark Inversion (AMI) coding. Hence we refer to it as AMI scheme. It can be tuned towards stealth or capacity by increasing/decreasing the amplitude of the signal, but it can encode only one bit per overt packet pair. It has the following advantages over DUB: TTL values are always decreased and the TTL values never change by more than one if ∆ = 1. The covert sender encodes a logical zero by repeating the last TTL value. A logical one is encoded by a TTL change, alternating between the two possible values (see Table 3.3). The receiver decodes a constant TTL as logical zero and a TTL change as logical one. Figure 3.7 compares the DUB and AMI schemes. Decrementing the original TTL eliminates the wrap-arounds and the risk of packets stuck in routing loops. It is still very likely that packets reach their final destination since modern operating systems use initial TTL values of at least 64 [167, 168] and the maximum number of hops between two hosts in the Internet is typically less than 32 [167]. Even with the maximum number of hops increasing in the future there is clearly enough headroom. Bit error probabilities can be computed for all schemes based on the distribution of TTL changes (see Appendix B.2). However, as we showed in Section 3.1 the TTL error distribution varies significantly between traces and cannot be easily modelled. Therefore, we use emulation to compute the actual error probabilities for each trace (see Section 3.5). 3.2.3 Implementation considerations If the covert sender is a middleman and encodes covert data into multiple overt traffic flows, for mapped and differential encoding it must encode into each flow separately considering the original TTL values of each flow. Otherwise drastic changes of TTL 46
Page 1 and 2: Chapter 3 CHAPTER 3. TIME-TO-LIVE C
Page 3 and 4: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 5 and 6: Proportion ≤≤ x 1.0 0.8 0.6 0.4
Page 7: CHAPTER 3. TIME-TO-LIVE COVERT CHAN
Page 11 and 12: Capacity (bits/packet) 1.00 0.95 0.
Page 13 and 14: 0 1 1-p L 1-p L p L p L CHAPTER 3.
Page 21 and 22: Algorithm 3.3 Block decoding algori
Page 23 and 24: Error rate 1e−02 1e−04 1e−06
Page 27 and 28: Proportion ≤ x 1.0 0.8 0.6 0.4 0.
Page 29 and 30: Block corruption rate Block corrupt
Page 31 and 32: Throughput (bits/s) 60 50 40 30 20
Page 33 and 34: Throughput (bits/s) 200 150 100 50

Chapter 3 Time-to-live Covert Channels - CAIA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?