Chapter 3 Time-to-live Covert Channels - CAIA
CHAPTER 3. TIME-TO-LIVE COVERT CHANNELS

[Figure: covert bits 0 1 1 0 1 carried in overt packets 1 to 5; panels MEI and MED; TTL levels shown: TTL+∆, TTL, TTL, TTL−∆]
Figure 3.6: Comparison of mapped encoding schemes for an example series of covert bits

Table 3.3: AMI encoding: current TTL based on covert bit and previous TTL

Covert bit    Previous TTL    Current TTL
0             TTL             TTL
0             TTL − ∆         TTL − ∆
1             TTL             TTL − ∆
1             TTL − ∆         TTL

Our last scheme is a differential encoding scheme similar to Alternate Mark Inversion
(AMI) coding. Hence we refer to it as the AMI scheme. It can be tuned towards stealth
or capacity by increasing/decreasing the amplitude of the signal, but it can encode only
one bit per overt packet pair. It has the following advantages over DUB: TTL values are
always decreased and the TTL values never change by more than one if ∆ = 1.

The covert sender encodes a logical zero by repeating the last TTL value. A logical
one is encoded by a TTL change, alternating between the two possible values (see Table
3.3). The receiver decodes a constant TTL as logical zero and a TTL change as logical
one. Figure 3.7 compares the DUB and AMI schemes.

Decrementing the original TTL eliminates the wrap-arounds and the risk of packets
stuck in routing loops. It is still very likely that packets reach their final destination,
since modern operating systems use initial TTL values of at least 64 [167, 168] and the
maximum number of hops between two hosts in the Internet is typically less than 32
[167]. Even with the maximum number of hops increasing in the future, there is clearly
enough headroom.

Bit error probabilities can be computed for all schemes based on the distribution of
TTL changes (see Appendix B.2). However, as we showed in Section 3.1, the TTL error
distribution varies significantly between traces and cannot be easily modelled. Therefore,
we use emulation to compute the actual error probabilities for each trace (see Section 3.5).
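
The AMI rules of Table 3.3 and the effect of a path-induced TTL change on decoding, simulated on plain integers. This is an added example, not code from the original text; the function names, the choice of sending the first packet with the original TTL as a reference, and the hop counts are assumptions made for illustration.

```python
# Added example: the AMI scheme of Table 3.3 simulated on plain integers.
# Nothing is sent on a network; all names and sample values are constructed.

def ami_encode(bits, ttl, delta=1):
    """Return TTLs for len(bits)+1 overt packets (one covert bit per packet pair)."""
    low = ttl - delta
    if delta < 1 or low < 1:
        raise ValueError("need delta >= 1 and ttl - delta >= 1")
    out = [ttl]  # assumption: the first packet keeps the original TTL as reference
    for bit in bits:
        prev = out[-1]
        if bit == 0:
            out.append(prev)                          # zero: repeat the last TTL
        else:
            out.append(low if prev == ttl else ttl)   # one: switch to the other value
    return out

def ami_decode(ttls):
    """Constant TTL between consecutive packets -> 0, TTL change -> 1."""
    return [0 if cur == prev else 1 for prev, cur in zip(ttls, ttls[1:])]

def after_path(ttls, hops, extra=None):
    """TTLs seen by the receiver; `extra` maps packet index -> additional hops."""
    extra = extra or {}
    return [t - hops - extra.get(i, 0) for i, t in enumerate(ttls)]

def never_raised_and_bounded(ttls, ttl, delta):
    """Check the two properties claimed over DUB: no value above the original
    TTL, and consecutive packets never differ by more than delta."""
    steps_ok = all(abs(a - b) <= delta for a, b in zip(ttls, ttls[1:]))
    return max(ttls) <= ttl and steps_ok

def bit_errors(sent, received):
    """Indices of covert bits that were decoded incorrectly."""
    return [i for i, (s, r) in enumerate(zip(sent, received)) if s != r]

if __name__ == "__main__":
    bits = [0, 1, 1, 0, 1]                 # covert bits from the Figure 3.6 example
    sent = ami_encode(bits, ttl=64, delta=1)
    print(sent, never_raised_and_bounded(sent, 64, 1))
    clean = after_path(sent, hops=12)      # constant hop count: decoding unaffected
    print(ami_decode(clean) == bits)
    noisy = after_path(sent, hops=12, extra={3: 1})  # packet 3 takes one extra hop
    print(ami_decode(noisy), bit_errors(bits, ami_decode(noisy)))
```

Because decoding compares neighbouring packets, a constant hop count leaves the bits intact, while a TTL change on a single packet can corrupt up to two adjacent bits, as the last case shows.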
3.2.3 Implementation considerations<br />
If the covert sender is a middleman and encodes covert data into multiple overt traffic
flows, for mapped and differential encoding it must encode into each flow separately
considering the original TTL values of each flow. Otherwise drastic changes of TTL