Covert channels are used for information transmission in a manner that is not intended for communication and is difficult to detect. We propose a technique to prevent the information leakage via IP covert timing channels by inter-packet delays normalization in the process of packets sending. Recommendations for using the counteraction methods and choosing parameters were given. The advantage of our approach is that the covert channel is eliminated or limited preliminary, whereas state of the art methods focus on detecting active IP covert channels that may be insecure.
Information in covert timing channel can be encoded by varying packets transfer rates (or inter-packet times) [
Сovert channels in networks
Interpacket times
Channel doesn t pose a threat
Not take action
· Possibility to create a covert channel · Possible damage (covert channel capacity)
Channel poses a threat
The identification problem is to find the potential covert channels that can be realized in the analyzed system. The second step is the analysis of identified channels to assess the threat level of each covert channel. If channel poses a threat to the protected system the following measures can be applied: elimination, limiting, detection. Ideally covert channels should be identified and removed during the design phase. Covert channels in networks can be eliminated by traffic encryption and normalization (protocol headers, packet lengths, inter-packet times). If a channel cannot be eliminated its capacity should be
Image Processing, Geoinformation Technology and Information Security / K. Kogos, A. Sokolov
reduced by using limiting techniques [
The rest of the paper is organized as follows. First, we give an overview of existing methods of covert channels construction and counteraction in Chapter 2. In Chapter 3, we introduce recommendations on the choice of parameters of covert channel elimination method. In Chapter 4, we consider two ways to limit covert channels capacity. In Chapter 5, we provide experimental results to demonstrate counteraction methods effect on network performance. Our conclusions are presented in Chapter 6.
Covert information can be encoded by varying packet rates or inter-packet times. The covert sender varies packet rate
between two (binary channel) or more packet rates each time interval. The receiver decodes the covert information by measuring
the rate in each time interval. The sender and receiver need a mechanism for synchronization of the time intervals. Timing
channel where the sender either transmits or stays silent in each time interval (on/off channel) is a special case of binary channel
[
Authors of [
Covert timing channel can be organized through packet sorting [
Admissible covert channel capacity depends on the kind of protected information and on the amount of leaked information,
which is critical. TCSEC assumes that covert channels with maximum bandwidths of less than 1 bit per second are acceptable in
most application environments [
Capacity of covert timing channels in networks can be limited by adding random delays to the packets. Fig. 3 shows the
framework of using traffic control module [
Sender
Process
Modulate
Trusted components
Traffic controller
OS kernel Network devices
Receiver Eavesdrop
Network
Image Processing, Geoinformation Technology and Information Security / K. Kogos, A. Sokolov
For each network connection, traffic control module maintains some information (network address, port number, connection type, previous packet's outgoing time, etc.). When an application sends out a packet, traffic controller will intercept the packet, look up the network connection information and add a random delay to the packet (fixed delays could be easy filtered by covert channel users). Delay of nth packet will be calculated according to the formula:
Tn f (tn , k) Rand (k) tn , (1) where tn denotes the time interval between current and previous packet-sending request, k is a configurable parameter (0 k 1), Rand(k) function generates a random number ranged from 0 to k. Hence, Tn will be a random value from 0 and up to k tn . Experimental results shows that the covert communication achieved nearly 100% encode/decode correctness when traffic control was disabled. With the traffic control enabled, the error rate rapidly raised to about 50%.
Gateway is often used to prevent the data transmission from higher security level to lower. Gateway is located between the sender with low security level and receiver with high security level (Fig. 4). When the gateway receives a packet from low it stores it into a buffer and sends an acknowledgment (ACK) to low. Then it transmits the packet to high and waits for an ACK. If the ACK is received the gateway removes the packet from the buffer.
However, when the buffer is full the gateway must wait for high to acknowledge a received packet until another packet from
low can be stored in the buffer. The time of sending an ACK to low is directly related to the time of receiving an ACK from
high. High can ensure the buffer is always filled and vary the rate of its ACKs. In this manner, he can exploit the covert channel.
The PUMP model reduces this covert channel capacity [
Gateway Low
ACK
ACK
Network covert timing channels can be eliminated only by normalizing inter-packet times. But this measure reduces the communication channel bandwidth. Method parameters must be correctly selected to minimize the negative impact on network performance.
Inter-packet times normalization makes it necessary to delay the transmission of packets and generate dummy packets. It reduces the network performance. So, method of covert channels elimination should be used only if the leakage of a very small amount information is unacceptable. Parameters of inter-packet times normalization method must be correctly selected to minimize the negative impact on communication channel capacity.
Input data for the calculation of the best inter-packet time value kt can include: 1. empirical distribution of inter-packet time over a long period of time, 2. maximum acceptable packet queue delay lt, 3. equal to the allowable part of packets which may be delayed for a time greater than lt.
Following conditions must be met when inter-packet times normalization to kt is performed: 1. communication channel bandwidth is not less than the set value, 2. percentage of packets which are delayed for a time greater than lt is not more than , 3. number of dummy packets is minimal.
One of the following values can be used instead of and lt: 1. maximum allowable average packet delay davgt, 2. maximum acceptable part of dummy packets.
Suppose we have a distribution of inter-packet time (Fig. 5). The minimum value of the inter-packet interval is equal to t and maximum equal to mt. . . .
mt
T
Let the inter-packet times are normalized to kt. The device processes packets for an infinitely small time and its queue is empty at the moment. When two packets with at interval arrive to the device, there will be the following. The second packet at at will be delayed for kt at , if at kt . The second packet will be delayed for kt 1 kt kt at kt kt at and at kt
1 dummy packets will be generated and sent by the device, if at kt .
So, when n+1 packets with a1t, a2t,..., ant intervals come to the device, delay of the (i+1)th packet is equal to where d0t 0 and Ndi is a number of dummy packets sent after receiving the ith packet (during the ait): The smaller the inter-packet time kt, the less packet queue delay and the greater the number of dummy packets. Let the inter-packet time is a discrete random variable obeying the distribution law in Table 1.
dit di1t (Ndi 1)kt ait , Nфi ait ktdi1t 1 . 2t p2 … … (m – 1)t pm - 1 mt pm n where Nd is a number of dummy packets sent during the ait after receiving the first packet.
i1
The inter-packet time after normalization should not exceed the average value in the initial distribution to avoid the constant increase in queue length. That is, the following inequality must be satisfied: where E ( ) is the expected value of a variable .
Image Processing, Geoinformation Technology and Information Security / K. Kogos, A. Sokolov
One should choose a value of kt for witch this probability is not greater than . Furthermore, the value of probability should be as close to as possible to minimize the amount of dummy packets. In choosing the value of kt based on the maximum acceptable part of dummy packets ( Nd ) one should select the minimum suitable kt value to minimize packet delays.
n Nd We consider two use cases of communication channel: 1. file transfer only, 2. real-time data transfer (e.g. VoIP, Skype).
The maximum packet queue delay is not too important, if the channel is not being used for real-time data transmission.
Allowable average packet delay or acceptable percentage of dummy packets should be used as input data in this case. If you use
a channel for real-time data transfer, it is essential to ensure good communication quality. Therefore, the inter-packet time kt
should be calculated based on the maximum acceptable packet delay. For example, packet jitter should not exceed 30
milliseconds to provide an acceptable quality of a Skype call [
If a non-zero covert channel capacity is allowed one can use partial inter-packet times normalization. Such methods have less negative impact on the communication channel.
Let two values of inter-packet times after traffic normalization be allowed: k1t and k2t. Inter-packet time equal to k1t will be observed at the output if the queue is not empty in k1t after sending the last packet. If the queue is empty at this moment the inter packet time equal to k2t will appear at the output. It will be a dummy packet if the queue also is empty in k2t after sending the last packet.
Violator can affect the inter-packet times by passing packets to the channel and use covert channel. Let the random variable X take the values 0 or 1 in accordance with the inter-packet times (k1t or k2t) at the output. p is the probability of observing packets with an interval equal to k1t. Then entropy of X is equal to:
The average time between two consecutive outgoing packets is pk1t (1 p)k2t . So, capacity of covert timing channel that can be built is: (6) (7) (8) H ( X ) p log2 p (1 p) log2 (1 p) .
C p log2 p (1 p) log2 (1 p) pk1t (1 p)k2t
, where (1 p)k1t pk2t holds.
It is possible to use more than two values of inter-packet delays.
T NT Nq
k2t ,
Let there are two inter-packet delays: k1t and k2t ( k1t k2t ) which correspond to two fixed packet transfer rates. During each interval T inter-packet times are fixed and equal to k1t or k2t (packets are transmitted at a constant rate). Rate can change or remain the same at the time points T i (i = 1, 2,…). Selected transfer rate depends on the number of packets received at the last part of the T and the number of packets in the queue. Lower rate (which correspond to k2t) will be set at the time T j if where NT is the number of packets received during the time interval ( T j T , T j ); Nq is the amount of packets in the queue at the moment. Otherwise, a high data transfer rate will be established.
When using this method, covert channel capacity is: С log2 r ,
T T log2 r
Ca
. where r is the number of transfer rates. In this case r = 2.
Parameter T should be chosen depending on the predetermined allowable capacity of covert channel Ca.
This chapter provides experimental results to demonstrate the effect of inter-packet times normalization on network performance. Two use cases of network are reviewed: file transfer only and real-time data transfer. For each of these cases we have two empirical distribution of inter-packet time (under high and low network load). The best values of inter-packet time was calculated for several input data sets.
(9) (10)
lt, sec. 0.005 0.010 0.020 p(T) lt, sec. 0.005 0.010 0.020 T, sec.
Nd n Nd
T, sec.
Nd n Nd 0.92 0.85 0.71
The following dependencies were identified using a covert channel limit method that allows two packet transfer rates (Fig. 10, 11).
Three techniques of inter-packet delays normalization were applied under the same conditions. The requirement for the average packet delay was specified. The parameters of each method have been calculated to ensure a minimum effect on the communication channel performance. The values of the covert channel capacity and part of dummy packets are shown in the Table 8.
Inter-packet times normalization makes it necessary to delay the transmission of packets and generate dummy packets. Parameters of inter-packet times normalization method must be correctly selected to minimize the negative impact on communication channel capacity. Channel performance requirements may be different. They depend on how you use the channel. The results also show that the packet delays and the number of dummy packets are strongly depend on the communication channel load.
Image Processing, Geoinformation Technology and Information Security / K. Kogos, A. Sokolov
Complete normalization of inter-packet delays is only way to eliminate covert timing channels. However, this measure greatly reduces the communication channel capacity and should be used only if the leakage of a very small amount information is unacceptable. In other case, one can use methods of partial inter-packet times normalization which limit covert channel capacity.