Network covert channels: design, analysis, detection, and elimination

Indirect communication channels have been effectively employed in the communications world to bypass mechanisms that do not permit direct communication between unauthorized parties. Such covert channels emerge as a threat to information-sensitive systems in which leakage to unauthorized parties may be unacceptable (e.g., military systems). In this dissertation, we show that traffic analysis can counter traditional event-based covert channels, which do not employ any additional scheme to obfuscate the channel further. For these channels, we introduce effective noiseless and noisy covert channel detection mechanisms that capture the anomalous traffic patterns. However, because a motivated user can potentially hide the channel further, we introduce a new family of covert channels that do not produce such anomaly. These IP time-replay covert channels transmit covert messages by adjusting packet timings consistent with inter-arrival time sequences that are extracts from recently recorded normal sequences. Under certain assumptions and lowered data rates, these channels generate output sequences that are equal in distribution to normal sequences allowing them to by-pass traffic anomaly detection schemes that are based on distribution analysis. Additionally, we illustrate that these channels can potentially survive channel elimination schemes such as jammers and network data pumps with lowered data rates. Thus, we discuss two types of transformations on packet inter-arrival times to increase the efficacy of existing elimination schemes.

[1]  Claude E. Shannon,et al.  The Mathematical Theory of Communication , 1950 .

[2]  Richard W. Hamming,et al.  Error detecting and error correcting codes , 1950 .

[3]  D. Cox,et al.  The statistical analysis of series of events , 1966 .

[4]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[5]  Michael J. Fischer,et al.  The String-to-String Correction Problem , 1974, JACM.

[6]  Steven B. Lipner,et al.  A comment on the confinement problem , 1975, SOSP.

[7]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[8]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[9]  Marvin Schaefer,et al.  Program confinement in KVM/370 , 1977, ACM '77.

[10]  Bruno O. Shubert,et al.  Random variables and stochastic processes , 1979 .

[11]  Solomon W. Golomb,et al.  The limiting behavior of the Z-channel (Corresp.) , 1980, IEEE Trans. Inf. Theory.

[12]  Richard A. Kemmerer,et al.  Shared resource matrix methodology: an approach to identifying storage and timing channels , 1983, TOCS.

[13]  Gustavus J. Simmons,et al.  The Prisoners' Problem and the Subliminal Channel , 1983, CRYPTO.

[14]  Barry D. Gold,et al.  KVM/370 in Retrospect , 1984, 1984 IEEE Symposium on Security and Privacy.

[15]  Harvey M. Deitel,et al.  An introduction to operating systems , 1984 .

[16]  Roland E. Best Phase-Locked Loops , 1984 .

[17]  John G. Proakis,et al.  Probability, random variables and stochastic processes , 1985, IEEE Trans. Acoust. Speech Signal Process..

[18]  C. Gray Girling,et al.  Covert Channels in LAN's , 1987, IEEE Transactions on Software Engineering.

[19]  Virgil D. Gligor,et al.  A bandwidth computation model for covert storage channels and its applications , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[20]  K. W. Eggers,et al.  Characterizing network covert storage channels , 1988, [Proceedings 1988] Fourth Aerospace Computer Security Applications.

[21]  Jonathan K. Millen Finite-state noiseless covert channels , 1989, Proceedings of the Computer Security Foundations Workshop II,.

[22]  Simon N. Foley A model for secure information flow , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[23]  L Robertson Introduction to operating systems , 1990 .

[24]  Virgil D. Gligor,et al.  Auditing the use of covert storage channels in secure systems , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[25]  Paul A. Karger,et al.  Storage channels in disk arm optimization , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[26]  Oliver Costich,et al.  Analysis of a storage channel in the two phase commit protocol , 1991, Proceedings Computer Security Foundations Workshop IV.

[27]  Riccardo Gusella,et al.  Characterizing the Variability of Arrival Processes with Indexes of Dispersion , 1991, IEEE J. Sel. Areas Commun..

[28]  Richard A. Kemmerer,et al.  Covert flow trees: a technique for identifying and analyzing covert storage channels , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[29]  Ira S. Moskowitz,et al.  Variable noise effects upon a simple timing channel , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[30]  Wei-Ming Hu,et al.  Reducing timing channels with fuzzy time , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[31]  John C. Wray An Analysis of Covert Timing Channels , 1992, J. Comput. Secur..

[32]  Ira S. Moskowitz,et al.  The channel capacity of a certain noisy timing channel , 1992, IEEE Trans. Inf. Theory.

[33]  A. Glavieux,et al.  Near Shannon limit error-correcting coding and decoding: Turbo-codes. 1 , 1993, Proceedings of ICC '93 - IEEE International Conference on Communications.

[34]  kc claffy,et al.  Application of sampling methodologies to network traffic characterization , 1993, SIGCOMM 1993.

[35]  James W. Gray On introducing noise into the bus-contention channel , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[36]  Ming Li,et al.  An Introduction to Kolmogorov Complexity and Its Applications , 2019, Texts in Computer Science.

[37]  James W. Gray,et al.  On analyzing the bus-contention channel under fuzzy time , 1993, [1993] Proceedings Computer Security Foundations Workshop VI.

[38]  Ira S. Moskowitz,et al.  A pump for rapid, reliable, secure communication , 1993, CCS '93.

[39]  Jonathan T. Trostle Modelling a Fuzzy Time System , 1993, J. Comput. Secur..

[40]  Virgil D. Gligor,et al.  A guide to understanding covert channel analysis of trusted systems , 1993 .

[41]  Gustavus J. Simmons,et al.  Subliminal channels; past and present , 2010, Eur. Trans. Telecommun..

[42]  James W. Gray,et al.  Countermeasures and tradeoffs for a class of covert timing channels , 1994 .

[43]  I. S. Moskowitz,et al.  Covert channels-here to stay? , 1994, Proceedings of COMPASS'94 - 1994 IEEE 9th Annual Conference on Computer Assurance.

[44]  Ira S. Moskowitz,et al.  Simple timing channels , 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.

[45]  Catherine Rosenberg,et al.  New approach for tra c characterisation in ATM networks , 1995 .

[46]  H. Hirsh,et al.  DNA Sequence Classification Using Compression-Based Induction , 1995 .

[47]  Ira S. Moskowitz,et al.  A network version of the Pump , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[48]  Ira S. Moskowitz,et al.  A Data Pump for Communication , 1995 .

[49]  Sally Floyd,et al.  Wide area traffic: the failure of Poisson modeling , 1995, TNET.

[50]  Theodore G. Handel,et al.  Hiding Data in the OSI Network Model , 1996, Information Hiding.

[51]  Myong H. Kang,et al.  An Implementation of the Pump: The Event Driven Pump. , 1996 .

[52]  Ira S. Moskowitz,et al.  An analysis of the timed Z-channel , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[53]  Gustavus J. Simmons,et al.  The history of subliminal channels , 1996, IEEE J. Sel. Areas Commun..

[54]  Ira S. Moskowitz,et al.  A Network Pump , 1996, IEEE Trans. Software Eng..

[55]  Craig H. Rowland,et al.  Covert Channels in the TCP/IP Protocol Suite , 1997, First Monday.

[56]  Myong H. Kang,et al.  Design and assurance strategy for the NRL pump , 1997, Proceedings 1997 High-Assurance Engineering Workshop.

[57]  Paul M. B. Vitányi,et al.  An Introduction to Kolmogorov Complexity and Its Applications , 1993, Graduate Texts in Computer Science.

[58]  Srinivasan Seshan,et al.  Analyzing stability in wide-area network performance , 1997, SIGMETRICS '97.

[59]  Kai Rannenberg Die Trusted Computer System Evaluation Criteria (TCSEC) , 1998 .

[60]  Jonathan K. Millen 20 years of covert channel modeling and analysis , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[61]  Shiuh-Pyng Shieh Estimating and Measuring Covert Channel Bandwidth in Multilevel Secure Operating Systems , 1999, J. Inf. Sci. Eng..

[62]  Markus G. Kuhn,et al.  Information hiding-a survey , 1999, Proc. IEEE.

[63]  Anthony Ephremides,et al.  Covert Information Transmission through the Use of Standard Collision Resolution Algorithms , 1999, Information Hiding.

[64]  Sang Hyuk Son,et al.  Correction to 'Integrating Security and Real-Time Requirements Using Covert Channel Capacity' , 2000, IEEE Trans. Knowl. Data Eng..

[65]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[66]  Deepa Kundur,et al.  Practical Data Hiding in TCP/IP , 2002 .

[67]  Mike Fisk,et al.  Eliminating Steganography in Internet Traffic with Active Wardens , 2002, Information Hiding.

[68]  Jean-Claude Geffroy,et al.  Error Detecting and Correcting Codes , 2002 .

[69]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[70]  Rachel Greenstadt,et al.  Covert Messaging through TCP Timestamps , 2002, Privacy Enhancing Technologies.

[71]  Kamran Ahsan,et al.  Covert Channel Analysis and Data Hiding in TCP/IP , 2002 .

[72]  Bruce E. Hajek,et al.  An information-theoretic and game-theoretic study of timing channels , 2002, IEEE Trans. Inf. Theory.

[73]  Loïc Hélouët,et al.  Covert channels detection in protocols using scenarios , 2003 .

[74]  Andrew Warfield,et al.  Xen and the art of virtualization , 2003, SOSP '03.

[75]  Taeshik Shon,et al.  A Study on the Covert Channel Detection of TCP/IP Header Using Support Vector Machine , 2003, ICICS.

[76]  Matthias Bauer New covert channels in HTTP: adding unwitting Web browsers to anonymity sets , 2003, WPES '03.

[77]  HarrisTim,et al.  Xen and the art of virtualization , 2003 .

[78]  Dong Hoon Lee,et al.  Covert Channel Detection in the ICMP Payload Using Support Vector Machine , 2003, ISCIS.

[79]  Roland E. Best Phase-locked loops : design, simulation, and applications , 2003 .

[80]  Ming Li,et al.  Clustering by compression , 2003, IEEE International Symposium on Information Theory, 2003. Proceedings..

[81]  Bin Ma,et al.  The similarity metric , 2001, IEEE Transactions on Information Theory.

[82]  Changda Wang,et al.  Searching covert channels by identifying malicious subjects in the time domain , 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..

[83]  Song Li,et al.  A network layer covert channel in ad-hoc wireless networks , 2004, 2004 First Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks, 2004. IEEE SECON 2004..

[84]  Joanna Rutkowska joanna The Implementation of Passive Covert Channels in the Linux Kernel , 2004 .

[85]  Eamonn J. Keogh,et al.  Towards parameter-free data mining , 2004, KDD.

[86]  Ronald de Wolf,et al.  Algorithmic Clustering of Music Based on String Compression , 2004, Computer Music Journal.

[87]  Steven J. Murdoch,et al.  Embedding Covert Channels into TCP/IP , 2005, Information Hiding.

[88]  Carla E. Brodley,et al.  Compression and machine learning: a new perspective on feature space vectors , 2006, Data Compression Conference (DCC'06).

[89]  R. Crawshaw,et al.  2. Universal Declaration of Human Rights , 2008 .