Implementing a Covert Timing Channel Based on Mimic Function

A covert timing channel is a mechanism that an attacker can exploit to conceal secrets in the timing intervals of transmitted packets. With the development of detection techniques against such channels, it has become increasingly difficult to exploit a practical covert timing channel that is both detection-resistant and of high capacity. In this paper, we introduce a new type of covert timing channel. Our novel encoding technique uses mimic functions as the basis for mimicking legitimate traffic behaviors. We also design and implement a mimicry framework for automatically creating this new type of covert timing channel. Finally, we use state-of-the-art detection tests to validate the effectiveness of our mimicry approach. The experimental results show that the created covert timing channel can successfully evade the detection tests while achieving a considerable channel capacity.
