Liquid: A detection-resistant covert timing channel based on IPD shaping

Abstract: Covert timing channels provide a way to surreptitiously leak information from an entity in a higher-security level to an entity in a lower level. The difficulty of detecting or eliminating such channels makes them a desirable choice for adversaries that value stealth over throughput. When one considers the possibility of such channels transmitting information across network boundaries, the threat becomes even more acute. A promising technique for detecting covert timing channels focuses on using entropy-based tests. This method is able to reliably detect known covert timing channels by using a combination of entropy and conditional entropy to detect anomalies in shape and regularity, respectively. This dual approach is intended to make entropy-based detection robust against both current and future channels. In this work, we show that entropy-based detection can be defeated by a channel that intelligently and adaptively manipulates the metrics used for detection. Specifically, we propose a new passive covert channel that uses a portion of the inter-packet delays in a compromised stream to smooth out the shape distortions detected by the entropy test. As a passive channel, it is not as prone to regularity-based detection as previously proposed active channels. We introduce a model for analyzing the effect of our techniques on the entropy of the channel and empirically investigate the accuracy of the model. In network experiments and simulation, we validate this model and demonstrate that the proposed channel successfully evades entropy-based detection and other known tests while maintaining reasonable throughput.
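The dual test the abstract describes, sketched from the detector's side as an added example (not the paper's code): entropy of binned inter-packet delays checks shape, conditional entropy checks regularity. The bin count, both thresholds, the plain (uncorrected) conditional-entropy estimate and all sample delays are assumptions constructed here.

```python
import bisect
import math
import random
from collections import Counter

Q = 5  # number of equiprobable bins (assumed value)

def bin_edges(training_ipds, q=Q):
    """Edges splitting legitimate training IPDs into q equally likely bins."""
    s = sorted(training_ipds)
    return [s[len(s) * k // q] for k in range(1, q)]

def to_symbols(ipds, edges):
    """Map each inter-packet delay to its bin index."""
    return [bisect.bisect_right(edges, d) for d in ipds]

def entropy(items):
    """Shannon entropy in bits of the empirical distribution of items."""
    n = len(items)
    return -sum(c / n * math.log2(c / n) for c in Counter(items).values())

def conditional_entropy(sym, m=2):
    """H(X_m | X_1..X_{m-1}), estimated as H(m-grams) - H((m-1)-grams)."""
    def grams(k):
        return [tuple(sym[i:i + k]) for i in range(len(sym) - k + 1)]
    return entropy(grams(m)) - entropy(grams(m - 1))

def check_flow(ipds, edges, en_min=2.0, ce_min=1.5):
    """Return the anomalies found; thresholds are illustrative assumptions."""
    sym = to_symbols(ipds, edges)
    found = []
    if entropy(sym) < en_min:
        found.append("shape")
    if conditional_entropy(sym) < ce_min:
        found.append("regularity")
    return found

# Constructed data: exponential IPDs (mean 20 ms) stand in for legitimate traffic.
rng = random.Random(7)
training = [rng.expovariate(50) for _ in range(5000)]
EDGES = bin_edges(training)
legit = [rng.expovariate(50) for _ in range(2000)]
# Two-valued delays: distorted shape (low entropy also caps conditional entropy).
two_valued = [rng.choice((0.01, 0.05)) for _ in range(2000)]
# One delay from each bin, replayed in a fixed cycle: normal shape, no randomness.
s = sorted(training)
cycle = [s[len(s) * (2 * k + 1) // (2 * Q)] for k in range(Q)] * 400

if __name__ == "__main__":
    for name, flow in (("legit", legit), ("two_valued", two_valued), ("cycle", cycle)):
        print(name, check_flow(flow, EDGES))
```

Per the abstract, a channel that adaptively shapes its delays can keep both scores in the legitimate range, so passing these two checks is not evidence that a flow is clean.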
