PHY Covert Channels: Can you see the Idles?

Network covert timing channels embed secret messages in legitimate packets by modulating interpacket delays. Unfortunately, such channels are normally implemented in higher network layers (layer 3 or above) and easily detected or prevented. However, access to the physical layer of a network stack allows for timing channels that are virtually invisible: Sub-microsecond modulations that are undetectable by software endhosts. Therefore, covert timing channels implemented in the physical layer can be a serious threat to the security of a system or a network. In fact, we empirically demonstrate an effective covert timing channel over nine routing hops and thousands of miles over the Internet (the National Lambda Rail). Our covert timing channel works with cross traffic, less than 10% bit error rate, which can be masked by forward error correction, and a covert rate of 81 kilobits per second. Key to our approach is access and control over every bit in the physical layer of a 10 Gigabit network stack (a bit is 100 picoseconds wide at 10 gigabit per seconds), which allows us to modulate and interpret interpacket spacings at sub-microsecond scale. We discuss when and how a timing channel in the physical layer works, how hard it is to detect such a channel, and what is required to do so.

[1]  Gaurav Shah,et al.  Keyboards and Covert Channels , 2006, USENIX Security Symposium.

[2]  M A Padlipsky,et al.  Limitations of End-to-End Encryption in Secure Computer Networks , 1978 .

[3]  Mark Handley,et al.  Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics , 2001, USENIX Security Symposium.

[4]  Carla E. Brodley,et al.  IP covert timing channels: design and detection , 2004, CCS '04.

[5]  Kenneth P. Birman,et al.  Exact temporal characterization of 10 Gbps optical wide-area network , 2010, IMC '10.

[6]  Steven J. Murdoch,et al.  Embedding Covert Channels into TCP/IP , 2005, Information Hiding.

[7]  Sangjin Han,et al.  PacketShader: a GPU-accelerated software router , 2010, SIGCOMM '10.

[8]  Sebastian Zander,et al.  A survey of covert channels and countermeasures in computer network protocols , 2007, IEEE Communications Surveys & Tutorials.

[9]  Stefan Katzenbeisser,et al.  Hide and Seek in Time - Robust Covert Timing Channels , 2009, ESORICS.

[10]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[11]  Bruce E. Hajek,et al.  An information-theoretic and game-theoretic study of timing channels , 2002, IEEE Trans. Inf. Theory.

[12]  Craig H. Rowland,et al.  Covert Channels in the TCP/IP Protocol Suite , 1997, First Monday.

[13]  Peng Ning,et al.  On the secrecy of timing-based active watermarking trace-back techniques , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[14]  Stefan Katzenbeisser,et al.  Robust and Undetectable Steganographic Timing Channels for i.i.d. Traffic , 2010, Information Hiding.

[15]  David Watson,et al.  Transport and application protocol scrubbing , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[16]  Deepa Kundur,et al.  Practical Internet Steganography : Data Hiding in IP , 2003 .

[17]  Mike Fisk,et al.  Eliminating Steganography in Internet Traffic with Active Wardens , 2002, Information Hiding.

[18]  Ao Tang,et al.  Packet clustering introduced by routers: Modeling, analysis and experiments , 2014, 2014 48th Annual Conference on Information Sciences and Systems (CISS).

[19]  Luigi Rizzo,et al.  netmap: A Novel Framework for Fast Packet I/O , 2012, USENIX ATC.

[20]  Joanna Rutkowska joanna The Implementation of Passive Covert Channels in the Linux Kernel , 2004 .

[21]  Hakim Weatherspoon,et al.  NetSlices: Scalable multi-core packet processing in user-space , 2012, 2012 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[22]  Jim Kurose,et al.  Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement 2004, Taormina, Sicily, Italy, October 25-27, 2004 , 2004 .

[23]  Hakim Weatherspoon,et al.  SoNIC: Precise Realtime Software Access and Control of Wired Networks , 2013, NSDI.

[24]  Vincent H. Berk,et al.  Detection of Covert Channel Encoding in Network Packet Delays , 2005 .

[25]  Katerina J. Argyraki,et al.  RouteBricks: exploiting parallelism to scale software routers , 2009, SOSP '09.

[26]  Steven Gianvecchio,et al.  Detecting covert timing channels: an entropy-based approach , 2007, CCS '07.