IP Covert Timing Channels: An Initial Exploration

A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect. In this paper, we describe our implementation of a covert network timing channel, the subtle issues that arose in its design, and present performance data for the channel. We then use our implementation as the basis for our experiments in its detection. We show that the regularity of a timing channel can be used to differentiate it from other traffic and present two methods of doing so and measures of their efficiency. We also investigate mechanisms that attackers might use to disrupt the regularity of the timing channel, and demonstrate methods of detection that are effective against them.
