Covert channels are used to hide information and are considered one of the most serious security threats. The wide spread of IP networks makes it possible to design such channels using specific properties of packet data transmission. Packet length covert channels are resistant to traffic encryption, and they are known to be difficult to detect. This makes research into methods of limiting their capacity important. This work presents a technique to estimate and limit the capacity of covert channels based on packet length modulation, using traffic padding.
The capacity of a packet length covert channel

A covert channel is a communication channel which is not intended for information transfer at all, such as the effect of a service program on the system load [1]. At present the most popular covert channels are in packet networks, because of some features of the TCP/IP protocol suite. There are a number of undetectable packet length covert channels in IP networks that may be constructed even if encryption is used at any level of the OSI model. This paper describes a technique to estimate and limit the capacity of such covert channels using dummy packet generation.

The design of the considered network covert channel and of the counteraction technique is as follows. Let the lengths of transferred packets take the natural values from $Z_{fix}$ to $Z_{fix} + L$; $\{L_0, L_1\}$ is a partition of the set $N_{Z_{fix}+L} \setminus \ldots$ with $|L_0| = |L_1|$, where $N_a$ stands for the set of positive integers from 1 to $a$. We consider a method to build a binary covert channel. To transfer a «0» the sender communicates a packet of a length $l \in L_0$; to transfer a «1» the sender communicates a packet of a length $l \in L_1$. Obviously, the capacity of such a channel without counteraction is 1 bit per packet. To build such a covert channel the sender must be able to modify the lengths of transmitted packets, to form packets of an arbitrary length, and to buffer packets to be sent and transfer them at a specified moment.

The authors propose a technique to limit the capacity of the covert channel based on traffic padding: after every $k$ data packets a dummy packet of random length is generated, where $k$ is the parameter of the counteraction tool. Let $\nu$ be the capacity of the communication channel; then the counteraction tool decreases it to $k\nu/(k+1)$. After a dummy packet is received, the hidden sender and the hidden receiver fall out of synchronization.
To recover from this mismatch, SOF packets [2] are transmitted after every $T-1$ packets sent within the covert channel. The receiver takes the $T-1$ packets received after an SOF packet and waits for the next SOF packet. Thus $T$ is the covert channel parameter that determines the synchronization frequency. Since the bits received after a mismatch are identified incorrectly, building the covert channel requires the inequality $T < k+1$. The corresponding choice of parameters is illustrated in Fig. 1.

Fig. 1. The scheme of data transfer in the covert channel ($T = 3$, $k = 5$). The figure shows the message sent (0100101 100) and the message received (00001 1 1 100), with SOF packets and dummy packets interleaved among the data packets.

The capacity $C$ of the investigated covert channel is $C = \max_X I(X,Y)$, where $I(X,Y)$ is the mutual information of the random variables $X$ and $Y$ describing the input and the output data of the channel respectively. Since every $T$-th packet sent via the covert channel is not a data packet but a synchronization one, the mutual information can be calculated as
$$I(X,Y) = \frac{T-1}{T}\, I^*(X,Y),$$
where $I^*(X,Y) = H(Y) - H(Y|X)$ is the mutual information of the random variables describing the input and output data of the covert channel without synchronization. The sets $L_0$ and $L_1$ have equal size, and the lengths of dummy packets passing through the covert channel are chosen randomly and equiprobably; therefore $H(Y) = 1$. Since the conditional probabilities $p(y|x)$ for $x, y \in \{0, 1\}$ depend on the number of packets sent via the covert channel from the moment of synchronization to the moment a dummy packet is received, the mutual information $I^*(X,Y)$ can be found as
$$I^*(X,Y) = \frac{1}{k-(T-1)+1} \sum_{i=0}^{k-(T-1)} \bigl(1 - H_i(Y|X)\bigr),$$
where $H_i(Y|X)$ is the conditional entropy of $Y$ given $X$ evaluated when $i$ packets are received between the synchronization moment and the dummy packet arrival moment.
Then the approximate value of the mutual information of $X$ and $Y$ is
$$I(X,Y) \approx \frac{T-1}{T} - \frac{(T-1)^2}{kT} + \frac{(2T-3)(T-1)}{2kT}\log_2\frac{2T-3}{T-1} - \frac{(T-2)(T-1)}{2kT\ln 2}.$$
Note that if $k$ is treated as a continuous variable, $k \in [T; \infty)$, then $I(X,Y) \approx A(T)/k + B(T)$ is a hyperbola as a function of $k$, where
$$A(T) = -\frac{(T-1)^2}{T} + \frac{(2T-3)(T-1)}{2T}\log_2\frac{2T-3}{T-1} - \frac{(T-2)(T-1)}{2T\ln 2}$$
is negative and strictly decreasing, $B(T) = (T-1)/T$ is positive and strictly increasing, and both depend on $T$ only. To build a covert channel the parameter $T$ is chosen to maximize $I(X,Y)$. For example, when $k \in \{2, 3, 4\}$ the parameter $T$ should be equal to 2, when $k \in \{5, 6, 7, 8\}$ it should be equal to 3, and when $k \in \{9, 10, 11, 12, 13, 14\}$ it should be equal to 4. Graphs of $I(X,Y)$ as a function of $k$ for $T = 2, 3, 4, 5$ are shown in Fig. 2.

Fig. 2. Graphs of $I(X,Y)$ as a function of $k$ for $T = 2, 3, 4, 5$.

Let $v_{max}$ be the value of covert channel capacity such that a covert channel with a capacity less than $v_{max}$ has no influence on security. Then a value $T_0$ can be defined satisfying the inequalities $v_{max} - C_{min}(T_0) \ge 0$ and $C_{min}(T_0) \ge C_{min}(T)$ for every $T \ge 2$, $T \ne T_0$, where $C_{min}(T)$ is the capacity of the covert channel when $k$ takes its smallest value for the fixed $T$. The parameter of the counteraction tool can then be computed as
$$k = \left\lfloor \frac{-A(T_0)}{B(T_0) - v_{max}} \right\rfloor.$$

The results of this work are useful for constructing secure IP networks. The authors have suggested a technique to select the parameter of the counteraction tool when an allowable covert channel capacity is given. The novelty of the method is that the capacity of the covert channel is limited, in contrast to other approaches which detect and destroy active covert channels. Further work will investigate techniques to limit the packet length covert channel capacity by randomly increasing the lengths of packets before sending them.
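As an added worked example (my own code, not the paper's), the hyperbolic approximation $I(X,Y) \approx A(T)/k + B(T)$ from the text, the synchronization period $T$ a hidden sender would choose for a known padding parameter $k$ (subject to $T \le k$, i.e. $T < k+1$), and the defender's choice of $k$ for an allowed capacity $v_{max}$; the function names are assumptions.

```python
import math

LN2 = math.log(2)


def A(T: int) -> float:
    """Coefficient of 1/k in I(X,Y) ~ A(T)/k + B(T); negative, strictly decreasing in T."""
    return (-(T - 1) ** 2 / T
            + (2 * T - 3) * (T - 1) / (2 * T) * math.log2((2 * T - 3) / (T - 1))
            - (T - 2) * (T - 1) / (2 * T * LN2))


def B(T: int) -> float:
    """Limit of the capacity as k grows: (T-1)/T, the share of packets that are not SOF."""
    return (T - 1) / T


def capacity(k: int, T: int) -> float:
    """Approximate I(X,Y), bits per packet, for padding period k and sync period T."""
    if not 2 <= T <= k:
        raise ValueError("the covert channel requires 2 <= T and T < k + 1")
    return A(T) / k + B(T)


def best_T(k: int) -> int:
    """Sync period T that maximizes the channel's capacity for a known padding parameter k."""
    return max(range(2, k + 1), key=lambda T: capacity(k, T))


def padding_parameter(v_max: float, T0: int):
    """Largest k with capacity(k, T0) <= v_max: floor(-A(T0) / (B(T0) - v_max)).
    Returns None when v_max >= B(T0): the capacity never exceeds B(T0), so any k is safe."""
    if v_max >= B(T0):
        return None
    return math.floor(-A(T0) / (B(T0) - v_max))


if __name__ == "__main__":
    for k in (2, 5, 9, 14, 15):
        T = best_T(k)
        print(f"k={k:2d}: sender picks T={T}, capacity ~ {capacity(k, T):.3f} bit/packet")
    # Defender: allow at most 0.4 bit/packet against a sender using T0 = 3.
    print("k for v_max=0.4, T0=3:", padding_parameter(0.4, 3))
```

The switch points k = 5, 9 and 15 reproduce the paper's choice of T for k in {2,3,4}, {5,...,8} and {9,...,14}.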
Epishkina Anna Vasilievna | National Research Nuclear University MEPhI (Moscow) | Candidate of Technical Sciences, Associate Professor, Department of Cryptology and Discrete Mathematics | avepishkina@mephi.ru |
Kogos Konstantin Grigorievich | National Research Nuclear University MEPhI (Moscow) | postgraduate student | kgkogos@mephi.ru |
[1] Lampson B. W. A note on the confinement problem // Comm. ACM. 1973. No. 16. P. 613-615.
[2] Cabuk S., Brodley C. E., Shields C. IP covert timing channels: design and detection // Proc. CCS'04, October 25-29, 2004, Washington, DC, USA. P. 178-187.