IP Covert Timing Channels: Design and Detection
Serdar Cabuk, Electrical and Computer Engineering, Purdue University
Carla E. Brodley, Department of Computer Science, Tufts University
Clay Shields, Department of Computer Science, Georgetown University
A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect. In this paper, we describe our implementation of a covert network timing channel, discuss the subtle issues that arose in its design, and present performance data for the channel. We then use our implementation as the basis for our experiments in its detection. We show that the regularity of a timing channel can be used to differentiate it from other traffic and present two methods of doing so and measures of their efficiency. We also investigate mechanisms that attackers might use to disrupt the regularity of the timing channel, and demonstrate methods of detection that are effective against them.
Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General—Security and Protection;
D.4.6 [Security and Protection]: [Information flow controls]; K.6.5 [Security and Protection]: [Unauthorized access]
Keywords
Network covert channels, TCP/IP, covert timing channels, detection
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCS’04, October 25-29, 2004, Washington, DC, USA. Copyright 2004 ACM 1-58113-961-6/04/0010 ...$5.00.
A covert channel is a mechanism that can be used to violate a security policy by allowing information to leak to an unauthorized process. Two types of covert channels exist: storage and timing channels. A storage channel “involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process”. A timing channel involves a sender process that “signals information to another by modulating its own use of system resources (e.g., CPU time) in such a way that this manipulation affects the real response time observed by the second process”. This classification can be taken further by identifying hybrid channels, in which the timing and storage information are used together, and counting channels, in which the number of events comes into play instead of the occurrence of a single event.
Detecting and preventing covert channels is particularly important for multi-level security (MLS) systems in which processes working with classified information may leak information to processes with a lower classification level via the use of shared resources. Indeed, the evaluation criteria for trusted computer systems include the requirement to analyze covert channels in terms of their bandwidth and to develop policies to monitor and maintain their bandwidth below maximum acceptable levels. In this paper, we focus on the analysis and detection of covert timing channels in the TCP/IP protocol suite. Although some work has been done on timing channel analysis in general, little attention has been paid to channels in IP. Note that the Trusted Computer System Evaluation Criteria (TCSEC) requires storage channel analysis for a class B2 system, and timing channel analysis for higher classes.
In this initial exploration, we first present a design of an IP timing channel and provide the details of its implementation. While simple in concept, there proved to be some non-obvious issues in designing the software. We then look at the detection problem and present a set of methods for detecting IP timing channels based on analysis of traffic flows.
In the following section, we provide background information on covert channels. We present our IP covert timing channel design and implementation in Section 3 and point out some difficulties in implementing synchronous timing channels in asynchronous environments where no global reference clock exists. We present the results of an empirical study evaluating the performance of our channel. In Section 4 we present our proposed detection method and an empirical evaluation of its ability to detect IP timing channels. We conclude with directions for future work in Section 5.
NETWORK COVERT CHANNELS
While initial research in covert channels focused on single systems [23, 27, 32, 34], our focus here is on network