covert channels, which have become a pervasive security threat to trusted distributed systems. Network covert channels have been used by attackers to communicate with compromised hosts, particularly in distributed denial of service attacks . Many tools exist for setting up network covert channels using a variety of protocols including TCP, IP, HTTP and ICMP [9, 10, 29, 31].
The data section of packets is the easiest place to convey covert information, due to its large size and because it is relatively unstructured compared to headers. Modifying the packet payload is outside the scope of this paper as it falls in the realm of steganography or watermarking. Our focus in this section is instead on storage channels in the packet headers and on timing channels.
Unused header fields that are either designed for future protocol improvements or in general go unchecked by firewalls and network intrusion detection devices, may convey information in the form of a covert channel [2, 3, 10, 12, 29, 30]. The ID field (for unfragmented packets) in TCP and the option bits in IP have been used for storage channels . A smart attacker can even devise means to use some of the header fields that do fall under scrutiny, such as the IP checksum field . An effective way to eliminate most storage channels is through traffic normalizers [11, 17], which modify both incoming and outgoing packets by standardizing fields that are unused or redundant. Unusual traffic patterns may also lead to discovery of storage channels. For example, multiple ping requests within a small time interval may indicate a storage channel in the ICMP protocol such as that used by Loki . In addition, covert storage channels can sometimes be detected by observing variations in unused packet header fields .
Less attention has been placed on network timing channels. These channels convey information through the arrival patterns of packets, rather than through the contents of the packets themselves. Network timing channels include packet sorting channels [2, 3], in which the order of packet arrival conveys information, and timing channels in which it is the reception or absence of packets within specific time intervals that carries significance. In our research we have focused on the latter type of timing channel.
To understand how these channels work, consider a distributed MLS system which uses the TCP/IP protocol suite to provide the necessary communication between remote users of the system. For the sake of simplicity, we will assume that the two parties have information access levels of HIGH and LOW. We assume that the system is capable of securing all overt communication and further mechanisms such as a packet sanitizer are also employed, which remove all sensitive data from the message content when data is transferred from HIGH to LOW security levels. Our research addresses two questions: How can information be leaked using IP from a HIGH node to a LOW node? How can the system detect such leakage?
In terms of a client/server architecture, the covert channel can be set to leak information in either direction: server to client or client to server. In the first case, the server resides on a HIGH node running a form of malware. The client initiates the covert communication by a connect request over a known port (e.g., FTP). The trojaned server recognizes the IP address of the client, and begins the covert communication. Note that the server exhibits normal behavior on connection requests from all other clients. In the second
[Figure 1 (image not reproduced): the example text, an excerpt from Macbeth ("We shall not spend a large expense of time ... As calling home our exiled friends abroad ..."), is encoded into a bit stream; each bit is then sent as the presence (1) or absence (0) of a packet in a timing interval, and the receiver decodes the received bit stream back into the text.]
Figure 1: IP covert timing channel. The example text is first encoded with a coding scheme and then bit by bit sent to the receiving end. The message is rebuilt by decoding the bit stream.
case, malware in a client on a HIGH node initiates the connection. In this case, the server’s IP address is known to the malware. The server responds and the covert communication is started, this time from client to server. Given our implementation experience (see Section 3), we conjecture that fewer hacker tools use timing channels because of the difficulties in synchronizing such channels and because of their reduced bandwidth as compared to storage channels. Network implementations of the pump  as well as timing jammers , which act as intermediaries between networks and modify packet inter-arrival times, are the principal defenses against timing channels. These defenses are aimed at stopping such channels rather than detecting them. An attacker who is aware of the existence of such countermeasures may intentionally decrease the bandwidth of the covert channel, reducing the effect of fluctuations in packet inter-arrival times on message accuracy. This ensures that the introduced timing discrepancies will be small compared to the length of each timing interval. Detection may also be more desirable than stopping covert channels because of the added benefits of locating compromised internal hosts as well as in blacklisting external IP addresses that are found to participate in the covert communication. Consequently, the focus of our research is to detect network timing channels.
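The channel of Figure 1 and the interval-length trade-off just described, as an added in-memory simulation (not the paper's code): packets are only constructed arrival timestamps, nothing is sent, and the 8-bit ASCII coding, the 50 ms / 500 ms intervals and the 30 ms delay are assumptions chosen to show how a delay larger than half an interval corrupts the decoded message while a longer interval absorbs it.

```python
# Added example (not the paper's code): an in-memory model of the timing
# channel in Figure 1, for reasoning about what an analyst sees in a capture.
# Packets are just constructed arrival timestamps; nothing touches a network.
from typing import Callable, Optional

def text_to_bits(text: str) -> list:
    """8-bit ASCII, most significant bit first (the coding scheme assumed here)."""
    return [(ord(c) >> k) & 1 for c in text for k in range(7, -1, -1)]

def bits_to_text(bits: list) -> str:
    """Inverse of text_to_bits; a trailing partial byte is dropped."""
    return "".join(chr(int("".join(map(str, bits[i:i + 8])), 2))
                   for i in range(0, len(bits) - len(bits) % 8, 8))

def arrival_times(bits: list, interval: float, start: float = 0.0,
                  delay: Optional[Callable[[int], float]] = None) -> list:
    """Sender side: one packet in interval i iff bit i is 1, emitted at the
    interval midpoint; delay(i) models network delay on that packet."""
    return [start + (i + 0.5) * interval + (delay(i) if delay else 0.0)
            for i, b in enumerate(bits) if b]

def decode(times: list, n_bits: int, interval: float, start: float = 0.0) -> list:
    """Receiver side: 1 for every agreed interval that contains a packet, else 0."""
    bits = [0] * n_bits
    for t in times:
        i = int((t - start) // interval)   # which agreed interval the packet fell in
        if 0 <= i < n_bits:
            bits[i] = 1
    return bits

def bit_errors(sent: list, received: list) -> int:
    return sum(a != b for a, b in zip(sent, received))

def simulate(text: str, interval: float, delay: float = 0.0):
    """Round-trip a message; returns (decoded text, number of corrupted bits).
    A constant delay above interval/2 pushes every packet into the next interval."""
    sent = text_to_bits(text)
    times = arrival_times(sent, interval, delay=lambda _i: delay)
    got = decode(times, len(sent), interval)
    return bits_to_text(got), bit_errors(sent, got)

if __name__ == "__main__":
    print(simulate("Scotland", 0.05))         # clean channel: ('Scotland', 0)
    print(simulate("Hi", 0.05, delay=0.03))   # 30 ms delay, 50 ms interval: ('$4', 9)
    print(simulate("Hi", 0.5, delay=0.03))    # same delay, 500 ms interval: ('Hi', 0)
```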
IP COVERT TIMING CHANNEL IMPLEMENTATION
In a timing channel, the receiver and sender agree a priori on a timing interval and the starting protocol (either a particular time or in response to a network event, such as the first packet sent). During each time interval the sender either transmits a single packet or maintains silence. The receiver monitors each interval to determine whether a packet was received or not. The result is a binary code where a 1 represents the detection of a packet in an interval and a 0 represents the absence of a packet (see Figure 1). Note that the raw data that flows across the channel is binary but the actual interpretation of the binary stream is up to the