X hits on this document

PDF document

IP Covert Timing Channels: Design and Detection - page 4 / 10

39 views

0 shares

0 downloads

0 comments

4 / 10

1

1

0

0

1

1

0

0

0

1

1

0

0

0

1

1

0

0

1

1

0

0

1

1

1

1

0

0

1

1

0

0

0

0

0

0

0

0

1

1

SENDER

RECEIVER

1 0 1 0 1 0 0 1

1 0 1 0 0 1 0 1

SENDER

RECEIVER

1 0 1 0 1 0 0 1

1 0 1 0

0 1 0 0

1 0 1 0

1 0 0 1

0 1 0 1

1 0 1 0

0 0 0 1

delay

(a)

1 0 1 0

0 1 0 0

1 0 1 0

1 1 0 1

0 0 0 0

new delay

(b)

Figure 2: The synchronization problem in the IP covert timing channel. (a) A temporary change in network conditions causing the channel to enter the error state temporarily after the fourth bit. (b) A longer-term change in network conditions causing the channel to enter the error state and stay there.

3.4

Synchronization

In a covert timing channel, all information transmitted is based entirely on the arrival time of packets at the receiver. Because the sender and receiver may operate with different clocks, it becomes a challenge to implement end-to-end syn- chronization, particularly in a one-way channel. Jitter can cause packets to be recorded as arriving in a time period before or after the intended one, as shown in Figure 2(a).

While some error from jitter can be corrected with error- correcting codes, longer-term changes that occur in the mid- dle of a transmission might cause an entire series of trans- mission to be shifted (Figure 2(b)). Clearly this problem can be solved by simply making the timing interval much larger than any expected network or processing delays, but this reduces the bandwidth of the channel. In this section, we describe techniques we used to help maintain synchro- nization.

3.4.1 Start of frame (SOF):

As a precaution against low levels of jitter in the network, each packet is sent in the middle of the timing interval. Moreover, upon receipt of every SOF packet, the receiver aligns itself with the newly received SOF by assuming that the SOF arrived exactly in the middle of the timing interval. This aligns the sender and receiver timing windows and in turn helps maintain synchronization.

3.4.2 Silent intervals:

We enhance the previous scheme by introducing silent in- tervals between frames. During a silent interval no packet transfer occurs between sender and receiver. We assume that the parties have previously determined the length of the silent interval. This interval can either be a default value or the covert channel itself can be initially used to send this value before the actual data transfer begins. The sender can enter the silent state any time during the transmission. Note that the sender has no way of knowing whether the receiver received the covert bits correctly or not. Therefore, it is up to the sender to observe the changing network condi- tions and make the decision when to pause the transmission.

As an example, a sudden change in the RTT between the sender and the receiver might be a good signal for enter- ing the silent state. On the other end, the receiver simply waits for the arrival of the SOF packet and takes no action. A simpler option is to enter the silent state periodically to clear the channel. This method increases channel accuracy at the expense of transmission rate. We investigate this tradeoff between channel accuracy and transmission time in Section 3.5.

3.4.3 Interval adjusting:

Rather than slow down the transmission by introducing silent periods in which no transfer occurs, the channel can adapt to the changes gradually as the network conditions change. In our interval adjusting scheme, the receiver closely monitors the time each packet arrives and compares it to the projected ideal case (the expected arrival time of the next packet) based on the current timing interval. Comparing the two, a delta is computed, which is the deviation between the ideal and actual times. The receiver then simply adds this value to its timing interval and adjusts its clock for the next arriving packet. Note that delta can be positive or negative, depending on whether the packet arrived early or late. This scheme is most useful when there is an incremental change in the network conditions that persists for longer than the lifetime of a single packet. It can however lead to errors if the change in the network delay is greater than 50% of the timing interval (e.g., adjust to an incorrect timing in- terval). As a precaution, we restrict the magnitude of each adjustment to be less than 10% of the difference between two consecutive intervals.

3.4.4 Phase locked loop (PLL):

A more promising solution for combating errors caused by variable network delays is to make interval adjustment more responsive to changes in delay. A phase-locked loop (PLL) is a popular method in communications used for bit and symbol synchronization. A PLL is a closed-loop feedback control circuit that is designed to track or synchronize an output signal with an input signal in frequency and phase

181

Document info
Document views39
Page views39
Page last viewedSat Jan 21 09:43:05 UTC 2017
Pages10
Paragraphs840
Words9153

Comments