Description: Normalization techniques in today's firewalls can be shown to virtually eliminate the potential of sending hidden information in IP packet headers, a classic example of a covert storage channel. Yet with the myriad of packets traversing the web, the exact arrival times of packets are overlooked. Whilst this timing is typically transparent to applications above the IP layer, by manipulating and observing the pattern of packet arrival times a timing covert channel can be created with arbitrary packets. Our project explores both the techniques involved in establishing reliable timing channels as well as detecting or impeding them.
Collaborators: Clay Shields, Georgetown University
Authors: S. Cabuk, C. E. Brodley and C. Shields
ACM Transactions on Information and System Security
Abstract: A covert channel can occur when an attacker finds and exploits a shared resource that is not designed to be a communication mechanism. A network covert channel operates by altering the timing of otherwise legitimate network traffic so that the arrival times of packets encode confidential data that an attacker wants to exfiltrate from a secure area from which she has no other means of communication. In this paper, we present the first public implementation of an IP covert channel, discuss the subtle issues that arose in its design, and present a discussion on its efficacy. We then show that an IP covert channel can be differentiated from legitimate channels and present new detection measures that provide detection rates over 95%. We next take the simple step an attacker would take, adding noise to the channel in an attempt to conceal the covert communication. For these noisy IP covert timing channels, we show that our online detection measures can fail to identify the covert channel for noise levels higher than 10%. We then provide effective offline search mechanisms that identify the noisy channels.
Authors: Cabuk, S., Brodley, C. E., and Shields, T. C.
ACM Conference on Computer and Communications Security
Abstract: A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy and in a manner that can be difficult to detect. In this paper, we describe our implementation of a covert network timing channel, discuss the subtle issues that arose in its design, and present performance data for the channel. We then use our implementation as the basis for our experiments in its detection. We show that the regularity of a timing channel can be used to differentiate it from other traffic and present two methods of doing so and measures of their efficiency. We also investigate mechanisms that attackers might use to disrupt the regularity of the timing channel, and demonstrate methods of detection that are effective against them.
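As an added illustration of the regularity-based detection idea in both abstracts (this is an example written for this page, not the authors' code): the window-based statistic below is an assumed formulation, not quoted from the papers, and the two traces it scores are constructed stand-ins, one with gaps pinned to a fixed slot grid and one whose rate drifts the way ordinary traffic does.

```python
import random
import statistics

def regularity(iats, window=100):
    """Window-based regularity statistic over a list of inter-arrival times
    (seconds). Assumed formulation: split the trace into fixed-size windows,
    take the standard deviation s_i of each, then report the standard
    deviation of all pairwise relative differences |s_i - s_j| / s_i.
    A small value means the spread of gaps barely changes from window to
    window, which is what a mechanically timed channel looks like.
    Returns None when there are too few windows to say anything."""
    sigmas = [statistics.pstdev(iats[k:k + window])
              for k in range(0, len(iats) - window + 1, window)]
    if len(sigmas) < 3:
        return None
    diffs = [abs(si - sj) / si
             for i, si in enumerate(sigmas) if si > 0
             for sj in sigmas[i + 1:]]
    return statistics.pstdev(diffs) if len(diffs) >= 2 else None

def constructed_covert_iats(n, rng, slot=0.1, jitter=0.002):
    """Constructed stand-in for a timing channel: every gap is one, two or
    three slots of a fixed grid, plus a little network jitter."""
    return [rng.choice((1, 2, 3)) * slot + rng.gauss(0.0, jitter) for _ in range(n)]

def constructed_legit_iats(n, rng):
    """Constructed stand-in for ordinary traffic: the sending rate drifts
    between bursts and idle periods, so the spread of gaps varies per window."""
    iats = []
    while len(iats) < n:
        mean_gap = rng.lognormvariate(-2.0, 1.5)  # per-burst mean gap (seconds)
        iats.extend(rng.expovariate(1.0 / mean_gap) for _ in range(rng.randint(20, 80)))
    return iats[:n]

def demo(seed=1, n=1000):
    """Score one constructed trace of each kind with the same seeded generator."""
    rng = random.Random(seed)  # fixed seed: repeatable traces
    return {"covert": regularity(constructed_covert_iats(n, rng)),
            "legit": regularity(constructed_legit_iats(n, rng))}

if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:7s} regularity = {score:.3f}")
```

The covert trace scores close to zero while the drifting trace scores far above one; in practice the threshold between the two must be calibrated on the traffic of the link being watched.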