Quasi-Anonymous Channels
Ira S. Moskowitz --- NRL
Richard E. Newman --- UF
Paul F. Syverson --- NRL
Center for High Assurance Computer Systems, Code 5540
Naval Research Laboratory
Washington, DC 20375
http://chacs.nrl.navy.mil
[email protected]
CNIS, Uniondale, NY Dec 2003
Anonymity
Interest is in hiding who is sending what to whom.
How does one measure anonymity?
Is there perfect anonymity?
Covert Channels
A communication channel that exists, contrary to system design, in a computer system or network
Typically in the realm of MLS systems
Classically measure threat by capacity
Quasi-Anonymous Channels
Less than perfect anonymity = quasi-anonymity
Quasi-anonymity allows a covert channel = quasi-anonymous channel
Quasi-anonymous channel is
(1) Illegal communication channel in its own right
(2) A way of measuring anonymity
BACKGROUND: MIXes
A MIX is a device intended to hide source/message/destination associations.
A MIX can use crypto, delay, shuffling, padding, etc. to accomplish this.
Others have studied ways to "beat the MIX":
-- active attacks to flush the MIX.
-- passive attacks may study probabilities.
MIX may successfully hide what, but does it always hide who/whom?
Prior measures of anonymity
• AT&T Crowds: degree of anonymity, p_forward (probability of forwarding a message) – Not MIX based
• Dresden: Anonymity (set of senders); set size N, log(N) – Does not include observations by Eve
• Cambridge: effective size, assign probabilities to senders; lies between – and log(N) – We show (later): maximal entropy (most noise) does not assure anonymity
• K.U. Leuven: normalize the above
• We want something that measures before & after. That is Shannon's information theory
Our Scenario (WPES 2003)
MIX firewalls separating 2 enclaves.
[Figure: Enclave 1 (Alice & Clueless_i) --- MIX --- MIX --- Enclave 2 (Eve); the overt channel (anonymous?) and the covert channel both cross the MIXes]
Timed MIX, total flush per tick
Eve: counts # messages per tick – perfect sync, knows # Clueless_i
Clueless_i are IID, p = probability that Clueless_i does not send a message
Alice is clueless w.r.t. the Clueless_i
NRL Covert Channel Analysis Lab
• John McDermott & Bruce Montrose
• Actual network set-up to exploit these quasi-anonymous channels
• First attempt: detect gross changes in traffic volume
• Future work may be a more fine-tuned detection of the mathematical channels discussed here
Toy Scenario – only Clueless_1
Alice can: not send a message (0), or send (0c)
Only two input symbols to the (covert) channel
What does Eve see? {0, 1, 2}
[Channel diagram, Alice → Eve: input 0 goes to 0 with probability p and to 1 with probability q; input 0c goes to 1 with probability p and to 2 with probability q]
Discrete Memoryless Channel
Channel matrix (rows: Alice's input X; columns: Eve's observation Y):
        Y=0   Y=1   Y=2
X=0     p     q     0
X=0c    0     p     q
[Diagram: X → anonymizing network → Y]
X is the random variable representing Alice, the transmitter to the covert channel
X has a probability distribution P(X=0) = x, P(X=0c) = 1 – x
Y represents Eve; its probability distribution is derived from X and the channel matrix
In general $P(X = x_i) = p(x_i)$, similarly $p(y_k)$
Entropy of X: $H(X) = -\sum_i p(x_i)\log p(x_i)$
Conditional entropy: $H(X|Y) = -\sum_k p(y_k)\sum_i p(x_i|y_k)\log p(x_i|y_k)$
Mutual information: $I(X,Y) = H(X) - H(X|Y) = H(Y) - H(Y|X)$ (we use the latter)
Capacity is the maximum over distributions of X of I. For the toy scenario
$C = \max_x \{ -( px\log(px) + [qx + p(1-x)]\log[qx + p(1-x)] + q(1-x)\log[q(1-x)] ) - h(p) \}$
where $h(p) = -\{ p\log p + (1-p)\log(1-p) \}$
Note
• Highest capacity when clueless traffic is very low or very high (p near 0 or 1)
• Capacity as a function of p is bounded below by C(0.5), attained at x = 0.5
thus even at maximal entropy (most noise), not anonymous
• Capacity monotonically decreases to 0 with N
• C(p) is a continuous function of p
• Alice's optimal bias is a function of p, and is always near 0.5
Comments
1. Lack of anonymity leads to a communication channel
2. Use this quasi-anonymous channel to measure the anonymity
Other MIX scenarios
• Exit only MIX firewall
• Instead of timed MIX could be:
• Threshold (Chaum) MIX, Pool MIX
Other quasi-anonymous channels
• Previous example was a storage channel in a timed MIX
• Can also have a timing channel (threshold MIX). Much more complicated:
Threshold MIX: the MIX flushes when K messages have arrived.
If Alice is the only sender, and can send a message to the MIX every t, the symbols Alice can send noiselessly to Eve are: Kt, Kt+1, Kt+2, …
Other senders add noise, so capacity is less
Desire a method of taking timing control away from Alice, without hurting performance
• Capacity is not always the correct measure --- might want just mutual information, or the number of bits passed
When is capacity not good? (COMPASS'94)
Shannon's alternate definition of capacity for a noiseless channel:
$C = \limsup_{n\to\infty} \log|S_n| / n$ bits per t
Example: each transmission carries 1 bit, but the k-th one takes $2^{k-1}$ t (1 bit in 1 t, 1 bit in 2 t, 1 bit in 4 t, 1 bit in 8 t, etc.)
By the M-th transmission there are $2^M$ different symbols
total time $= 1 + 2 + 4 + \dots + 2^{M-1}$, so $n = 2^M - 1$ and $|S_n| = 2^M$
$C = \lim_{M\to\infty} M / (2^M - 1) = 0$
NRL Pump (1993, Kang & Moskowitz)
– secure message passing from a Low user/process to a High user/process, while maximizing system performance and minimizing the covert channel capacity
[Diagram: LOW SIDE LAN → messages → Pump (buffer) → messages → HIGH SIDE LAN; ACKs flow back from High to the Pump, and statistically modulated ACKs from the Pump to Low]
Use Pump theory for the MIX: the Pump MIX
Pump MIX would keep a history of senders
Can delay certain messages to keep a sender from manipulating the flush time; would also give a fairness criterion