anonymity and covert channels in simple, timed mix-firewalls
1
Anonymity and Covert Channels in Simple, Timed
Mix-firewalls
Richard E. Newman --- UF
Vipan R. Nalla -- UF
Ira S. Moskowitz --- NRL
{nemo,vreddy}@cise.ufl.edu, [email protected]
http://chacs.nrl.navy.mil
2
Motivation
Anonymity --- Linkages – sender/message/recipient
optional desire or mandated necessity?
Hide who is sending what to whom.
What – covered by crypto.
Who/which/whom – covered by Mix networks.
Even if one cannot associate a particular message with a sender, it is still possible to leak information from sender to observer – covert channel.
3
Mixes
A Mix is a device intended to hide source/message/destination associations.
A Mix can use crypto, delay, shuffling, padding, etc. to accomplish this.
Others have studied ways to “beat the Mix”
--active attacks to flush the Mix.
--passive attacks may study probabilities.
4
Prior measures of anonymity
• AT&T Crowds: degree of anonymity, p_forward (probability of forwarding a message) – not Mix-based
• Dresden: anonymity set (set of senders) of size N, log(N) – does not include observations by Eve
• Cambridge: effective size, assign probabilities to senders, between 0 and log(N) – we show (later) that maximal entropy (most noise) does not assure anonymity
• K.U. Leuven: normalize the above
• We want something that measures before & after
That is Shannon’s information theory
5
Aim of this Work
• We wish to provide another tool to better understand and measure anonymity
• Limits of anonymity
• Application of classical techniques
• Follows WPES, CNIS work
6
Covert Channels
A communication channel that exists, contrary to system design, in a computer system or network
Typically in the realm of MLS systems: non-interference
Classically measure threat by capacity
7
Quasi-Anonymous Channels
Less than perfect anonymity = quasi-anonymity
Quasi-anonymity allows a covert channel = quasi-anonymous channel
Quasi-anonymous channel is
(1) Illegal communication channel in its own right
(2) A way of measuring anonymity
8
NRL Covert Channel Analysis Lab
• John McDermott & Bruce Montrose
• Actual network set-up to exploit these quasi-anonymous channels
• First attempt: detect gross changes in traffic volume
• Future work may be a more fine-tuned detection of the mathematical channels discussed here
9
Our Earlier Scenario WPES 2003
Mix Firewalls separating 2 enclaves.
[Figure: Enclave 1 and Enclave 2 separated by the Mix-firewall; Alice and the Clueless_i on the sending side; Eve observing the traffic between the enclaves.]
Timed Mix, total flush per tick
Eve: counts # messages per tick – perfect sync, knows # of Clueless_i
Clueless_i are IID, p = probability that Clueless_i does not send a message
Alice is clueless w.r.t. the Clueless_i
overt channel --- anonymous
covert channel --- from the sender (Alice) to the observer (Eve)
10
This System Model
• Alice (malicious insider) and N other senders (Clueless_i, i=1,…,N)
• M observable destinations (R_j, j=1,…,M)
• “Nobody” destination R0
• Each tick, each sender can send a message (to a destination R_j) or not (“send” to R0)
• Clueless_i are i.i.d.
• Eve sees message counts to the R_j’s each tick
11
Multiple Receiver Model
[Figure: senders Alice, Clueless_1, Clueless_2, …, Clueless_N feed the Mix-firewall; its output goes to receivers R1, R2, … (plus Nobody = R0); Eve observes the Mix-firewall’s output.]
12
Toy Scenario – N=1, M=1
Alice can: not send a message (0), or send (1)
Only two input symbols to the (covert) channel
What does Eve see? 0, 1, or 2 messages.
[Figure: transition diagram from Alice to Eve. Alice 0 → Eve 0 with probability p, Eve 1 with probability q; Alice 1 → Eve 1 with probability p, Eve 2 with probability q.]
13
Discrete Memoryless Channel
Channel matrix (rows: X, Alice’s symbol; columns: Y, what Eve sees):
        Y=0   Y=1   Y=2
  X=0    p     q     0
  X=1    0     p     q
X → anonymizing network → Y
X is the random variable representing Alice, the transmitter to the covert channel. X has probability distribution P(X=0) = x, P(X=1) = 1-x.
Y represents Eve; its probability distribution is derived from X and the channel matrix.
14
Channel Capacity
In general $P(X = x_i) = p(x_i)$, similarly $p(y_k)$
$H(X) = -\sum_i p(x_i)\log p(x_i)$ (entropy of X)
$H(X|Y) = -\sum_k p(y_k) \sum_i p(x_i|y_k)\log p(x_i|y_k)$
Mutual information $I(X,Y) = H(X) - H(X|Y) = H(Y) - H(Y|X)$
Capacity is the maximum of I over the distribution of X
15
Capacity for Toy Scenario
$C = \max_x \{ -( p x \log(p x) + [q x + p(1-x)]\log[q x + p(1-x)] + q(1-x)\log[q(1-x)] ) - h(p) \}$
where $h(p) = -\{ p \log p + (1-p)\log(1-p) \}$
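The toy scenario above, worked in code as an added example (this is not the authors' code). It assumes what the slides state: p is the probability that the single Clueless sender stays silent, q = 1 - p, Alice's input X is 0 or 1 with Pr(X=0) = x, and Eve sees Y = the number of messages leaving the mix that tick. It evaluates I(X;Y) both from the slide 14 definitions (H(X) - H(X|Y)) and from the slide 15 closed form (H(Y) - h(p)), and maximises over x to get C(p).

```python
"""Toy scenario (N=1 Clueless, M=1 receiver) from the slides, worked in code.
Added example, not the authors' code. Assumes: p = Pr(Clueless does not send),
q = 1 - p, Alice's input X in {0,1} with Pr(X=0) = x, Eve's observation
Y in {0,1,2} = number of messages leaving the mix in that tick."""
from math import log2


def entropy(dist):
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(pr * log2(pr) for pr in dist if pr > 0)


def toy_channel(p):
    """Channel matrix W[x][y] = Pr(Y=y | X=x) from the DMC slide."""
    q = 1.0 - p
    return [[p, q, 0.0],   # Alice silent: Eve sees 0 (Clueless silent) or 1
            [0.0, p, q]]   # Alice sends:  Eve sees 1 (Clueless silent) or 2


def mutual_information(px, w):
    """I(X;Y) = H(X) - H(X|Y), evaluated exactly as the capacity slide defines it."""
    n_in, n_out = len(px), len(w[0])
    py = [sum(px[i] * w[i][j] for i in range(n_in)) for j in range(n_out)]
    h_x_given_y = 0.0
    for j in range(n_out):
        if py[j] == 0:
            continue
        posterior = [px[i] * w[i][j] / py[j] for i in range(n_in)]  # Pr(X=i | Y=j)
        h_x_given_y += py[j] * entropy(posterior)
    return entropy(px) - h_x_given_y


def toy_closed_form(x, p):
    """The closed form I = H(Y) - h(p) with Pr(X=0) = x."""
    q = 1.0 - p
    h_y = entropy([p * x, q * x + p * (1 - x), q * (1 - x)])
    return h_y - entropy([p, q])  # h(p): the noise the Clueless adds each tick


def toy_capacity(p, steps=10000):
    """C(p) = max over x of I.  A grid search suffices for a concave 1-D function.
    Returns (capacity in bits, the x that attains it)."""
    best_c, best_x = 0.0, 0.0
    for k in range(steps + 1):
        x = k / steps
        i = toy_closed_form(x, p)
        if i > best_c:
            best_c, best_x = i, x
    return best_c, best_x


if __name__ == "__main__":
    for p in (0.0, 0.1, 0.5, 0.9, 1.0):
        c, x = toy_capacity(p)
        print(f"p={p:.1f}  C={c:.4f} bits  optimal x={x:.3f}")
```

Running it reproduces the later observations for M=1: C(0.5) = 0.5 bit with x = 0.5, so even when the Clueless traffic is at maximal entropy Alice still leaks half a bit per tick, and C(p) rises towards 1 bit as p approaches 0 or 1.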
16
Capacity and optimal x vs. p
17
Earlier Scenario: 1 Receiver,N Cluelessi
[Figure: transition diagram. Alice’s input is 0 or 1; Eve’s output is 0, 1, …, N, N+1. From Alice = 0: to 0 with probability p^N, to 1 with N p^(N-1) q, …, to N with q^N. From Alice = 1: to 1 with p^N, …, to N with N q^(N-1) p, to N+1 with q^N.]
18
Capacity vs. N (M=1)
19
Observations
• Highest capacity when very low or very high clueless traffic
• Capacity C(p) is bounded below by C(0.5) (attained with x = 0.5); thus even at maximal entropy, not anonymous
• Capacity monotonically decreases to 0 with N
• C(p) is a continuous function of p
• Alice’s optimal bias is a function of p, and is always near 0.5
20
Comments
1. Lack of anonymity leads to a communication channel
2. Use this quasi-anonymous channel to measure the anonymity
3. Capacity is not always the correct measure --- one might want just the mutual information, or the number of bits passed
21
New Results
• Analysis for M>1 receivers
• Numerical (but not theoretical) results show best for Clueless to be uniform
• Numerical results for Clueless uniform over actual receivers (not R0)
• Numerical results for Alice uniform over actual receivers (not R0)
• Best for Alice to be uniform
22
Earlier Scenario Revisited:1 Receiver, N Cluelessi
[Figure: same transition diagram, with Eve’s observations written as count pairs <# to R0, # to R1>: <N+1,0>, <N,1>, …, <1,N>, <0,N+1>. From Alice = 0: to <N+1,0> with probability p^N, to <N,1> with N p^(N-1) q, …, to <1,N> with q^N. From Alice = 1: to <N,1> with p^N, …, to <1,N> with N q^(N-1) p, to <0,N+1> with q^N.]
23
M=2 Receivers, N=1 Cluelessi
[Figure: transition diagram. Alice’s input is her destination 0, 1 or 2; Eve observes <# to R0, # to R1, # to R2>. From 0: to <2,0,0> with probability p, to <1,1,0> with q/2, to <1,0,1> with q/2. From 1: to <1,1,0> with p, to <0,2,0> with q/2, to <0,1,1> with q/2. From 2: to <1,0,1> with p, to <0,1,1> with q/2, to <0,0,2> with q/2.]
24
Channel Matrix for N=1, M=2
Rows: Alice’s destination A = 0, 1, 2. Columns: Eve’s observation <# to R0, # to R1, # to R2>.
         <2,0,0> <1,1,0> <1,0,1> <0,2,0> <0,1,1> <0,0,2>
  A=0       p      q/2     q/2      0       0       0
  A=1       0       p       0      q/2     q/2      0
  A=2       0       0       p       0      q/2     q/2
M_{1,2} = the matrix above
(Note: typo in pre-proceedings section 3.2: M0.2[i,j] = Pr(e_j | A=i), not A=a_i)
25
Capacity for N=1,M=2
$C = \max_A I(A,E)$
$= \max_{x_1,x_2} \{ -( p x_0 \log(p x_0) + [q x_0/2 + p x_1]\log[q x_0/2 + p x_1] + [q x_0/2 + p x_2]\log[q x_0/2 + p x_2] + [q x_1/2]\log[q x_1/2] + [q x_1/2 + q x_2/2]\log[q x_1/2 + q x_2/2] + [q x_2/2]\log[q x_2/2] ) - h_2(p) \}$
where $h_2(p) = -(1-p)\log\frac{1-p}{2} - p\log p$, $x_i = P(A = i)$ and $x_0 = 1 - x_1 - x_2$
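The multi-receiver channel, as an added example that is not the authors' code: it builds the channel matrix for any N Clueless senders and M receivers (covering the 1-receiver N-Clueless diagram, the N=1, M=2 diagram and the matrix above), checks that the N=1, M=2 case reproduces the slide's M_{1,2} row by row, and finds the capacity and Alice's best input distribution numerically with the Blahut-Arimoto algorithm, which is my choice of solver and not something the slides use. It assumes, as the new-results slide does for the uniform case, that each Clueless_i stays silent with probability p and otherwise picks one of the M real receivers uniformly (probability q/M each, q = 1-p); Alice's symbol is her destination 0..M with 0 = Nobody = R0; Eve sees the count vector <#R0, #R1, ..., #RM> after each tick's flush. The function h_m generalises the slide's h2(p) to M receivers (it equals h2 for M=2).

```python
"""Channel matrix and capacity of the mix-firewall covert channel for N Clueless
senders and M receivers. Added example, not the authors' code. Assumptions:
each Clueless_i independently stays silent with probability p and otherwise
picks one of the M real receivers uniformly (probability q/M each, q = 1-p);
Alice's input symbol is her destination 0..M (0 = Nobody = R0); Eve observes
the count vector <#R0, #R1, ..., #RM> after each tick's flush."""
from itertools import product
from math import log2


def clueless_dist(n, m, p):
    """Distribution of the count vector produced by n i.i.d. Clueless senders."""
    q = 1.0 - p
    single = [p] + [q / m] * m              # one sender: R0 w.p. p, R_j w.p. q/m
    dist = {}
    for choices in product(range(m + 1), repeat=n):
        counts = [0] * (m + 1)
        pr = 1.0
        for dest in choices:
            counts[dest] += 1
            pr *= single[dest]
        dist[tuple(counts)] = dist.get(tuple(counts), 0.0) + pr
    return dist


def channel_matrix(n, m, p):
    """Rows: Alice's destination a = 0..M.  Columns: Eve's observation.
    Returns (column labels, matrix) with entries Pr(E = label | A = a)."""
    base = clueless_dist(n, m, p)
    rows, labels = [], set()
    for a in range(m + 1):
        row = {}
        for counts, pr in base.items():
            obs = list(counts)
            obs[a] += 1                     # Alice's own message joins the flush
            row[tuple(obs)] = row.get(tuple(obs), 0.0) + pr
        rows.append(row)
        labels.update(row)
    labels = sorted(labels, reverse=True)  # yields <2,0,0>, <1,1,0>, ... for N=1, M=2
    return labels, [[row.get(lab, 0.0) for lab in labels] for row in rows]


def row_entropy(row):
    """H(E | A = a): entropy of one row of the channel matrix, in bits."""
    return -sum(w * log2(w) for w in row if w > 0)


def h_m(p, m):
    """Noise added per tick by ONE uniform Clueless sender with M receivers.
    For M=2 this is the slide's h2(p) = -(1-p) log((1-p)/2) - p log p."""
    q = 1.0 - p
    return -(p * log2(p) + q * log2(q / m))


def blahut_arimoto(matrix, iters=3000):
    """Capacity in bits and the capacity-achieving input distribution over A."""
    k, n_out = len(matrix), len(matrix[0])
    x = [1.0 / k] * k                        # start from Alice uniform over 0..M
    for _ in range(iters):
        y = [sum(x[i] * matrix[i][j] for i in range(k)) for j in range(n_out)]
        # c_i = 2 ** D(W(.|i) || y): how distinguishable input i is under current x
        c = [2 ** sum(w * log2(w / y[j]) for j, w in enumerate(matrix[i]) if w > 0)
             for i in range(k)]
        total = sum(x[i] * c[i] for i in range(k))
        x = [x[i] * c[i] / total for i in range(k)]
    return log2(total), x


def capacity(n, m, p):
    """Convenience wrapper: (C in bits, Alice's optimal distribution) for (N, M, p)."""
    return blahut_arimoto(channel_matrix(n, m, p)[1])


if __name__ == "__main__":
    for n, m in ((1, 1), (2, 1), (3, 1), (1, 2), (1, 3)):
        c, x = capacity(n, m, 0.5)
        print(f"N={n} M={m} p=0.5: C={c:.4f} bits (bound log2(M+1)={log2(m + 1):.4f}), "
              f"Alice's best Pr(A=0)={x[0]:.3f}")
```

With p = 0.5 the run shows the conclusions numerically: capacity falls as N grows for fixed M, rises with M but stays under log2(M+1), and Alice's best probability of sending nothing sits near 1/(M+1) rather than exactly on it.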
26
Capacity LB vs. p (N=1-4,M=2)
27
Mutual Info vs. X0, N=1, M=2
28
Mutual Info vs. p, N=2, M=2
29
Best x0 vs. p for M=3,N=1-4
30
Effect of Suboptimal x0 (M=3)
31
Capacity LB vs. p (N=1, M=1-5)
32
Capacity (N,M)
33
Equivalent Sender Group Size
34
Conclusions
1. Highest capacity when very low or very high clueless traffic
2. Multiple receivers induce asymmetry for clueless sending vs. not sending
3. Capacity monotonically decreases to 0 with N
4. Capacity monotonically increases with M, bounded by log(M+1)
5. Alice’s optimal bias is a function of p, and is always near 1/(M+1)
35
Future Work
• Relax IID assumption on Cluelessi
• More realistic distributions for Cluelessi
• If Alice has knowledge of Cluelessi behavior…
• More general timed Mixes
• Threshold Mixes, pool Mixes, Mix networks
• Effective sender set size
• Relationship of CC capacity to anonymity