Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1 , Haining Wang 1 , Duminda Wijesekera 2 , and Sushil Jajodia 2 1 College of William and Mary 2 George Mason University

Upload: gary-mcgee

Post on 04-Jan-2016

226 views

Category:

Documents


3 download

TRANSCRIPT

Page 1: Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College

Model-Based Covert Timing Channels:Automated Modeling and Evasion

Steven Gianvecchio1, Haining Wang1, Duminda Wijesekera2, and Sushil Jajodia2

1College of William and Mary2George Mason University

Page 2: Model-Based Covert Timing Channels: Automated Modeling and Evasion Steven Gianvecchio 1, Haining Wang 1, Duminda Wijesekera 2, and Sushil Jajodia 2 1 College

RAID 2008

Outline

- Background
- Covert Timing Channels
- Model-Based Framework
- Experimental Evaluation
  - Capacity
  - Detection Resistance
- Conclusion



Background

Covert Channels manipulate shared resources to transfer information:
- hide communication (or extra communication)
- exfiltrate sensitive data (e.g., keys, passwords)


Background

Types of Covert Channels (the shared resource determines the type):
- covert storage channels (e.g., packet header fields)
- covert timing channels (e.g., packet arrival times)


Covert Timing Channels

Main goals:
- high capacity
- strong detection resistance

Capacity is measured in bits per time unit, not bits per symbol:

$$C_t = \max_{X} \frac{I(X;Y)}{E(X)}$$

where $X$ is the transmitted IPD, $Y$ the received IPD, $I(X;Y)$ their mutual information (bits per packet) and $E(X)$ the mean IPD (seconds per packet).


Covert Timing Channels

- OPtimal Capacity (OPC): send information as fast as possible; E(X) is small (1,000s of packets/second)
- Fixed-average Packet Rate (FPR): send information as fast as possible at a fixed average packet rate; E(X) is fixed (a few packets/second)


Model-Based Framework

[Framework diagram: LEGIT TRAFFIC -> FILTER -> LEGIT IPDs -> ANALYZER -> MODEL -> ENCODER -> TRANSMITTER -> COVERT TRAFFIC. Encoder inputs: MESSAGE, RANDOM NUMBER. Terms: IPD = inter-packet delay. Models: exponential, gamma, Pareto, lognormal, Poisson, Weibull, ...]

The Framework:
- filters and analyzes legitimate traffic
- encodes and transmits covert traffic


Components


Filter: filters the input for the specified type of traffic (e.g., outgoing HTTP) and outputs the legitimate IPDs.


Analyzer: fits the legitimate IPDs to several models using MLE (in blocks of 100 IPDs) and selects the model with the lowest RMSE.


Encoder: uses the inverse distribution function (IDF) of the selected model to generate covert IPDs that mimic the legitimate traffic.


Encoding / Decoding

1. Continuize: $r_s = F_{continuize}(s) = \left(\frac{s}{|S|} + r\right) \bmod 1$

2. Encode: $d = F_{encode}(r_s) = F^{-1}_{model}(r_s)$

3. Decode: $r_s = F_{decode}(d) = F_{model}(d)$

4. Discretize: $s = F_{discretize}(r_s) = |S| \cdot \big((r_s - r) \bmod 1\big)$

where $s$ is a symbol from the alphabet $S$, $r$ is the random-number input to the encoder (which the decoder must reproduce to undo step 1), $F_{model}$ is the distribution function of the selected model and $d$ is the covert IPD.
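The analyzer (MLE fit, lowest-RMSE model selection) and the four encoding/decoding steps above, as an added example in Python. This is not the authors' C/MATLAB implementation. Assumptions not on the slides: the candidate models are limited to exponential and Weibull; RMSE is taken between the fitted CDF and the empirical CDF; the Weibull shape is found by bisection on the likelihood equation; the decoder rounds the discretized value to the nearest symbol; sender and receiver share the PRNG seed that produces r; the "legitimate" trace is simulated from the slides' MB-HTTP Weibull parameters, and the jitter equals the WAN-EE IPDV (constructed input).

```python
import math
import random
import statistics


class Exponential:
    def __init__(self, lam):
        self.lam = lam

    @classmethod
    def fit(cls, ipds):  # MLE: lambda = 1 / sample mean
        return cls(1.0 / statistics.fmean(ipds))

    def cdf(self, d):
        return 1.0 - math.exp(-self.lam * d)

    def icdf(self, u):  # inverse distribution function (IDF)
        return -math.log(1.0 - u) / self.lam


class Weibull:
    def __init__(self, lam, k):
        self.lam, self.k = lam, k

    @classmethod
    def fit(cls, ipds):
        # MLE: k solves sum(x^k ln x)/sum(x^k) - 1/k - mean(ln x) = 0, which is
        # monotone in k, so bisection suffices (assumption: not the authors' code).
        xs = [x for x in ipds if x > 0]  # zero IPDs carry no log-based information
        logs = [math.log(x) for x in xs]
        mean_log = statistics.fmean(logs)

        def g(k):
            pw = [x ** k for x in xs]
            return sum(p * l for p, l in zip(pw, logs)) / sum(pw) - 1 / k - mean_log

        lo, hi = 0.01, 10.0
        for _ in range(100):
            mid = (lo + hi) / 2
            lo, hi = (mid, hi) if g(mid) < 0 else (lo, mid)
        k = (lo + hi) / 2
        return cls(statistics.fmean([x ** k for x in xs]) ** (1 / k), k)

    def cdf(self, d):
        return 1.0 - math.exp(-((d / self.lam) ** self.k))

    def icdf(self, u):
        return self.lam * (-math.log(1.0 - u)) ** (1 / self.k)


def rmse(model, ipds):
    """RMSE between fitted CDF and empirical CDF (assumed goodness-of-fit metric)."""
    xs = sorted(ipds)
    return math.sqrt(sum((model.cdf(x) - (i + 1) / len(xs)) ** 2
                         for i, x in enumerate(xs)) / len(xs))


def analyze(ipds, models=(Exponential, Weibull)):
    """Analyzer: fit each candidate by MLE, keep the model with the lowest RMSE."""
    return min((m.fit(ipds) for m in models), key=lambda m: rmse(m, ipds))


def encode(symbols, model, nsym, rng):
    """Encoder: continuize r_s = (s/|S| + r) mod 1, then d = F_model^-1(r_s)."""
    return [model.icdf((s / nsym + rng.random()) % 1.0) for s in symbols]


def decode(ipds, model, nsym, rng):
    """Decoder: r_s = F_model(d), s = |S| * ((r_s - r) mod 1), rounded to the
    nearest symbol because the received IPD carries jitter; rng must replay
    the sender's r sequence (shared seed)."""
    out = []
    for d in ipds:
        r = rng.random()
        out.append(round(((model.cdf(max(d, 0.0)) - r) % 1.0) * nsym) % nsym)
    return out


def symbol_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def run_channel(nsym=16, n=2000, jitter=2.41e-3, seed=1):
    """Legit IPDs simulated from the slides' MB-HTTP Weibull fit; a random
    message is sent over a clean link and over one with Gaussian jitter equal
    to the WAN-EE IPDV (constructed inputs)."""
    rng = random.Random(seed)
    legit_model = Weibull(0.0371, 0.3010)
    legit = [legit_model.icdf(rng.random()) for _ in range(n)]
    model = analyze(legit)
    msg = [rng.randrange(nsym) for _ in range(n)]
    covert = encode(msg, model, nsym, random.Random(seed + 1))
    clean = decode(covert, model, nsym, random.Random(seed + 1))
    noisy = decode([d + rng.gauss(0.0, jitter) for d in covert], model, nsym,
                   random.Random(seed + 1))
    return {"model": type(model).__name__, "fitted_k": getattr(model, "k", None),
            "ser_clean": symbol_error_rate(msg, clean),
            "ser_jitter": symbol_error_rate(msg, noisy)}
```

Calling run_channel() fits the simulated trace (the analyzer should pick Weibull with k near 0.301), decodes the message without error over the clean link, and reports the symbol error rate once WAN-EE-sized jitter is added; the jittered rate is what limits the empirical capacity in the evaluation that follows.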


Transmitter: sends out packets with the covert IPDs.

Receiver and Decoder: receive the packets and decode the message.


Model-Based Framework

Implementation Details:
- components run in user space
- filter, encoder and transmitter written in C, plus inline assembly for RDTSC (cycle-counter timestamps)
- analyzer written in MATLAB


Experimental Evaluation

Test Scenarios: LAN, WAN East-to-East (WAN-EE), WAN East-to-West (WAN-EW)

            LAN        WAN-EE      WAN-EW
distance    0.3 mi     525 mi      2660 mi
RTT         1.7 ms     59.6 ms     87.2 ms
IPDV        2.5e-05    2.41e-03    2.1e-04
hops        3          18          13

IPDV = inter-packet delay variation


Test Setup

- MB-HTTP: Weibull, avg. λ = 0.0371, avg. k = 0.3010; E(X) = 0.3385 s (~3 packets/second)
- OPC: E(X) from 7.31e-3 to 7.87e-5 s (1,515 to 12,777 packets/second)
- FPR: Exponential, λ = 2.954; E(X) = 1/λ = 0.3385 s (~3 packets/second), the same average rate as MB-HTTP


Theoretical Capacity

channel     LAN               WAN-EE            WAN-EW
            CPP     CPS       CPP     CPS       CPP     CPS
MB-HTTP     9.39    27.76     4.12    12.19     6.84    20.21
OPC         0.50    6,395     0.50    68.80     0.50    758.54
FPR         12.63   37.32     6.15    18.17     9.59    28.35

CPP = capacity per packet (bits/packet); CPS = capacity per second (bits/second), i.e. CPP / E(X) (for MB-HTTP, 9.39 / 0.3385 s = 27.7 bits/second).

Across LAN, WAN East-East and WAN East-West:
- OPC has the highest capacity
- MB-HTTP and FPR are close


Empirical Capacity

[Figure: WAN E-E empirical capacity (y axis: empirical capacity, 0 to 1) and WAN E-E bit error rates (y axis: bit error rate, 0 to 0.5), each plotted against bit 1 to 16 on the x axis; series FPR and MB-HTTP]

WAN East-East, MB-HTTP versus FPR: capacity and bit error rate degrade quickly.


[Figure: WAN E-W empirical capacity (y axis: empirical capacity, 0 to 1) and WAN E-W bit error rates (y axis: bit error rate, 0 to 0.5), each plotted against bit 1 to 16 on the x axis; series FPR and MB-HTTP]

WAN East-West, MB-HTTP versus FPR: capacity and bit error rate degrade slowly.

Empirical Capacity

channel     LAN               WAN-EE            WAN-EW
            CPP     CPS       CPP     CPS       CPP     CPS
MB-HTTP     6.74    19.93     2.15    6.35      5.18    15.31
OPC         0.85    10,899    0.66    91.28     0.98    1,512
FPR         10.95   32.35     4.63    13.67     9.37    27.69

CPP = capacity per packet (bits/packet); CPS = capacity per second (bits/second)

Across LAN, WAN East-East and WAN East-West:
- OPC again has the highest capacity
- MB-HTTP and FPR are still close


Detection Resistance

Tests of shape: the Kolmogorov-Smirnov test

$$KSTEST = \max_x |s_1(x) - s_2(x)|$$

where $s_1$ and $s_2$ are the (empirical) distribution functions of the two samples being compared.

Tests of regularity: the regularity test (Cabuk 2004)

$$regularity = STDEV\left( \frac{|\sigma_i - \sigma_j|}{\sigma_i},\ i < j,\ \forall i, j \right)$$

where $\sigma_i$ is the standard deviation of the IPDs in the $i$-th window of $w$ IPDs of the trace.
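Both tests above, run against simulated traces of the four traffic types, as an added example in Python; this is not the authors' evaluation harness. Assumptions: legitimate traffic is drawn from the slides' MB-HTTP Weibull fit (λ = 0.0371, k = 0.3010), so the MB-HTTP channel, whose IPDs are the same model applied to uniform random values, has exactly the legitimate distribution (the best case for the channel); FPR is exponential with λ = 2.954; OPC is a constructed one-bit-per-packet channel using two IPDs near the slides' fastest E(X); the detection threshold is set at the 1% false-positive point, as in the tables that follow; windows with zero standard deviation are skipped in the regularity score.

```python
import math
import random
import statistics

LEGIT_LAM, LEGIT_K = 0.0371, 0.3010   # slides' Weibull fit for HTTP IPDs
FPR_LAM = 2.954                        # slides' exponential rate for FPR


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic max|s1(x) - s2(x)| over the two
    empirical distribution functions; tied values are consumed before comparing."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] == x:
            i += 1
        while j < len(b) and b[j] == x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d


def regularity(ipds, w):
    """Cabuk et al. 2004: sigma_i is the standard deviation of window i of w
    IPDs; score = STDEV(|sigma_i - sigma_j| / sigma_i, i < j). Windows with
    sigma_i = 0 are skipped (assumption; the formula would divide by zero)."""
    sig = [statistics.stdev(ipds[s:s + w]) for s in range(0, len(ipds) - w + 1, w)]
    ratios = [abs(si - sj) / si for i, si in enumerate(sig) if si > 0 for sj in sig[i + 1:]]
    return statistics.stdev(ratios) if len(ratios) > 1 else 0.0


def weibull_ipds(n, rng, lam=LEGIT_LAM, k=LEGIT_K):
    """Weibull IDF applied to uniform randoms. This is also what a model-based
    encoder emits, since (s/|S| + r) mod 1 is uniform in [0, 1)."""
    return [lam * (-math.log(1.0 - rng.random())) ** (1 / k) for _ in range(n)]


def fpr_ipds(n, rng, lam=FPR_LAM):
    """FPR channel: exponential IPDs with fixed average rate lam."""
    return [-math.log(1.0 - rng.random()) / lam for _ in range(n)]


def opc_ipds(n, rng, d0=7.87e-5, d1=2 * 7.87e-5):
    """OPC channel: one bit per packet using two tiny IPDs (constructed values
    near the slides' fastest E(X))."""
    return [d1 if rng.random() < 0.5 else d0 for _ in range(n)]


def threshold_for_fp(legit_scores, fp=0.01):
    """Score cut-off above which a fraction fp of legitimate traces is flagged."""
    s = sorted(legit_scores)
    return s[max(0, math.ceil(len(s) * (1 - fp)) - 1)]


def evaluate(trials=100, n=2000, w=100, seed=1):
    """KS score of each trace against a fresh legitimate trace, detection rate
    at the 1% false-positive threshold, and regularity of one trace per channel."""
    rng = random.Random(seed)
    channels = {"LEGIT-HTTP": weibull_ipds, "MB-HTTP": weibull_ipds,
                "FPR": fpr_ipds, "OPC": opc_ipds}
    scores = {name: [ks_statistic(weibull_ipds(n, rng), gen(n, rng)) for _ in range(trials)]
              for name, gen in channels.items()}
    thr = threshold_for_fp(scores["LEGIT-HTTP"])
    return {name: {"ks_mean": statistics.fmean(sc),
                   "ks_stdev": statistics.stdev(sc),
                   "detection_rate": sum(x > thr for x in sc) / len(sc),
                   "regularity": regularity(channels[name](n, rng), w)}
            for name, sc in scores.items()}


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:10s} " + " ".join(f"{k}={v:.3f}" for k, v in row.items()))
```

Expect the same pattern as the tables: FPR and OPC get high, tightly clustered KS scores and near-zero regularity and are flagged every time, while MB-HTTP is flagged at about the false-positive rate. Absolute KS values come out lower than the slides' LEGIT-HTTP column because the simulated traffic is stationary and i.i.d., which a real HTTP capture is not.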

KSTEST scores

sample size     LEGIT-HTTP       MB-HTTP          FPR              OPC
                mean    stddev   mean    stddev   mean    stddev   mean    stddev
100x2,000       .193    .110     .196    .093     .92     .0       .99     .0
100x10,000      .141    .103     .157    .087     .92     .0       .99     .0
100x50,000      .096    .096     .122    .073     .92     .0       .99     .0
100x250,000     .069    .066     .096    .036     .92     .0       .99     .0

- high mean and low standard deviation for FPR and OPC
- similar mean and standard deviation for LEGIT-HTTP and MB-HTTP

[Figure: distribution of KSTEST scores for 100 x 2,000, 100 x 10,000, 100 x 50,000 and 100 x 250,000 packets; x axis: test score, 0.05 to 0.5; y axis: proportion; series LEGIT-HTTP and MB-HTTP]

KSTEST distribution: LEGIT-HTTP and MB-HTTP have similar score distributions, and still overlap even with 250,000 packets.

KSTEST detection rates

sample size     LEGIT-HTTP (FP)   MB-HTTP (TP)   FPR (TP)   OPC (TP)
100x2,000       .01               .01            1.00       1.00
100x10,000      .01               .01            1.00       1.00
100x50,000      .01               .01            1.00       1.00
100x250,000     .01               .02            1.00       1.00

- FPR and OPC are detected easily
- FP equals TP for LEGIT-HTTP and MB-HTTP, i.e. MB-HTTP is flagged no more often than legitimate traffic

regularity scores (mean)

sample size         LEGIT-HTTP   MB-HTTP   FPR    OPC
100x2,000, w=100    43.80        38.21     0.34   0.00
100x2,000, w=250    23.74        22.87     0.26   0.00

- similar mean for LEGIT-HTTP and MB-HTTP

regularity detection rates

sample size         LEGIT-HTTP (FP)   MB-HTTP (TP)   FPR (TP)   OPC (TP)
100x2,000, w=100    .01               .00            1.00       1.00
100x2,000, w=250    .01               .00            1.00       1.00

- MB-HTTP is not detected at all
- again, FPR and OPC are detected easily


Conclusion

Model-Based Covert Timing Channels:
- can be built automatically
- are effective even in the coast-to-coast scenario
- have capacity very close to FPR
- have much stronger detection resistance than FPR and OPC


Conclusion (cont.)

Future Work:
- investigate detection methods for model-based covert timing channels
- explore other, more advanced covert timing channel designs (e.g., non-parametric models)


Questions?

Thank You!