Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf ·...
Transcript of Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf ·...
![Page 1: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/1.jpg)
6/22/07 1
Capacity Bounds on Timing Channelswith Bounded Service Times
S. Sellke, C.-C. Wang, N. B. Shroff, and S. Bagchi
School of Electrical and Computer EngineeringPurdue University, West Lafayette, IN 47907
USA
![Page 2: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/2.jpg)
2 of 22
What are Timing Channels?
00110100101
Msg(k)=00110100101
![Page 3: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/3.jpg)
3 of 22
Timing Channels
Information is conveyed in the timing of the bits Sender: a0, a2, …, an-1.
Server: S0,S2, …, Sn-1 Receiver: d0, d1, L, dn; and recovers information.
![Page 4: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/4.jpg)
4 of 22
Applications of Timing Channels Keyboard JitterBug [1]
[1] G. Shah et al, Keyboards and Covert Channels, 2006Best Student Paper Award, 15th USENIX Security Symposium
Implement timing channels using on-off technique over TCP/IPnetworks [2][2] S. Cabuk et al, IP Covert Timing Channels: Design and Detection, 2004
Covert Timing Channels in Multi-Level Security (MLS) Systems[3],[4]
[3] U. S. Department of Defense, ``The Orange Book”, 1985[4] J. Wray, An Analysis of Covert Timing Channels, 1991
![Page 5: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/5.jpg)
5 of 22
Exponential Service Timing Channel
ESTC: Service times S1, S2, … are iid exponential randomvariables with parameter µ.
Capacity of ESTC:
Capacity of others:
Deterministic Service Timing Channels have infinite capacity, evenif service time is large.
A. Anantharam and S. Verdu, “Bits through Queues,”, 1996
![Page 6: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/6.jpg)
6 of 22
Bounded Service Timing Channels
BSTC: service times S1, S2, L, Sn are iid with boundedsupport. General BSTC:
Symmetric BSTC
Examples of BSTC: Uniform BSTC Gaussian BSTC
![Page 7: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/7.jpg)
7 of 22
Lowest capacity BSTC?
Is there a particular BSTC that serves a role similarto that of ESTC?
That is, it has the lowest capacity among all BSTC withsame service rate and support interval.
![Page 8: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/8.jpg)
8 of 22
Our Contributions An upper bound
Two lower bounds CL,1 and CL,2 CL,1 : CL,2 :
For the uniform BSTC, CU.BSTC - CL,2 ! 0 as ² ! 0 CU. BSTC - CL,1 < const. for all ² CU.BSTC < CBSTC : serves role similar to ESTC
![Page 9: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/9.jpg)
9 of 22
Timing Channels with feedback
With Feedback: The sender knows dk-1 before deciding ak Thus, the sender has full control of Wk FB channel is reduced to a sequentially juxtaposed iid channel:
Wk ! Wk +Sk
![Page 10: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/10.jpg)
10 of 22
An Upper Bound on the CapacityNew i.i.d Channels: Wk ! Wk +Sk
where (inter-departure rate)Recall: (service rate)
![Page 11: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/11.jpg)
11 of 22
An Upper Bound
CU,PS (²) = µ sup0<°<1 G(², °) bits/sec,
where ° = ¸/µ and
![Page 12: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/12.jpg)
12 of 22
Achievability: Scheme 1
Ak : geometric r.v. to avoid queueing Dk = (ak + 1/µ +/- ²) - (ak-1 + 1/µ +/- ²) = Ak +/- 2 ²
Values for Ak are spaced 4 ² apart for error-free decoding
![Page 13: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/13.jpg)
13 of 22
CL,1 (²): the First Lower Bound
Error-free rate of scheme 1: CL,1 (²) = µ sup ° [H(p1) /p1] bits/sec
0<°<1/(1+² µ)
wherep1 = (4²µ ) / (1/° - 1 + 3 ² µ )
![Page 14: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/14.jpg)
14 of 22
![Page 15: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/15.jpg)
15 of 22
Achievability: Scheme 2 If the absolute timing information is available to both
sender and receiver.
dk = ak +/- ² for k = 1, 2, L ) error-free decoding With long codeword length, the absolute timing can
be obtained with arbitrary precision.
![Page 16: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/16.jpg)
16 of 22
CL,2(²): The Second Lower Bound
Error-free rate of scheme 2: CL,2 (²) = µ sup ° [H(p2) /p2] bits/sec
0<°<1/(1+ (1+2®)² µ)
wherep2 = (2²µ ) / (1/° - 1 + (1 - 2®) ² µ )® = [¯] - ¯, and ¯ = (1+²µ)/(2²µ)
![Page 17: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/17.jpg)
17 of 22
![Page 18: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/18.jpg)
18 of 22
Optimality of Our Schemes
Define: ¢ C1(²) = Cu (²) - CL,1 (²) ¢ C2(²) = Cu (²) - CL,2 (²)
Results on Uniform BSTC: ¢ C1(²) < log2(e) µ bits/sec ¢ C2(²) ! 0 as ² ! 0
![Page 19: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/19.jpg)
19 of 22
Capacity of a Uniform BSTC
For a uniform BSTC ¢ C1(²) < log2(e) µ bits/sec ) CU.BSTC(²) = CL,1(²) + O(1) ¢ C2(²) ! 0 as ² ! 0
) CU.BSTC(²) = CL,2(²) + o(1)
Scheme 2 is optimal;Scheme 2 is optimal; When When ²² is small, the uniform BSTC has is small, the uniform BSTC has thethe
smallestsmallest capacity among all capacity among all BSTCs BSTCs withwithsamesame µµ and and ²²..
![Page 20: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/20.jpg)
20 of 22
Gaussian BSTC
C = CL,2 + o(1) does not hold for G. BSTC.
Gaussian BSTCUniform BSTCAll
0.4743
0.4593
0.4812¢ C2
7.21270.00866.74696.73840.001
4.58330.03424.15824.12400.01
2.39270.11982.03141.91090.1CU¢ C2CU CL,2 ²µ
![Page 21: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/21.jpg)
21 of 22
Summary Obtained one upper bound (CU) and two error-free lower
bounds (CL,1 and CL,2) on the capacity of BSTC. These bounds are asymptotically tight for the uniform BSTC:
CU (U.BSTC) = CL,1 + O(1) ) CU.BSTC = CL,1 + O(1) CU (U.BSTC) = CL,2 + o(1) ) CU.BSTC= CL,2 + o(1) For any distribution-independent scheme, you cannot do better
than Scheme 2.
When ² is small,
![Page 22: Capacity Bounds on Timing Channels with Bounded Service Timeschihw/pub_pdf/07C_ISIT_TM_p.pdf · Applications of Timing Channels Keyboard JitterBug [1] [1] G. Shah et al, Keyboards](https://reader034.fdocuments.us/reader034/viewer/2022042221/5ec7e522ba98d85a5f5670f1/html5/thumbnails/22.jpg)
22 of 22
Implementation S. Sellke, C-C. Wang, N.B. Shroff, and S. Bagchi, Covert Timing Channels
over TCP/IP networks: from Theory to Practice, 2007
Practical Design and Implementation of a covert timing channelover TCP/IP networks.
Experiments on computers at Purdue and Princeton Network Delay Characteristics: Small Jitter (3-5%)
Rate of the TCP/IP Timing Channel: Up to 80 bit/sec, 5 times improvement over the on-off channels.
What’s more? For BSTC, a non-detectable scheme mimicking the normal traffic
pattern. Error-control coding for timing channel.