Covert Channel for One-Way Delay Measurements
UNIVERSITÀ DEGLI STUDI ROMA TRE
Dipartimento di Informatica e Automazione
Covert Channel for One-Way Delay Measurements
Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini
18th International Conference on Computer Communications and Networks (ICCCN)
August 4th, 2009

Scenario
[Figure: customer sites 1 to 5 connected through an ISP (MPLS backbone)]

State of the Art
Active / Passive
1-way measures, Intrusive, Probes, Accuracy
Measurement System
• Control packets
• sync, negotiation, aggregate results
• Probe packets
Cisco IP-SLA, Juniper RPM, H3C HWPing
NLANR AMP, CAIDA Archipelago, OWAMP
C API [Harfoush02], IPMP [Luckie02], Pathload [Jain02]
Lossy Difference Aggregation [Kompella09]
CAIDA reports & traces (CoralReef), Sprint IPMON
Ipanema patent, Distributed infrastr. [Arlos05]
Traffic sampling, Out-of-band ch.
Ideal

Our Contributions
• A measurement architecture: passive, nonintrusive, no sampling, unaffected by lost or out-of-sequence packets
• A formal establishment of measurement accuracy
• Experimental evaluation

Covert Channel
We exploit unused bits of the IP header to measure the OWD
Info: Embedding covert channels into TCP/IP [Rowland97, Murdoch05]

Architecture
[Figure: customer sites 1 to 5 connected through the ISP (MPLS backbone), with five MA labels]

Measurement Agents
Upstream component
[Flowchart: MA; receive packet; decision "directed to same customer?" (...a different site of...) with YES and NO branches; encode timestamp; forward packet. Label: store & forward]

Measurement Agents
Downstream component
[Flowchart: MA; receive packet; decision "coming from same customer?" (...a different site of...) with YES and NO branches; decode timestamp; compute aggregates; forward packet. Label: cut through]

Measurement Agents
QoS between different customers X, Y connected to the same backbone
[Flowchart: MA; "coming from same customer?" → "coming from customer Y?"; "directed to same customer?" → "directed to customer X?"]

Digging the Covert Channel
Usable bits
• not used by ES for critical functions
• not altered by IS
If customers rule out fragmentation...
• identification (16 bits)
• don't fragment (1 bit)
IP*Sec: ESP, AH
v6:
( ok with MPLS)
• reserved (1 bit)
• fragment offset (13 bits)
• ttl (some of 8 bits)
• type of service (8 bits)

Measurement Errors
Minimize (or, at least, watch) error on:
• Measurement: computed one-way delay $owd_c$ vs. actual one-way delay $owd_r$
• Margin of error: $T$
• Confidence level: $P$
$\Pr(|owd_c - owd_r| > T) \le P$

Measurement Errors: Quantization Error
(Max) sync offset
Measure scale
[Figure: pdf($e_{uq}$) for the upstream component, pdf($e_{dq}$) for the downstream component, and pdf($e_1$) of the quantization error]

Measurement Errors: Saturation Error
Available bits: $B$
Timestamps represented modulo $k$ ($B$ bits: $2^B$ values)
$owd_c = (t_2 - t_1) \bmod k$
[Figure: pdf($owd_r$) over an axis marked 0, $k$, $2k$, $3k$, with areas A1, A2, A3 labelled error=0, error=k, error=2k]
[Figure: pdf($e_2$) over an axis marked 0, $k$, $2k$, with A1, A2, A3]

Measurement Errors: Overall Error
$e_1$ and $e_2$ are statistically independent
[Figure: pdf($e$) over an axis marked 0, $k$, $2k$, with areas A1, A2, A3]

Measurement Setup (1)
Theorem. Let be such that and is minimized.Then, for we have .
B, PTe PrB
0P T
1. MAs synchronized with precision
2. User specifies $T$, $P$, and $k$, requesting that $\Pr(e > T) \le P$ while guaranteeing that $\Pr(owd_r > k) \le P$
3. , $B = \lceil \log_2 (k/T) \rceil$
T
4. Configure MAs with , , and source & destination addresses
B
Browd 2

Measurement Setup (1): Example
4096 ns, $T = 1$ ms, $P = 0.001$, $k = 1000$ ms
In human words: user requires $\Pr(e > 1\,\mathrm{ms}) \le 0.1\%$ and estimates that 99.9% of the packets have delay less than 1000 ms
$B = 10$

Measurement Setup (2)
Alternative scenario: User provides $k$ and $P$ and has a constraint on $B$
$\Pr(e > k/2^B) \le P$
Alternative scenario: User provides $T$, $P$, and $B$
Requirements are satisfied if $\Pr(owd_r > T \cdot 2^B) \le P$
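
The sizing and decoding rules from the two Measurement Setup slides, worked through as an added Python example (not the authors' implementation). It assumes perfectly synchronized clocks, timestamps quantized in units of T, and a wrap period of T·2^B; all function names and the sample clock reading and delays are constructed for illustration.

```python
# Added illustration; names and the tick encoding are assumptions, not the authors' code.

def bits_needed(k_us: int, t_us: int) -> int:
    """Smallest B with T * 2^B >= k, i.e. B = ceil(log2(k / T))."""
    ratio = -(-k_us // t_us)               # ceil(k / T) in integer arithmetic
    return (ratio - 1).bit_length()

def encode(t1_us: int, t_us: int, bits: int) -> int:
    """Upstream MA: quantize t1 to units of T and keep only the low B bits."""
    return (t1_us // t_us) % (1 << bits)

def decode_owd(stamp: int, t2_us: int, t_us: int, bits: int) -> int:
    """Downstream MA: owd_c = (t2 - t1) mod k, with k = T * 2^B assumed."""
    ticks = ((t2_us // t_us) - stamp) % (1 << bits)
    return ticks * t_us

def measure(t1_us: int, owd_r_us: int, t_us: int, bits: int):
    """Return (owd_c, e) with e = |owd_c - owd_r| for one packet."""
    stamp = encode(t1_us, t_us, bits)
    owd_c = decode_owd(stamp, t1_us + owd_r_us, t_us, bits)
    return owd_c, abs(owd_c - owd_r_us)

def freq_error_exceeds(t1_us, delays_us, t_us, bits) -> float:
    """Fraction of packets with e > T (the 'Freq. e>T' column of Experiment 1)."""
    bad = sum(1 for d in delays_us if measure(t1_us, d, t_us, bits)[1] > t_us)
    return bad / len(delays_us)

T_US, K_US = 1_000, 1_000_000              # T = 1 ms, k = 1000 ms (slide example)
B = bits_needed(K_US, T_US)                # bits to reserve in the IP header
T1_US = 123_456_789                        # constructed upstream clock reading
SAMPLE_DELAYS_US = [100_000, 400_000, 999_000, 1_100_000]   # constructed delays

if __name__ == "__main__":
    print("B =", B)
    print("250.3 ms ->", measure(T1_US, 250_300, T_US, B))      # quantization error only
    print("1500.3 ms ->", measure(T1_US, 1_500_300, T_US, B))   # timestamp wrapped once
    print("freq(e > T) =", freq_error_exceeds(T1_US, SAMPLE_DELAYS_US, T_US, B))
```

A delay below the wrap period is recovered to within T, while a delay beyond it is under-reported by one full wrap period, which is the saturation error the slides bound with P.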

Experimental Setup
• MA1 (upstream component): ma1_ge0, ma1_ge1
• MA2 (downstream component): ma2_ge0, ma2_ge1
• Traffic generator & analyzer: tg_ge0, tg_ge1
• Network impairment: ni_ge0, ni_ge1
Spirent SmartBits SMB600B
Fujitsu Siemens Primergy RX300, Dual Quad-Core Intel Xeon 5000, 8GB RAM, 2 dual-port GE NICs
Netem
[Figure: the four devices interconnected by GE links]

Experiment 1: Validation
14,000 packets of 896 bytes each
bandwidth utilization: 70%
variable delays (uniform distribution) and guarantee on the delay deduced by the network impairment configuration
input: $T$, $P = 0.1\%$
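
Experiment 1: Validation

| Exp. ID | Delay (ms) | T (s) | B | Freq. e>T |
|---|---|---|---|---|
| 1 | 30 10 | 200 | 9 | 0.0006 |
| 2 | 30 10 | 200 | 9 | 0.0002 |
| 3 | 30 10 | 200 | 9 | 0.001 |
| 4 | 30 10 | 500 | 8 | 0 |
| 5 | 30 10 | 500 | 8 | 0.0003 |
| 6 | 30 10 | 500 | 8 | 0 |
| 7 | 30 10 | 1000 | 7 | 0 |
| 8 | 30 10 | 1000 | 7 | 0 |
| 9 | 30 10 | 1000 | 7 | 0 |
| 10 | 30 10 | 2000 | 6 | 0 |
| 11 | 30 10 | 2000 | 6 | 0 |
| 12 | 30 10 | 2000 | 6 | 0 |

| Exp. ID | Delay (ms) | T (s) | B | Freq. e>T |
|---|---|---|---|---|
| 13 | 60 10 | 200 | 10 | 0.0016 |
| 14 | 60 10 | 200 | 10 | 0.0001 |
| 15 | 60 10 | 200 | 10 | 0.0009 |
| 16 | 60 10 | 500 | 9 | 0.0002 |
| 17 | 60 10 | 500 | 9 | 0 |
| 18 | 60 10 | 500 | 9 | 0.0001 |
| 19 | 60 10 | 1000 | 8 | 0.0001 |
| 20 | 60 10 | 1000 | 8 | 0 |
| 21 | 60 10 | 1000 | 8 | 0.0001 |
| 22 | 60 10 | 2000 | 7 | 0 |
| 23 | 60 10 | 2000 | 7 | 0 |
| 24 | 60 10 | 2000 | 7 | 0 |

limited by transmission delay of the downstream component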

Experiment 2: Performance
[Figure: CPU Load (upstream component); avg. CPU usage (%) vs. link load (%), one curve per pkt size (bytes): 512, 768, 1024, 1280]
[Figure: CPU Load (downstream component); avg. CPU usage (%) vs. link load (%), one curve per pkt size (bytes): 512, 768, 1024, 1280]
nic queue saturation
owd computed @ downstream component
Delay: 6010ms
Meas. time span: 20s

Experiment 2: Performance
Bandwidth: 90%
[Figure: Detailed CPU usage; avg. CPU usage (%) vs. packet size (bytes): 512, 768, 1024, 1280, for upstream and downstream; legend: others, ipccm, driver, kernel]

Experiment 3: Latency
• No network impairment
• Delays collected by SMB
[Figure: Avg. delay introduced by MAs; latency (s) vs. packet size (bytes) from 512 to 1408, one curve per BW from 10% to 90%; annotation: switching overhead]

Experiment 4: Throughput
• No network impairment
• 100% bandwidth utilization
• Varying packet size (until first dropped)
With disabled MAs: 450 bytes long, 265,957 pkts/s
With enabled MAs: 476 bytes long, 252,016 pkts/s
5.24% reduction

Conclusions and Future Work
Take away
• IP covert channel for OWD measurements is feasible
• Formal analysis of measurement errors
What next
• Different techniques to exploit the covert channel
• Different kinds of measurements