Re: [fw-wiz] covert timing channel data



Thanks Travis but again this is not the data that I'm looking for.

The timing attacks described in your link are based on a single malicious
entity extracting data from a non compromised system by looking at timing
information.

The type of covert channel that I'm simulating has two malicious entities (a
sender and a receiver). One residing on a higher level security system and
one residing on a lower level security system. The entity on the higher
level security system (the sender) secretly exfiltrates data (such as a
file) to the lower level security system (the receiver) by signaling the
bits of the file in a morse code-like fashion with the tcp interarrival
times. In its most basic format signalling a 1 with a certain delay
threshold and a 0 otherwise.
For example, the sender could be on a secure system and could be ftp-ing a
certain uninteresting file while secretly sending another highly sensitive
file encoded in the tcp delay times which the receiver would be monitoring.

As I mentioned, I have written the code to do this but the main objective of
my research is not to create covert timing channels but rather to detect
them. I am looking for specifically others who have written tcp covert
timing channels which are impervious to detection by regular statistical
analysis (distributions, entropy, regularity, e-similarity) and who would be
willing to lend me their data.


Regards,
Melissa

On Thu, Aug 19, 2010 at 10:11 PM,
<travis+ml-firewalls@xxxxxxxxxxxxxxxxx<travis%2Bml-firewalls@xxxxxxxxxxxxxxxxx>
wrote:

On Sat, Jul 24, 2010 at 07:05:10PM +0300, Melissa Stockman wrote:
I'm doing research on covert timing channel detection [...]
Does anyone know where I can find such data?

This is my timing side-channel link collection:

http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4

I should probably break that section up into remote & local, but I'm
already 3 levels deep :-)

I'd definitely check out "remote timing attacks are practical", I think
that one has the most information for your case.

You might want to check out Bernstein's AES attacks, or a statistician,
to characterise the distributions you're looking at.

I asked on NANOG a few months ago, but didn't get any good network
latency information.

BTW, "least amount of time" isn't a good measure. It turns out that's too
unstable... 1st to 5th percentile measurements are much more stable.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@xxxxxxxxxxxxxxxxx to get
blacklisted.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages