Re: [fw-wiz] covert timing channel data

Thanks Travis but again this is not the data that I'm looking for.

The timing attacks described in your link are based on a single malicious
entity extracting data from a non-compromised system by looking at timing

The type of covert channel that I'm simulating has two malicious entities (a
sender and a receiver). One residing on a higher level security system and
one residing on a lower level security system. The entity on the higher
level security system (the sender) secretly exfiltrates data (such as a
file) to the lower level security system (the receiver) by signaling the
bits of the file in a Morse code-like fashion with the TCP interarrival
times. In its most basic format, signalling a 1 with a certain delay
threshold and a 0 otherwise.
For example, the sender could be on a secure system and could be FTP-ing a
certain uninteresting file while secretly sending another highly sensitive
file encoded in the TCP delay times which the receiver would be monitoring.

As I mentioned, I have written the code to do this but the main objective of
my research is not to create covert timing channels but rather to detect
them. I am specifically looking for others who have written TCP covert
timing channels which are impervious to detection by regular statistical
analysis (distributions, entropy, regularity, e-similarity) and who would be
willing to lend me their data.


On Thu, Aug 19, 2010 at 10:11 PM,

On Sat, Jul 24, 2010 at 07:05:10PM +0300, Melissa Stockman wrote:
I'm doing research on covert timing channel detection [...]
Does anyone know where I can find such data?

This is my timing side-channel link collection:

I should probably break that section up into remote & local, but I'm
already 3 levels deep :-)

I'd definitely check out "remote timing attacks are practical", I think
that one has the most information for your case.

You might want to check out Bernstein's AES attacks, or a statistician,
to characterise the distributions you're looking at.

I asked on NANOG a few months ago, but didn't get any good network
latency information.

BTW, "least amount of time" isn't a good measure. It turns out that's too
unstable... 1st to 5th percentile measurements are much more stable.

firewall-wizards mailing list
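Added example, not part of the original thread or of either poster's code: two of the statistical tests named in the message (regularity and e-similarity), run over constructed inter-arrival times for ordinary traffic and for the basic two-delay channel the message describes. The formulas are one common formulation and are an assumption here, as are the sample data, window size, epsilon and all function names.

```python
import random
import statistics

def regularity(iats, window=100):
    """Stdev of the pairwise relative differences between per-window stdevs.
    Near zero when the delay variance stays constant over the whole flow."""
    sigmas = [statistics.pstdev(iats[i:i + window])
              for i in range(0, len(iats) - window + 1, window)]
    diffs = [abs(si - sj) / si
             for i, si in enumerate(sigmas)
             for sj in sigmas[i + 1:] if si > 0]
    return statistics.pstdev(diffs)

def epsilon_similarity(iats, eps=0.001):
    """Fraction of neighbouring sorted delays whose relative gap is below eps.
    Near one when delays cluster around a few fixed values."""
    s = sorted(iats)
    rel = [(b - a) / a for a, b in zip(s, s[1:]) if a > 0]
    return sum(r < eps for r in rel) / len(rel)

def constructed_samples(n=2000, seed=1):
    """Constructed data, not captured traffic (values are assumptions).
    legit : exponential inter-arrival times, mean 50 ms
    covert: 20 ms for a 0 bit, 80 ms for a 1 bit, plus 1 ms Gaussian jitter"""
    rng = random.Random(seed)
    legit = [rng.expovariate(1 / 0.05) for _ in range(n)]
    covert = [(0.08 if rng.getrandbits(1) else 0.02) + rng.gauss(0, 0.001)
              for _ in range(n)]
    return legit, covert

def compare():
    """Return {flow name: (regularity, epsilon_similarity)} for both flows."""
    legit, covert = constructed_samples()
    return {name: (regularity(x), epsilon_similarity(x))
            for name, x in (("legit", legit), ("covert", covert))}

if __name__ == "__main__":
    for name, (reg, sim) in compare().items():
        print(f"{name:6s} regularity={reg:.4f} e-similarity={sim:.3f}")
```

Both scores separate the two flows only because this channel uses fixed delays; the channels the poster is asking about are the ones built to keep these statistics close to those of ordinary traffic.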