Multiple Access Covert Channels - PowerPoint PPT Presentation

Learn more at: https://www.cise.ufl.edu
1
Multiple Access Covert Channels
  • Ira Moskowitz
  • Naval Research Lab
  • moskowitz_at_nrl.itd.navy.mil

Richard Newman Univ. of Florida nemo_at_cise.ufl.edu
2
Focus
  • Review covert channels from high assurance
    computing and anonymity
  • Define quasi-anonymous channel
  • Review analysis of single sender DMC
  • Analyze 2-sender DMC

3
Covert Channels
  • CC: communication contrary to design
  • Storage channels and timing channels
  • Storage channel capacity given by mutual
    information, in bits per symbol
  • Timing channel capacity analysis requires
    optimizing ratio of mutual information to
    expected time cost

4
Storage Channel Example
  • File system full/not full
  • High fills/leaves space in FS to signal 1 or 0
  • Low tries to obtain space and fails or succeeds
    to read 1 or 0
  • Low returns system to previous state

5
Timing Channel Example
  • High uses full time quantum in time sharing host
    to send 1, gives up CPU early to send 0
  • Low measures time gaps between accesses to read
    1 or 0

6
Anonymity Systems
  • Started with Chaum Mixes
  • Mix receives encrypted, padded msg
  • Decrypts/re-encrypts padded msg
  • Delays forwarding msg
  • Scrambles order of msg forwarding

7
Mixes
  • Mix may be timed (count number of msgs forwarded
    each time it fires)
  • Mix may fire when threshold reached (count time
    between firings)
  • Mixes may be chained
  • Studied timed Mix-firewalls and covert channels
    now for threshold Mix-firewalls

8
Mix-firewall CC Model
  • Alice behind M-F
  • Eve listening to output of M-F
  • Clueless senders behind M-F
  • Each sender (Alice or Clueless) may either send
    or not send a msg each tick
  • Alice modulates her behavior to try to
    communicate with Eve

9
Channel Model
  • Discrete storage channel
  • Each clueless sends 0 or 1 msg per tick
  • Clueless are i.i.d. Bernoulli random vars
  • Alice sends 0 or 1 msg per tick
  • Eve counts msgs per Mix firing
  • Clueless act as noise, rate decreases to zero as
    N increases (for fixed p)

10
Two Transmitter Model
  • Now two Alices, Alice1 and Alice2
  • Each Alice has a quasi-anonymous channel to Eve
  • Alices act as noise with respect to each other

11
NRL Pump
  • NRL Network Pump considered multiple senders
    before
  • Lows send to Highs, with the timing of ACKs
    forming a CC from Highs to Lows
  • Pump modulates ACK timing to reduce the CC rate
    (but not eliminate it)
  • Highs interfere with each other's timing
  • Pump uses timing channels, can't apply

12
Degree of Collusion
  • If Alices work perfectly together, then can
    achieve $C = \log 3$ bits/tick data rate (assuming no
    clueless)
  • Existence assumption - assume Alices know of
    each other (stationary), and pre-arrange coding,
    but do not collude once transmission begins

13
Shannon Channel
  • Distributions X, Y
  • Mutual Information $I(X;Y) = I(Y;X)$
  • $I(X;Y) = H(X) - H(X|Y)$
  • Entropy $H(X)$ and conditional entropy $H(X|Y)$
  • Capacity
  • $C = \max_X I(X;Y)$

14
Multiple Access Channels
  • Now have two inputs, X1 and X2
  • Existence assumption, with a priori knowledge
  • Achievable error-free rates are joint
  • Rate pair (R1,R2)
  • Capacity estimated (incorrectly) as
  • $C = \log n / (T_M + T_R)/2$

15
Multiple Access Channels
  • Mutual Information for A, B, C
  • $I(A;B|C) = H(A|C) - H(A|B,C)$
  • $I(A,B;C) = H(A,B) - H(A,B|C)$
  • Rate pair $(R_1,R_2)$ must satisfy
  • $0 < R_1 < I(X_1;Y|X_2)$, and
  • $0 < R_2 < I(X_2;Y|X_1)$, and
  • $0 < R_1 + R_2 < I(X_1,X_2;Y)$

16
Channel Transitions
  • 0,0 → 0
  • 0,1 → 1
  • 1,0 → 1
  • 1,1 → 2

17
Collaborating Alices
  • Can conspire to send data at rate 3/2
  • Max possible is $\log_2 3 \approx 1.58$
  • With feedback, can do better than 3/2
  • each at rate .76! (Gaarder & Wolf)
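
The rate bounds from slides 15 to 17, evaluated numerically for the noiseless two-Alice channel of slide 16 (Eve sees y = x1 + x2, no clueless senders). This is an added example, not part of the original presentation; all function and variable names are illustrative assumptions.

```python
from itertools import product
from math import log2

def entropy(dist):
    """Shannon entropy (bits) of a dict mapping outcome -> probability."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def marginal(joint, idx):
    """Marginalize a joint dict keyed by tuples onto the positions in idx."""
    out = {}
    for key, p in joint.items():
        k = tuple(key[i] for i in idx)
        out[k] = out.get(k, 0.0) + p
    return out

def adder_joint(input_dist):
    """Joint distribution of (x1, x2, y) for the noiseless channel y = x1 + x2."""
    return {(x1, x2, x1 + x2): p for (x1, x2), p in input_dist.items()}

def mac_bounds(input_dist):
    """Return (I(X1;Y|X2), I(X2;Y|X1), I(X1,X2;Y)) in bits per tick."""
    j = adder_joint(input_dist)
    H = lambda idx: entropy(marginal(j, idx))
    # I(A;B|C) = H(A,C) + H(B,C) - H(A,B,C) - H(C)
    i1 = H((0, 1)) + H((1, 2)) - H((0, 1, 2)) - H((1,))
    i2 = H((0, 1)) + H((0, 2)) - H((0, 1, 2)) - H((0,))
    # I(X1,X2;Y) = H(X1,X2) + H(Y) - H(X1,X2,Y)
    isum = H((0, 1)) + H((2,)) - H((0, 1, 2))
    return i1, i2, isum

def independent(p1, p2):
    """Product input distribution: Alice_i sends a msg with probability p_i."""
    return {(a, b): (p1 if a else 1 - p1) * (p2 if b else 1 - p2)
            for a, b in product((0, 1), repeat=2)}

# Non-colluding Alices (pre-arranged code, independent inputs): best sum rate.
grid = [i / 100 for i in range(1, 100)]
best_independent = max(mac_bounds(independent(p, q))[2] for p in grid for q in grid)

# Colluding Alices pick (x1, x2) jointly so Eve's count Y is uniform on {0,1,2}.
colluding = {(0, 0): 1/3, (0, 1): 1/3, (1, 0): 0.0, (1, 1): 1/3}
best_colluding = mac_bounds(colluding)[2]

if __name__ == "__main__":
    print(mac_bounds(independent(0.5, 0.5)))   # per-Alice and sum-rate bounds
    print(best_independent, best_colluding)
```

The gap between the two sum rates is what a defender gives up when assuming the senders behind the Mix-firewall do not coordinate their inputs.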

18
Conclusions
  • Introduced multiple access channels into analysis
    of covert channels
  • Analyzed simple (noiseless) channel with two
    Alices
  • Noted effects of varying levels of collusion
  • Noted difficulties with timing channels
  • Can't study CCs in isolation!