Covert Channel for One-Way Delay Measurements
Transcript of Covert Channel for One-Way Delay Measurements
UNIVERSITÀ DEGLI STUDI ROMA TRE, Dipartimento di Informatica e Automazione

Covert Channel for One-Way Delay Measurements
Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini
18th International Conference on Computer Communications and Networks (ICCCN)
August 4th, 2009
ICCCN 2009

Scenario

[Figure: an ISP MPLS backbone connecting customer site 1, customer site 2, customer site 3, customer site 4 and customer site 5.]
State of the Art

Measurement systems, grouped by approach:
- Active (probe packets): Cisco IP-SLA, Juniper RPM, H3C HWPing; NLANR AMP, CAIDA Archipelago, OWAMP; C API [Harfoush02], IPMP [Luckie02], Pathload [Jain02]
- Passive (traffic sampling): CAIDA reports & traces (CoralReef), Sprint IPMON; Ipanema patent, distributed infrastructure [Arlos05]; Lossy Difference Aggregation [Kompella09]
- Control packets (sync, negotiation, aggregate results) and probe packets travel on an out-of-band channel.

Criteria compared: 1-way measures, intrusive, probes, accuracy, with an "Ideal" row as reference.
Our Contributions

- A measurement architecture: passive, non-intrusive, no sampling, unaffected by lost or out-of-sequence packets
- A formal establishment of measurement accuracy
- Experimental evaluation
Covert Channel

We exploit unused bits of the IP header to measure the OWD: measurement info is carried by embedding covert channels into TCP/IP [Rowland97, Murdoch05].
Architecture

[Figure: the same scenario (customer sites 1 to 5 around the ISP MPLS backbone) with a Measurement Agent (MA) placed at each customer site.]
Measurement Agents: Upstream component

The MA receives a packet and checks: is it directed to a different site of the same customer?
- NO: forward the packet.
- YES: encode the timestamp, then store & forward.
Measurement Agents: Downstream component

The MA receives a packet and checks: is it coming from a different site of the same customer?
- NO: forward the packet.
- YES: decode the timestamp, compute aggregates, and cut through.
Measurement Agents: QoS between different customers X, Y connected to the same backbone

The MA tests "directed to same customer?" and "coming from same customer?" become "directed to customer X?" and "coming from customer Y?".
Digging the Covert Channel

Usable bits: not used by end systems (ES) for critical functions, and not altered by intermediate systems (IS).

If customers rule out fragmentation: identification (16 bits), don't fragment (1 bit), reserved (1 bit), fragment offset (13 bits).
Also: TTL (some of the 8 bits), type of service (8 bits) (ok with MPLS).
Other cases noted: IPsec (ESP, AH), IPv6.
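Worked example of the two MA components above, written in Python as an added illustration (not the authors' implementation): the upstream MA quantizes its clock on the scale T, keeps B bits of it, writes the tag into the IPv4 identification field and recomputes the header checksum; the downstream MA reads the tag back and computes the OWD modulo k = 2^B * T. The customer/site table, T = 1 ms, B = 10 and the packets are constructed for the example; the DF check encodes the slides' "customers rule out fragmentation" assumption.

```python
import ipaddress
import struct

# Channel parameters (assumed for this example): timestamps are quantized on
# scale T_NS (1 ms) and kept modulo 2^B with B = 10, so the measurement wraps
# every k = 2^B * T = 1024 ms. B <= 16 because the identification field is used.
T_NS = 1_000_000
B = 10

# Hypothetical customer table (not from the paper): customer -> site prefixes.
CUSTOMER_SITES = {
    "X": [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")],
    "Y": [ipaddress.ip_network("10.9.0.0/24")],
}


def site_of(packed_addr: bytes):
    """Return (customer, site index) for a packed IPv4 address, or None if unknown."""
    addr = ipaddress.ip_address(packed_addr)
    for customer, nets in CUSTOMER_SITES.items():
        for idx, net in enumerate(nets):
            if addr in net:
                return customer, idx
    return None


def same_customer_other_site(pkt: bytes) -> bool:
    """The flowchart test: src and dst belong to different sites of one customer."""
    src, dst = site_of(pkt[12:16]), site_of(pkt[16:20])
    return src is not None and dst is not None and src[0] == dst[0] and src[1] != dst[1]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum (one's complement of the one's complement sum of 16-bit words)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload_len: int = 0, df: bool = True, ident: int = 0) -> bytes:
    """Constructed test input: a minimal 20-byte IPv4 header (UDP, TTL 64) with a valid checksum."""
    flags_off = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ident_of(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[4:6])[0]


def quantize(t_ns: int) -> int:
    """Timestamp -> B-bit tag: floor(t / T) mod 2^B (source of quantization and saturation error)."""
    return (t_ns // T_NS) % (1 << B)


def upstream_process(pkt: bytes, now_ns: int) -> bytes:
    """Upstream component: encode the send time into the identification field, else forward as is."""
    if not same_customer_other_site(pkt):
        return pkt
    # The identification field is only free if the packet is never fragmented:
    # the slides assume customers rule out fragmentation, so require DF to be set.
    if not struct.unpack("!H", pkt[6:8])[0] & 0x4000:
        return pkt
    hdr = pkt[:4] + struct.pack("!H", quantize(now_ns)) + pkt[6:10] + b"\x00\x00" + pkt[12:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


def downstream_owd_ns(pkt: bytes, now_ns: int):
    """Downstream component: decode the tag and return the computed OWD (ns) modulo k, or None."""
    if not same_customer_other_site(pkt):
        return None
    tag = ident_of(pkt) & ((1 << B) - 1)
    return ((now_ns // T_NS - tag) % (1 << B)) * T_NS


if __name__ == "__main__":
    pkt = build_ipv4("10.1.0.5", "10.2.0.7", payload_len=100)
    t_up = 12_345_600_000                      # upstream MA clock (ns)
    tagged = upstream_process(pkt, t_up)
    print("tag:", ident_of(tagged), "valid checksum:", ipv4_checksum(tagged[:20]) == 0)
    print("owd (ms):", downstream_owd_ns(tagged, t_up + 42_700_000) / 1e6)        # 43.0
    print("saturated (ms):", downstream_owd_ns(tagged, t_up + 1_100_000_000) / 1e6)  # 76.0
```

The second decode shows the saturation error: a real delay of 1100 ms comes out as 76 ms because 1100 mod 1024 = 76, which is why B must be chosen from the expected delay bound k (see the measurement setup slides).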
Measurement Errors

Minimize (or, at least, watch) the error on the measurement, given a margin of error T and a confidence level P.

Let $owd_r$ be the actual one-way delay and $owd_c$ the computed one-way delay, with error $e = owd_c - owd_r$. The requirement is

$$\Pr(|owd_c - owd_r| > T) \le P$$
Measurement Errors: Quantization Error

[Figure: parameters are the (max) sync offset and the measure scale; the upstream quantization error $e^u_q$ and the downstream quantization error $e^d_q$ each have a uniform pdf, and together they give the quantization error $e_1$, whose pdf is shown.]
Measurement Errors: Saturation Error

With B available bits, timestamps are represented modulo $k = 2^B$ (in units of the measure scale), so the computed delay is

$$owd_c = (t_2 - t_1) \bmod k, \qquad 0 \le owd_c < k$$

[Figure: the pdf of $owd_r$ is split into areas A1 on [0, k), A2 on [k, 2k), A3 on [2k, 3k), giving error 0, k, 2k respectively; the saturation error $e_2$ therefore has mass A1 at 0, A2 at k and A3 at 2k.]
Measurement Errors: Overall Error

$e_1$ and $e_2$ are statistically independent, so the overall error $e = e_1 + e_2$ has the pdf of their convolution.

[Figure: pdf(e) with lobes of area A1, A2, A3 centred at 0, k, 2k.]
Theorem. Let B be such that $\Pr(|e| > T) \le P$ and B is minimized. Then, for … we have ….

Measurement Setup (1)

1. MAs synchronized with a given precision.
2. The user specifies T, P, and k, requesting that $\Pr(|e| > T) \le P$ while guaranteeing that $\Pr(owd_r > k) \le P$.
3. $B = \lceil \log_2 (k / T) \rceil$, so that $owd_r < k \le 2^B \cdot T$.
4. Configure the MAs with B, T, and the source & destination addresses.
Measurement Setup (1): Example

Sync precision 4096 ns, T = 1 ms, P = 0.001, k = 1000 ms.

In human words: the user requires $\Pr(|e| > 1\,\mathrm{ms}) \le 0.1\%$ and estimates that 99.9% of the packets have delay less than 1000 ms. Result: B = 10.
Measurement Setup (2)

Alternative scenario: the user provides k and P and has a constraint on B. Requirements are satisfied if

$$\Pr\left(|e| > \frac{k}{2^B}\right) \le P$$

Alternative scenario: the user provides T, P, and B. Requirements are satisfied if

$$\Pr(owd_r > T \cdot 2^B) \le P$$
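The setup steps and the error model of the preceding slides carried through in code, as an added example (not the authors' code): B from k and T, the saturation error $e_2$, and a Monte Carlo estimate of $\Pr(|e| > T)$ under the quantization model with a clock offset bounded by the sync precision. Units are milliseconds; the delay samples are constructed (uniform, like the netem-induced delays of the experiments), and the uniform distribution of the clock offset within the sync precision is an assumption of this example.

```python
import math
import random


def bits_needed(k, T):
    """Setup step 3: B = ceil(log2(k / T)), the smallest B with 2^B * T >= k."""
    return math.ceil(math.log2(k / T))


def wrap_period(T, B):
    """k = T * 2^B: delays are measured modulo this value."""
    return T * (1 << B)


def saturation_error(owd_r, T, B):
    """e_2: the MA computes owd_r mod k, so the error is a whole multiple of k."""
    k = wrap_period(T, B)
    return -k * math.floor(owd_r / k)


def computed_owd(t_up, owd_r, T, B, offset):
    """What the downstream MA computes: floor(t / T) mod 2^B at each end, the
    downstream clock being `offset` ahead of the upstream one."""
    tag_up = math.floor(t_up / T) % (1 << B)
    tag_down = math.floor((t_up + owd_r + offset) / T) % (1 << B)
    return ((tag_down - tag_up) % (1 << B)) * T


def error_rate(owds, T, B, sync_prec, seed=1):
    """Monte Carlo estimate of Pr(|e| > T): random send phase per packet and a
    clock offset drawn uniformly in [-sync_prec, sync_prec] (assumed model)."""
    rng = random.Random(seed)
    bad = 0
    for owd_r in owds:
        t_up = rng.uniform(0, 1000 * T)
        offset = rng.uniform(-sync_prec, sync_prec)
        e = computed_owd(t_up, owd_r, T, B, offset) - owd_r
        if abs(e) > T:
            bad += 1
    return bad / len(owds)


def uniform_delays(lo, hi, n, seed=2):
    """Constructed sample: n delays uniform in [lo, hi] ms."""
    rng = random.Random(seed)
    return [rng.uniform(lo, hi) for _ in range(n)]


if __name__ == "__main__":
    # The slides' example: T = 1 ms, P = 0.1 %, k = 1000 ms -> B = 10, k wraps at 1024 ms
    B = bits_needed(1000, 1)
    print("B =", B, "wrap =", wrap_period(1, B), "ms")
    delays = uniform_delays(50, 70, 20000)
    print("Pr(|e|>T), perfect sync:", error_rate(delays, 1, B, 0))
    print("Pr(|e|>T), sync within 0.25 ms:", error_rate(delays, 1, B, 0.25))
    print("Pr(|e|>T), delays beyond k:", error_rate(uniform_delays(1100, 1200, 2000), 1, B, 0))
    print("e_2 for owd_r = 1500 ms:", saturation_error(1500, 1, B), "ms")
```

With perfect synchronization the quantization error alone never exceeds T (it is the difference of two fractional parts), so the rate is 0; a clock offset up to a quarter of T pushes about 1% of the packets past the margin, and any delay beyond k is wrong by a full k, which is the saturation term that step 2's guarantee on $owd_r$ is meant to exclude.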
Experimental Setup

[Figure: testbed on GE links: traffic generator & analyzer (tg_ge0, tg_ge1), MA1 upstream component (ma1_ge0, ma1_ge1), network impairment (ni_ge0, ni_ge1), MA2 downstream component (ma2_ge0, ma2_ge1).]

Traffic generator & analyzer: Spirent SmartBits SMB600B.
Measurement agents: Fujitsu Siemens Primergy RX300, dual quad-core Intel Xeon 5000, 8 GB RAM, 2 dual-port GE NICs.
Network impairment: Netem.
Experiment 1: Validation

Input: 14,000 packets of 896 bytes each; bandwidth utilization 70%; variable delays (uniform distribution), with the guarantee on the delay deduced from the network impairment configuration; P = 0.1%.

Delay 30 ± 10 ms:

Exp. ID | T (µs) | B | Freq. e > T
1 | 200 | 9 | 0.0006
2 | 200 | 9 | 0.0002
3 | 200 | 9 | 0.0014
4 | 500 | 8 | 0
5 | 500 | 8 | 0.0003
6 | 500 | 8 | 0
7 | 1000 | 7 | 0
8 | 1000 | 7 | 0
9 | 1000 | 7 | 0
10 | 2000 | 6 | 0
11 | 2000 | 6 | 0
12 | 2000 | 6 | 0

Delay 60 ± 10 ms:

Exp. ID | T (µs) | B | Freq. e > T
13 | 200 | 10 | 0.0016
14 | 200 | 10 | 0.0001
15 | 200 | 10 | 0.0009
16 | 500 | 9 | 0.0002
17 | 500 | 9 | 0
18 | 500 | 9 | 0.0001
19 | 1000 | 8 | 0.0001
20 | 1000 | 8 | 0
21 | 1000 | 8 | 0.0001
22 | 2000 | 7 | 0
23 | 2000 | 7 | 0
24 | 2000 | 7 | 0
Experiment 2: Performance

[Figure: average CPU usage (%) of the upstream component and of the downstream component vs link load (10% to 90%), for packet sizes 512, 768, 1024 and 1280 bytes. Annotations: "limited by transmission delay of the downstream component"; "NIC queue saturation".]

OWD computed at the downstream component; delay 60 ± 10 ms; measurement time span 20 s.
Experiment 2: Performance (detailed CPU usage)

[Figure: stacked bars of average CPU usage (%), split into kernel, cmdriver, ipc and others, per packet size (512, 768, 1024, 1280 bytes), for the upstream and the downstream component, at 90% bandwidth.]
Experiment 3: Latency

[Figure: average delay introduced by the MAs, latency (µs) from 20 to 80, vs packet size (512 to 1408 bytes), for bandwidth 10% to 90%; annotation: "switching overhead".]

No network impairment; delays collected by the SMB.
Experiment 4: Throughput

No network impairment, 100% bandwidth utilization, varying packet size (until the first dropped packet).

With disabled MAs: 450 bytes long, 265,957 pkts/s.
With enabled MAs: 476 bytes long, 252,016 pkts/s (5.24% reduction).
Conclusions and Future Work

Take away: an IP covert channel for OWD measurements is feasible; formal analysis of measurement errors.
What next: different techniques to exploit the covert channel; different kinds of measurements.