Re: covert timing channel data

[Melissa Stockman <melissa.stockman1 () gmail com>]

Thanks Travis but again this is not the data that I'm looking for.

The timing attacks described in your link are based on a single malicious
entity extracting data from a non compromised system by looking at timing
information.

The type of covert channel that I'm simulating has two malicious entities (a
sender and a receiver).  One residing on a higher level security system and
one residing on a lower level security system.  The entity on the higher
level security system (the sender) secretly exfiltrates data (such as a
file) to the lower level security system (the receiver) by signaling the
bits of the file in a morse code-like fashion with the tcp interarrival
times. In its most basic format signalling a 1 with a certain delay
threshold and a 0 otherwise.
For example, the sender could be on a secure system  and could be ftp-ing a
certain uninteresting file while secretly sending another highly sensitive
file encoded in the tcp delay times which the receiver would be monitoring.

As I mentioned, I have written the code to do this but the main objective of
my research is not to create covert timing channels but rather to detect
them. I am looking for specifically others who have written tcp covert
timing channels which are impervious to detection by regular statistical
analysis (distributions, entropy, regularity, e-similarity) and who would be
willing to lend me their data.


Regards,
Melissa

On Thu, Aug 19, 2010 at 10:11 PM,
<travis+ml-firewalls () subspacefield org<travis%2Bml-firewalls () subspacefield org>
> wrote:

> On Sat, Jul 24, 2010 at 07:05:10PM +0300, Melissa Stockman wrote:
> > I'm doing research on covert timing channel detection [...]
> > Does anyone know where I can find such data?
>
> This is my timing side-channel link collection:
>
> http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4
>
> I should probably break that section up into remote & local, but I'm
> already 3 levels deep :-)
>
> I'd definitely check out "remote timing attacks are practical", I think
> that one has the most information for your case.
>
> You might want to check out Bernstein's AES attacks, or a statistician,
> to characterise the distributions you're looking at.
>
> I asked on NANOG a few months ago, but didn't get any good network
> latency information.
>
> BTW, "least amount of time" isn't a good measure.  It turns out that's too
> unstable... 1st to 5th percentile measurements are much more stable.
> --
> A Weapon of Mass Construction
> My emails do not have attachments; it's a digital signature that your mail
> program doesn't understand. | http://www.subspacefield.org/~travis/
> If you are a spammer, please email john () subspacefield org to get
> blacklisted.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards