Firewall Wizards mailing list archives
Re: covert timing channel data
From: Melissa Stockman <melissa.stockman1 () gmail com>
Date: Fri, 20 Aug 2010 01:52:11 +0300
Thanks Travis but again this is not the data that I'm looking for. The timing attacks described in your link are based on a single malicious entity extracting data from a non compromised system by looking at timing information.

The type of covert channel that I'm simulating has two malicious entities (a sender and a receiver). One residing on a higher level security system and one residing on a lower level security system. The entity on the higher level security system (the sender) secretly exfiltrates data (such as a file) to the lower level security system (the receiver) by signaling the bits of the file in a morse code-like fashion with the tcp interarrival times. In its most basic format signalling a 1 with a certain delay threshold and a 0 otherwise.

For example, the sender could be on a secure system and could be ftp-ing a certain uninteresting file while secretly sending another highly sensitive file encoded in the tcp delay times which the receiver would be monitoring.

As I mentioned, I have written the code to do this but the main objective of my research is not to create covert timing channels but rather to detect them. I am looking for specifically others who have written tcp covert timing channels which are impervious to detection by regular statistical analysis (distributions, entropy, regularity, e-similarity) and who would be willing to lend me their data.

Regards,
Melissa

On Thu, Aug 19, 2010 at 10:11 PM, <travis+ml-firewalls () subspacefield org> wrote:

> On Sat, Jul 24, 2010 at 07:05:10PM +0300, Melissa Stockman wrote:
>> I'm doing research on covert timing channel detection [...] Does anyone know where I can find such data?
>
> This is my timing side-channel link collection: http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4
>
> I should probably break that section up into remote & local, but I'm already 3 levels deep :-)
>
> I'd definitely check out "remote timing attacks are practical", I think that one has the most information for your case.
>
> You might want to check out Bernstein's AES attacks, or a statistician, to characterise the distributions you're looking at.
>
> I asked on NANOG a few months ago, but didn't get any good network latency information.
>
> BTW, "least amount of time" isn't a good measure. It turns out that's too unstable... 1st to 5th percentile measurements are much more stable.
>
> --
> A Weapon of Mass Construction
> My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
> If you are a spammer, please email john () subspacefield org to get blacklisted.
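An added example, not part of the original thread or either poster's code: two of the statistical tests named in the message (regularity and e-similarity) run over constructed inter-arrival times, comparing bursty ordinary traffic with the basic two-delay encoding the message describes. The test definitions used here are the ones commonly given in the covert-timing-channel detection literature and are an assumption, since the thread does not define them; all function names, delays and thresholds are hypothetical.

```python
import random
import statistics

def epsilon_similarity(iats, eps):
    """Share of neighbouring sorted inter-arrival times whose relative gap is < eps."""
    s = sorted(iats)
    rel = [(b - a) / a for a, b in zip(s, s[1:]) if a > 0]
    return sum(r < eps for r in rel) / len(rel)

def regularity(iats, window=100):
    """Std-dev of pairwise relative differences between per-window std-devs."""
    sig = [statistics.pstdev(iats[i:i + window])
           for i in range(0, len(iats) - window + 1, window)]
    diffs = [abs(sig[i] - sig[j]) / sig[i]
             for i in range(len(sig)) for j in range(i + 1, len(sig)) if sig[i] > 0]
    return statistics.pstdev(diffs)

def constructed_samples(n=2000, seed=1):
    """Constructed inter-arrival times in seconds (not captured traffic)."""
    rng = random.Random(seed)
    # Ordinary transfer (assumed model): bursty, mean delay alternates
    # between 20 ms and 200 ms every 250 packets.
    legit = [rng.expovariate(1 / (0.02 if (k // 250) % 2 == 0 else 0.2))
             for k in range(n)]
    # Basic channel from the message: one delay for a 1, a shorter one for a 0,
    # plus a small amount of network jitter.
    covert = [(0.1 if rng.random() < 0.5 else 0.02) + rng.gauss(0, 0.0005)
              for _ in range(n)]
    return legit, covert

def score(iats):
    """Both statistics for one trace; high similarity and low regularity are suspicious."""
    return {"eps_sim_0.001": round(epsilon_similarity(iats, 0.001), 3),
            "regularity": round(regularity(iats), 3)}

if __name__ == "__main__":
    legit, covert = constructed_samples()
    print("legit ", score(legit))
    print("covert", score(covert))
```

The two-delay trace stands out on both statistics because its delays cluster tightly and its variance never changes between windows; a channel built to mimic the legitimate distribution, which is the data the message asks for, would not separate this cleanly.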