Abstract
The problem of communicating covertly over the Internet has recently received considerable attention from both industry and academic communities. However, the previously proposed network covert channels are plagued by their unreliability and very low data rate. In this paper, we show through a new class of timing channels coined as Cloak that it is possible to devise a 100 percent reliable covert channel and yet offer a much higher data rate (up to an order of magnitude) than the existing timing channels. Cloak is novel in several aspects. First, Cloak uses the different combinations of N packets sent over X flows in each round to represent a message. The combinatorial nature of the encoding methods increases the channel capacity largely with (N,X). Second, based on the well-known 12-fold Way, Cloak offers 10 different encoding and decoding methods, each of which has a unique tradeoff among several important considerations, such as channel capacity and camouflage capability. Third, the packet transmissions modulated by Cloak can be carefully crafted to mimic normal TCP flows for evading detection. We have implemented Cloak and evaluated it in the PlanetLab and a controlled testbed. The results show that it is not uncommon for Cloak to have an order of channel goodput improvement over the IP Timing channel and JitterBug. Moreover, Cloak does not suffer from any message loss under various loss and reordering scenarios.
| Original language | English |
|---|---|
| Article number | 6255743 |
| Pages (from-to) | 890-902 |
| Number of pages | 13 |
| Journal | IEEE Transactions on Dependable and Secure Computing |
| Volume | 9 |
| Issue number | 6 |
| DOIs | |
| Publication status | Published - 28 Sept 2012 |
Keywords
- covert channel detection
- Enumerative Combinatorics
- Network covert channel
- TCP
- timing channel
ASJC Scopus subject areas
- Electrical and Electronic Engineering