covert channel for one-way delay measurements

Posted on 16-Feb-2016


DESCRIPTION

Covert Channel for One-Way Delay Measurements. Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini. 18th International Conference on Computer Communications and Networks (ICCCN), August 4th, 2009. PowerPoint presentation.

TRANSCRIPT

Università degli Studi Roma Tre, Dipartimento di Informatica e Automazione

Covert Channel for One-Way Delay Measurements

Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini

18th International Conference on Computer Communications and Networks (ICCCN), August 4th, 2009

Scenario (slide 2, ICCCN 2009)

[Figure: five sites of one customer (customer site 1 to customer site 5), each attached through a CE router to a PE router of the ISP MPLS backbone.]

State of the Art

[Table comparing existing one-way delay measurement systems, active and passive, against an ideal system.]

Active measurement systems:
- Cisco IP-SLA, Juniper RPM, H3C HWPing
- NLANR AMP, CAIDA Archipelago, OWAMP
- C API [Harfoush02], IPMP [Luckie02], Pathload [Jain02]

Passive measurement systems:
- Lossy Difference Aggregation [Kompella09]
- CAIDA reports & traces (CoralReef), Sprint IPMON
- Ipanema patent, distributed infrastructure [Arlos05]

Comparison criteria: 1-way measures; intrusive; probes (control packets for sync, negotiation and aggregate results; probe packets); accuracy; traffic sampling; out-of-band channel.

Our Contributions

- A measurement architecture that is passive, nonintrusive, uses no sampling, and is unaffected by lost or out-of-sequence packets
- A formal establishment of measurement accuracy
- Experimental evaluation

Covert Channel

We exploit unused bits of the IP header: embedding covert channels into TCP/IP [Rowland97, Murdoch05] in order to measure the OWD.

Architecture

[Figure: the Scenario topology again (customer sites 1 to 5 around the ISP MPLS backbone), with a Measurement Agent (MA) placed at the edge of each customer site, between the site and the backbone.]

Measurement Agents: Upstream component

[Flowchart.] The MA receives a packet and checks: is it directed to a different site of the same customer?
- YES: encode a timestamp into the packet header
- NO: forward the packet unchanged
The upstream component operates in store & forward mode.

Measurement Agents: Downstream component

[Flowchart.] The MA receives a packet and checks: is it coming from a different site of the same customer?
- YES: decode the timestamp and compute the aggregates
- NO: forward the packet unchanged
The downstream component operates in cut-through mode.

Measurement Agents: QoS between different customers X, Y connected to the same backbone

The same flowcharts apply, with the checks "coming from same customer?" and "directed to same customer?" replaced by "coming from customer Y?" and "directed to customer X?".

Digging the Covert Channel

Usable bits: bits that are not used by end systems (ES) for critical functions and not altered by intermediate systems (IS).

IPv4 header fields considered:
- identification (16 bits), don't fragment (1 bit), fragment offset (13 bits): usable if customers rule out fragmentation
- reserved (1 bit), TTL (some of its 8 bits), type of service (8 bits) (marked "ok with MPLS" on the slide)

Caveats noted on the slide: IPsec (ESP, AH) and IPv6.

Measurement Errors

Minimize (or, at least, watch) the error on the measurement, the margin of error and the confidence level.

Notation: $\mathrm{owd}_r$ is the actual one-way delay, $\mathrm{owd}_c$ the computed one-way delay, and $e = \mathrm{owd}_r - \mathrm{owd}_c$ the measurement error. The requirement is

$$\Pr\left(|\mathrm{owd}_c - \mathrm{owd}_r| > T\right) \le P$$

with margin of error $T$ and confidence level $P$.

Measurement Errors: Quantization Error

Parameters: the (max) sync offset between the MAs and the measure scale (timestamp resolution).

[Figure: timestamps quantized on a scale 1, 2, 3, 4, 5, 6; pdf of the upstream quantization error $e_{uq}$ and of the downstream quantization error $e_{dq}$, each spread over one unit of the measure scale, and the resulting pdf of the overall quantization error $e_1$, spread over $[-1, 1]$ scale units.]

Measurement Errors: Saturation Error

With $B$ available bits, timestamps are represented modulo $k = 2^B$ (in units of the measure scale), so the computed delay is

$$\mathrm{owd}_c = (t_2 - t_1) \bmod k$$

If $\mathrm{owd}_r \in [0, k)$ the saturation error is $0$; if $\mathrm{owd}_r \in [k, 2k)$ it is $k$; if $\mathrm{owd}_r \in [2k, 3k)$ it is $2k$; and so on. Denoting by $A_1, A_2, A_3, \dots$ the probability mass of $\mathrm{pdf}(\mathrm{owd}_r)$ in each of these intervals, the saturation error $e_2$ takes the value $0$ with probability $A_1$, $k$ with probability $A_2$, $2k$ with probability $A_3$, and so on.

Measurement Errors: Overall Error

$e_1$ and $e_2$ are statistically independent, and the overall error is $e = e_1 + e_2$. [Figure: $\mathrm{pdf}(e)$ is the quantization-error pdf replicated around $0$, $k$ and $2k$ with weights $A_1$, $A_2$ and $A_3$.]

Measurement Setup (1)

Theorem. Let $B$ be such that [...] and [...] is minimized. Then, for [...] we have [...]. (The symbols that survive on the slide are $B$, $T$, $P$, $0$ and $\Pr(|e| > T) \le P$.)

1. MAs are synchronized with precision [...].
2. The user specifies $T$, $P$ and $k$, requesting that $\Pr(|e| > T) \le P$, with $k$ such that $\Pr(\mathrm{owd}_r > k) \le P$.
3. $B = \lceil \log_2 (k / T) \rceil$, so that $2^B$ timestamps at scale $T$ cover $\mathrm{owd}_r$ up to $k$, guaranteeing that [...].
4. Configure the MAs with $B$, $T$ and the source & destination addresses.

Measurement Setup (1): Example

$T = 1\,\mathrm{ms}$, $P = 0.001$, $k = 1000\,\mathrm{ms}$ (the slide also lists 4096 ns, presumably the synchronization precision of step 1).

In human words: the user requires $\Pr(|e| > 1\,\mathrm{ms}) \le 0.1\%$ and estimates that 99.9% of the packets have delay less than 1000 ms.

Result: $B = \lceil \log_2 (1000\,\mathrm{ms} / 1\,\mathrm{ms}) \rceil = 10$.

Measurement Setup (2)

Alternative scenario: the user provides $k$ and $P$ and has a constraint on $B$. The guarantee then becomes $\Pr\left(|e| > k / 2^B\right) \le P$.

Alternative scenario: the user provides $T$, $P$ and $B$. The requirements are satisfied if $\Pr\left(\mathrm{owd}_r > 2^B T\right) \le P$.
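The following is an added example, not code from the paper or its authors, tying together the covert-channel slide (which IP bits to borrow), the saturation-error slide ($\mathrm{owd}_c = (t_2 - t_1) \bmod 2^B$) and the setup slides ($B = \lceil \log_2(k/T) \rceil$). It assumes, for illustration only, that the upstream MA writes a $B$-bit timestamp into the IPv4 Identification field (the first of the "usable bits" listed, chosen because it is not touched in transit once DF is set); the slides do not say which field the authors' MAs use. The addresses, packet, function names and the common clock shared by both MAs are constructed for this example.

```python
# Added example (not the paper's code): upstream/downstream Measurement Agents
# carrying a quantized send timestamp in the IPv4 Identification field.
# Assumptions: Identification is the borrowed field, DF is set (customer rules
# out fragmentation), both MAs share one clock, all times are in microseconds.
import ipaddress
import math
import struct

IPV4_ID_BITS = 16  # width of the Identification field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with its checksum field (bytes 10-11) recomputed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int) -> bytes:
    """Constructed 20-byte IPv4 header with DF set: fragmentation is ruled out."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0x00, 20 + payload_len, ident & 0xFFFF,
                      0x4000,          # flags: DF=1, MF=0, fragment offset 0
                      64, 17, 0,       # TTL, protocol (UDP), checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return with_checksum(hdr)


def choose_bits(k_us: int, T_us: int) -> int:
    """Measurement Setup (1), step 3: B = ceil(log2(k / T))."""
    return math.ceil(math.log2(k_us / T_us))


def encode_timestamp(header: bytes, t_send_us: int, T_us: int, B: int) -> bytes:
    """Upstream MA: quantize the send time to scale T, keep B bits, write them into
    Identification and fix the checksum. The original Identification value is
    lost, which is why fragmentation has to be ruled out."""
    if not 0 < B <= IPV4_ID_BITS:
        raise ValueError("B must fit in the Identification field")
    stamp = (t_send_us // T_us) % (1 << B)
    return with_checksum(header[:4] + struct.pack("!H", stamp) + header[6:])


def decode_owd(header: bytes, t_recv_us: int, T_us: int, B: int) -> int:
    """Downstream MA: owd_c = ((t_recv / T) - stamp) mod 2^B, back in microseconds."""
    if ipv4_checksum(header) != 0:
        raise ValueError("corrupted IPv4 header")
    stamp = struct.unpack("!H", header[4:6])[0] & ((1 << B) - 1)
    return ((t_recv_us // T_us - stamp) % (1 << B)) * T_us


def simulate(owd_r_us: int, T_us: int, B: int, t_send_us: int = 1_000_000_000):
    """One packet crossing the backbone with real delay owd_r. Returns
    (owd_c, e = owd_r - owd_c). With a shared clock the only error sources are
    quantization (|e1| < T) and saturation (multiples of k = 2^B * T once
    owd_r >= k), exactly the e1 and e2 of the error analysis."""
    hdr = build_ipv4_header("10.1.0.2", "10.3.0.7", payload_len=876, ident=0x1234)
    hdr = encode_timestamp(hdr, t_send_us, T_us, B)
    owd_c = decode_owd(hdr, t_send_us + owd_r_us, T_us, B)
    return owd_c, owd_r_us - owd_c


if __name__ == "__main__":
    B = choose_bits(k_us=1_000_000, T_us=1_000)       # slide 17: T = 1 ms, k = 1000 ms
    print("B =", B, "covering", (1 << B) * 1_000, "us")  # B = 10
    print(simulate(30_000, 200, 9))                    # validation-table settings: (30000, 0)
    print(simulate(120_000, 200, 9))                   # owd_r beyond k = 102.4 ms: e2 = k
```

Two practical points follow from the code: every rewrite of Identification must be followed by a header-checksum recomputation, or the next router drops the packet; and the scheme cannot coexist with IPsec AH on the same packets, since RFC 4302 treats Identification as an immutable field covered by the AH integrity check (ESP in tunnel mode, by contrast, hides the inner header entirely, so the outer header would be the only place to write).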

Experimental Setup

[Figure: testbed wired with gigabit Ethernet (GE) links.]
- MA1 (upstream component): interfaces ma1_ge0, ma1_ge1
- MA2 (downstream component): interfaces ma2_ge0, ma2_ge1
- Traffic generator & analyzer: Spirent SmartBits SMB600B, interfaces tg_ge0, tg_ge1
- Network impairment: Netem, interfaces ni_ge0, ni_ge1

Server hardware: Fujitsu Siemens Primergy RX300, dual quad-core Intel Xeon 5000, 8 GB RAM, 2 dual-port GE NICs.

Experiment 1: Validation

Input: 14,000 packets of 896 bytes each; bandwidth utilization 70%; variable delays (uniform distribution) and a guarantee on the delay deduced from the network impairment configuration; $P = 0.1\%$.

Exp. ID | Delay (ms) | T (μs) | B  | Freq. e > T
1       | 30 ± 10    | 200    | 9  | 0.0006
2       | 30 ± 10    | 200    | 9  | 0.0002
3       | 30 ± 10    | 200    | 9  | 0.0014
4       | 30 ± 10    | 500    | 8  | 0
5       | 30 ± 10    | 500    | 8  | 0.0003
6       | 30 ± 10    | 500    | 8  | 0
7       | 30 ± 10    | 1000   | 7  | 0
8       | 30 ± 10    | 1000   | 7  | 0
9       | 30 ± 10    | 1000   | 7  | 0
10      | 30 ± 10    | 2000   | 6  | 0
11      | 30 ± 10    | 2000   | 6  | 0
12      | 30 ± 10    | 2000   | 6  | 0

Exp. ID | Delay (ms) | T (μs) | B  | Freq. e > T
13      | 60 ± 10    | 200    | 10 | 0.0016
14      | 60 ± 10    | 200    | 10 | 0.0001
15      | 60 ± 10    | 200    | 10 | 0.0009
16      | 60 ± 10    | 500    | 9  | 0.0002
17      | 60 ± 10    | 500    | 9  | 0
18      | 60 ± 10    | 500    | 9  | 0.0001
19      | 60 ± 10    | 1000   | 8  | 0.0001
20      | 60 ± 10    | 1000   | 8  | 0
21      | 60 ± 10    | 1000   | 8  | 0.0001
22      | 60 ± 10    | 2000   | 7  | 0
23      | 60 ± 10    | 2000   | 7  | 0
24      | 60 ± 10    | 2000   | 7  | 0

Slide annotation on both tables: limited by transmission delay of the downstream component. Exp. 3 (0.0014) and Exp. 13 (0.0016) are the only runs in which the observed frequency exceeds the requested $P = 0.1\%$.

Experiment 2: Performance

[Figure: average CPU usage (%) of the upstream component and of the downstream component vs. link load (10% to 90%), for packet sizes of 512, 768, 1024 and 1280 bytes; y-axis 0-40%. Annotation: NIC queue saturation.]

OWD computed at the downstream component. Delay: 60 ± 10 ms. Measurement time span: 20 s.

Experiment 2: Performance (detailed CPU usage)

[Figure: average CPU usage (0% to 100%) at 90% bandwidth, broken down into kernel, driver, cmd, ipc and others, for the upstream and downstream components and packet sizes of 512, 768, 1024 and 1280 bytes.]

Experiment 3: Latency

[Figure: average delay introduced by the MAs (latency in μs, 20 to 80) vs. packet size (512 to 1408 bytes), for bandwidth from 10% to 90%. Annotation: switching overhead.]
- No network impairment
- Delays collected by the SMB (SmartBits)

Experiment 4: Throughput

No network impairment; 100% bandwidth utilization; varying packet size (until the first packet is dropped).
- With disabled MAs: 450 bytes long, 265,957 pkts/s
- With enabled MAs: 476 bytes long, 252,016 pkts/s
- 5.24% reduction

Conclusions and Future Work

Take away:
- An IP covert channel for OWD measurements is feasible
- Formal analysis of measurement errors

What next:
- Different techniques to exploit the covert channel
- Different kinds of measurements
