Evaluation of the timing covert channel capacity considering packet transfer time distribution
Lampson was the first to introduce a covert channel as a channel that was not designed for information transmission. The problem of information leakage via network covert channels has a large scale due to the facts that IP protocol is widely used and has a lot of features to use it for hidden information transmission. Usually covert channels are divided into two groups by transmission technic: storage and timing covert channels. In the paper authors provide brief survey for network timing and storage covert channels as well as methods of information leakage counteraction. According to best practices, information systems and infrastructure have an information security policy with the requirements about allowable level of covert channel capacity. However, to take a decision about any method activation it is important not to allow underestimation of covert channel capacity. For the effective prevention of information leakage via network covert channels authors suggest a way to assess timing covert channel capacity. Two binary timing channels have been investigated: on/off and channel based on inter packet intervals modulation. In on/off covert channel the sender sends a packet during a preliminarily agreed time interval to transmit the bit «1» and does not send to transmit the bit «0». In a covert channel based on inter packet intervals modulation the sender sends packets with different time intervals defining different bits. The scientific novelty consists in taking into account network load conditions while assessing maximum amount of information that can be stealthily transmitted from secure infrastructure to an illegitimate receiver beyond secure perimeter. Authors investigated cases when packet transfer time from the sender to the receiver in the network (PTT) is defined by normal and exponential distribution – the most common distribution according to current research. Covert channel capacity is evaluated as a function of covert channel parameters and parameters of the PTT distribution (DPTT). Conducted research shows that in case when secure officer does not take into account typical load for the network and DPTT type maximum covert channel capacity will most likely be underestimated. If allowable level of covert channel capacity is set up, obtained results allow to take right decision about activation of countermeasures to prevent information leakage.