Liquid: A Detection Resistant Covert Timing Channel Based On Ipd Shaping

Covert timing channels provide a way to surreptitiously leak information from an entity in a higher-security level to an entity in a lower level. The difficulty of detecting or eliminating such channels makes them a desirable choice for adversaries that value stealth over throughput. When one considers the possibility of such channels transmitting information across network boundaries, the threat becomes even more acute. A promising technique for detecting covert timing channels focuses on using entropy-based tests. This method is able to reliably detect known covert timing channels by using a combination of entropy and conditional entropy to detect anomalies in shape and regularity, respectively. This dual approach is intended to make entropy-based detection robust against both current and future channels. In this work, we show that entropy-based detection can be defeated by a channel that intelligently manipulates the metrics used for detection. Specifically, we propose a new covert channel that uses a portion of the inter-packet delays in a compromised stream to smooth out the distortions detected by the entropy test. Our experimental results suggest that this channel can successfully evade entropy-based detection and other known tests while maintaining reasonable throughput. Furthermore, we investigate the effects of parameter selection on the channel. We introduce a model for analyzing the effect of our techniques on the entropy of the channel and empirically investigate the accuracy of the model.