Ira S. Moskowitz

A pump for rapid, reliable, secure communication

Communication from a low- to a high-level system without acknowledgements will be unreliable; with acknowledgements, it can be insecure. We propose to provide quantifiable security, acceptable reliability, and minimal performance penalties by interposing a device (called the Pump) to push messages to the high system and provide a controlled stream of acknowledgements to the low system. This paper describes how the Pump supports the transmission of messages upward and limits the capacity of the covert timing channel in the acknowledgement stream without affecting the average acknowledgement delay seen by the low system or the message delivery delay seen by the high system in the absence of actual Trojan horses. By adding random delays to the acknowledgment stream, we show how to further reduce the covert channel capacity even in the presence of cooperating Trojan horses in both the high and low systems. We also discuss engineering trade-offs relevant to practical use of the Pump.

Covert channels and anonymizing networks

There have long been threads of investigation into covert channels, and threads of investigation into anonymity, but these two closely related areas of information hiding have not been directly associated. This paper represents an initial inquiry into the relationship between covert channel capacity and anonymity, and poses more questions than it answers. Even this preliminary work has proven difficult, but in this investigation lies the hope of a deeper understanding of the nature of both areas. MIXes have been used for anonymity, where the concern is shielding the identity of the sender or the receiver of a message, or both. In contrast to traffic analysis prevention methods which conceal larger traffic patterns, we are concerned with how much information a sender to a MIX can leak to an eavesdropping outsider, despite the concealment efforts of MIXes acting as firewalls.

Correlation-based watermarking method for image authentication applications

We propose a correlation-based digital watermarking technique for robust image pattern authentication. We hide a phase-based signature of the image back into its Fourier magnitude spectrum in the embedding stage. The detector computes the Fourier transform of the watermarked image and extracts the embedded signature. Authentication performance is measured by a correlation test of the extracted signature and the signature computed from the watermarked image. The quality of the watermarked image is obtained from the peak signal-to-noise ratio metric. We also furnish simulation results to show the robustness of our approach to typical image processing as found in JPEG compression

Simple timing channels

We discuss the different ways of defining channel capacity for certain types of illicit communication channels. We also correct some errors from the literature, offer new proofs of some historical results, and give bounds for channel capacity. Special function techniques are employed to express the results in closed form. We are interested in a specific type of covert channel, a timing channel. A timing channel exists if it is possible for High to interfere with the system response time to an input by Low. Therefore, a timing channel is a communication channel where the output alphabet is constructed from different time values. However, the thrust of the paper is the analysis of timing channels that are discrete, memoryless, and noiseless. We call such a timing channel a simple timing channel (STC).<<ETX>>

The channel capacity of a certain noisy timing channel

The effect of noise on a simple covert timing channel is investigated. Shannons information theory is used to quantify the resulting information flow across the channel. In particular, how a probabilistic response time to a query by the receiver affects the mutual information and channel capacity is studied. The channel capacity is expressed in terms of the critical probability for the mutual information function which is given in closed form in terms of Wrights hypergeometric function. >

Metrics for Traffic Analysis Prevention

This paper considers systems for Traffic Analysis Prevention (TAP) in a theoretical model. It considers TAP based on padding and rerouting of messages and describes the effects each has on the difference between the actual and the observed traffic matrix (TM). The paper introduces an entropy-based approach to the amount of uncertainty a global passive adversary has in determining the actual TM, or alternatively, the probability that the actual TM has a property of interest. Unlike previous work, the focus is on determining the overall amount of anonymity a TAP system can provide, or the amount it can provide for a given cost in padding and rerouting, rather than on the amount of protection afforded particular communications.

A network version of the Pump

A designer of reliable MLS networks must consider covert channels and denial of service attacks in addition to traditional network performance measures such as throughput, fairness, and reliability. We show how to extend the NRL data Pump to a certain MLS network architecture in order to balance the requirements of congestion control, fairness, good performance, and reliability against those of minimal threats from covert channels and denial of service attacks. We back up our claims with simulation results.<<ETX>>

Parsimonious downgrading and decision trees applied to the inference problem

Abstract : In this paper we present our new paradigm for dealing with the inference problem which arises from downgrading. Our new paradigm has two main parts: the application of decision tree analysis to the inference problem, and the concept of parsimonious downgrading. We also include a new thermodynamically motivated way of dealing with the deduction of inference rules from partial data.

Design and assurance strategy for the NRL Pump

The NRL Pump forwards messages from a low level system to a high level system and monitors the timing of acknowledgments from the high level system to minimize leaks. It is the keystone to a proposed architecture that uses specialized high assurance devices to separate data at different security levels. We describe the software design and assurance argument strategy for this device, the Network NRL Pump, which can be used in any multilevel secure distributed architecture. We have completed the system requirements and logical design of a prototype pump and are working on its physical design.

A new paradigm hidden in steganography

Abstract : We discuss how steganography, in contrast to similar disciplines, requires a new paradigm based upon discontinuities and the absence of noise as a detection deterrent.