Design and analysis of a model-based Covert Timing Channel for Skype traffic

In a model-based Covert Timing Channel (CTC), the (covert) sender modulates the inter-packet delays (IPDs) of the packet stream generated by the overt application (source) by following a well-known statistical model of the application traffic. Implementing a CTC system that operates on real application traffic such as Skype requires addressing several challenges. First, packets generated by Skype must meet a maximum end-to-end delay requirement which imposes limits on how long a packet can be buffered by the sender. Second, buffer overrun and underrun may occur due to transient mis-matches between the rate at which packets are generated by the source and the rate at which the sender can service the covert buffer. As a single IPD of Skype traffic is small and has a small delay spread, we propose to use delay of multiple IPDs (m-IPDs) to modulate the encoded symbols. To minimize buffer overruns and underruns, we partition the delay of m-IPDs so that each encoded symbol can be mapped to multiple partitions of the delay distribution. We then provide a mathematical model to choose the appropriate partition for a given encoded symbol based on the state of the buffer. We evaluate the performance of an users-space implementation of the CTC system in real network settings for Skype traffic. We show that the covert channel based on the proposed design can be established even when the source is connected to a public WiFi network and it is largely non-detectable under well-known statistical tests including the entropy test, the Kolmogorov-Smirnov test, and the Kullback-Leibler divergence test.