CNIS, Uniondale, NY Dec 2003. Quasi-Anonymous Channels. Ira S. Moskowitz --- NRL Richard E. Newman --- UF Paul F. Syverson --- NRL. Center for High Assurance Computer Systems Code 5540 Naval Research Laboratory Washington, DC 20375 http://chacs.nrl.navy.mil moskowitz@itd.nrl.navy.mil.
Anonymity
• Interest is in hiding who is sending what to whom.
• How does one measure anonymity?
• Is there perfect anonymity?
Covert Channels
• A communication channel that exists, contrary to system design, in a computer system or network
• Typically in the realm of MLS (multilevel secure) systems
• Classically, the threat is measured by capacity
Quasi-Anonymous Channels
• Less than perfect anonymity = quasi-anonymity
• Quasi-anonymity allows a covert channel = quasi-anonymous channel
• A quasi-anonymous channel is
 – an illegal communication channel in its own right
 – a way of measuring anonymity
BACKGROUND: MIXes
• A MIX is a device intended to hide source/message/destination associations.
• A MIX can use crypto, delay, shuffling, padding, etc. to accomplish this.
• Others have studied ways to “beat the MIX”:
 – active attacks to flush the MIX
 – passive attacks may study probabilities
• A MIX may successfully hide what, but does it always hide who/whom?
Prior measures of anonymity
• AT&T Crowds: degree of anonymity, p_forward (probability of forwarding a message)
 – Not MIX based
• Dresden: anonymity set (set of senders); set size N, log(N)
 – Does not include observations by Eve
• Cambridge: effective size, assign probabilities to senders, between – and log(N)
 – We show (later): maximal entropy (most noise) does not assure anonymity
• K.U. Leuven: normalize the above
• We want something that measures before & after. That is Shannon’s information theory.
Our Scenario (WPES 2003)
[Figure: MIX firewalls separating two enclaves. Enclave 1 (Alice & the Cluelessi) → MIX → Eve → MIX → Enclave 2. The overt channel (anonymous?) carries a covert channel from Alice to Eve.]
• MIX firewalls separating 2 enclaves
• Timed MIX, total flush per tick
• Eve: counts the number of messages per tick; perfect sync, knows the number of Cluelessi
• The Cluelessi are IID; p = probability that a Clueless_i does not send a message
• Alice is clueless with respect to the Cluelessi
NRL Covert Channel Analysis Lab
• John McDermott & Bruce Montrose
• Actual network set-up to exploit these quasi-anonymous channels
• First attempt: detect gross changes in traffic volume
• Future work may be a more fine-tuned detection of the mathematical channels discussed here
Toy Scenario: only Clueless_1
• Alice can: not send a message (0), or send (0c)
• Only two input symbols to the (covert) channel
• What does Eve see? {0, 1, 2}
[Channel diagram: Alice’s input 0 → Eve sees 0 with probability p, 1 with probability q; Alice’s input 0c → Eve sees 1 with probability p, 2 with probability q (q = 1 − p, the probability that Clueless_1 sends).]
Discrete Memoryless Channel
[Diagram: X → anonymizing network → Y]
• X is the random variable representing Alice, the transmitter to the covert channel
• X has a probability distribution: P(X = 0) = x, P(X = 0c) = 1 − x
• Y represents Eve; its probability distribution is derived from X and the channel matrix
In general $P(X = x_i) = p(x_i)$, and similarly $p(y_k)$.
Entropy of X: $H(X) = -\sum_i p(x_i)\log p(x_i)$
Conditional entropy: $H(X|Y) = -\sum_k p(y_k)\sum_i p(x_i|y_k)\log p(x_i|y_k)$
Mutual information: $I(X,Y) = H(X) - H(X|Y) = H(Y) - H(Y|X)$ (we use the latter)
Capacity is the maximum of I over the distribution of X.
For the toy scenario
$C = \max_x \Big\{ -\big( px\log px + [qx + p(1-x)]\log[qx + p(1-x)] + q(1-x)\log q(1-x) \big) - h(p) \Big\}$
where $h(p) = -\{\, p\log p + (1-p)\log(1-p) \,\}$
General Scenario: N Cluelessi
Eve sees a count k ∈ {0, 1, …, N+1}; the channel matrix is
$P(Y = k \mid X = 0) = \binom{N}{k} p^{N-k} q^{k}$, $k = 0, \dots, N$ (i.e. $p^N$ for $k = 0$, $Np^{N-1}q$ for $k = 1$, …, $q^N$ for $k = N$)
$P(Y = k+1 \mid X = 0c) = \binom{N}{k} p^{N-k} q^{k}$, $k = 0, \dots, N$ (the same weights shifted up by one by Alice’s message: $p^N$ for $k+1 = 1$, …, $Nq^{N-1}p$ for $k+1 = N$, $q^N$ for $k+1 = N+1$)
Note
• Highest capacity when there is very low or very high clueless traffic
• Capacity as a function of p is bounded below by C(0.5) (attained at p = 0.5); thus even at maximal entropy, not anonymous
• Capacity monotonically decreases to 0 with N
• C(p) is a continuous function of p
• Alice’s optimal bias is a function of p, and is always near 0.5
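The following Python script is an added example, not code from the slides or from the NRL authors. It builds the channel matrix of the timed-MIX scenario for N Cluelessi (the toy scenario is N = 1), evaluates I(X;Y) = H(Y) - H(Y|X) as defined above, and finds the capacity by maximising over Alice's bias x, so the claims in the Note (minimum of C(p) at p = 0.5, decrease with N, optimal bias near 0.5) can be checked numerically. The function names and the ternary-search maximisation are my choices, not the authors'.

```python
import math
from typing import List, Tuple


def _xlog2(v: float) -> float:
    """v * log2(v) with the information-theoretic convention 0 * log 0 = 0."""
    return v * math.log2(v) if v > 0 else 0.0


def channel_matrix(n_clueless: int, p: float) -> List[List[float]]:
    """Rows: Alice's inputs (0 = silent, 0c = sends one message).
    Columns: the message count Eve sees in one tick, 0 .. N+1.
    Each Clueless_i sends independently with probability q = 1 - p, so the
    clueless count is Binomial(N, q); Alice's own message shifts it up by one."""
    q = 1.0 - p
    binom = [math.comb(n_clueless, k) * q ** k * p ** (n_clueless - k)
             for k in range(n_clueless + 1)]
    row_silent = binom + [0.0]      # X = 0  : Eve sees 0 .. N
    row_send = [0.0] + binom        # X = 0c : Eve sees 1 .. N+1
    return [row_silent, row_send]


def mutual_information(x: float, matrix: List[List[float]]) -> float:
    """I(X;Y) = H(Y) - H(Y|X) in bits, with P(X=0) = x and P(X=0c) = 1 - x."""
    px = [x, 1.0 - x]
    ncols = len(matrix[0])
    py = [sum(px[i] * matrix[i][k] for i in range(2)) for k in range(ncols)]
    h_y = -sum(_xlog2(v) for v in py)
    # H(Y|X): each row of the matrix is Eve's distribution given Alice's symbol
    h_y_given_x = -sum(px[i] * sum(_xlog2(v) for v in matrix[i]) for i in range(2))
    return h_y - h_y_given_x


def capacity(n_clueless: int, p: float, iters: int = 200) -> Tuple[float, float]:
    """Capacity C = max_x I(X;Y) and the maximising bias x.
    I is concave in the input distribution, so a ternary search on [0, 1] suffices."""
    matrix = channel_matrix(n_clueless, p)
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if mutual_information(m1, matrix) < mutual_information(m2, matrix):
            lo = m1
        else:
            hi = m2
    x_opt = (lo + hi) / 2
    return mutual_information(x_opt, matrix), x_opt


if __name__ == "__main__":
    # Table of C(p) for a few N: minimum at p = 0.5, decreasing with N.
    for n in (1, 2, 5, 10):
        row = ", ".join(f"p={p:.1f}: C={capacity(n, p)[0]:.3f}"
                        for p in (0.1, 0.3, 0.5, 0.7, 0.9))
        print(f"N={n:2d}  {row}")
```

Running the script prints C(p) across p for several N; the p = 0.5 column is the smallest in every row yet never reaches 0, which is the slide's point that maximal clueless entropy does not buy anonymity.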
Comments
• Lack of anonymity leads to a communication channel
• Use this quasi-anonymous channel to measure the anonymity
Other MIX scenarios
• Exit-only MIX firewall
• Instead of a timed MIX could be:
 – Threshold (Chaum) MIX
 – Pool MIX
Other quasi-anonymous channels
• The previous example was a storage channel in a timed MIX
• Can also have a timing channel (threshold MIX). Much more complicated:
 – Threshold MIX: the MIX flushes when K messages have arrived.
 – If Alice is the only sender, and can send a message to the MIX every t, the symbols Alice can send noiselessly to Eve are: Kt, Kt+1, Kt+2, …
 – Other senders add noise, so capacity is less
 – Desire a method of taking timing control away from Alice, without hurting performance
• Capacity is not always the correct measure: might want just mutual information, or the number of bits passed
When is capacity not good? (COMPASS ’94)
Shannon’s alternate definition of capacity for a noiseless channel:
$C = \lim_{n\to\infty} \sup \frac{\log |S_n|}{n}$ bits per t, where $S_n$ is the set of distinct symbol sequences of total duration n.
Example: 1 bit in 1 t, 1 bit in 2 t, 1 bit in 4 t, 1 bit in 8 t, …
By the M-th transmission there are $2^M$ different symbols, and the total time is $1 + 2 + 4 + \dots + 2^{M-1}$, so $n = 2^M - 1$ and $|S_n| = 2^M$, etc.
$C = \lim_{M\to\infty} \frac{M}{2^M - 1} = 0$
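An added example, mine rather than the slides', making Shannon's noiseless-channel capacity concrete. It counts |S_n| for a fixed finite set of symbol durations and compares log|S_n|/n with the closed form C = log2 r, where r is the largest real root of the sum of r^(-d_i) over the durations d_i equalling 1 (Shannon, 1948); it also evaluates the slide's doubling schedule, whose rate M/(2^M - 1) tends to 0. It goes beyond the slide in handling arbitrary duration sets, for instance the threshold-MIX symbols Kt, Kt+1, … truncated to a finite set. The sample duration sets, the function names and the bisection root-finder are assumptions.

```python
import math
from typing import Sequence


def count_sequences(durations: Sequence[int], n: int) -> int:
    """|S_n|: number of ordered symbol sequences whose durations sum to exactly n.
    Dynamic programme over total duration; symbols may be reused."""
    counts = [0] * (n + 1)
    counts[0] = 1
    for total in range(1, n + 1):
        counts[total] = sum(counts[total - d] for d in durations if d <= total)
    return counts[n]


def empirical_rate(durations: Sequence[int], n: int) -> float:
    """log2|S_n| / n, the quantity whose limit Shannon's definition takes."""
    return math.log2(count_sequences(durations, n)) / n


def shannon_capacity(durations: Sequence[int]) -> float:
    """Closed form: C = log2(r), r the largest real root of sum_i r^(-d_i) = 1.
    The left-hand side is strictly decreasing for r > 0, so bisection finds r."""
    def f(r: float) -> float:
        return sum(r ** (-d) for d in durations) - 1.0

    lo, hi = 1.0, 2.0
    while f(hi) > 0:          # expand until the sum has dropped below 1
        hi *= 2
    for _ in range(200):
        mid = (lo + hi) / 2
        if f(mid) > 0:
            lo = mid
        else:
            hi = mid
    return math.log2((lo + hi) / 2)


def doubling_schedule_rate(m: int) -> float:
    """The slide's schedule: the M-th transmission carries 1 bit but costs 2^(M-1) t,
    so after M transmissions |S_n| = 2^M while n = 2^M - 1."""
    return m / (2 ** m - 1)


def threshold_mix_symbols(k: int, t: int, count: int) -> list:
    """Constructed duration set for the threshold-MIX timing channel of the slide:
    a lone Alice feeding K messages every t units can make the flush occur at
    Kt, Kt+1, ..., here truncated to `count` symbols so the set is finite."""
    return [k * t + i for i in range(count)]


if __name__ == "__main__":
    for ds in ([1, 1], [1, 2], threshold_mix_symbols(3, 1, 4)):
        print(f"durations={ds}: closed form C={shannon_capacity(ds):.4f} "
              f"bits/t, log|S_400|/400={empirical_rate(ds, 400):.4f}")
    for m in (1, 4, 8, 16):
        print(f"doubling schedule, M={m}: rate={doubling_schedule_rate(m):.5f}")
```

For durations [1, 2] the count is a Fibonacci number and the closed form is log2 of the golden ratio; the empirical rate at n = 400 lands within about 0.001 of it, whereas the doubling schedule's rate is already below 0.0003 at M = 16.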
NRL Pump (1993, Kang & Moskowitz)
[Figure: messages pass from the LOW SIDE LAN through the Pump (buffer) to the HIGH SIDE LAN; ACKs return from High to the Pump, and statistically modulated ACKs go from the Pump back to Low.]
• Secure message passing from a Low user/process to a High user/process, while maximizing system performance and minimizing the covert channel capacity
Use Pump theory for a MIX Pump
• The MIX Pump would keep a history of senders
• It can delay certain messages to keep a sender from manipulating the flush time; this would also give a fairness criterion
Conclusions
• Have illustrated how supposedly anonymous communication may leak information through a quasi-anonymous channel
• Dual use: it also measures anonymity
• Illustrated various anonymity architectures and possible quasi-anonymous solutions
• We are working on a solution with a Pump-type approach