As stated previously, behavioural tests are based on timing information obtained from P. and T. Features extracted from this information are stored in a dataset and used to train a classification algorithm that later classifies target embedded machines. In this scenario, a clever attacker could take one entry of the training set related to an REM and replicate its ping response time and timestamp values.
The aim of the attacker is to conceal itself by pretending to be an REM in order to establish M2FM communications. The only way to mount this attack is to be able to modify the kernel of the powerful machine, which can be done on Linux-based OSs. The rationale behind the attack is to insert a delay when a ping request packet is received. This is possible because a powerful machine is faster than an embedded machine, whereas the method cannot be used on VESs because these have timing-related problems as per Hypothesis 1 (Subsection 3.4.1). For these reasons, this attack is called an FTA. An FTA can be very dangerous in scenarios with a medium to extreme level of security (Table 4.8): information collected by one attacker node may be used against businesses and/or governments, affecting their reputation and security.
An attacker can modify the kernel for the purpose of changing the timing behaviours of a powerful machine, as shown in Figure 5.2. In this figure, three delta times are highlighted as follows:
• ∆T0: time required for the ping request packet to reach the kernel space from the user space;
• ∆T1: time required by the kernel to receive and parse the request packet, create a ping response packet, calculate and insert the delay for mimicking the real embedded machine, and finally send the response packet to the user space;
• ∆T2: time required for the ping response packet to reach the user space from the kernel space.

[Figure 5.2 (image not reproduced): the characterisation algorithm (ping localhost) in user space sends ICMP_ECHO down to the kernel space (∆T0); in the kernel space, the function that receives the packet starts a timer, the functions that create the reply packet insert the delay, and the function that sends the packet returns ICMP_ECHOREPLY (∆T1), which then reaches the user space (∆T2).]

Figure 5.2: Kernel modification of a powerful machine for the purpose of faking its timing behaviours in order to mimic behaviours of a real embedded machine.
As Figure 5.2 indicates, the attacker may change its ping response time ($T_{pingEve}$) by considering the ping response information of an REM ($T_{pingREM}$) and following these steps:
1. Start a timer when the ping request packet (ICMP ECHO) arrives in the kernel space;
2. Stop the timer before sending the ping response packet (ICMP ECHOREPLY) to the user space;
3. If $T_{pingEve}$ is smaller than $T_{pingREM}$, delay sending the response packet by $delay_{Eve}$ milliseconds;
4. Send the ping response packet to the user space.
Therefore, the equations used by the attacker to mimic the timing behaviours in these steps are:
• The powerful machine response time shown in Figure 5.2 can be expressed as:
$$T_{pingEve} = \Delta T_0 + \Delta T_1 + \Delta T_2 \quad (5.1)$$
• If $T_{pingEve} < T_{pingREM}$, the delay that must be inserted before sending the response packet is:
$$delay_{Eve} = T_{pingREM} - T_{pingEve} = T_{pingREM} - (\Delta T_0 + \Delta T_1 + \Delta T_2) \quad (5.2)$$
• However, the attacker can only manage $\Delta T_1$, as this is strictly related to the kernel space, while $\Delta T_0$ and $\Delta T_2$ vary from ping to ping, making their values unknown and unmanageable. Therefore, a clever attacker will estimate them, resulting in an estimated delay:
$$\mathrm{e}(delay_{Eve}) = T_{pingREM} - \left[\Delta T_1 + \mathrm{e}(\Delta T_0 + \Delta T_2)\right] \quad (5.3)$$
where $\mathrm{e}(\cdot)$ denotes an estimate and
$$\mathrm{e}(\Delta T_0 + \Delta T_2) = \mathrm{average}\left(T_{pingEve} - \Delta T_1\right) \quad (5.4)$$
the average being taken over pings that the attacker measures on its own machine (shown as ping localhost in Figure 5.2).
• From the equations above, it follows that the faked ping response time that the characterisation algorithm will receive is:
$$FakedT_{pingEve} = T_{pingEve} + \mathrm{e}(delay_{Eve}) \quad (5.5)$$
It is clear that the attacker is unable to fake its timing behaviours if $T_{pingEve}$ is greater than or equal to $T_{pingREM}$. The equal case is included because the attacker needs at least some microseconds to compute its $\Delta T_1$ and the delay, with the result that its $FakedT_{pingEve}$ is always greater than $T_{pingREM}$. This discrepancy causes the attack to fail and gives the trustor node an opportunity to detect it. From Equation 5.5 it is possible to show theoretically that Hypothesis 3 is valid, because the faked ping is based on an estimate of $\Delta T_0$ and $\Delta T_2$: the actual values of these terms change from ping to ping, so each faked response differs from $T_{pingREM}$ by the estimation error of that ping.
Furthermore, it follows from Equation 5.5 that the attacker will have an average trend of ping response times close, but not identical, to the average trend of the REM. The data distribution obtained by the attacker will therefore differ from that of the REM; in particular, the central tendency of the distribution of the attacker's timing behaviours will change. Specifically, the most frequent timing value and the middle timing value will differ with high probability, as shown in Figures 5.6(E) and 5.6(F), which show the median and mode ping response time respectively (see Section 5.4 for further details). This leads to Hypothesis 4:
Hypothesis 4. An FTA can be detected using statistical measures of the central tendency of a data distribution, such as the median and the mode.
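As an added worked example (not code from the thesis), the following Python simulation carries Equations 5.1 to 5.5 through in user space and then applies the median and mode check of Hypothesis 4 to the result. Everything in it is constructed: the REM training values, the attacker's kernel time ∆T1 = 30 µs, the true mean of ∆T0 + ∆T2 = 120 µs on the attacker's host, and a deterministic permutation standing in for the per-ping variation of ∆T0 + ∆T2 that the attacker can neither observe from the kernel nor control. The function names are the example's own.

```python
"""Added example, not code from the thesis: a user-space simulation of the
fake timing attack (FTA) of Equations 5.1-5.5 and of the median/mode check
of Hypothesis 4. All timing values are constructed and in microseconds."""
import statistics

DT1_EVE = 30        # constructed: kernel-side time (dT1) the attacker can measure
OVERHEAD_EVE = 120  # constructed: true mean of dT0 + dT2 on the attacker's host


def host_jitter(i, spread=15, period=31):
    """Constructed stand-in for the per-ping variation of dT0 + dT2, which the
    attacker can neither observe from the kernel nor control. A fixed
    permutation (7 is coprime to 31) makes the run reproducible; a real host
    shows scheduler and bus noise instead. Returns a value in [-spread, spread]
    whose mean over any `period` consecutive pings is exactly zero."""
    return (i * 7) % period - spread


def calibrate_overhead(kernel_times, measured_totals):
    """Eq. 5.4: e(dT0 + dT2) = average(T_pingEve - dT1), computed over a
    calibration run of `ping localhost` on the attacker's own machine, where
    T_pingEve is seen from user space and dT1 is recorded by the kernel."""
    return statistics.mean([t - k for t, k in zip(measured_totals, kernel_times)])


def fake_one_ping(t_ping_rem, dt0, dt1, dt2, overhead_estimate):
    """Eq. 5.3 followed by Eq. 5.5 for a single ping. dt0 and dt2 are the true
    values for this ping (unknown to the attacker); only dt1 and the estimate
    enter the delay. Returns (faked ping time, delay inserted)."""
    delay = t_ping_rem - (dt1 + overhead_estimate)   # Eq. 5.3: e(delayEve)
    if delay < 0:
        # T_pingEve >= T_pingREM: time cannot be removed, so no delay is
        # inserted and the response stays slower than the REM being mimicked.
        delay = 0
    return dt0 + dt1 + delay + dt2, delay            # Eq. 5.5: FakedT_pingEve


def rem_training_samples():
    """Constructed ping response times of one REM from the training set:
    100 integer values clustered around a few microsecond ticks."""
    return [410] * 5 + [412] * 40 + [413] * 30 + [415] * 20 + [420] * 5


def run_fta(rem_samples, n_calibration=62):
    """Calibration, then replay. The attacker first estimates dT0 + dT2 from
    n_calibration pings of localhost, then replays the REM training values,
    inserting for each one the delay that should make its own ping match.
    Returns (overhead estimate, list of faked ping times)."""
    kernel_times, totals = [], []
    for i in range(n_calibration):
        kernel_times.append(DT1_EVE)
        totals.append(DT1_EVE + OVERHEAD_EVE + host_jitter(i))
    estimate = calibrate_overhead(kernel_times, totals)

    faked = []
    for i, target in enumerate(rem_samples):
        jitter = host_jitter(i)
        # how the overhead splits between dT0 and dT2 does not matter here;
        # only their sum enters Eq. 5.5
        dt0, dt2 = 50 + jitter, 70
        t_fake, _ = fake_one_ping(target, dt0, DT1_EVE, dt2, estimate)
        faked.append(t_fake)
    return estimate, faked


def central_tendency(samples):
    """The Hypothesis 4 measurements: (mean, median, mode). statistics.mode
    returns the first of several equally frequent values (Python 3.8+)."""
    return (statistics.mean(samples), statistics.median(samples),
            statistics.mode(samples))


if __name__ == "__main__":
    rem = rem_training_samples()
    est, faked = run_fta(rem)
    print("attacker's estimate of dT0 + dT2:", est)
    print("REM   mean/median/mode:", central_tendency(rem))
    print("faked mean/median/mode:", central_tendency(faked))
    print("per-ping error of the first 5 faked pings:",
          [f - t for f, t in zip(faked[:5], rem[:5])])
```

Two things the run makes visible that the equations alone do not. First, the calibration estimate of ∆T0 + ∆T2 is exact on average (120 µs here), yet each faked ping still misses its target by that ping's own jitter, because Equation 5.5 adds the estimate to the real, unobserved ∆T0 and ∆T2; when the target is below the attacker's own overhead the delay clamps to zero and the response is simply slower, as the text states. Second, with these constructed values the mode moves from 412 µs (REM) to 409 µs (attacker) while the median happens to stay at 413 µs, which is why Hypothesis 4 names both measures and the text says "with high probability" rather than always.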