Covert channel capacity defined

Computing the bitrate

Conclusions

On the computation of covert channel capacity

Eugène Asarin Cătălin Dima

LIAFA, CNRS & Univ. Paris 7 LACL, Univ. Paris 12

JM’08, Aug. 28, 2008

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Computing the bitrate
Conclusions

1 Covert channel capacity defined

Covert channels and their bitrates
Basic properties and examples

2 Computing the bitrate

An underapproximation
Input-deterministic channels
Some ideas for attacking nondeterministic channels

3 Conclusions

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

An information flow setting

A covert channel is a transducer T = (Q, Σ, Γ, δ, q0 , F)

Input from the “spy” : Lin (T ).
Output to the “intelligence agency” : Lout (T ).
Translation operated by the system/environment.
One bit of information = one alternative for spy’s input that
can be observed distinctly by the agency.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

An information flow setting

A covert channel is a transducer T = (Q, Σ, Γ, δ, q0 , F)

Input from the “spy” : Lin (T ).
Output to the “intelligence agency” : Lout (T ).
Translation operated by the system/environment.
One bit of information = one alternative for spy’s input that
can be observed distinctly by the agency.

a/c b/c

2 1 3
a, b/c a, b/d

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Distinguishability

L ⊆ pref(Lin (T )) is distinguishable if

∀w , w ′ ∈ L, if |w | = |w ′ | then T (q0 , w ) ∩ T (q0 , w ′ ) = ∅

Then L can be used by the spy for transmitting some

information to the agency.
Such that the agency can uniquely decode the information
received.
Infinitary variant : L ⊆ Lin (T ) is distinguishable if

∀w , w ′ ∈ L, T (q0 , w ) ∩ T (q0 , w ′ ) = ∅

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Distinguishability

L ⊆ pref(Lin (T )) is distinguishable if

∀w , w ′ ∈ L, if |w | = |w ′ | then T (q0 , w ) ∩ T (q0 , w ′ ) = ∅

Then L can be used by the spy for transmitting some

information to the agency.
Such that the agency can uniquely decode the information
received.
Infinitary variant : L ⊆ Lin (T ) is distinguishable if

∀w , w ′ ∈ L, T (q0 , w ) ∩ T (q0 , w ′ ) = ∅

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Channel bitrates

The uniform bitrate of T is:

Bu (T ) = sup E(L) | L ⊆ Σω , L is distinguishable



Here E(L) is the entropy of L.

The regular-uniform bitrate of T is:

Bru (T ) = sup E(L) | L ⊆ Σω , L is distinguishable and ω-regular



L is then called a realization of the bitrate.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Bitrates (2)

The nonuniform bitrate of T is:

1
· log2 max card(W ) | W ⊆ Σn ,

Bnu (T ) = lim sup
n→∞ n
W is distinguishable

W ⊆ Σω realizes Bnu (T ) if ∃(kn )n∈N with kn ≤ kn+1 such

that
W [1..kn ] is distinguishable for all n ∈ N and
Bnu (T ) = lim supn→∞ k1n · log2 card(W [1..kn ])

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Two basic problems

Problem (1)
Given a channel T , compute the (uniform, nonuniform,
regular-uniform) bitrate of T .

Problem (2)
Given a channel T , construct a (regular) realization L of Bu (T )
(resp. Bru (T ), Bnu (T ).

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

First example

a/c b/c

2 1 3
a, b/c a, b/d

Lin (T1 ) is distinguishable.

The family Lin (T1 )[1..2n] n∈N is distinguishable.
Hence
1
Bu (T1 ) = Bru (T1 ) = Bnu (T1 ) =
2

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Example 2

a/a, b b/b, c

d/a, d c/c, d

Bu (T1 ) = Bru (T1 ) = Bnu (T1 ) = 1

Only the opposite leaves can be used for coding.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Example 3

b/b 2 a/a

a/c
1
b/c

b/c 3 a/a
√
1+ 13
Bu (T1 ) = Bru (T1 ) = Bnu (T1 ) =
2
Loops in states 2 and 3 induce “ambiguities”.
The (uniform) bitrate is realized by a non-closed language,
and cannot be realized by a closed language.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Some relations between the different bitrates

Bru (T ) ≤ Bu (T ).
Bru (T ) ≤ Bnu (T ).
Given a covert channel T and an ω-regular language R, it
is decidable whether R is distinguishable in T .

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Covert channels and their bitrates
Computing the bitrate
Basic properties and examples
Conclusions

Some relations between the different bitrates

Bru (T ) ≤ Bu (T ).
Bru (T ) ≤ Bnu (T ).
Given a covert channel T and an ω-regular language R, it
is decidable whether R is distinguishable in T .

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

An underapproximation using Turán’s Theorem

Consider Gn = (LnT , ETn ) where

ETn = (w , w ′ ) ∈ LnT × LnT | T (w ) ∩ T (w ′ ) = ∅



Denote l = card(LnT ) and e = card(ETn ).

Proposition
Suppose that the asymptotics of l and e are respectively
l ≃ 2αn and e ≃ 2βn . Then the bitrate of T satisfies
B(T ) ≥ 2α − β.

Proof – using Turán’s Theorem.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Computing the asymptotics of l and e

Asymptotics of l = entropy of the input language Lin (T ).

For the asymptotics of e, build an “intersection” automaton:

Pairs(T ) = (2Q × 2Q , Σ × Σ, θ, (q0 , q0 )) where

 a,b
θ = (Q1 , Q2 ) −−→ (R1 , R2 ) | R1 = δ1 (Q1 , a), R2 = δ1 (Q2 , b)

and T (Q1 , a) ∩ T (Q2 , b) 6= ∅
Here δ1 = δ Q×Σ×Q .
If we denote Ln = L(Pairs(T )) ∩ (Σ × Σ)n and k = card(Σ),
then
k n (k n − 1)
e= − card(Ln )
2

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Regular realization of the bitrates for

input-deterministic channels

Proposition
If T is input-deterministic then
Bu (T1 ) = Bru (T1 ) = Bnu (T1 ) = E(Lout (T ))
Moreover one can effectively construct a regular realization of
the uniform entropy.

Proof: show that a regular realization of the uniform

entropy can be defined within MSO1 .
The formula identifies in fact a regular ω-sublanguage in
Lin (T ) on which T is bijective.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

The MSO1 -definable realization

For each w ∈ Lout (T ), the MSO1 formula chooses a

unique w ′ ∈ Lin (T ) with T (q0 , w ′ ) = w .
The choice is such that w ′ reaches “the fastest” a final
component in F
... and between all words that reach some final component
with the same ”speed” as w ′ , it is lexicographically the
smallest.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Tree automata from channels

Assume Tin = (Q, Σ, δin , q0 , F) is deterministic.

Construct a tree automaton A(T ):


a/x

 

e/t b/y , -
z
  

J
d/z, t
J
  c/x^



q → S ∈ θ if ∃A ⊆ Σ such that ∀a, b ∈ A, a 6= b,

T (q, a) ∩ T (q, b) = ∅.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Tree automata from channels

Assume Tin = (Q, Σ, δin , q0 , F) is deterministic.

Construct a tree automaton A(T ):


a/x

 

e/t b/y , -
z
  

J
d/z, t
J
  c/x^



q → S ∈ θ if ∃A ⊆ Σ such that ∀a, b ∈ A, a 6= b,

T (q, a) ∩ T (q, b) = ∅.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Tree automata from channels

Assume Tin = (Q, Σ, δin , q0 , F) is deterministic.

Construct a tree automaton A(T ):


a/x

 

e/t b/y , -
z
  

J
d/z, t
J
  c/x^



q → S ∈ θ if ∃A ⊆ Σ such that ∀a, b ∈ A, a 6= b,

T (q, a) ∩ T (q, b) = ∅.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Tree automata from channels

Assume Tin = (Q, Σ, δin , q0 , F) is deterministic.

Construct a tree automaton A(T ):


a/x

 

e/t b/y , -
z
  

J
d/z, t
J
  c/x^



q → S ∈ θ if ∃A ⊆ Σ such that ∀a, b ∈ A, a 6= b,

T (q, a) ∩ T (q, b) = ∅.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Tree automata from channels

Assume Tin = (Q, Σ, δin , q0 , F) is deterministic.

Construct a tree automaton A(T ):


a/x

 

e/t b/y , -
z
  

J
d/z, t
J
  c/x^



q → S ∈ θ if ∃A ⊆ Σ such that ∀a, b ∈ A, a 6= b,

T (q, a) ∩ T (q, b) = ∅.

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

The entropy of a tree automaton

Suppose A = (Q, Σ, δ, q0 , F ) is a tree automaton.

The entropy of A is

E(A) = lim sup E(T ) | T accepted by A

Problem (3)
Is E(A) computable ?

Subproblem of the joint spectral radius problem.

If M1 , . . . , Mk ∈ M then any recombination of the lines in
M1 , . . . , Mk is also in M.
Problem (4)
Does there exist a (regular) tree realizing E(A) ?

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

The entropy of a tree automaton

Suppose A = (Q, Σ, δ, q0 , F ) is a tree automaton.

The entropy of A is

E(A) = lim sup E(T ) | T accepted by A

Problem (3)
Is E(A) computable ?

Subproblem of the joint spectral radius problem.

If M1 , . . . , Mk ∈ M then any recombination of the lines in
M1 , . . . , Mk is also in M.
Problem (4)
Does there exist a (regular) tree realizing E(A) ?

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

The entropy of a tree automaton

Suppose A = (Q, Σ, δ, q0 , F ) is a tree automaton.

The entropy of A is

E(A) = lim sup E(T ) | T accepted by A

Problem (3)
Is E(A) computable ?

Subproblem of the joint spectral radius problem.

If M1 , . . . , Mk ∈ M then any recombination of the lines in
M1 , . . . , Mk is also in M.
Problem (4)
Does there exist a (regular) tree realizing E(A) ?

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Entropy of tree automata and covert channels

E(A(T )) is an underapproximation of Bu (T ).
Choose distinguishable inputs at each state.

a/c b/c

2 1 3
a, b/c a, b/d
Exact matching between E(A(T )) and Bu (T ) requires in
non-regular acceptance conditions in A(T ).
Level conditions.
Decidability?

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

Entropy of tree automata and covert channels

E(A(T )) is an underapproximation of Bu (T ).
Choose distinguishable inputs at each state.

a/c b/c

2 1 3
a, b/c a, b/d
Exact matching between E(A(T )) and Bu (T ) requires in
non-regular acceptance conditions in A(T ).
Level conditions.
Decidability?

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

A semi-algorithm

Iteratively eliminate from Lin (T ) useless sublanguages:

a/a, b b/b, c

d/a, d c/c, d
L1 = (Σ∗ c)∗ Σω is useless.
After eliminating L1 , (Σ∗ a)∗ Σω is useless too.
We are left with (b + d )ω , which is distinguishable.
Generalizable?...

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

A semi-algorithm

Iteratively eliminate from Lin (T ) useless sublanguages:

a/a, b b/b, c

d/a, d c/c, d
L1 = (Σ∗ c)∗ Σω is useless.
After eliminating L1 , (Σ∗ a)∗ Σω is useless too.
We are left with (b + d )ω , which is distinguishable.
Generalizable?...

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined An underapproximation
Computing the bitrate Input-deterministic channels
Conclusions Nondeterministic channels

A semi-algorithm

Iteratively eliminate from Lin (T ) useless sublanguages:

a/a, b b/b, c

d/a, d c/c, d
L1 = (Σ∗ c)∗ Σω is useless.
After eliminating L1 , (Σ∗ a)∗ Σω is useless too.
We are left with (b + d )ω , which is distinguishable.
Generalizable?...

E. Asarin & C. Dima On the computation of covert channel capacity

 Covert channel capacity defined
Computing the bitrate
Conclusions

Conclusions

Covert channel capacity as three generalized forms of

entropy of a transducer.
Computable for input-deterministic transducers.
Underapproximable using Turán’s theorem.
General case?

E. Asarin & C. Dima On the computation of covert channel capacity