Dailydave mailing list archives
air gap vs. covert channels (was: We got owned by the Chinese...)
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 24 May 2006 22:55:02 +0200
Dave Aitel wrote: /.../

> It's most non-classified networks that allow http, https or dns access. You can tunnel effectively through any of them. You could even tunnel through SMTP if you were ballsy enough. Everyone's been doing this since 1992 AD, and I assume that if anyone puts an anomaly detection application firewall in place on HTTP and HTTPS, there'll be some public research into covert channels. Maybe Joanna will release something to explain how egress filtering without an air gap is just amusing.
haha, yeah, without an air gap the problem is quite hard, so to say... but I would like to point out some notable efforts in this area:

Drew Hintz presented at Defcon 10 in 2002 a very simple method of how to detect a very complex covert channel in TCP timestamps (described and implemented by some clever guys from MIT and Harvard): http://guh.nu/projects/cc/covertchan.ppt (slides describing the channel, by one of its creators, can be found here: http://www.eecs.harvard.edu/~greenie/ccslides.pdf)

Actually I need to say that, although it's a 4-year-old idea now, I am still very much impressed by this covert channel :)

And, of course, my favorite examples of two independent approaches of how to detect my NUSHU covert channel :)

One by Steven Murdoch from Cambridge (nice pictures inside!): http://www.cl.cam.ac.uk/users/sjm217/talks/ccc05covert-tcp.pdf

And another one, exploiting neural networks, presented by guys from I-409 Labs from Russian Taganrog State University: http://www.rootkit.com/vault/90210/neural_networks_vs_NUSHU.pdf (note that this is a free copy for the community; if you're a snob, you can also buy it from the IEEE website for $19 ;))

So, all those people actually implemented working network-based detectors against some complex covert channels. Those channels were designed to be undetectable, even though the algorithm was publicly known (i.e. the security of the channel should have relied on a secret key, like with modern crypto algorithms). I'm really impressed with all those approaches (apparently even academia can produce some cool stuff ;))

But the natural question arises: how does all this scale to other, unknown schemes? After all, those detection techniques were invented after the given channel was made public. Can one come up with a generic 'traffic observer', say at L3/L4 (so I exclude the application layer to make the problem easier), which would notice any patterns, like those introduced by the TCP timestamp or NUSHU covert channels and many, many others?

I personally think that it's not feasible. But I might be missing something, so share your thoughts! And also, is anybody aware of any covert channel detectors being deployed in some real networks (i.e. outside labs)? Because I still have this weird feeling that maybe some people spent lots of time thinking about and implementing new, extremely advanced covert channels, while in the case of 99% of networks everything that is more advanced than a standard connect-back can go through pretty unnoticed... Or does the detection rely on a smart dude becoming suspicious from time to time? ;)

joanna.
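As an added illustration of one building block such a generic L3/L4 'traffic observer' could use (this is not code from the mail, nor from any of the detectors linked above): a per-flow check that a host's TCP timestamp (TSval) advances like a real clock, fitted from arrival times. The rate, tolerance and sample flows are assumed and constructed here, not taken from real captures.

```python
"""Per-flow TCP TSval clock-consistency check (added example).

A legitimate stack stamps segments with a counter ticking at a fixed rate
(100 Hz, 1000 Hz, ...), so (arrival_time, TSval) pairs fit a straight line
up to network jitter. A process that rewrites the field breaks the fit.
"""
import random


def fit_clock(samples):
    """Least-squares fit TSval = a + rate * t; returns (a, rate)."""
    n = len(samples)
    mt = sum(t for t, _ in samples) / n
    mv = sum(v for _, v in samples) / n
    sxx = sum((t - mt) ** 2 for t, _ in samples)
    sxy = sum((t - mt) * (v - mv) for t, v in samples)
    rate = sxy / sxx
    return mv - rate * mt, rate


def clock_residuals(samples):
    """Distance of each observed TSval from the fitted clock line, in ticks."""
    a, rate = fit_clock(samples)
    return [v - (a + rate * t) for t, v in samples]


def flow_is_suspicious(samples, max_jitter_s=0.05, min_samples=20):
    """Flag a flow whose TSvals miss the fitted clock by more than
    max_jitter_s worth of ticks on more than 5% of its segments."""
    if len(samples) < min_samples:
        return False          # too little data to judge
    _, rate = fit_clock(samples)
    if rate <= 0:
        return True           # counter not advancing: not a clock at all
    tol = max_jitter_s * rate
    bad = sum(1 for r in clock_residuals(samples) if abs(r) > tol)
    return bad / len(samples) > 0.05


# --- constructed sample flows (assumed, not real captures) ---
def make_legit_flow(hz=100, n=200, seed=1):
    """TSval follows an hz clock; arrival times carry up to 5 ms jitter."""
    rnd = random.Random(seed)
    out = []
    for i in range(n):
        send_t = i * 0.02
        out.append((send_t + rnd.uniform(0, 0.005), 123456 + int(send_t * hz)))
    return out


def make_rewritten_flow(hz=100, n=200, seed=2):
    """Same clock, but the low 8 bits of TSval are overwritten by some
    out-of-band process (constructed anomaly, no message encoded)."""
    rnd = random.Random(seed)
    return [(t, (v & ~0xFF) | rnd.getrandbits(8)) for t, v in make_legit_flow(hz, n, seed)]
```

Note the limit this check has by design: a channel that only delays segments until the stack's own clock shows the desired value keeps the line fit intact, so this observer catches field rewriting, not timing modulation.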