Vulnerability Development mailing list archives

Re: Covert Channels


From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 23 Oct 2002 13:50:50 -0700

Michal Zalewski wrote:
> The difference is pretty obvious. An IDS is supposed to detect known
> characteristics of _unacceptable_ traffic (signature detection), or
> unexpected _deviations_ from acceptable patterns (anomaly detection).
> That makes sense - break-in attempts are an anomaly; there are no cases
> when common, valid traffic can also be an attack attempt

Of course there are. There are a huge number of POP3 clients out there, some of which will fail when given a particular input and some of which will handle it with no trouble. The input is legal according to some spec, and people sometimes find these bugs by accident.

> All low-level attacks (buffer overflows, etc.) can be told from legitimate
> traffic. There's no legitimate traffic that would look like a valid
> session - or, if there is, the false positive ratio is marginal. We get
> bounces because we used the words "i love you" in a mail from time to
> time, but generally it's not a concern, and it is a result of poor QA, not
> strategy problems.

There have been and will be cases where a buffer of size X is an overflow in one product and legal and normal in another.


> An exploit author can do his best to fool the most popular IDSes, and vendors can
> easily update to cover this attack mechanism, fragmentation or obfuscation
> scheme. No biggie. If the model of acceptable traffic is lacking, it has
> to be refined, and in most cases there's a way to do it without catching
> too much valid traffic.

All I'm saying is that a covert channel detector can do as well as IDSes do today, which means basically catching some set of known stuff. IDSes don't catch everything, and they have utility. All you have to do is write a program that checks whether ICMP echo request and reply packets match the dozen or so different ping implementations, and if not, flag them. There, you've got a program that catches *some* covert channel action. You might even be able to make a commercial product out of it.

Just because some (most?) covert channels won't be detected doesn't mean you should give up trying to spot the known ones. Otherwise IDSes and virus scanners are useless too, because they can always be bypassed. Some people may think that they *are* useless, given their needs or environment, which is why I said, "If someone thinks an IDS is useful ... then there is no reason to think a covert channel detector wouldn't be useful for the same reason."

                                        BB
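The ping-fingerprint detector sketched in the post above, as an added Python example that is not part of the original message or the thread. It parses raw ICMP echo messages (constructed inline, not captured), verifies the ICMP checksum, and flags any echo whose payload matches neither of two assumed fingerprints: Windows ping.exe's fixed 32-byte ASCII payload and iputils ping's 56-byte payload of a timestamp followed by filler bytes equal to their own offset. The fingerprints, sample packets and function names are this example's own assumptions, not from the page.

```python
"""Added example: a minimal ICMP echo "covert channel" detector of the kind the
post sketches. It flags echo requests/replies whose payload matches none of a
small set of known ping implementations. Fingerprints, sample packets and
names are this example's own assumptions, not the thread's."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed fingerprint: Windows ping.exe sends a fixed 32-byte ASCII payload.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a packet whose
    checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, itype: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a raw ICMP echo message (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Return (type, code, id, seq, payload); reject short or corrupt packets."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return itype, code, ident, seq, packet[8:]


def looks_like_iputils(payload: bytes) -> bool:
    """Assumed fingerprint: Linux iputils ping's default 56-byte payload is a
    timestamp (8 or 16 bytes) followed by filler where byte i == i.
    Checking offsets 16..55 covers both timestamp widths."""
    return len(payload) == 56 and all(payload[i] == i for i in range(16, 56))


def classify_payload(payload: bytes) -> str:
    """Name the ping implementation a payload matches, or 'unknown'."""
    if payload == WINDOWS_PAYLOAD:
        return "windows-ping"
    if looks_like_iputils(payload):
        return "iputils-ping"
    return "unknown"


def scan(packets):
    """Run the detector over raw ICMP messages; return a list of alerts."""
    alerts = []
    for pkt in packets:
        try:
            itype, _code, ident, seq, payload = parse_icmp(pkt)
        except ValueError as err:
            alerts.append(("malformed", str(err)))
            continue
        if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue  # only echo traffic is fingerprinted here
        if classify_payload(payload) == "unknown":
            alerts.append(("covert?", "id=%#06x seq=%d len=%d head=%r"
                           % (ident, seq, len(payload), payload[:16])))
    return alerts


# Constructed sample traffic (not captured from a real network).
IPUTILS_PAYLOAD = struct.pack("!QQ", 1700000000, 123456) + bytes(range(16, 56))
COVERT_PAYLOAD = b"root:x:0:0:root:/root:/bin/bash\n"   # data smuggled in an echo
SAMPLE_PACKETS = [
    build_echo(WINDOWS_PAYLOAD, seq=1),
    build_echo(IPUTILS_PAYLOAD, ICMP_ECHO_REPLY, seq=2),
    build_echo(COVERT_PAYLOAD, seq=3),
    build_echo(WINDOWS_PAYLOAD, seq=4)[:-1] + b"!",  # last byte changed: checksum fails
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PACKETS):
        print(kind, detail)
```

Running it flags the third packet as a possible covert channel and the fourth as malformed, while the two stock-looking echoes pass. The caveat the thread itself raises applies directly: a channel that copies a known payload exactly and carries its data in the identifier, sequence number or the timestamp bytes that this check deliberately skips passes unflagged, which is why such a detector catches only the known set of tricks.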
