Vulnerability Development mailing list archives
Re: Covert Channels
From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 23 Oct 2002 14:29:09 -0700
Anton Aylward wrote:
> On Wed, 2002-10-23 at 16:34, Blue Boar wrote:
>> The specifics aren't important. The number of ways to implement some attacks, and the number of ways to bypass an IDS are also infinite.
> I doubt that, but even if it is so, an IDS is limited to the network whereas a covert channel could - as I illustrated - be anything. It could be whether I leave my blinds open at night. In this case, the set of covert channels is transfinite.
If you want to take covert channels outside of the realm of computer networks, there's no reason the concept of an IDS couldn't as well. The airport x-ray IDS is perfectly capable of detecting the midget-in-luggage attack.
> Let me make that clear. An IDS is working with a finite number of channels on a bound and finite media, with a bound set of protocols. The messages may be infinite in detail but are enumerable (and actually computable) by class. A covert channel may be one of an infinite number of possible mediums, not just the network, with an indeterminate protocol.
But who cares? The question asked was whether it would be possible to make a covert channel detector product. My answer is that you can do as much with a covert channel detector as with an IDS. So your assertion that an IDS does less doesn't much affect my statement.
>> You can make a covert channel detector that is as much of a "success" as an IDS product. Just because it's always possible to bypass an IDS, or virus scanner, etc. does not mean the product has no value.
> Not so. Bypassing an IDS is one of two ways: 1) it doesn't know the pattern - limit to the IDS 2) you didn't set it up right, which may be architectural.
Those aren't the only ways to bypass an IDS. But again, what does that have to do with an IDS having value?
> What you are asking for in a CoChDS is an "intelligence".
No, what I'm saying is that you can make a "product" that checks for any number of known network-based covert channels, and you'll have something that is of some utility.
BB