Vulnerability Development mailing list archives
RE: Covert Channels
From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 23 Oct 2002 17:32:06 -0600
I understand what you say, to build something that detects patterns from known covert channel tools, and I think it is possible "with some". I worry, though, that some types of covert channels (for example the ones relying on timing) can't be efficiently detected without prompting a high number of false positives, and maybe this is what Michal is also worried about, since this is different from IDS and AV: with some covert channels you will be able to send information in an unauthorized form through an authorized channel and protocol.

For example, suppose there is a covert channel tool (and I think it does exist, I can't remember the name though) where I send messages out of my machine to a web server that constantly changes address and DNS name (to reduce repetition of that pattern) through the initial sequence number while establishing a TCP communication. Suppose we already know that this tool does not define a particular "dialect" so that you could match it to a pattern (say, for example, that you send an initial sequence number of 1000 if it is yes and 2000 if it is no). In this case, if the user is able to select any number and arbitrarily assign any meaning to each number, I think it is extremely difficult to detect (I mean, to detect it you have to match it against something, right?).

Have you already thought of any way to build a tool to reduce this? The question here is also whether the amount of CC tools out there whose activity can be matched against a pattern is big enough for the effort of building the tool, and how long it will be before more advanced CC tools appear that are not detectable. If I did not misunderstand Michal, this is what he is referring to about requiring an "Intelligence" in order to detect this kind of advanced CC tools. An alternative idea to developing a tool would be developing a service (supported by a tool) where some kind of experts analyze the traffic flow.
Now, I also doubt this would be practical, apart from being extremely expensive, and maybe only some organizations such as the NSA might see some benefit in implementing this (and this sounds to me more like intelligence/counterintelligence activity than simple information security work). Probably in more years, for some specific environments where high confidentiality is required, this service might be profitable, but I wouldn't bet on it :-).

Just some thoughts,

Omar Herrera

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com]
Sent: Wednesday, 23 October 2002 02:51 p.m.
To: Michal Zalewski
Cc: Jose Nazario; Frank Knobbe; vuln-dev () securityfocus com
Subject: Re: Covert Channels

Michal Zalewski wrote:
Exploit author can do his best to fool most popular IDSes, and vendors can easily update to cover this attack mechanism, fragmentation or obfuscation scheme. No biggie. If the model of acceptable traffic is lacking, it has to be refined, and in most cases, there's a way to do it without catching too much valid traffic.
All I'm saying is that a covert channel detector can do as well as IDS' do today, which means basically catching some set of known stuff. IDS' don't catch everything, and they have utility. All you have to do is write a program that checks to see if ICMP echo request and reply packets match the dozen or so different ping implementations, and if not, then flag it. There, you've got a program that catches *some* covert channel action. You might even be able to make a commercial product out of it.

Just because some (most?) covert channels won't be detected doesn't mean that you should give up trying to spot the known ones. Otherwise, IDS' and virus scanners are useless too, because they can always be bypassed. Some people may think that they *are* useless, given their needs or environment, which is why I said "If someone thinks an IDS is useful ... then there is no reason to think a covert channel detector wouldn't be useful for the same reason."

BB
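The "flag echo payloads that match no known ping" detector Blue Boar sketches above, as an added example that is not part of the thread or of any tool it mentions. The two fingerprints (Windows ping.exe's 32-byte alphabet payload and the iputils counting pattern) are simplified assumptions for illustration; a real detector would carry many more, verified against captured traffic, and Omar's point stands that a channel with no fixed dialect slips past such a whitelist.

```python
import struct

# Simplified fingerprints of well-known ping implementations (assumed for
# this example; real payloads vary with version, options and data length).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes, Windows ping.exe


def looks_like_windows_ping(data: bytes) -> bool:
    return data == WINDOWS_PAYLOAD


def looks_like_iputils_ping(data: bytes) -> bool:
    # iputils fills data byte i with (i & 0xff) and overwrites the leading
    # bytes with a timestamp; default data length is 56. We only check the
    # counting part after the (assumed 16-byte) timestamp.
    return len(data) == 56 and all(data[i] == (i & 0xFF) for i in range(16, 56))


FINGERPRINTS = {
    "windows-ping": looks_like_windows_ping,
    "iputils-ping": looks_like_iputils_ping,
}


def parse_icmp(packet: bytes):
    """Split a raw ICMP packet into (type, code, ident, seq, data)."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def classify_echo(packet: bytes):
    """Name the ping implementation whose payload shape matches, None if
    the echo payload is unknown, or 'not-echo' for other ICMP types."""
    icmp_type, code, _ident, _seq, data = parse_icmp(packet)
    if icmp_type not in (8, 0) or code != 0:  # 8 = echo request, 0 = echo reply
        return "not-echo"
    for name, matches in FINGERPRINTS.items():
        if matches(data):
            return name
    return None


def flag_unknown_echoes(packets):
    """Indexes of echo packets whose payload matches no known ping."""
    return [i for i, p in enumerate(packets) if classify_echo(p) is None]


def build_echo(data: bytes, ident=0x1234, seq=1) -> bytes:
    # Constructed test packets; checksum left zero because we do not verify it.
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data


SAMPLES = [  # constructed sample traffic
    build_echo(WINDOWS_PAYLOAD),
    build_echo(b"\x00" * 16 + bytes(range(16, 56))),  # iputils-shaped payload
    build_echo(b"this is not a ping payload, flag me"),  # unknown payload
]
```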