Vulnerability Development mailing list archives

RE: Covert Channels

From: Omar Herrera <oherrera () prodigy net mx>
Date: Wed, 23 Oct 2002 17:32:06 -0600

I understand what you say: to build something that detects patterns from
known covert channel tools, and I think it is possible "with some".

I worry though that some types of covert channels (for example the ones
relying on timing) can't be efficiently detected without prompting a
high number of false positives and maybe this is what Michal is also
worried about since this is different from IDS and AV: with some covert
channels you will be able to send information in an unauthorized form
through an authorized channel and protocol. 

For example, suppose there is a covert channel tool (and I think it does
exist, I can't remember the name though) where I send messages out of my
machine to a web server that constantly changes address and DNS name (to
reduce repetition of that pattern) through the initial sequence number
while establishing a TCP communication. Suppose we already know that
this tool does not define a particular "dialect" so that you could match
it to a pattern (say, for example, that you send an initial sequence
number of 1000 if it is yes and 2000 if it is no). In this case, if the
user is able to select any number and arbitrarily assign any meaning to
each number, I think it is extremely difficult to detect (I mean, to
detect it you have to match it against something, right?).

Have you already thought of any way to build a tool to reduce this? The
question here is also if the amount of CC tools out there whose activity
can be matched against a pattern is big enough for the effort of
building the tool and how long will it be before more advanced CC tools
appear that are not detectable.

If I did not misunderstand Michal, this is what he is referring to when
he talks about requiring an "Intelligence" in order to detect this kind
of advanced CC tools.

An alternative idea to developing a tool would be developing a service
(supported by a tool) where some kind of experts analyze the traffic
flow. Now, I also doubt this would be practical, apart from being
extremely expensive, and maybe only some organizations such as the NSA
might see some benefit in implementing this (and this sounds to me more
like intelligence/counterintelligence activity than simple information
security work).

Probably in more years for some specific environments where high
confidentiality is required this service might be profitable but I
wouldn't bet on it :-).

Just some thoughts,

Omar Herrera

-----Original Message-----
From: Blue Boar [mailto:BlueBoar () thievco com] 
Sent: Wednesday, October 23, 2002 02:51 p.m.
To: Michal Zalewski
Cc: Jose Nazario; Frank Knobbe; vuln-dev () securityfocus com
Subject: Re: Covert Channels

Michal Zalewski wrote:

> Exploit author can do his best to fool most popular IDSes, and vendors can
> easily update to cover this attack mechanism, fragmentation or obfuscation
> scheme. No biggie. If the model of acceptable traffic is lacking, it has
> to be refined, and in most cases, there's a way to do it without catching
> too much of a valid traffic.

All I'm saying is that a covert channel detector can do as well as IDS' do
today, which means basically catching some set of known stuff.  IDS' don't
catch everything, and they have utility.  All you have to do is write a
program that checks to see if ICMP echo request and reply packets match the
dozen or so different ping implementations, and if not, then flag it.
There, you've got a program that catches *some* covert channel action.  You
might even be able to make a commercial product out of it.

Just because some (most?) covert channels won't be detected doesn't mean
that you should give up trying to spot the known ones.  Otherwise, IDS' and
virus scanners are useless too, because they can always be bypassed.  Some
people may think that they *are* useless, given their needs or environment,
which is why I said "If someone thinks an IDS is useful ... then there is
no reason to think a covert channel detector wouldn't be useful for the
same reason."

                                        BB
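Blue Boar's suggestion above (check whether ICMP echo packets look like one of the known ping implementations and flag anything else) can be sketched as a small whitelist-style checker. The following is an added example for this archive page, not code from any participant in the thread. It models a "known ping implementation" as a fixed payload length plus the payload bytes that never change, with timestamp positions left as wildcards; the two fingerprints are constructed approximations for illustration, not authoritative vendor signatures, and the sample packets are built inline.

```python
"""Fingerprint check for ICMP echo payloads (added example, not from the thread)."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed fingerprints of what a "known ping implementation" emits.
# Each entry: fixed payload length and the byte values that never change;
# positions left out (e.g. timestamps) are wildcards. Rough approximations
# for illustration only, not authoritative signatures of any vendor's ping.
KNOWN_PING_PAYLOADS = {
    # Assumption: 32-byte repeating alphabet pattern as sent by a common Windows ping.
    "windows-style": {
        "length": 32,
        "fixed": dict(enumerate(b"abcdefghijklmnopqrstuvwabcdefghi")),
    },
    # Assumption: 56-byte payload, timestamp in the first 16 bytes (wildcard),
    # then payload[k] == k for every remaining position, as in Unix ping tools.
    "unix-style": {
        "length": 56,
        "fixed": {k: k for k in range(16, 56)},
    },
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP packet (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Split an ICMP packet into header fields and payload."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, checksum, ident, seq, packet[8:]


def matching_implementations(payload: bytes) -> list:
    """Names of fingerprints whose length and fixed bytes the payload satisfies."""
    names = []
    for name, fp in KNOWN_PING_PAYLOADS.items():
        if len(payload) != fp["length"]:
            continue
        if all(payload[off] == val for off, val in fp["fixed"].items()):
            names.append(name)
    return names


def inspect_echo(packet: bytes) -> dict:
    """Classify one ICMP packet: 'known', 'unknown' (flag it) or 'not-echo'."""
    icmp_type, code, _, ident, seq, payload = parse_icmp(packet)
    # A valid packet's checksum, recomputed over the whole packet, folds to 0.
    checksum_ok = icmp_checksum(packet) == 0
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return {"verdict": "not-echo", "matches": [], "checksum_ok": checksum_ok}
    matches = matching_implementations(payload)
    verdict = "known" if matches and checksum_ok else "unknown"
    return {"verdict": verdict, "matches": matches, "checksum_ok": checksum_ok,
            "ident": ident, "seq": seq, "payload_len": len(payload)}


if __name__ == "__main__":
    # Constructed samples: two that look like ordinary pings and one that does not.
    samples = {
        "windows-like": build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
        "unix-like": build_echo(b"\x00" * 16 + bytes(range(16, 56))),
        "odd-payload": build_echo(b"x" * 32),
    }
    for label, pkt in samples.items():
        print(label, inspect_echo(pkt))
```

Anything reported as "unknown" is exactly the "flag it" case in Blue Boar's sketch: a pattern-matching detector only ever confirms that traffic looks like something it already knows, which is also why, as Omar notes, an ISN-based channel with no fixed dialect would pass straight through such a check.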