Vulnerability Development mailing list archives

Re: Covert Channels


From: "Roland Postle" <mail () blazde co uk>
Date: Thu, 24 Oct 2002 03:06:09 +0100

On 23 Oct 2002 17:11:56 -0400, Anton Aylward wrote:
Let me make that clear.  An IDS is working with a finite number of
channels on a bound and finite media, with a bound set of protocols. 
The messages may be infinite in detail but are enumerable (and actually
computable) by class.  A covert channel may be one of an infinite number
of possible mediums, not just the network, with an indeterminate
protocol.

I'm not clear what you see as infinite. If we're still just talking
about a single IP link (and not any physical signals like whether I'm
waving a flag out of the window), then there's still a finite number
of channels (on a bound and finite media, with a bound set of
protocols) when it comes to covert channels. If you're concerned about
the timing then it isn't an issue: if the CPU on the host sending
covert data clocks at 1GHz, then it can't make subtle timing
differences any finer than 1 / 10^9 seconds. (In any case timing can be
a part of an attack sequence which an IDS might detect. In extreme
cases, timing could be the /only/ difference between valid data and an
attack. So it's no more infinite in covert channels than it is in
intrusion detection). 

Let me give an example. I have a wire with a switch at one end and a
bulb at the other. You can flick the switch, the bulb comes on, flick
it the other way and it's off. But it will only turn on or off on
second boundaries. This mimics a (slow) IP link. I can transmit a
finite amount of data down it (in finite time), so how can it have an
/infinite/ number of possible mediums, or ways to transmit that data? 

What I think you could possibly be talking about is the fact that I
could for example encode the number PI as the bulb being on and the
number e as the bulb being off. Now I can transmit an infinite sequence
of digits in a single second. Or have I cheated by pretransmitting the
data? If I tell someone that if I access a certain website at a certain
time it means the entire Windows source tree looks like *this*, whereas
if I don't it looks like *this* (assume one is correct). Then I go to
work at Microsoft HQ, look at the source and act accordingly. Have I
sent the source code via a covert channel or haven't I? Have I broken
the security policy (Windows source code must not leave Microsoft
network) or have I just sent a bit of information? What about if I
prearrange bit sequences to represent common C/Windows keywords etc..
like void, UINT, #include... and transmit them to make up the source
code? At what point is the data actually transmitted?

Forgive my ramblings, but here is the problem: I can encode the
smuggled data in almost any way I like. That is, there are finite
encodings for my smuggled data, but because I can encode/encrypt it
against my prearranged 'one time pad', I can make it impossible to
distinguish it from random data, which means I can plausibly deny
having transmitted the Windows source code.

Now, if the definition of a covert channel is a communication path that
violates the security policy, the security policy is that the Windows
source code mustn't leave the Microsoft network, and you allow any kind
of communication over the IP link, then you can't be sure you don't
have a covert channel. If on the other hand you define a covert channel
as the transmission of data via any but the established means (email,
ftp etc..) and ignore what is actually being transmitted, then you
/can/ go /some/ way towards detecting it (practically now, not
theoretically) by looking for differences in network traffic over
time. Applications tend to use the same well trodden paths of any
protocol they adhere to, so if there's suddenly more paths being
trodden, someone may be doing something they shouldn't.

On Wed, 23 Oct 2002 17:32:06 -0600, Omar Herrera wrote:
For example, suppose there is a covert channel tool (and I think it does
exist, I can't remember the name though) where I send messages out of my
machine to a web server that constantly changes address and DNS name (to
reduce repetition of that pattern) through the initial sequence number
while establishing a TCP communication. Suppose we already know that
this tool does not define a particular "dialect" so that you could match
it to a pattern (say for example that you send an initial sequence
number of 1000 if it is yes and 2000 if it is no). In this case, if the
user is able to select any number and arbitrarily assign any meaning to
each number I think it is extremely difficult to detect (I mean, to
detect it you have to match it against something right?).

Here's a good example of what I'm talking about. Suppose we log the
ISNs for a while coming from this host and use them to build one of
Michal's lovely strange attractor thingies
(http://razor.bindview.com/publish/papers/tcpseq.html if you haven't
read it). Assume we know what OS the host is running. Over time we'll
notice a difference between the observed and expected attractor. If the
observed data becomes true random, then there might be a covert channel
but we have no hope of finding out what data is leaking. (If it becomes
less random, then we might actually be able to decipher it.) 

However, when OSs start using true random ISN generators we're screwed
because the data is random regardless of whether it's a genuine ISN or
a bit of Windows source encrypted against my one time pad. Essentially
the same problem as detecting a covert channel over an encrypted link,
but not one we can ignore by saying "well encryption's different,
forget that for now". I wonder if there's some way to generate a one
time pad in such a way that combined with some data it doesn't look
random, but instead looks like it's generated by an OS's RNG as ISNs
would be.... Or is randomness really that special?

On 23 Oct 2002 17:53:58 -0500, Frank Knobbe wrote:
Do you know what's the correct order a person should view websites in?=)

No, but the order should be pretty much random and unpredictable. But
wouldn't a covert channel add some static element to it? For example if
every Friday, three websites get visited in the same order, that could
indicate a covert channel, or not? 

This is exactly the opposite of what I'm saying :) Every Friday three
websites in the same order might represent a different bit of data (see
my one time pad). The user/application on the other hand probably has a
habit of doing the same things, though any part of that expected traffic
that is expected to be true random represents an undetectable covert
channel.

It's a good thread this ;)

- Blazde

