Vulnerability Development mailing list archives

RE: Covert Channels


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 18 Oct 2002 09:42:20 -0400 (EDT)

On Fri, 18 Oct 2002, Ofir Arkin wrote:

> Using covert channels with the ICMP protocol can be defeated if you know
> what to expect and what your traffic needs to look like.

Huh? It's perfectly possible to communicate over "good looking" channels
using subtleties like timing, "acceptable" variations, etc, etc. Same with
any other protocol - what if you limit outgoing HTTP requests only to two
documents, /docone and /doctwo, if I can still implement a covert channel
by requesting them in a specific order, for example? Or by sending
specific If-Modified-Since, Accept-Encoding, or such... Not feasible?
Hardly, most covert channels for backdoors and such do not require too
much bandwidth. Not implemented yet? I'd argue.

> All in all, you cannot defeat covert channels because there are so many
> ways to implement them that current technology simply lags behind.

No, the reason is fundamentally different, which is that there is no way
for the machine (or human being, as a matter of fact) to make a clear
distinction between the necessary and potentially malicious traffic, since
there is no either-or distinction. Any vital and necessary traffic can
carry covert information. Period.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-18 09:39 --
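The two-document HTTP case argued above, as an added toy model that is not part of the original post or of any real tool. It assumes a hypothetical one-bit-per-request encoding (/docone for 0, /doctwo for 1) and a path-only allow-list policy, and shows what a defender's filter actually sees: every request is legitimate on its own, so the policy passes all of them, and the only observable signal is statistical (here, the entropy of the path sequence), which a sender who mimics the normal request mix can keep near the baseline.

```python
# Added example (not from the mailing-list post): a toy request-order covert
# channel over an allow-listed pair of URLs, from the defender's point of view.
from collections import Counter
import math

# Hypothetical policy: only these two documents may be fetched.
ALLOWED = {"/docone", "/doctwo"}

def encode_bits_as_requests(bits):
    """Map a bit string to a request sequence (hypothetical encoding)."""
    return ["/docone" if b == "0" else "/doctwo" for b in bits]

def decode_requests(paths):
    """Recover the bit string from the observed request order."""
    return "".join("0" if p == "/docone" else "1" for p in paths)

def whitelist_filter(paths):
    """What a path-only allow-list sees: it passes every request, because
    each one, taken alone, is exactly the traffic the policy permits."""
    return [p for p in paths if p in ALLOWED]

def sequence_entropy_bits(paths):
    """Shannon entropy per request of the path sequence (at most 1 bit for
    two paths). A flat 50/50 mix reads as 1.0, a single repeated path as 0.0."""
    counts = Counter(paths)
    n = len(paths)
    return -sum((k / n) * math.log2(k / n) for k in counts.values())

def entropy_alert(paths, baseline_bits, tolerance):
    """Crude statistical check: flag a sequence whose per-request entropy
    departs from a baseline (constructed here, not measured anywhere real)."""
    return abs(sequence_entropy_bits(paths) - baseline_bits) > tolerance

if __name__ == "__main__":
    # Constructed payload: 8 bits of "message".
    bits = "01101001"
    reqs = encode_bits_as_requests(bits)
    passed = whitelist_filter(reqs)
    print("requests passed by policy:", len(passed), "of", len(reqs))
    print("recovered bits:", decode_requests(passed))
    # Constructed baseline: normal clients fetch the two documents evenly.
    print("entropy alert:", entropy_alert(passed, baseline_bits=1.0, tolerance=0.2))
```

Running this shows the allow-list passing all eight requests and the receiver recovering the bits unchanged; the entropy check does not fire either, because a balanced bit pattern is statistically indistinguishable from the constructed baseline. Only a heavily skewed payload (many zeros in a row, say) would trip the threshold, which is the practical content of the argument above: the policy can bound the channel's bandwidth, not close it.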