Dailydave mailing list archives

air gap vs. covert channels (was: We got owned by the Chinese...)


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 24 May 2006 22:55:02 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Aitel wrote:
/.../
It's most non-classified networks that allow http, https or dns access.
You can tunnel effectively through any of them. You could even tunnel
through SMTP if you were ballsy enough. Everyone's been doing this since
1992AD, and I assume that if anyone puts an anomaly detection
application firewall in place on HTTP and HTTPS, there'll be some public
research into covert channels. Maybe Joanna will release something to
explain how egress filtering without an air gap is just amusing.


haha, yeah, without an air gap the problem is quite hard so to say...

but, I would like to point out some notable efforts in this area:

Drew Hintz presented at Defcon 10 in 2002 a very simple method of
detecting a very complex covert channel in TCP timestamps (described and
implemented by some clever guys from MIT and Harvard):
http://guh.nu/projects/cc/covertchan.ppt
(slides describing the channel, by one of its creators, can be found
here: http://www.eecs.harvard.edu/~greenie/ccslides.pdf)

Actually I need to say that, although it's a 4-year-old idea now, I am
still very much impressed by this covert channel :)

And, of course, my favorite examples: two independent approaches to
detecting my NUSHU covert channel :)

One by Steven Murdoch from Cambridge (nice pictures inside!):
http://www.cl.cam.ac.uk/users/sjm217/talks/ccc05covert-tcp.pdf

And another one, exploiting neural networks, presented by guys from
I-409 Labs from Russian Taganrog State University:
http://www.rootkit.com/vault/90210/neural_networks_vs_NUSHU.pdf
(note that this is a free copy for the community, if you're a snob, you
can also buy it from IEEE website for $19 ;))

So, all those people actually implemented working network-based
detectors against some complex covert channels. Those channels were
designed to be undetectable, even though the algorithm was publicly
known (i.e. the security of the channel should have relied on a secret
key, like with modern crypto algorithms).

I'm really impressed with all those approaches (apparently even academia
can produce some cool stuff ;) But the natural question arises: how does
all this scale to other, unknown schemes? After all, those detection
techniques were invented after the given channel was made public. Can
one come up with a generic 'traffic observer', say at L3/L4 (so I
exclude the application layer to make the problem easier), which would
notice any patterns, like those introduced by the TCP timestamp or NUSHU
covert channels and many, many others? I personally think that it's not
feasible. But I might be missing something, so share your thoughts!

And also, is anybody aware of any covert channel detectors being
deployed in some real networks (i.e. outside labs)? Because I still have
this weird feeling that maybe some people spent lots of time thinking
about and implementing new, extremely advanced covert channels, while in
the case of 99% of networks everything which is more advanced than a
standard connect-back can go through pretty much unnoticed... Or does the
detection rely on a smart dude becoming suspicious from time to time? ;)

joanna.
-----BEGIN PGP SIGNATURE-----

iD8DBQFEdMgkORdkotfEW84RAkj9AKDndD+4XFSVoYfWRvb+VvSEv04tCgCdHAfl
NCtxoZUD3UvJkvtr6RAhY4o=
=W69t
-----END PGP SIGNATURE-----
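A minimal L3/L4 "traffic observer" of the kind the post asks about, as an added example that is not part of the original message and is not code from NUSHU or from the Hintz, Murdoch or I-409 detectors it cites. It checks the initial sequence numbers (ISNs) in SYNs from one host against a model of a benign stack. The model is an assumption made for the example: the benign stack uses the RFC 793 ISN generator, a 32-bit counter advancing at about 250 kHz, so consecutive ISNs from a host should differ by roughly 250000 times the elapsed seconds. The SYN samples, the timing jitter of the tap and the three traffic kinds are all constructed inline.

```python
"""Toy L4 traffic observer for ISN-based covert channels.

Added example; not code from the post, from NUSHU, or from the detectors
it cites. It checks TCP initial sequence numbers (ISNs) seen in SYNs from
one host against a model of a benign stack.

Assumption (for the example only): the benign stack uses the RFC 793 ISN
generator, a 32-bit counter advancing at about 250 kHz (one step per
4 us), so consecutive ISNs from a host should differ by roughly
250000 * elapsed seconds. Hash-based generators (RFC 1948) do not fit
this model, and the observer would have to be re-fitted per stack.
"""
import random

RFC793_HZ = 250_000           # assumed clock rate of the benign ISN counter
MOD = 1 << 32
OBSERVER_JITTER_S = 0.005     # constructed: +/- delay jitter seen by the tap


def rfc793_isn(base, t_seconds):
    """ISN of a benign (assumed RFC 793-style) stack at local time t."""
    return (base + int(t_seconds * RFC793_HZ)) % MOD


def constructed_syns(kind, n=40, seed=7):
    """Constructed sample: [(observed_time_s, isn)] for n SYNs from one host.

    kind:
      "benign"     - ISNs follow the assumed clock model
      "nushu_like" - ISNs replaced by uniformly random words, standing in
                     for an encrypted covert payload (no structure survives)
      "lowbit"     - clock structure kept, only bit 0 carries covert data
    """
    rng = random.Random(seed)
    base = rng.getrandbits(32)
    t = 0.0
    syns = []
    for _ in range(n):
        t += rng.uniform(0.05, 2.0)            # gap between connections
        if kind == "benign":
            isn = rfc793_isn(base, t)
        elif kind == "nushu_like":
            isn = rng.getrandbits(32)
        elif kind == "lowbit":
            isn = (rfc793_isn(base, t) & ~1) | rng.getrandbits(1)
        else:
            raise ValueError(kind)
        seen_at = t + rng.uniform(-OBSERVER_JITTER_S, OBSERVER_JITTER_S)
        syns.append((seen_at, isn))
    return syns


def clock_residuals(syns, hz=RFC793_HZ):
    """Seconds by which each ISN step deviates from what elapsed time predicts."""
    out = []
    for (t0, s0), (t1, s1) in zip(syns, syns[1:]):
        predicted = (t1 - t0) * hz
        observed = (s1 - s0) % MOD             # the counter may wrap
        out.append(abs(observed - predicted) / hz)
    return out


def observe(syns, hz=RFC793_HZ, tolerance_s=0.1):
    """Flag the host if the median residual exceeds the tolerance.

    The median resists a few lost or reordered SYNs; the tolerance must
    exceed the tap's timing jitter plus one clock tick.
    Returns (flagged, median_residual_s).
    """
    res = sorted(clock_residuals(syns, hz))
    median = res[len(res) // 2]
    return median > tolerance_s, median


if __name__ == "__main__":
    for kind in ("benign", "nushu_like", "lowbit"):
        flagged, med = observe(constructed_syns(kind))
        print(f"{kind:11s} median residual {med:12.4f} s  flagged={flagged}")
```

Running it flags the "nushu_like" host (its ISN steps are thousands of seconds away from what the clock predicts) and passes the "benign" one, but it also passes the "lowbit" host, whose channel keeps the clock structure and only steals one bit per connection. A host running a hash-based ISN generator would be flagged as a false positive until the benign model is swapped for that stack. Both limits are the scaling problem the post raises: the observer works against the scheme and the stack it was fitted to, not against unknown ones.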

