Vulnerability Development mailing list archives

RE: Covert Channels


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 18 Oct 2002 14:41:25 -0400 (EDT)

On Fri, 18 Oct 2002, Ofir Arkin wrote:

There are protocols which you CAN perfectly understand and distinguish
between legit and not legit traffic.

No, because, as I stated, this is not an either-or distinction. Simply
put, the presence or absence of legitimate traffic, or a specific
nature (sequence, target, type) of legitimate traffic, can establish a
covert channel. ICMP ping with no payload, normalized options, etc., can
be considered legitimate traffic, assuming your policy allows pings. Yet
the fact that the host is pinged three times, as opposed to two, may establish
a covert information flow (practical for some purposes, not practical for
others).

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-18 14:38 --
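As an added illustration of the point above (example code, not from Zalewski's mail or the thread): a payload normalizer sees nothing wrong with these pings, so a defender has to look at the per-flow count pattern instead. The log format, window size and sample traffic are constructed for this example.

```python
from collections import Counter, defaultdict
from math import log2

WINDOW = 10  # seconds per bucket (assumed for this example)


def make_log(src, dst, counts, base=1000):
    """Constructed log lines, one per packet: counts[i] echo requests in
    window i.  No payload, default options: a strict normalizer passes them."""
    return "\n".join(f"{base + i * WINDOW + j} {src} {dst} echo-request"
                     for i, c in enumerate(counts) for j in range(c))


def parse_log(text):
    """Yield (timestamp, src, dst) for each echo-request line."""
    for line in text.splitlines():
        ts, src, dst, kind = line.split()
        if kind == "echo-request":
            yield int(ts), src, dst


def window_counts(records):
    """Per (src, dst) flow: echo requests in each WINDOW-second bucket
    between the flow's first and last packet (idle buckets count as 0)."""
    buckets = defaultdict(Counter)
    for ts, src, dst in records:
        buckets[(src, dst)][ts // WINDOW] += 1
    return {flow: [ctr.get(i, 0) for i in range(min(ctr), max(ctr) + 1)]
            for flow, ctr in buckets.items()}


def entropy_bits(seq):
    """Shannon entropy of the count sequence; 0 for a fixed cadence,
    1 bit per window when two counts alternate evenly."""
    n = len(seq)
    return -sum(k / n * log2(k / n) for k in Counter(seq).values())


def flag_modulated(text, threshold=0.5):
    """Flows whose per-window ping count varies enough to carry data."""
    scores = {f: entropy_bits(c) for f, c in window_counts(parse_log(text)).items()}
    return {f: round(h, 3) for f, h in scores.items() if h > threshold}


# Constructed traffic: a monitor that always sends 2 pings per window, and a
# host sending 2 or 3 per window in a varying pattern (the case in the mail).
MONITOR = make_log("10.0.0.7", "10.0.0.1", [2] * 8)
MODULATED = make_log("10.0.0.9", "10.0.0.1", [2 + b for b in (0, 1, 1, 0, 1, 0, 0, 1)])
TRAFFIC = MONITOR + "\n" + MODULATED

if __name__ == "__main__":
    print(flag_modulated(TRAFFIC))  # {('10.0.0.9', '10.0.0.1'): 1.0}
```

The threshold is a starting point only; a real deployment would baseline each monitoring host's cadence and tolerate jitter that a fixed cutoff would not.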