Vulnerability Development mailing list archives
RE: Covert Channels
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 18 Oct 2002 14:41:25 -0400 (EDT)
On Fri, 18 Oct 2002, Ofir Arkin wrote:
> There are protocols which you CAN perfectly understand and distinguish between legit and not legit traffic.
No, because, as I stated, this is not an either-or distinction. Simply put, the presence or absence of legitimate traffic, or a specific nature (sequence, target, type) of legitimate traffic can establish a covert channel. ICMP ping with no payload, normalized options, etc., can be considered legitimate traffic, assuming your policy allows pings. Yet the fact the host is pinged three times, as opposed to two, may establish a covert information flow (practical for some purposes, not practical for others).

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-18 14:38 --
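An added example, not part of the original message: it checks constructed ping records against the per-packet policy described above (no payload, empty options) and then measures how much the per-window ping count varies, which is the property a per-packet filter never examines. The window length, record layout, function names and traffic are all assumptions made for illustration.

```python
from collections import Counter
from math import log2

WINDOW = 60  # seconds per observation window (assumed)

def make_pings(counts_by_window):
    """Constructed data: (timestamp, payload_len, ip_options_len) per echo request."""
    return [(i * WINDOW + j, 0, 0)
            for i, n in enumerate(counts_by_window) for j in range(n)]

# Constructed traffic: one source pings 3 or 2 times per window,
# while a monitoring host always pings twice.
SUSPECT = make_pings([3, 2, 3, 3, 2, 2, 3, 2])
MONITOR = make_pings([2] * 8)

def packet_is_legit(pkt):
    """Per-packet policy from the message: no payload, normalized (empty) options."""
    _, payload_len, options_len = pkt
    return payload_len == 0 and options_len == 0

def counts_per_window(pings, n_windows):
    """Number of echo requests seen in each consecutive window."""
    seen = Counter(ts // WINDOW for ts, _, _ in pings)
    return [seen.get(i, 0) for i in range(n_windows)]

def entropy_bits(symbols):
    """Empirical Shannon entropy of the observed symbols, in bits per window."""
    total = len(symbols)
    return sum((c / total) * log2(total / c) for c in Counter(symbols).values())

def report(pings, n_windows=8):
    """Return (every packet passes the filter, counts per window, entropy of counts)."""
    counts = counts_per_window(pings, n_windows)
    return all(packet_is_legit(p) for p in pings), counts, entropy_bits(counts)

if __name__ == "__main__":
    for name, pings in (("suspect", SUSPECT), ("monitor", MONITOR)):
        ok, counts, bits = report(pings)
        print(f"{name}: all packets pass={ok} counts={counts} "
              f"entropy={bits:.2f} bits/window")
```

Both sources pass the per-packet check on every packet; only the count sequence separates them, at one bit per window for the varying source and zero for the constant one.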