RE: Covert Channels

["Ofir Arkin" <ofir () sys-security com>]

Michal,

Using perfectly legitimate application traffic will always work. I have
stated that...

> > All and all you cannot defeat covert channels because there are so
many
> > ways to implement them which the current technology simply lag
behind.

> No, the reason is fundamentally different, which is that there is no
way
> for the machine (or human being, as a matter of fact) to make a clear
> distinction between the necessary and potentially malicious traffic,
since
> there is no either-or distinction. Any vital and necessary traffic can
> carry a covert information. Period.

There are protocols which you CAN perfectly understand and distinguish
between legit and not legit traffic. 


I bet you are familiar with the concept of Scrubbing. It can also be
applied, not only for traffic coming from the inside to the Internet (or
any other target), but also on the opposite (Reverse Scrubber? :P).

Please note that I was not referring to the IP header but to the ICMP
part.

Yours,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl] 
Sent: Friday, October 18, 2002 3:42 PM
To: Ofir Arkin
Cc: Valdis.Kletnieks () vt edu; 'kam'; 'Jeremy Junginger';
vuln-dev () securityfocus com; pen-test () securityfocus com
Subject: RE: Covert Channels 

On Fri, 18 Oct 2002, Ofir Arkin wrote:

> Using covert channels with the ICMP protocol can be defeated if you
know
> what to expect and how your traffic needs to look like.

Huh? It's perfectly possible to communicate over "good looking" channels
using subtleties like timing, "acceptable" variations, etc, etc. Same
with
any other protocol - what if you limit outgoing HTTP requests only to
two
documents, /docone and /doctwo, if I can still implement a covert
channel
by requesting them in a specific order, for example? Or by sending
specific If-Modified-Since, Accept-Encoding, or such... Not feasible?
Hardly, most of covert channels for backdoors and such do not require
too
much bandwith. Not implemented yet? I'd argue.

> All and all you cannot defeat covert channels because there are so
many
> ways to implement them which the current technology simply lag behind.

No, the reason is fundamentally different, which is that there is no way
for the machine (or human being, as a matter of fact) to make a clear
distinction between the necessary and potentially malicious traffic,
since
there is no either-or distinction. Any vital and necessary traffic can
carry a covert information. Period.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-18 09:39 --