Vulnerability Development mailing list archives
RE: Covert Channels
From: "Ofir Arkin" <ofir () sys-security com>
Date: Fri, 18 Oct 2002 19:04:48 +0200
Michal,

Using perfectly legitimate application traffic will always work. I have
stated that...

>> All in all you cannot defeat covert channels because there are so
>> many ways to implement them which the current technology simply lags
>> behind.
>
> No, the reason is fundamentally different, which is that there is no
> way for the machine (or human being, as a matter of fact) to make a
> clear distinction between the necessary and potentially malicious
> traffic, since there is no either-or distinction. Any vital and
> necessary traffic can carry covert information. Period.

There are protocols which you CAN perfectly understand and distinguish
between legit and not legit traffic. I bet you are familiar with the
concept of Scrubbing. It can also be applied, not only for traffic coming
from the inside to the Internet (or any other target), but also on the
opposite (Reverse Scrubber? :P).

Please note that I was not referring to the IP header but to the ICMP
part.

Yours,
Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl]
Sent: Friday, October 18, 2002 3:42 PM
To: Ofir Arkin
Cc: Valdis.Kletnieks () vt edu; 'kam'; 'Jeremy Junginger'; vuln-dev () securityfocus com; pen-test () securityfocus com
Subject: RE: Covert Channels

On Fri, 18 Oct 2002, Ofir Arkin wrote:

> Using covert channels with the ICMP protocol can be defeated if you
> know what to expect and what your traffic needs to look like.

Huh? It's perfectly possible to communicate over "good looking" channels
using subtleties like timing, "acceptable" variations, etc, etc. Same
with any other protocol - what if you limit outgoing HTTP requests only
to two documents, /docone and /doctwo, if I can still implement a covert
channel by requesting them in a specific order, for example? Or by
sending specific If-Modified-Since, Accept-Encoding, or such... Not
feasible? Hardly, most covert channels for backdoors and such do not
require too much bandwidth. Not implemented yet? I'd argue.

> All in all you cannot defeat covert channels because there are so
> many ways to implement them which the current technology simply lags
> behind.

No, the reason is fundamentally different, which is that there is no way
for the machine (or human being, as a matter of fact) to make a clear
distinction between the necessary and potentially malicious traffic,
since there is no either-or distinction. Any vital and necessary traffic
can carry covert information. Period.

-- 
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
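To make the two positions above concrete, here is an added example that belongs to neither poster: a minimal ICMP echo scrubber of the kind Ofir alludes to, written for this page in Python with the standard library only (the canonical payload pattern and the function names are this example's own choices, not any real scrubber's). It keeps type, identifier, sequence number and payload length, overwrites every payload byte, forces the code field to zero and recomputes the checksum, and refuses anything that is not echo/echo-reply.

```python
import struct
from typing import Optional

# Canonical payload pattern; the specific bytes are an arbitrary choice for
# this example (classic ping payloads are just an incrementing byte run).
CANON = bytes(range(0x10, 0x38))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message.
    Over a message whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def scrub_icmp_echo(msg: bytes) -> Optional[bytes]:
    """Rewrite an ICMP echo request (type 8) or reply (type 0) into canonical
    form: keep type, identifier, sequence number and payload length; force the
    code field to 0; replace every payload byte with the canonical pattern;
    recompute the checksum. Any other ICMP type (or a truncated header)
    returns None so the caller's policy can drop it: a strict scrubber only
    passes what it fully understands."""
    if len(msg) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_type not in (0, 8):
        return None
    payload_len = len(msg) - 8
    repeats = payload_len // len(CANON) + 1
    canon_payload = (CANON * repeats)[:payload_len]
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + canon_payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + canon_payload


if __name__ == "__main__":
    # Constructed sample: an echo request whose payload carries text.
    sample = b"\x08\x00\x00\x00\x12\x34\x00\x01" + b"secret covert data"
    clean = scrub_icmp_echo(sample)
    print(clean.hex(), icmp_checksum(clean) == 0)
```

What the scrubber leaves untouched is exactly what Michal points at: the number, length, ordering and timing of the echo requests still pass through unchanged, so this narrows the payload channel without closing the channel.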