Re: Covert Channels

[Dragos Ruiu <dr () kyx net>]

On Fri, 18 Oct 2002 14:41:25 -0400 (EDT)
Michal Zalewski <lcamtuf () dione ids pl> wrote:

> On Fri, 18 Oct 2002, Ofir Arkin wrote:
>
> > There are protocols which you CAN perfectly understand and distinguish
> > between legit and not legit traffic.
>
> No, because, as I stated, this is not an either-or distinction. Simply
> put, the presence or abstence of a legitimate traffic, or a specific
> nature (sequence, target, type) of legitimate traffic can establish a
> covert channel. ICMP ping with no payload, normalized options, etc, can
> considered be a legitimate traffic, assuming your policy allows pings. Yet
> the fact the host is pinged three times, as opposed to two, may establish
> a covert information flow (practical for some purposes, not practical for
> others).

To reinforce Michal's statement and to further contradict Ofir and all the
would be covert channel filter advocates:

You will _never_ be able to screen all covert channels.  You can
modulate information (albeit slowly) for instance by _not_ pinging
in a predetermined fashion.

I am reminded of the old "ladies dress code" where spies modulated/encoded/signalled 
information by having lady messengers wear certain colors/styles of outfits. Uhm you 
should then force everyone (especially pretty ladies :-) go nude to avoid this 
possibility... :-P (On second thought this might not be so good it would mean
ugly old fat guys would have to go nude too :-)

Same thing applies to packets. The only way to block a potential covert
channel is to disable the communications link altogether.

Blocking covert channels may be futile, but detection is another matter :-).
Subverting the covert channel to disinform is left as an excercise for the
reader.

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
        0 = 1 , for large values of zero and small values of one.