Vulnerability Development mailing list archives

RE: Covert Channels


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 23 Oct 2002 14:54:07 -0400 (EDT)

On 23 Oct 2002, Frank Knobbe wrote:

> For the most part yes. But cutting through the snake oil, aren't there
> products that attempt to detect steganography (i.e. examining images in
> transit to check if they contain hidden messages)? I would consider this
> a covert channel as well.

Hardly the point. Detection of certain, existing and grossly imperfect
tools is possible. In the example you've mentioned, this is because the
steganography used is a fairly low-level one, susceptible to a trivial
analysis. What if, instead of least significant bits, I decide to transfer
information in the fact the picture shows an apple and a cucumber instead
of a banana and three pears? Or, a more realistic example, text
steganography - what if, instead of hiding information in typos and
whitespaces, I decide to hide information in the wording, subject,
language constructions, etc? There was some impressive research done on
that subject, and it's not as difficult or ineffective as it may sound.
There is good software that can write certain types of documents to make
them virtually indistinguishable from those authored by humans, so this
process can be automated. Ooops. While it's possible to build a model of
what least significant bits in a picture should look like, or how
whitespaces are supposed to look, it's practically impossible to do it on
higher levels of abstraction. Because of that, I think there's a wall
ahead - making just a few steps further in covert channel detection would be
the end of the road, while attackers would still have lots of
possibilities to use; this is, of course, a bit pessimistic, I tend to
overestimate how smart and determined people are.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-23 14:47 --
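
Added example, not part of the original post: a pairs-of-values chi-square check illustrating why plain least-significant-bit replacement is open to the statistical modelling the message describes, while the higher-level encodings it mentions leave nothing comparable to model. The sample "images" are constructed pixel lists, and the function names and the 3.0 ratio threshold are assumptions chosen for this illustration.

```python
import random
from collections import Counter

def pov_chi_square(pixels, min_expected=5):
    """Chi-square statistic and degrees of freedom over value pairs (2k, 2k+1).

    Overwriting LSBs with random-looking bits pushes the two counts in each
    pair towards equality, so the statistic falls to about 1 per pair.
    """
    hist = Counter(pixels)
    stat, dof = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        if (n0 + n1) / 2 < min_expected:
            continue  # too few samples for the chi-square approximation
        stat += (n0 - n1) ** 2 / (n0 + n1)
        dof += 1
    return stat, dof

def looks_lsb_embedded(pixels, max_ratio=3.0):
    """Flag samples whose pair counts are as equal as chance alone allows.

    max_ratio is an assumed threshold for this example, not a standard value.
    """
    stat, dof = pov_chi_square(pixels)
    return dof > 0 and stat / dof < max_ratio

def constructed_cover(n=100_000, seed=1):
    """Constructed stand-in for 8-bit image samples: a smooth, peaked histogram."""
    rng = random.Random(seed)
    return [min(255, max(0, round(rng.gauss(128, 8)))) for _ in range(n)]

def constructed_lsb_replaced(cover, seed=2):
    """Constructed test input: every LSB overwritten with a random bit."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in cover]

if __name__ == "__main__":
    cover = constructed_cover()
    for name, px in (("cover", cover), ("lsb-replaced", constructed_lsb_replaced(cover))):
        stat, dof = pov_chi_square(px)
        print(f"{name}: chi2/dof = {stat / dof:.2f}, flagged = {looks_lsb_embedded(px)}")
```

The check only models one low-level property of the samples; it has nothing to say about information carried in what a picture depicts or how a text is worded, which is the limit the message points to.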

