Vulnerability Development mailing list archives
Re: Covert Channels
From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 23 Oct 2002 22:20:46 +0100
On Wed, 23 Oct 2002 14:46:21 -0400 (EDT), Michal Zalewski wrote:
> All low-level attacks (buffer overflows, etc) can be told from legitimate traffic.
I disagree. How do you detect an attack (involving a low level buffer overflow etc.) that rides inside an encrypted session? In theory you give the IDS info about all the encrypted communications you expect to happen, give it all your keys (including session keys on the fly) so it can make a decision about whether there's an intrusion taking place. But it's not practical. Getting at session keys means integrating the IDS tightly into all your applications that might want to send/receive encrypted data. And then what is it but just another part of your application, prone to vulnerabilities and open to attack? I'm no expert on IDSs so I don't know how they tackle this problem currently, but I'm sure you can no longer have the traditional isolated IDS on an impregnable host silently watching your entire network.

The issue of covert channels riding on an encrypted communication is something I believe was mentioned at the beginning of this thread, but I, for one, had forgotten all about it. How do you stop me smuggling the entire Windows source tree out of the Microsoft network when as an employee I'm allowed to initiate secure HTTP connections to external websites? I don't even need cover traffic, once I've pretended to access my website, exchanged keys and entered encrypted mode I can send my source code as is. Provided I send it in bursts to mimic a browsing session I could reasonably transmit many megabytes an hour. In other words I /can/ send arbitrary raw binary data on port 443, and you can't have a rule to stop me.

Agreed, there's still a limit to my covert channel. But the limit isn't defined by how many nooks and crannies I can squeeze my bits into by manipulating timings etc... It's defined by how much regular bandwidth I can use without alerting suspicion.

Once again privacy and protection come head to head. Using encryption compromises your network,

- Blazde
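Added example, not part of the original post: the message's closing point is that the bound on such a channel is how much bandwidth it can use without raising suspicion, and that is something a defender can measure from flow metadata without seeing inside the encrypted session. The sketch below totals per-hour bytes for each source/destination pair on port 443 and reports pairs that are both high-volume and upload-heavy; the record layout, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (hour, src_ip, dst_ip, dst_port, bytes_out, bytes_in).
# Addresses are from private/documentation ranges; all values are made up.
SAMPLE_FLOWS = [
    (9, "10.0.0.5", "192.0.2.10", 443, 4_000, 350_000),      # ordinary browsing
    (9, "10.0.0.5", "192.0.2.10", 443, 6_500, 910_000),
    (9, "10.0.0.7", "198.51.100.20", 443, 2_400_000, 30_000),
    (9, "10.0.0.7", "198.51.100.20", 443, 3_100_000, 42_000),
    (9, "10.0.0.7", "198.51.100.20", 443, 2_900_000, 38_000),
    (9, "10.0.0.9", "203.0.113.30", 443, 900_000, 20_000),   # one large upload
    (10, "10.0.0.5", "192.0.2.10", 443, 5_200, 640_000),
    (9, "10.0.0.8", "192.0.2.10", 80, 9_000_000, 10_000),    # different port
]


def upload_heavy_tls_pairs(flows, min_bytes_out=5_000_000, min_ratio=3.0, port=443):
    """Return (hour, src, dst, bytes_out, ratio) for src->dst pairs whose hourly
    outbound volume and out/in ratio both meet the (assumed) thresholds."""
    totals = defaultdict(lambda: [0, 0])  # (hour, src, dst) -> [bytes_out, bytes_in]
    for hour, src, dst, dport, b_out, b_in in flows:
        if dport != port:
            continue
        totals[(hour, src, dst)][0] += b_out
        totals[(hour, src, dst)][1] += b_in

    alerts = []
    for (hour, src, dst), (b_out, b_in) in sorted(totals.items()):
        # Browsing is download-heavy; guard against one-way flows with b_in == 0.
        ratio = b_out / max(b_in, 1)
        if b_out >= min_bytes_out and ratio >= min_ratio:
            alerts.append((hour, src, dst, b_out, round(ratio, 1)))
    return alerts


if __name__ == "__main__":
    for alert in upload_heavy_tls_pairs(SAMPLE_FLOWS):
        print(alert)
```

The thresholds have to come from a baseline of the network's own traffic; a sender who stays under them is not reported, which is the trade-off the message describes.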