Vulnerability Development mailing list archives

Re: Covert Channels


From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 23 Oct 2002 22:20:46 +0100

On Wed, 23 Oct 2002 14:46:21 -0400 (EDT), Michal Zalewski wrote:

> All low-level attacks (buffer overflows, etc) can be told from legitimate
> traffic.

I disagree. How do you detect an attack (involving a low level buffer
overflow etc.) that rides inside an encrypted session? In theory you
give the IDS info about all the encrypted communications you expect to
happen, give it all your keys (including session keys on the fly) so it
can make a decision about whether there's an intrusion taking place.
But it's not practical. Getting at session keys means integrating the
IDS tightly into all your applications that might want to send/receive
encrypted data. And then what is it but just another part of your
application, prone to vulnerabilities and open to attack. I'm no expert
on IDSs so I don't know how they tackle this problem currently, but I'm
sure you can no longer have the traditional isolated IDS on an
impregnable host silently watching your entire network.

The issue of covert channels riding on an encrypted communication is
something I believe was mentioned at the beginning of this thread, but I
for one, had forgotten all about it. How do you stop me smuggling the
entire Windows source tree out of the Microsoft network when as an
employee I'm allowed to initiate secure HTTP connections to external
websites? I don't even need cover traffic, once I've pretended to
access my website, exchanged keys and entered encrypted mode I can send
my source code as is. Provided I send it in bursts to mimic a browsing
session I could reasonably transmit many megabytes an hour. In other
words I /can/ send arbitrary raw binary data on port 443, and you can't
have a rule to stop me. Agreed, there's still a limit to my covert
channel. But the limit isn't defined by how many nooks and crannies I
can squeeze my bits into by manipulating timings etc... It's defined by
how much regular bandwidth I can use without alerting suspicion.

Once again privacy and protection come head to head. Using encryption
compromises your network,

- Blazde
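The post above argues that the only bound on an HTTPS covert channel is how much outbound volume passes without drawing suspicion. The following is an added example, not code from the original message or from anyone in the thread: it shows the kind of flow-level check a defender is left with once payloads are opaque, run over constructed connection summaries (RFC 5737 documentation addresses; byte counts, thresholds and host names are all assumptions made for the illustration). It sums bytes per internal host on port 443 and flags hosts either by an absolute outbound cap or by an upload-heavy direction ratio, the latter gated by a volume floor so a single legitimate upload is not reported.

```python
"""Flow-level heuristics for bulk exfiltration over HTTPS.

Added example for this thread, not from the original post. Assumes (not in
the original) that per-connection byte counts in each direction are
available, e.g. from a flow exporter; thresholds are illustrative only.
The sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One client->server connection summary; the TLS payload stays opaque."""
    src: str        # internal host
    dst: str        # external server
    dport: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


# Constructed sample: two ordinary browsing clients, one client that performs a
# legitimate ~300 KB upload, one plain-HTTP host (ignored by the 443 filter),
# and one host pushing data out in bursts to a single server on 443.
CONSTRUCTED_FLOWS = [
    Flow("10.0.0.11", "198.51.100.10", 443, 2_000, 180_000),
    Flow("10.0.0.11", "198.51.100.11", 443, 1_500, 250_000),
    Flow("10.0.0.11", "198.51.100.12", 443, 3_000, 90_000),
    Flow("10.0.0.12", "198.51.100.10", 443, 4_000, 300_000),
    Flow("10.0.0.12", "198.51.100.20", 443, 2_500, 150_000),
    Flow("10.0.0.13", "198.51.100.30", 443, 300_000, 5_000),   # legitimate upload
    Flow("10.0.0.13", "198.51.100.10", 443, 2_000, 150_000),
    Flow("10.0.0.99", "198.51.100.40", 80, 9_000_000, 1_000),  # not TLS, out of scope here
] + [Flow("10.0.0.42", "203.0.113.7", 443, 950_000, 4_000) for _ in range(6)]


def per_host_totals(flows, dport=443):
    """Sum bytes in each direction per internal host for one destination port."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "flows": 0, "dsts": set()})
    for f in flows:
        if f.dport != dport:
            continue
        t = totals[f.src]
        t["out"] += f.bytes_out
        t["in"] += f.bytes_in
        t["flows"] += 1
        t["dsts"].add(f.dst)
    return totals


def upload_ratio(bytes_out, bytes_in):
    """Fraction of a host's TLS payload that travelled outbound (0.0 if no traffic)."""
    total = bytes_out + bytes_in
    return bytes_out / total if total else 0.0


def flag_hosts(flows, *, max_out_bytes=5_000_000, max_upload_ratio=0.5,
               min_out_for_ratio=1_000_000):
    """Return {host: [reasons]} for hosts whose port-443 traffic looks like bulk upload.

    Two independent checks: an absolute outbound volume cap for the observation
    window, and an upload-heavy direction ratio (browsing is download-heavy)
    that only applies above a volume floor so one small legitimate upload does
    not trip it.
    """
    flagged = {}
    for host, t in per_host_totals(flows).items():
        reasons = []
        if t["out"] > max_out_bytes:
            reasons.append(f"outbound {t['out']} B exceeds {max_out_bytes} B")
        ratio = upload_ratio(t["out"], t["in"])
        if t["out"] > min_out_for_ratio and ratio > max_upload_ratio:
            reasons.append(f"upload ratio {ratio:.2f} to {len(t['dsts'])} destination(s)")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(CONSTRUCTED_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Note what this does and does not buy you. It never sees the plaintext, so it says nothing about buffer overflows inside the session; it only bounds volume, and the cap per window is exactly the limit the post describes, so an insider who paces transfers under it is not caught by the first check. The ratio check catches upload-heavy sessions regardless of pacing but will also fire on backups, video calls and cloud-storage clients, which is why it is gated by a volume floor and why such output is triage material rather than a blocking rule.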

