Vulnerability Development mailing list archives

Re: Covert Channels


From: Anton Aylward <aja () si on ca>
Date: 23 Oct 2002 17:11:56 -0400

On Wed, 2002-10-23 at 16:34, Blue Boar wrote:
> Anton Aylward wrote:
>> Not so.
>>
>> The set of possible covert channels is infinite, thanks to Shannon.
>>
>> How would your IDS add-on detect this channel:
>
> The specifics aren't important.  The number of ways to implement some
> attacks, and the number of ways to bypass an IDS are also infinite.

I doubt that, but even if it is so, an IDS is limited to the network,
whereas a covert channel could - as I illustrated - be anything.  It
could be whether I leave my blinds open at night.  In this case, the set
of covert channels is transfinite.

Let me make that clear.  An IDS is working with a finite number of
channels on a bound and finite media, with a bound set of protocols. 
The messages may be infinite in detail but are enumerable (and actually
computable) by class.  A covert channel may be one of an infinite number
of possible mediums, not just the network, with an indeterminate
protocol.

But I doubt your premise.  Cantor's proof that there are an infinite
number of real numbers applies by analogy to covert channels, since they
are distinct possibilities that can be infinitesimally varied.  With a
network we have a limited number of ports, doing a limited number of
jobs, and a limited number of possible messages, since, for example, not
all over-runs will cause a buffer over-run attack to execute a command.

> You can make a covert channel detector that is as much of a "success"
> as an IDS product.  Just because it's always possible to bypass an IDS,
> or virus scanner, etc., does not mean the product has no value.

Not so.
Bypassing an IDS happens in one of two ways:
   1) it doesn't know the pattern - a limit of the IDS
   2) you didn't set it up right, which may be architectural.

The analogy with virus scanners is weak because computer virus scanners
don't do the "is it me or not" that biological ones do.  The biological
ones can detect an infinite set without a pattern database.

What you are asking for in a CoChDS is an "intelligence".  

Let's look at a few examples:
  - an employee leaves work sometimes wearing his spectacles and
    sometimes not.  Is this a covert signal channel?  How can you prove
    it either way?  Are the glasses just a distraction and the real
    channel is whether he is carrying his briefcase in his left or
    right hand?  Or perhaps whether the person in front of him going
    through the door is male or female?

  - Whether, when I buy the $0.75 newspaper, I had a $1 coin heads up or
    tails up.  If I permute that with whether it is a $2 coin, I can send
    2 bits of information with each exchange.  If I'm buying one of
    three daily newspapers, that's six bits of information.

Michal Zalewski gave an interesting example in his graphic example, but
it can also be used in other ways.  It could be that what fruit or
combination of fruit and other stuff I bring to lunch or buy for lunch
is a code.  This gives me the opportunity for a lot more information
bandwidth!

I think, Blue Boar, you need to read up on Shannon, Hamming codes, spies
and the commercial codes and cipher techniques from a few centuries ago.
It's all just coding theory.

You might also read up on such things as frequency-agile radio and how
the US Navy communicates with its submarines.  (And I don't just mean
the ULF.)

/anton
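The coin-and-newspaper channel from the post above, worked through as an added example (this is not part of the original message and not Anton's code). It treats each observable choice as one attribute of a symbol, computes the per-exchange capacity the way Shannon's noiseless-channel result gives it (log2 of the number of distinguishable combinations), and encodes a byte string as a sequence of such observations so the receiving side can decode it. The newspaper titles are constructed placeholders, and the mixed-radix encoding is this example's own choice, not anything described in the thread.

```python
"""Covert channel over everyday observable choices.

Added example, not part of the original post.  The attribute names
(coin denomination, coin face, which newspaper) follow the post's
illustration; the newspaper titles are constructed placeholders and the
mixed-radix encoding is an assumption of this example.
"""
import math
from itertools import product

# Each attribute is something a watcher can distinguish.  The channel
# alphabet is the Cartesian product of all attribute values.
ATTRIBUTES = {
    "coin": ("$1", "$2"),
    "face": ("heads", "tails"),
    "paper": ("Globe", "Star", "Post"),  # constructed names
}


def symbol_table(attributes):
    """Fixed ordering of every observable combination; index = digit value."""
    return list(product(*attributes.values()))


def capacity_bits(attributes):
    """Bits per exchange on a noiseless channel: log2(#distinct symbols)."""
    return math.log2(len(symbol_table(attributes)))


def exchanges_needed(nbytes, attributes):
    """Smallest count such that base**count >= 2**(8*nbytes).

    Integer arithmetic on purpose: a float ceil(8*n / log2(base)) can
    round the wrong way when the ratio is close to an integer.
    """
    base = len(symbol_table(attributes))
    target = 1 << (8 * nbytes)
    count, reach = 0, 1
    while reach < target:
        reach *= base
        count += 1
    return count


def encode(message: bytes, attributes):
    """Write the message, read as one big integer, in base #symbols.

    Most-significant observation first, zero-padded to a fixed number of
    exchanges so the decoder only needs the byte length.
    """
    symbols = symbol_table(attributes)
    base = len(symbols)
    n = int.from_bytes(message, "big")
    digits = []
    for _ in range(exchanges_needed(len(message), attributes)):
        digits.append(symbols[n % base])
        n //= base
    return list(reversed(digits))


def decode(observations, attributes, length: int) -> bytes:
    """Inverse of encode(): observations -> integer -> bytes of given length."""
    symbols = symbol_table(attributes)
    index = {sym: i for i, sym in enumerate(symbols)}
    base = len(symbols)
    n = 0
    for obs in observations:
        n = n * base + index[tuple(obs)]
    return n.to_bytes(length, "big")


if __name__ == "__main__":
    msg = b"meet at noon"  # constructed sample message
    obs = encode(msg, ATTRIBUTES)
    print(f"{capacity_bits(ATTRIBUTES):.2f} bits per exchange, "
          f"{len(obs)} exchanges for {len(msg)} bytes")
    for o in obs[:3]:
        print("  ", o)
    assert decode(obs, ATTRIBUTES, len(msg)) == msg
```

Nothing in the block touches a socket, which is the point of the post: every exchange is a purchase a network IDS never sees, and adding one more observable (a fourth newspaper, which hand holds the coin) multiplies the alphabet and raises the capacity by log2 of that factor without changing the decoder's structure.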

