Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Covert Channels

From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 23 Oct 2002 18:04:28 -0400 (EDT)
On Wed, 23 Oct 2002, Blue Boar wrote:


But who cares?  The question asked was whether it would be possible to
make a covert channel detector product.  My answer is that you can do as
much with a covert channel detector as with an IDS.


Wrong question - you can make everything into a product, it's a matter of
marketing ;-) The real question is, would it be possible to, with same
level of coverage and accuracy, cover newer and newer covert channel
techniques just like we cover new attack methods? The answer: yes, to a
point where covert channels are sophisticated enough to mimick valid
traffic to a level that is simply indistinguishable for a human or machine
without reading person's mind. There's no such issue with attack detection
IDSes, because attacks can be distinguished as a valid traffic, but only
to a degree, whereas covert channels can be *made of* valid traffic,
simple as that.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-23 18:01 --
Previous By Date Next
Previous By Thread Next

Current thread: