Vulnerability Development mailing list archives
Re: Covert Channels
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 23 Oct 2002 17:30:11 -0500
On Wed, 2002-10-23 at 17:04, Michal Zalewski wrote:
[...] would it be possible to, with same level of coverage and accuracy, cover newer and newer covert channel techniques just like we cover new attack methods? The answer: yes, to a point where covert channels are sophisticated enough to mimic valid traffic to a level that is simply indistinguishable for a human or machine without reading person's mind. There's no such issue with attack detection IDSes, because attacks can be distinguished as a valid traffic, but only to a degree, whereas covert channels can be *made of* valid traffic, simple as that.
uuh... the perfect sentence.

I think it's agreed that current IDS' look for signatures of (invalid) data. As you said, a covert channel is comprised of valid data. But, doesn't that valid data have some properties that could characterize it as a possible covert channel?

I think it was Jose who used the example of a rogue broker accessing websites in a certain order. While valid traffic, shouldn't it be possible to detect that behavior? Not on first occurrence of course, such a covert channel detector would have to watch traffic for a while. And yes, the amount of data captured by the detector (data meaning certain properties of valid data, such as time of day, length, repetitive pattern, etc) would probably be enormously huge. One would have to gather so much data that it may become not feasible, but not impossible?

Frank
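The detector speculated about above (watch valid traffic for a while and look for one client visiting sites in the same order again and again), as an added example that is not part of the original message or thread. The function names, thresholds and log records are all hypothetical and constructed for illustration; sequences that several clients share are dropped so ordinary browsing paths do not alert.

```python
from collections import defaultdict
from datetime import datetime

def ordered_ngrams(hosts, n):
    """Yield every run of n consecutive hosts, order preserved."""
    for i in range(len(hosts) - n + 1):
        yield tuple(hosts[i:i + n])

def recurring_sequences(records, n=3, min_days=3, max_clients=1):
    """Map (client, sequence) -> number of days seen, for ordered host
    sequences one client repeats on >= min_days distinct days and that at
    most max_clients clients ever produce (shared browsing paths drop out)."""
    per_day = defaultdict(list)        # (client, date) -> hosts in time order
    for ts, client, host in sorted(records):
        per_day[(client, ts.date())].append(host)
    days_seen = defaultdict(set)       # (client, sequence) -> dates observed
    clients_for = defaultdict(set)     # sequence -> clients that produced it
    for (client, day), hosts in per_day.items():
        for seq in set(ordered_ngrams(hosts, n)):
            days_seen[(client, seq)].add(day)
            clients_for[seq].add(client)
    return {key: len(days) for key, days in days_seen.items()
            if len(days) >= min_days and len(clients_for[key[1]]) <= max_clients}

def sample_records():
    """Constructed proxy-log records (timestamp, client, host); not real data."""
    rows = []
    for day in range(1, 5):
        at = lambda minute: datetime(2002, 10, day, 9, minute)
        for client in ("10.0.0.5", "10.0.0.9"):   # path both clients share
            rows += [(at(0), client, "portal.example"),
                     (at(1), client, "mail.example"),
                     (at(2), client, "news.example")]
        rows += [(at(15), "10.0.0.5", f"site{day}.example"),  # daily noise
                 (at(30), "10.0.0.5", "quotes.example"),      # repeated order
                 (at(31), "10.0.0.5", "weather.example"),
                 (at(32), "10.0.0.5", "sports.example")]
        if day <= 2:   # same hosts, other order, too few days to qualify
            rows += [(at(40), "10.0.0.9", "sports.example"),
                     (at(41), "10.0.0.9", "weather.example"),
                     (at(42), "10.0.0.9", "quotes.example")]
    return rows

if __name__ == "__main__":
    for (client, seq), days in recurring_sequences(sample_records()).items():
        print(client, " -> ".join(seq), f"seen on {days} days")
```

The state kept grows with clients × distinct sequences × days, which is the data-volume cost the message anticipates.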