Vulnerability Development mailing list archives

Re: Covert Channels


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 23 Oct 2002 18:46:48 -0400 (EDT)

On 23 Oct 2002, Frank Knobbe wrote:

> As you said, a covert channel is comprised of valid data. But, doesn't
> that valid data have some properties that could characterize it as a
> possible covert channel?
>
> I think it was Jose who used the example of a rogue broker accessing
> websites in a certain order. While valid traffic, shouldn't it be
> possible to detect that behavior?

Do you know what's the correct order a person should view websites in? =)
No, it's pretty much impossible to detect a good channel like this. When
you try to go too far and build a model of how a user is supposed to behave,
then:

  - you get more false positives, because users of course aren't
    computer programs and do not follow your expectations precisely,

  - the attacker has to get closer to mimicking a real user, which may
    decrease his effective bandwidth, since the format has to be more
    strict and communication has to occur less often to remain
    undetected.

> Not on first occurrence of course, such a covert channel detector would
> have to watch traffic for a while.

Not really. If there are serious amounts of data being transferred day and
night, yes. But if it's just a small amount of data sent every two-three
days by visiting www.homepages.org/~jenny/ and clicking on several
subpages - how can you tell it's the backdoor, and not the user, that is
visiting this page from time to time and sending a few bytes - such as a new
password captured with the sniffer? You may say "because those requests
would differ from what Netscape launched by a user does" - but they do not
have to be...

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-23 18:41 --
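The false-positive trade-off argued above, as an added example that is not part of the thread: a small timing-regularity detector run over a constructed proxy log (the log lines, the user name and the hosts are made up for illustration; www.homepages.org is taken from the message, the other hosts are assumptions). It profiles each (user, host) pair by the regularity of its inter-visit intervals and flags pairs that recur too regularly. The hypothetical low-volume channel, visited every two days, is flagged, but so is an equally regular legitimate daily visit to a news site, while genuinely irregular browsing is not. This is exactly the failure mode described: a behavioural model strict enough to catch a sparse channel also catches habitual users.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "<timestamp> <user> <host> <bytes_out>".
# www.cnn.com: legitimate daily morning visit (assumed, for contrast);
# www.homepages.org: hypothetical low-volume channel visited every two days;
# www.slashdot.org: irregular human browsing (assumed).
SAMPLE_LOG = """\
2002-10-01T09:02:11 alice www.cnn.com 412
2002-10-01T09:40:55 alice www.homepages.org 388
2002-10-01T13:17:03 alice www.slashdot.org 502
2002-10-02T09:01:48 alice www.cnn.com 420
2002-10-02T16:44:30 alice www.slashdot.org 499
2002-10-03T09:03:27 alice www.cnn.com 415
2002-10-03T09:41:02 alice www.homepages.org 391
2002-10-03T11:20:19 alice www.slashdot.org 505
2002-10-04T09:02:02 alice www.cnn.com 418
2002-10-05T09:02:44 alice www.cnn.com 411
2002-10-05T09:40:48 alice www.homepages.org 390
2002-10-05T20:05:00 alice www.slashdot.org 497
2002-10-06T08:12:41 alice www.slashdot.org 503
2002-10-07T09:41:10 alice www.homepages.org 389
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
    return records


def profile(records):
    """Per (user, host): visit count, mean inter-visit gap in seconds,
    coefficient of variation (CV) of the gaps, and mean request size."""
    by_key = defaultdict(list)
    for ts, user, host, nbytes in records:
        by_key[(user, host)].append((ts, nbytes))
    stats = {}
    for key, visits in by_key.items():
        visits.sort()  # chronological order per pair
        times = [v[0] for v in visits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # CV needs at least two gaps; a low CV means very regular timing
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None
        stats[key] = {
            "visits": len(visits),
            "mean_gap": mean(gaps) if gaps else None,
            "cv": cv,
            "mean_bytes": mean([v[1] for v in visits]),
        }
    return stats


def flag_regular(stats, max_cv=0.15, min_visits=3):
    """Return (user, host) pairs whose visits recur with suspiciously regular timing.
    Note that a habitual daily visit trips this just as a periodic channel does."""
    return sorted(k for k, s in stats.items()
                  if s["visits"] >= min_visits
                  and s["cv"] is not None and s["cv"] <= max_cv)


if __name__ == "__main__":
    stats = profile(parse_log(SAMPLE_LOG))
    for (user, host), s in sorted(stats.items()):
        print(f"{user} {host}: visits={s['visits']} "
              f"mean_gap={s['mean_gap']:.0f}s cv={s['cv']:.3f} bytes={s['mean_bytes']:.0f}")
    print("flagged:", flag_regular(stats))
```

Tightening `max_cv` or raising `min_visits` does not separate the two regular pairs, because the timing statistics of the constructed channel and of the daily news visit are the same shape; the only thing that would is knowledge of the user's actual intent, which the proxy log does not carry.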

