Vulnerability Development mailing list archives
Re: Covert Channels
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Wed, 23 Oct 2002 18:46:48 -0400 (EDT)
On 23 Oct 2002, Frank Knobbe wrote:
> As you said, a covert channel is comprised of valid data. But, doesn't that valid data have some properties that could characterize it as a possible covert channel? I think it was Jose who used the example of a rogue broker accessing websites in a certain order. While valid traffic, shouldn't it be possible to detect that behavior?
Do you know what's the correct order a person should view websites in? =) No, it's pretty much impossible to detect a good channel like this. When you try to go too far and build a model of how a user is supposed to behave, then:

- you get more false positives, because users of course aren't computer programs and do not follow your expectations precisely,

- the attacker has to get closer to mimicking a real user, which may decrease his effective bandwidth, since the format has to be more strict and communication has to occur less often to remain undetected.
> Not on first occurrence of course, such a covert channel detector would have to watch traffic for a while.
Not really. If there are serious amounts of data being transferred day and night, yes. But if it's just a small amount of data sent every two-three days by visiting www.homepages.org/~jenny/, and clicking on several subpages - how can you tell the backdoor, and not the user, is visiting this page from time to time and sending a few bytes - such as a new password captured with the sniffer? You may say "because those requests would differ from what Netscape launched by a user does" - but they do not have to be...

-- 
-------------------------
bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2002-10-23 18:41 --
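The trade-off Zalewski describes (a behaviour model that is strict enough to catch a low-and-slow channel also flags ordinary users) can be seen with a toy volume-based detector. The following is an added illustration, not code from the thread or from any of its participants. It builds a constructed 30-day proxy log for three users (the users, the hosts news.example, rare.example and drop.example, and the request counts are all made up; only www.homepages.org/~jenny/ comes from the message above), flags per-user hosts that nobody else visits once their average daily request rate exceeds a threshold, and counts true and false positives against the two channels the log contains.

```python
"""Toy covert-channel detector over constructed proxy logs (added example).

The log is synthetic: three users over 30 days.  'bob' runs a noisy backdoor
that phones home 200 times a day; 'carol' runs a low-and-slow one that sends a
few requests every third day; 'alice' is a legitimate user who happens to visit
an obscure site at the same average rate as carol's channel.
"""
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 30
START = date(2002, 10, 1)  # arbitrary constructed start date

# The two (user, host) pairs that really are channels in the constructed log.
CHANNELS = {("bob", "drop.example"), ("carol", "www.homepages.org/~jenny/")}


def make_log():
    """Build constructed 'YYYY-MM-DD user host' lines, one per request."""
    lines = []
    for d in range(WINDOW_DAYS):
        day = (START + timedelta(days=d)).isoformat()
        # alice: ordinary browsing, plus a genuine obscure site every other day
        lines += [f"{day} alice news.example"] * 20
        if d % 2 == 0:
            lines += [f"{day} alice rare.example"] * 2
        # bob: a noisy backdoor that talks to its drop site all day long
        lines += [f"{day} bob news.example"] * 20
        lines += [f"{day} bob drop.example"] * 200
        # carol: a low-and-slow channel, a few requests every third day
        lines += [f"{day} carol news.example"] * 20
        if d % 3 == 0:
            lines += [f"{day} carol www.homepages.org/~jenny/"] * 3
    return lines


def parse(lines):
    """Split each log line into a (day, user, host) record."""
    return [tuple(line.split()) for line in lines]


def rare_hosts(records, max_users=1):
    """Hosts visited by at most max_users distinct users in the window."""
    users_by_host = defaultdict(set)
    for _, user, host in records:
        users_by_host[host].add(user)
    return {h for h, users in users_by_host.items() if len(users) <= max_users}


def requests_per_day(records):
    """Average requests per day for every (user, host) pair over the window."""
    counts = defaultdict(int)
    for _, user, host in records:
        counts[(user, host)] += 1
    return {pair: n / WINDOW_DAYS for pair, n in counts.items()}


def detect(records, threshold):
    """Flag (user, host) pairs on rare hosts whose daily rate exceeds threshold."""
    rare = rare_hosts(records)
    return {
        pair for pair, rate in requests_per_day(records).items()
        if pair[1] in rare and rate > threshold
    }


def evaluate(records, threshold):
    """Return (true positives, false positives) for a given threshold."""
    flagged = detect(records, threshold)
    return len(flagged & CHANNELS), len(flagged - CHANNELS)


if __name__ == "__main__":
    recs = parse(make_log())
    rates = requests_per_day(recs)
    print("carol channel rate:", rates[("carol", "www.homepages.org/~jenny/")])
    print("alice rare-site rate:", rates[("alice", "rare.example")])
    for thr in (5.0, 0.5):
        print(f"threshold {thr}: tp/fp =", evaluate(recs, thr))
```

With a threshold of five requests per day the detector catches only the chatty backdoor, with no false positives. Lowering the threshold far enough to catch carol's channel (one request per day on average) also flags alice's genuine visits, because the two patterns have exactly the same rate, and nothing in the volume alone separates them; that is the false-positive cost of pushing the model closer to "how a user should behave" that the message describes.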
Current thread:
- Re: Covert Channels, (continued)
- Re: Covert Channels Michal Zalewski (Oct 23)
- RE: Covert Channels Omar Herrera (Oct 23)
- RE: Covert Channels Cade Cairns (Oct 24)
- Re: Covert Channels Roland Postle (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Anton Aylward (Oct 23)
- Re: Covert Channels Blue Boar (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Frank Knobbe (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Michal Zalewski (Oct 23)
- Re: Covert Channels Frank Knobbe (Oct 23)
- Re: Covert Channels Anton Aylward (Oct 23)
- Re: Covert Channels Roland Postle (Oct 24)
- RE: Covert Channels Omar Herrera (Oct 23)