Vulnerability Development mailing list archives

Re: Covert Channels


From: MA <mixalhs () noos fr>
Date: 17 Oct 2002 08:19:40 +0200

kam <kam () aversion net> writes:

> In order to get a host machine to pull this out of the packet and USE it,
> you'd have to re-write the IP stack for that machine.

No. You just need libpcap/Winpcap and a custom program anywhere on the
path.

> Then again, if you can insert a new BOX on a
> network, you probably aren't worried about using such a complicated method
> of compromising a host.

Mmmhhh... It reminds me of endless discussion about the mythical "covert
channel analysis" in security evaluation criteria.
This appeared in the Orange Book (TCSEC) and everybody gave the same
example: a spy leaking information from a classified domain to an
unclassified one by doing a kind of Morse code with a ps-like command.
Anyway, the primary goal of the analysis (AVA_CCA in ISO-15408) was
not to protect against a bad guy (who can record the information in
/dev/brain and play it back through /dev/mouth) but to disable Trojan
horses.

> In a network sense- it's almost even more pointless. A router isn't going to
> understand whatever hidden commands you've got in any field (IP option, ID,
> generally unused portions of the TCP header, etc) so they will throw it out.

We don't want it to _understand_ the code, we just want it to let it
go through.
It will be very hard in real life: we have IP filters which may
rewrite IP ID or TCP ISN, (transparent) application proxies which will
kill any TCP/IP code, load balancers (which work somewhere between
layer 3 or 4 and layer 7, and may, or may not, rewrite the source IP
address) etc. 

> Depending on when you do the actual insertion of your data into the packet,
> chances are at some point (if not on your machine, up the line) someone's CRC
> is going to be off and you're going to lose the packet. Keep in mind that
> not everyone runs the same network appliances, and all stacks (unless
> intentionally otherwise) act differently.

Note that our Trojan horse may try several methods and adapt to the
real network. 

> All in all, a kinda cool concept, but completely pointless.

I wouldn't be so sure.

By the way, ISO-15408 defines AVA_CCA.3 "Exhaustive covert channel
analysis". AFAIK, this is science fiction. Does anybody have a silver
bullet?
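The "someone's CRC is going to be off" point above, and the remark that filters may rewrite the IP ID, both come down to the IPv4 header checksum: a filter that touches the Identification field has to recompute it, and one that verifies it will drop a packet whose checksum no longer matches. The following is an added example, not code from either poster; it builds a constructed 20-byte IPv4/TCP header with RFC 791 checksum, then shows the verification step a forwarding device performs before and after an ID rewrite (addresses are documentation ranges, chosen arbitrarily).

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement
    16-bit sum of the header, computed with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(ident: int, src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed minimal IPv4 header (no options), protocol TCP, TTL 64."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      ident, 0, 64, 6, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def header_checksum_ok(header: bytes) -> bool:
    """Verification a filter or router does before forwarding: the
    one's-complement sum over the header *including* its checksum field
    must be all ones, i.e. the complemented result must be zero."""
    return ipv4_checksum(header) == 0

def rewrite_ip_id(header: bytes, new_ident: int, fix_checksum: bool) -> bytes:
    """Rewrite the 16-bit Identification field (bytes 4-5), as an
    ID-normalising filter does. With fix_checksum=False the stale checksum
    is kept, which is the situation kam describes: the next hop that
    verifies the header discards the packet."""
    hdr = header[:4] + struct.pack("!H", new_ident) + header[6:]
    if fix_checksum:
        zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + hdr[12:]
    return hdr

if __name__ == "__main__":
    h = build_ipv4_header(0x4142, "192.0.2.1", "198.51.100.7")
    print(header_checksum_ok(h))                                # True
    print(header_checksum_ok(rewrite_ip_id(h, 0x4343, False)))  # False, dropped
    print(header_checksum_ok(rewrite_ip_id(h, 0x4343, True)))   # True
```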

