Vulnerability Development mailing list archives
Re: Covert Channels
From: MA <mixalhs () noos fr>
Date: 17 Oct 2002 08:19:40 +0200
kam <kam () aversion net> writes:
> In order to get a host machine to pull this out of the packet and USE it, you'd have to re-write the IP stack for that machine.
No. You just need libpcap/Winpcap and a custom program anywhere on the path.
> Then again, if you can insert a new BOX on a network, you probably aren't worried about using such a complicated method of compromising a host.
Mmmhhh... It reminds me of endless discussion about the mythical "covert channel analysis" in security evaluation criteria. This appeared in the Orange Book (TCSEC) and everybody gave the same example: a spy leaking information from a classified domain to an unclassified one by doing a kind of Morse code with a ps-like command. Anyway, the primary goal of the analysis (AVA_CCA in ISO-15408) was not to protect against a bad guy (who can record the information in /dev/brain and play it back through /dev/mouth) but to disable Trojan horses.
> In a network sense, it's almost even more pointless. A router isn't going to understand whatever hidden commands you've got in any field (IP option, ID, generally unused portions of the TCP header, etc.) so they will throw it out.
We don't want it to _understand_ the code, we just want it to let it go through. It will be very hard in real life: we have IP filters which may rewrite IP ID or TCP ISN, (transparent) application proxies which will kill any TCP/IP code, load balancers (which work somewhere between layer 3 or 4 and layer 7, and may, or may not, rewrite the source IP address) etc.
> Depending on when you do the actual insertion of your data into the packet, chances are at some point (if not on your machine, up the line) someone's CRC is going to be off and you're going to lose the packet. Keep in mind that not everyone runs the same network appliances, and all stacks (unless intentionally otherwise) act differently.
Note that our Trojan horse may try several methods and adapt to the real network.
> All in all, a kinda cool concept, but completely pointless.
I wouldn't be so sure. By the way, ISO-15408 defines AVA_CCA.3 "Exhaustive covert channel analysis". AFAIK, this is science fiction. Does anybody have a silver bullet?
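As an added example, not part of this thread, here is a small defender-side audit in Python over constructed IPv4 headers. It shows the two points argued above: a header whose ID field is rewritten after the checksum was computed fails verification (the "CRC is going to be off" case), and a per-source IP ID sequence that is mostly printable ASCII byte pairs stands out against a normal incrementing or random ID sequence. The `audit`, `build_ipv4` and `printable_pair` names, the 50% ratio and the 8-packet minimum are my own assumptions.

```python
import struct
import socket
from collections import defaultdict


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a valid checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ip_id: int, rewritten_id=None) -> bytes:
    """Constructed 20-byte IPv4 header (proto TCP, no payload). If rewritten_id is
    given, the ID field is overwritten *after* the checksum was filled in, which
    is what a careless in-path rewrite does and why the next hop drops it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    if rewritten_id is not None:
        hdr = hdr[:4] + struct.pack("!H", rewritten_id) + hdr[6:]
    return hdr


def parse_ipv4(pkt: bytes) -> dict:
    """Pull source, ID and checksum validity out of a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "id": f[3],
            "checksum_ok": ip_checksum(pkt[:ihl]) == 0}


def printable_pair(ip_id: int) -> bool:
    """True when both bytes of the 16-bit ID are printable ASCII (0x20..0x7E)."""
    hi, lo = ip_id >> 8, ip_id & 0xFF
    return 0x20 <= hi < 0x7F and 0x20 <= lo < 0x7F


def audit(packets, min_pkts: int = 8, ratio: float = 0.5) -> dict:
    """Count checksum failures and flag sources whose ID stream looks like text."""
    bad, ids = 0, defaultdict(list)
    for pkt in packets:
        p = parse_ipv4(pkt)
        if not p["checksum_ok"]:
            bad += 1          # would be discarded by any conforming stack
            continue
        ids[p["src"]].append(p["id"])
    suspect = [s for s, v in ids.items()
               if len(v) >= min_pkts and sum(map(printable_pair, v)) / len(v) >= ratio]
    return {"bad_checksum": bad, "suspect_sources": sorted(suspect)}
```

For a random 16-bit ID the chance that both bytes are printable is about 14%, so a threshold of 50% over eight or more packets rarely fires on a normal host.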