Vulnerability Development mailing list archives

RE: Covert Channels


From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Fri, 18 Oct 2002 07:17:17 -0700

That's the beauty of it.  As soon as someone picks up on your channel
(if ever), you can change the method by simply utilizing another
field/protocol and you're back in business.

;-)

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl] 
Sent: Friday, October 18, 2002 6:42 AM
To: Ofir Arkin
Cc: Valdis.Kletnieks () vt edu; 'kam'; Jeremy Junginger;
vuln-dev () securityfocus com; pen-test () securityfocus com
Subject: RE: Covert Channels 


On Fri, 18 Oct 2002, Ofir Arkin wrote:

> Using covert channels with the ICMP protocol can be defeated if you
> know what to expect and what your traffic needs to look like.

Huh? It's perfectly possible to communicate over "good looking" channels
using subtleties like timing, "acceptable" variations, etc, etc. Same
with any other protocol - what if you limit outgoing HTTP requests only
to two documents, /docone and /doctwo, if I can still implement a covert
channel by requesting them in a specific order, for example? Or by
sending specific If-Modified-Since, Accept-Encoding, or such... Not
feasible? Hardly, most covert channels for backdoors and such do not
require too much bandwidth. Not implemented yet? I'd argue.

> All in all you cannot defeat covert channels because there are so
> many ways to implement them which the current technology simply lags
> behind.

No, the reason is fundamentally different, which is that there is no way
for the machine (or human being, as a matter of fact) to make a clear
distinction between the necessary and potentially malicious traffic,
since there is no either-or distinction. Any vital and necessary traffic
can carry covert information. Period.

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-18 09:39 --
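The request-order channel Zalewski sketches above (/docone and /doctwo fetched in a chosen order) can be illustrated from the detector's side. The following Python is an added example, not code from the thread or from either poster: it scores each client by the conditional entropy of "which document comes next given the last one", flags clients whose order varies freely, and includes a third client that keeps the usual order except for a single deviation. That client still carries information but scores well under any usable threshold, which is the limit Zalewski's reply is pointing at. The log lines, client addresses and the 0.5-bit threshold are all constructed for the example.

```python
"""Added example (not from the thread): a toy request-order detector and its limit.

Each client is scored by H(next | previous) over its request sequence, in bits.
A client with a fixed order scores 0; a client using the order as a bit channel
scores near 1; a client that deviates rarely stays close to 0 and is not flagged.
"""
import math
from collections import Counter, defaultdict


def _lines(client, paths):
    # Build constructed log lines shaped like "<client> GET <path>".
    return [f"{client} GET {path}" for path in paths]


# Constructed sample traffic (not captured data), one line per request, in arrival order.
SAMPLE_LOG = (
    _lines("10.0.0.5", ["/docone", "/doctwo"] * 4)                        # always the same order
    + _lines("10.0.0.9", ["/doctwo", "/doctwo", "/docone", "/doctwo",
                          "/docone", "/docone", "/doctwo", "/docone"])     # order varies freely
    + _lines("10.0.0.7", ["/docone", "/doctwo"] * 9 + ["/docone", "/docone"])  # one deviation
)


def parse_log(lines):
    """Group request paths per client, preserving arrival order."""
    seqs = defaultdict(list)
    for line in lines:
        client, _method, path = line.split()
        seqs[client].append(path)
    return seqs


def conditional_entropy(paths):
    """Shannon entropy in bits of the next path given the previous one, H(next | prev)."""
    by_prev = defaultdict(Counter)
    for prev, nxt in zip(paths, paths[1:]):
        by_prev[prev][nxt] += 1
    n = len(paths) - 1
    if n <= 0:
        return 0.0
    h = 0.0
    for nexts in by_prev.values():
        total = sum(nexts.values())
        for count in nexts.values():
            p = count / total
            h -= (total / n) * p * math.log2(p)
    return h


def score_clients(lines, threshold=0.5):
    """Return ({client: entropy}, [clients at or above threshold], sorted)."""
    scores = {c: conditional_entropy(p) for c, p in parse_log(lines).items()}
    flagged = sorted(c for c, h in scores.items() if h >= threshold)
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = score_clients(SAMPLE_LOG)
    for client, h in sorted(scores.items()):
        print(f"{client}: {h:.3f} bits per request")
    print("flagged:", flagged)
```

Only 10.0.0.9 crosses the threshold; 10.0.0.7 scores about 0.25 bits per request and passes, even though its one extra /docone is a usable signal at a low rate. Lowering the threshold to catch it would also flag ordinary clients whose order varies for innocent reasons, which is the either-or distinction Zalewski says does not exist.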