kam <kamat_private> writes:

> In order to get a host machine to pull this out of the packet and USE it,
> you'd have to re-write the IP stack for that machine.

No. You just need libpcap/WinPcap and a custom program anywhere on the path.

> Then again, if you can insert a new BOX on a
> network, you probably aren't worried about using such a complicated method
> of compromising a host.

Mmmhhh... It reminds me of the endless discussion about the mythical "covert channel analysis" in security evaluation criteria. This appeared in the Orange Book (TCSEC) and everybody gave the same example: a spy leaking information from a classified domain to an unclassified one by doing a kind of Morse code with a ps-like command. Anyway, the primary goal of the analysis (AVA_CCA in ISO-15408) was not to protect against a bad guy (who can record the information in /dev/brain and play it back through /dev/mouth) but to disable Trojan horses.

> In a network sense- it's almost even more pointless. A router isn't going to
> understand whatever hidden commands you've got in any field (IP option, ID,
> generally unused portions of the TCP header, etc) so they will throw it out.

We don't want it to _understand_ the code, we just want it to let it go through. It will be very hard in real life: we have IP filters which may rewrite the IP ID or TCP ISN, (transparent) application proxies which will kill any TCP/IP code, load balancers (which work somewhere between layer 3 or 4 and layer 7, and may, or may not, rewrite the source IP address), etc.

> Depending on when you do the actual insertion of your data into the packet,
> chances are at some point (if not on your machine, up the line) someone's CRC
> is going to be off and you're going to lose the packet. Keep in mind that
> not everyone runs the same network appliances, and all stacks (unless
> intentionally otherwise) act differently.

Note that our Trojan horse may try several methods and adapt to the real network.

> All in all, a kinda cool concept, but completely pointless.

I wouldn't be so sure. By the way, ISO-15408 defines AVA_CCA.3 "Exhaustive covert channel analysis". AFAIK, this is science fiction. Does anybody have a silver bullet?
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:36:52 PDT
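The IP ID covert channel the thread argues about, as an added worked example (editor's illustration, not code from either poster). It builds IPv4 headers with two message bytes hidden in the 16-bit Identification field, decodes them the way a libpcap listener on the path would, and then runs the packets through three constructed middleboxes: a plain router (TTL decrement plus checksum recompute, which leaves the ID alone), a naive in-flight rewrite that forgets the header checksum (the "someone's CRC is going to be off" case, so the receiver drops the packet), and a normalising filter that randomises the ID and fixes the checksum, modelled on pf's `scrub random-id` (an assumption about that filter's behaviour, not something the thread states). The message and addresses are constructed inline; nothing touches the wire.

```python
"""Covert channel in the IPv4 Identification field: encode, decode, and what
different middleboxes do to it.  Added illustration for the thread above;
packets are constructed in memory and never sent."""
import random
import struct

IPV4_HDR_LEN = 20


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the 16-bit ones' complement
    sum over the header, with the checksum field itself holding zero.
    Run over a header that already carries a valid checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(hdr: bytes) -> bool:
    return ip_checksum(hdr) == 0


def _fix_checksum(hdr: bytes) -> bytes:
    """Zero the checksum field, recompute it, and write it back."""
    body = hdr[:10] + b"\x00\x00" + hdr[12:]
    return body[:10] + struct.pack("!H", ip_checksum(body)) + body[12:]


def build_ipv4_header(ident: int, ttl: int = 64, proto: int = 6,
                      src: bytes = b"\x0a\x00\x00\x01",
                      dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (IHL=5, no options) that looks like an ordinary TCP
    datagram; only the ID field carries the hidden data.  Addresses are
    constructed placeholders."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, IPV4_HDR_LEN, ident,
                      0, ttl, proto, 0, src, dst)
    return _fix_checksum(hdr)


def encode_covert(message: bytes) -> list:
    """Sender (the Trojan horse): one packet per two message bytes, the pair
    packed big-endian into the 16-bit ID field.  Odd lengths are NUL padded."""
    if len(message) % 2:
        message += b"\x00"
    return [build_ipv4_header(struct.unpack("!H", message[i:i + 2])[0])
            for i in range(0, len(message), 2)]


def decode_covert(packets: list) -> bytes:
    """Receiver (a libpcap-style listener anywhere on the path): discard
    packets whose header checksum is wrong, as a real stack would, and pull
    the ID field out of the rest.  Trailing NUL padding is stripped."""
    out = bytearray()
    for hdr in packets:
        if not verify_checksum(hdr):
            continue
        out += hdr[4:6]
    return bytes(out).rstrip(b"\x00")


def router_hop(hdr: bytes) -> bytes:
    """A plain router: decrement TTL, recompute the checksum, forward.  The
    ID field is untouched, so the channel survives any number of these."""
    if hdr[8] <= 1:
        raise ValueError("TTL exceeded in transit")
    return _fix_checksum(hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:])


def naive_rewrite_id(hdr: bytes, ident: int) -> bytes:
    """In-flight insertion that rewrites the ID but forgets the checksum: the
    next checksum-checking hop or the receiving host drops the packet."""
    return hdr[:4] + struct.pack("!H", ident) + hdr[6:]


def scrub_random_id(hdr: bytes, rng: random.Random) -> bytes:
    """A normalising filter (assumed to behave like pf's 'scrub random-id'):
    replace the ID with a random value and fix the checksum.  Harmless to
    legitimate unfragmented traffic, fatal to this covert channel."""
    return _fix_checksum(hdr[:4] + struct.pack("!H", rng.getrandbits(16)) + hdr[6:])


def demo(message: bytes = b"exfil: secret") -> dict:
    """Push one constructed message through each path and decode the result."""
    pkts = encode_covert(message)
    rng = random.Random(1)  # fixed seed so the run is reproducible
    # The naive path starts from headers whose checksum matches ID 0 and then
    # patches the real ID in without recomputing, so every packet is dropped.
    naive = [naive_rewrite_id(build_ipv4_header(0), struct.unpack("!H", p[4:6])[0])
             for p in pkts]
    return {
        "direct": decode_covert(pkts),
        "router": decode_covert([router_hop(p) for p in pkts]),
        "naive": decode_covert(naive),
        "scrubbed": decode_covert([scrub_random_id(p, rng) for p in pkts]),
    }


if __name__ == "__main__":
    for path, recovered in demo().items():
        print("%-9s %r" % (path, recovered))
```

The receiver needs no stack changes, only the ability to read raw headers, which is the first poster's point; the "router" path shows that a box that merely forwards does not need to understand the field; the "scrubbed" path is the IP-filter case from the reply, and is the reason a real implant would have to probe several fields (ID, ISN, options) and pick whichever the actual path leaves intact.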