Re: Covert Channels

From: MA (mixalhsat_private)
Date: Wed Oct 16 2002 - 23:19:40 PDT

    kam <kamat_private> writes:
    
    > In order to get a host machine to pull this out of the packet and USE it,
    > you'd have to re-write the IP stack for that machine.
    
    No. You just need libpcap/Winpcap and a custom program anywhere on the
    path.
    
    > Then again, if you can insert a new BOX on a
    > network, you probably aren't worried about using such a complicated method
    > of compromising a host. 
    
    Mmmhhh... It reminds me of endless discussion about the mythical "covert
    channel analysis" in security evaluation criteria.
    This appeared in the Orange Book (TCSEC) and everybody gave the same
    example: a spy leaking information from a classified domain to an 
    unclassified one by doing a kind of Morse code with a ps-like command. 
    Anyway, the primary goal of the analysis (AVA_CCA in ISO-15408) was
    not to protect against a bad guy (who can record the information in 
    /dev/brain and play it back through /dev/mouth) but to disable Trojan 
    horses.
    
    > In a network sense- it's almost even more pointless. A router isn't going to
    > understand whatever hidden commands you've got in any field (IP option, ID,
    > generally unused portions of the TCP header, etc) so they will throw it out.
    
    We don't want it to _understand_ the code, we just want it to let it
    go through.
    It will be very hard in real life: we have IP filters which may
    rewrite IP ID or TCP ISN, (transparent) application proxies which will
    kill any TCP/IP code, load balancers (which work somewhere between
    layer 3 or 4 and layer 7, and may, or may not, rewrite the source IP
    address) etc. 
    
    > Depending on when you do the actual insertion of your data into the packet,
    > chances are at some point (if not on your machine, up the line) someone's CRC
    > is going to be off and you're going to lose the packet. Keep in mind that
    > not everyone runs the same network appliances, and all stacks (unless
    > intentionally otherwise) act differently.
    
    Note that our Trojan horse may try several methods and adapt to the
    real network. 
    
    > All in all, a kinda cool concept, but completely pointless.
    
    I wouldn't be so sure.
    
    By the way, ISO-15408 defines AVA_CCA.3 "Exhaustive covert channel
    analysis". AFAIK, this is science fiction. Does anybody have a silver
    bullet? 
    
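The two defensive points in this thread, that a filter on the path may rewrite the IP ID field and so destroy whatever a Trojan horse has hidden there, and that a field carrying hidden data stops looking like a normal counter, can be shown on constructed packets. The following Python is an added example written for this archive page, not code from the thread or from any product mentioned in it. It builds minimal IPv4 headers with constructed addresses (10.0.0.1 and 10.0.0.2), implements a small "scrub" step that replaces the Identification field and recomputes the header checksum, and applies a heuristic that flags a flow whose IP IDs do not advance like a counter. The scrubber assumes unfragmented traffic (a real normalizer has to give every fragment of one datagram the same new ID), and the heuristic is only a lead: stacks that randomize IP ID, or zero it on DF packets, fail it as well.

```python
import random
import struct
from typing import List, Optional

# Constructed sample endpoints; any two IPv4 addresses would do.
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). The caller zeroes the
    checksum field before computing a new value; over a header whose checksum
    is already correct the result folds to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    return ipv4_checksum(header) == 0


def build_ipv4_header(ip_id: int, df: bool = False) -> bytes:
    """Constructed minimal 20-byte IPv4 header: no options, TTL 64, protocol TCP,
    total length 40 (this header plus a 20-byte TCP header that is not modelled)."""
    flags_frag = 0x4000 if df else 0x0000
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, flags_frag, 64, 6, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ip_id(header: bytes) -> int:
    return struct.unpack("!H", header[4:6])[0]


def df_set(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[6:8])[0] & 0x4000)


def scrub_ip_id(header: bytes, rng: Optional[random.Random] = None) -> bytes:
    """Normalizer step of the kind the post calls 'IP filters which may rewrite
    IP ID': replace the Identification field so nothing a sender hid there
    survives the hop, then repair the header checksum. A DF datagram is never
    fragmented, so its ID carries nothing the receiver needs and is zeroed;
    other datagrams get a fresh random ID. Assumption: traffic is unfragmented.
    A real normalizer must map all fragments of one datagram to the same new ID."""
    rng = rng or random.Random()
    new_id = 0 if df_set(header) else rng.randrange(1, 0x10000)
    hdr = header[:4] + struct.pack("!H", new_id) + header[6:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def looks_like_counter(ids: List[int], max_step: int = 256, min_fraction: float = 0.8) -> bool:
    """Detection heuristic: a stack that fills IP ID from an incrementing counter
    yields small positive deltas (mod 2^16) between consecutive packets of a flow,
    whereas a field carrying arbitrary data jumps around. Caveat: stacks that
    randomize IP ID, or zero it on DF packets, also fail this test, so a failure
    is a reason to look closer, not proof of a covert channel."""
    if len(ids) < 2:
        return True
    small = sum(1 for a, b in zip(ids, ids[1:]) if 0 < (b - a) % 0x10000 <= max_step)
    return small / (len(ids) - 1) >= min_fraction


def id_sequence(headers: List[bytes]) -> List[int]:
    return [ip_id(h) for h in headers]


def ids_to_bytes(ids: List[int]) -> bytes:
    """Reassemble the IP ID fields of a flow as a byte string (two bytes per packet)."""
    return b"".join(struct.pack("!H", i) for i in ids)


if __name__ == "__main__":
    # Constructed flow 1: ordinary counter-based IDs.
    normal = [build_ipv4_header(1000 + i) for i in range(20)]
    # Constructed flow 2: the IDs spell out a short message, two bytes per packet,
    # which is the kind of hidden field use the thread is discussing.
    message = b"covert channel test!"
    hidden = [build_ipv4_header(i) for i in struct.unpack("!10H", message)]
    print("normal flow looks like a counter:", looks_like_counter(id_sequence(normal)))
    print("hidden flow looks like a counter:", looks_like_counter(id_sequence(hidden)))
    rng = random.Random(0)
    scrubbed = [scrub_ip_id(h, rng) for h in hidden]
    print("message readable before scrub:", ids_to_bytes(id_sequence(hidden)) == message)
    print("message readable after scrub: ", ids_to_bytes(id_sequence(scrubbed)) == message)
    print("all scrubbed checksums valid:  ", all(checksum_ok(h) for h in scrubbed))
```

The scrubber is one hop's worth of the "it will be very hard in real life" point: any single normalizing filter on the path is enough to erase an IP ID channel, and the checksum repair is what keeps the packet deliverable afterwards. The counter heuristic is the cheap check a sensor can run over a flow; a TCP ISN or header-option channel needs its own check, since those fields have different normal behaviour.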



    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 06:36:52 PDT