That's the beauty of it. As soon as someone picks up on your channel (if ever), you can change the method by simply utilizing another field/protocol and you're back in business. ;-) -----Original Message----- From: Michal Zalewski [mailto:lcamtufat_private] Sent: Friday, October 18, 2002 6:42 AM To: Ofir Arkin Cc: Valdis.Kletnieksat_private; 'kam'; Jeremy Junginger; vuln-devat_private; pen-testat_private Subject: RE: Covert Channels On Fri, 18 Oct 2002, Ofir Arkin wrote: > Using covert channels with the ICMP protocol can be defeated if you > know what to expect and how your traffic needs to look like. Huh? It's perfectly possible to communicate over "good looking" channels using subtleties like timing, "acceptable" variations, etc, etc. Same with any other protocol - what if you limit outgoing HTTP requests only to two documents, /docone and /doctwo, if I can still implement a covert channel by requesting them in a specific order, for example? Or by sending specific If-Modified-Since, Accept-Encoding, or such... Not feasible? Hardly, most of covert channels for backdoors and such do not require too much bandwith. Not implemented yet? I'd argue. > All and all you cannot defeat covert channels because there are so > many ways to implement them which the current technology simply lag > behind. No, the reason is fundamentally different, which is that there is no way for the machine (or human being, as a matter of fact) to make a clear distinction between the necessary and potentially malicious traffic, since there is no either-or distinction. Any vital and necessary traffic can carry a covert information. Period. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2002-10-18 09:39 --
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 08:23:31 PDT