Re: Covert Channels

From: Michal Zalewski (lcamtufat_private)
Date: Fri Oct 18 2002 - 08:34:55 PDT

Next message: Luis Bernardi: "Re: ACF2 auditing"

Previous message: Jeremy Junginger: "RE: Covert Channels"
In reply to: David Litchfield: "Re: Covert Channels"
Next in thread: Alex Tibbles: "Re: Covert Channels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 18 Oct 2002, David Litchfield wrote:

> Whilst this works on a binary level /docone = 0 and /doctwo = 1 enabling you
> to channel bits it's quite network intensive.

Yes, if you are about to transfer a 50 kB file, but not for basic backdoor
signalling.

> Further, by looking at the log files one could get an idea that
> *something* is wrong.

Hardly... The code can behave to look pretty much like an average browser
user, just the selection of visited documents would be specific for the
message encoded. Besides, an average visit on a webpage (say, *blink*
lcamtuf.coredump.cx *blink*) generates something around 20-30 GET requests
for all images and such. The order is pretty arbitrary - depends on what
browsers you use, what is already cached, which SYN leaves the local TCP
stack first and which handshake is first completed, etc. The order of
those requests can be altered to fit quite a few bits of data, most likely
without being detected - there's no reliable way to do it. Quite a few
ordinary users visit a page they find interesting several times a day, and
visit more than the frontpage. This is more than enough to send back
sniffer passwords, for example.

But defending this particular technique is not the point - point is, as
long as I can get any traffic off the network you're trying to defend -
which is a real-world scenario - I can send a message to the world, as
long as I previously agreed on a specific covert channel protocol with my
party. There's nothing you can do about it. There are ways to mitigate the
risk by making it more difficult (since the attacker would have to get
close to "normal" traffic characteristics - and how difficult that is
depends on how good your model would be), and ways to defend against known
code, but protocol analysis is no silver bullet against covert channels =)

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-18 11:25 --

Next message: Luis Bernardi: "Re: ACF2 auditing"
Previous message: Jeremy Junginger: "RE: Covert Channels"
In reply to: David Litchfield: "Re: Covert Channels"
Next in thread: Alex Tibbles: "Re: Covert Channels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 09:05:38 PDT