RE: Covert Channels

From: Frank Knobbe (fknobbeat_private)
Date: Wed Oct 23 2002 - 11:51:05 PDT

  • Next message: Michal Zalewski: "RE: Covert Channels"

    On Wed, 2002-10-23 at 12:36, Jose Nazario wrote:
    > On 23 Oct 2002, Frank Knobbe wrote:
    > 
    > > For the most part yes. But cutting through the snake oil, aren't there
    > > products that attempt to detect steganography (i.e. examining images in
    > > transit to check if they contain hidden messages)? I would consider this
    > > a covert channel as well.
    > 
    > talking with people "in the know" (read government contractors and
    > employees) detecting stego in real time is simply not possible. you'd have
    > to stop and read every image which traverses the net to try and find the
    > one or two which have stego in them. 
    
    Oh I agree, the overhead is immense for real-time. But I don't think
    that is that critical. After all, even if detected in real time, the
    message has already passed.
    
    Also, monitoring the Internet at large as you describe doesn't sound
    feasible (and I'm not sure even the NSA has the resources to go to that
    extent...)
    
    Consider this. A caching proxy server type app that passes all web
    requests through, but keeping a copy of it in a local queue. The queue
    gets processed in parallel (read, on data that has already passed) and
    analyzed for various things. These 'various things' can be examining
    images for steg, or checking URL accesses for frequency/abnormalities.
    Upon a hit, an alert can be given that lists the sender, receiver, URL,
    and a copy of the image (just an example). Here is the point where the
    possibilities are endless to detect covert channels. Can't be prevented,
    but we can make an effort to detect.
    
    I'm fully aware that this area is (currently) mostly hypothetical, and
    we don't seem to have a grip, or even a starting point. You say
    (speaking for most of us):
    
    > by their design, however, covert channels are nearly impossible to detect.
    > it's not like watching two kids in the back of the room pass a note. it's
    > more like the communication of data by the manipulation, within a subtle
    > degree, of any parameters. packet timings. packet sizes. those are just
    > two i can think of off the top of my head at the ethernet layer. think
    > about an insider trading attack. if i visit websites A B and C in that
    > order buy this stock, if i visit in the order of C A B sell.
    > 
    > the closest you can get to defeating covert channels is 100% traffic
    > normalization. this includes sizes, timings, connection patterns (hosts,
    > ports, protocols, absence or presence), etc. you'd have to make sure that
    > what you see on day 1 is what you see every day, what's there and what's
    > not, in exactly the same form. the very existence of communications allows
    > for covert channels to exist. an impossible problem to solve if you allow
    > communications.
    
    I think that sounds a bit too pessimistic. Let's not discourage
    ourselves with the abysmal challenges. I say I should start to think
    more seriously about this subject. I know you and Niels and several
    others are on the ball. I just like to see more of us be aware of the
    challenges, but at the same time not discouraged that there may be
    solutions ahead (albeit many years ahead). We should start to tackle
    this subject, maybe as the next step beyond intrusion detection.
    
    I don't think we'll ever eliminate it, or even detect it all, but we can
    try to make a serious dent in it, and try to detect as much as we can.
    
    
    Regards,
    Frank
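
The pass-through proxy with an out-of-band analysis queue that Frank sketches above, written out as an added example (not code from this thread or from any product mentioned in it). The data path returns each transaction immediately and only keeps a copy of its metadata; a worker later drains the copies and runs a list of pluggable analyzers over the same batch. The one analyzer shown is the "URL accesses for frequency/abnormalities" check: it counts requests per (client, host) in fixed time windows and raises an alert naming sender, receiver and URL when a pair's count is far above the median for that window. The image/stego analyzer from the message would be another function in the same list; it is not implemented here. Hosts, client addresses, timestamps and the thresholds are all constructed for the demo.

```python
# Added example: out-of-band analysis queue behind a pass-through proxy.
# Transactions are forwarded at once; a copy of the metadata is queued and
# analysed later by pluggable analyzers that emit (sender, receiver, URL) alerts.
# All hosts, clients, timestamps and thresholds below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transaction:
    ts: float           # seconds since epoch (constructed)
    client: str         # sender, as it would appear in the alert
    host: str           # receiver
    url: str
    content_type: str
    size: int           # response body bytes


class PassThroughProxy:
    """Forwards every transaction unchanged; analysis never sits on the data path."""

    def __init__(self):
        self.queue = deque()

    def forward(self, tx):
        self.queue.append(tx)       # copy kept for the out-of-band worker
        return tx                   # delivered immediately, no analysis here

    def drain(self):
        batch = list(self.queue)
        self.queue.clear()
        return batch


def frequency_alerts(batch, window=60.0, min_count=5, ratio=3.0):
    """
    Count requests per (client, host) in fixed windows of `window` seconds and
    flag pairs whose count is at least `min_count` and at least `ratio` times
    the median pair count in the same window. Returns a list of alert dicts.
    """
    counts = defaultdict(int)
    first_url = {}
    for tx in batch:
        bucket = int(tx.ts // window) * window
        key = (tx.client, tx.host, bucket)
        counts[key] += 1
        first_url.setdefault(key, tx.url)
    by_bucket = defaultdict(list)
    for (client, host, bucket), n in counts.items():
        by_bucket[bucket].append((client, host, n))
    alerts = []
    for bucket, pairs in by_bucket.items():
        med = median([n for _, _, n in pairs])
        for client, host, n in pairs:
            if n >= min_count and n >= ratio * med:
                alerts.append({
                    "analyzer": "url-frequency",
                    "sender": client,
                    "receiver": host,
                    "url": first_url[(client, host, bucket)],
                    "count": n,
                    "window_start": bucket,
                })
    return alerts


def run_worker(proxy, analyzers):
    """Drain the queue once and run every analyzer over the same batch."""
    batch = proxy.drain()
    alerts = []
    for analyzer in analyzers:
        alerts.extend(analyzer(batch))
    return alerts


def constructed_traffic():
    """Four ordinary clients plus one fetching a single image URL 15 times."""
    txs = []
    t0 = 1_035_400_020.0            # a 60-second window boundary (constructed)
    for i, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
        for k in range(3):
            txs.append(Transaction(t0 + 5 * k + i, client, "news.example",
                                   f"/story/{k}", "text/html", 4000 + 10 * k))
    for k in range(15):
        txs.append(Transaction(t0 + 2 * k, "10.0.0.99", "img.example",
                               "/banner.png", "image/png", 20480))
    return txs


def demo():
    """Push the constructed traffic through the proxy, then analyse the copies."""
    proxy = PassThroughProxy()
    for tx in constructed_traffic():
        proxy.forward(tx)
    return run_worker(proxy, [frequency_alerts])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running `demo()` yields a single alert for 10.0.0.99 fetching /banner.png from img.example 15 times in one window, while the four clients making three requests each stay below `min_count`. The median-based threshold is used rather than a mean and standard deviation because a single outlier pair dominates the mean when only a handful of pairs are active.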
    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 12:29:24 PDT