On 23 Oct 2002, Frank Knobbe wrote: > For the most part yes. But cutting through the snake oil, aren't there > products that attempt to detect steganography (i.e. examining images in > transit to check if they contain hidden messages)? I would consider this > a covert channel as well. Hardly the point. Detection of certain, existing and grossly imperfect tools is possible. In the example you've mentioned, this is because the steganography used is a fairly low-level one, susceptible to a trivial analysis. What if, instead of least significant bits, I decide to transfer information in the fact the picture shows an apple and a cucumber instead of a banana and three pears? Or, more realistic example, text steganography - what if, instead of hiding information in typos and whitespaces, I decide to hide information in the wording, subject, language constructions, etc? There was some impressive research done on that subject, and it's not as difficult or ineffective as it may sound. There is a good software that can write certain types of documents to make them virtually indistinguishable from those authored by humans, so this process can be automated. Ooops. While it's possible to build a model of how least significant bits in a picture should look like, or how whitespaces are supposed to look, it's practically impossible to do it on higher levels of abstraction. Because of that, I think there's a wall ahead - making just few steps further in covert channel detection would be the end of the road, while attackers would still have lots of possibilities to use; this is, of course, a bit pessimistic, I tend to overestimate how smart and determined people are. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2002-10-23 14:47 --
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 12:30:13 PDT