Re: Covert Channels

From: Blue Boar (BlueBoarat_private)
Date: Wed Oct 23 2002 - 13:50:50 PDT

Michal Zalewski wrote:
> The difference is pretty obvious. IDS is supposed to detect known
> characteristics of _unacceptable_ traffic (signature detection), or
> unexpected _deviations_ from acceptable patterns (anomaly detection).
> That makes sense - break-in attempts are an anomaly; there are no cases
> when a common, valid traffic can also be an attack attempt

Of course there are.  There are a huge number of POP3 clients out there,
some of which will fail when given a particular input, some of which will
handle it with no trouble.  The input is legal, according to some spec, and
people sometimes find these bugs by accident.

> All low-level attacks (buffer overflows, etc) can be told from legitimate
> traffic. There's no legitimate traffic that would look like a valid
> session - or, if there is, the false positive ratio is marginal. We get
> bounces because we used the words "i love you" in a mail from time to
> time, but generally, it's not a concern, and is a result of poor QA, not
> strategy problems.

There have been and will be cases where a buffer of size X is an overflow in one
product, and legal and normal in another.

>
> Exploit author can do his best to fool most popular IDSes, and vendors can
> easily update to cover this attack mechanism, fragmentation or obfuscation
> scheme. No biggie. If the model of acceptable traffic is lacking, it has
> to be refined, and in most cases, there's a way to do it without catching
> too much of a valid traffic.

All I'm saying is that a covert channel detector can do as well as IDSes do
today, which means basically catching some set of known stuff.  IDSes don't
catch everything, and they have utility.  All you have to do is write a
program that checks to see if ICMP echo request and reply packets match the
dozen or so different ping implementations, and if not, then flag it.
There, you've got a program that catches *some* covert channel action.  You
might even be able to make a commercial product out of it.

Just because some (most?) covert channels won't be detected doesn't mean
that you should give up trying to spot the known ones.  Otherwise, IDSes and
virus scanners are useless too, because they can always be bypassed.  Some
people may think that they *are* useless, given their needs or environment,
which is why I said "If someone thinks an IDS is useful ... then there is
no reason to think a covert channel detector wouldn't be useful for the
same reason."

					BB
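A minimal version of the detector BB describes, as an added example that is not part of the original thread: it parses raw ICMP echo messages and flags any payload that matches none of the known ping fingerprints. Only two fingerprints are encoded (Linux iputils and Windows ping); the 16-byte timestamp assumption for iputils and the sample packets are constructed for this example, and further profiles would be built from your own captures.

```python
import struct

# Known ping payload fingerprints (assumption: profiles are built from the
# stock behaviour of each implementation; add your own from captured traffic).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes of fixed text

def looks_like_iputils(payload: bytes) -> bool:
    """Linux iputils ping (default 56 data bytes): a timestamp in the first
    8 or 16 bytes, then filler where data byte i holds the value i."""
    return len(payload) == 56 and all(payload[i] == i for i in range(16, 56))

def looks_like_windows(payload: bytes) -> bool:
    return payload == WINDOWS_PAYLOAD

PROFILES = {"iputils-ping": looks_like_iputils, "windows-ping": looks_like_windows}

def parse_icmp(packet: bytes):
    """Split a raw ICMP message into (type, code, ident, seq, payload)."""
    if len(packet) < 8:
        raise ValueError("ICMP header too short")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]

def classify_echo(packet: bytes) -> str:
    """Name the implementation the payload matches, 'unknown' to flag it,
    or 'not-echo' for ICMP types this detector does not look at."""
    icmp_type, code, _ident, _seq, payload = parse_icmp(packet)
    if icmp_type not in (0, 8) or code != 0:
        return "not-echo"
    for name, matcher in PROFILES.items():
        if matcher(payload):
            return name
    return "unknown"

def build_echo(payload: bytes, icmp_type: int = 8, ident: int = 0x1234, seq: int = 1) -> bytes:
    # Checksum is left as zero; the detector does not validate it.
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed sample traffic: a Linux-style request, a Windows-style request,
# and one whose payload carries free text, as a covert channel might.
SAMPLES = {
    "linux": build_echo(bytes(16) + bytes(range(0x10, 0x38))),
    "windows": build_echo(WINDOWS_PAYLOAD),
    "covert": build_echo(b"this is not what a ping client sends".ljust(56, b"\x00")),
}

def flagged(samples=SAMPLES) -> list:
    """Return the names of samples that match no known ping implementation."""
    return [name for name, pkt in samples.items() if classify_echo(pkt) == "unknown"]
```

Running it as a script flags only the "covert" sample; a real deployment would feed it the ICMP bytes from a packet capture and also check that each reply's payload mirrors its request.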
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 14:38:48 PDT