Re: Covert Channels

From: Roland Postle (mailat_private)
Date: Wed Oct 23 2002 - 14:20:46 PDT


    On Wed, 23 Oct 2002 14:46:21 -0400 (EDT), Michal Zalewski wrote:
    
    >All low-level attacks (buffer overflows, etc) can be told from legitimate
    >traffic.
    
    I disagree. How do you detect an attack (involving a low level buffer
    overflow etc..) that rides inside an encrypted session? In theory you
    give the IDS info about all the encrypted communications you expect to
    happen, give it all your keys (including session keys on the fly) so it
    can make a decision about whether there's an intrusion taking place.
    But it's not practical. Getting at session keys means integrating the
    IDS tightly into all your applications that might want to send/receive
    encrypted data. And then what is it but just another part of your
    application, prone to vulnerabilities and open to attack. I'm no expert
    on IDSs so I don't know how they tackle this problem currently, but I'm
    sure you can no longer have the traditional isolated IDS on an
    impregnable host silently watching your entire network.
    
    The issue of covert channels riding on an encrypted communication is
    something I believe was mentioned at the beginning of this thread, but I
    for one, had forgotten all about it. How do you stop me smuggling the
    entire Windows source tree out of the Microsoft network when as an
    employee I'm allowed to initiate secure HTTP connections to external
    websites? I don't even need cover traffic, once I've pretended to
    access my website, exchanged keys and entered encrypted mode I can send
    my source code as is. Provided I send it in bursts to mimic a browsing
    session I could reasonably transmit many megabytes an hour. In other
    words I /can/ send arbitrary raw binary data on port 443, and you can't
    have a rule to stop me. Agreed, there's still a limit to my covert
    channel. But the limit isn't defined by how many nooks and crannies I
    can squeeze my bits into by manipulating timings etc... It's defined by
    how much regular bandwidth I can use without alerting suspicion. 
    
    Once again privacy and protection come head to head. Using encryption
    compromises your network.
    
    - Blazde
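The post's closing point is that once payloads are encrypted, the practical limit on a covert channel is how much ordinary-looking bandwidth it can consume, not how cleverly bits are hidden. The following script is an added example, not part of the original message or the thread, showing the defensive side of that observation: instead of inspecting port-443 content, it baselines the shape of each host's outbound TLS traffic (bytes sent versus received per hour) and flags hosts whose upload volume breaks the download-heavy pattern of normal browsing. The flow-record format, the `ws-*` host names, the RFC 5737 documentation addresses and the thresholds are all constructed assumptions for the demonstration.

```python
"""Egress-volume baseline for TLS flows (constructed example, not from the thread).

Reads simple flow records of the form
    ts,src,dst,dport,bytes_out,bytes_in
(a constructed format, not any real exporter's output), sums outbound and
inbound bytes per source host per window for port 443 only, and reports
hosts whose outbound volume or out/in ratio looks like bulk upload rather
than browsing.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int          # epoch seconds
    src: str         # internal host name
    dst: str         # external server address
    dport: int       # destination port
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client


# Constructed sample: ws-17 browses normally, ws-42 pushes 24 MB outbound in
# an hour over 443 (the pattern the post describes), ws-09 is a moderate
# uploader, and ws-55 uses port 22 so it must be ignored by the TLS filter.
SAMPLE_LOG = """\
1035410405,ws-17,198.51.100.10,443,2100,150000
1035410470,ws-17,198.51.100.11,443,1800,98000
1035410530,ws-17,198.51.100.10,443,2400,210000
1035410600,ws-42,198.51.100.20,443,4000000,5000
1035411200,ws-42,198.51.100.20,443,4000000,5100
1035411800,ws-42,198.51.100.20,443,4000000,4900
1035412400,ws-42,198.51.100.20,443,4000000,5000
1035413000,ws-42,198.51.100.20,443,4000000,5000
1035413600,ws-42,198.51.100.20,443,4000000,5000
1035410700,ws-09,198.51.100.30,443,3000000,1000000
1035410800,ws-55,203.0.113.5,22,50000000,100000
"""


def parse_flow(line):
    """Parse one comma-separated record into a Flow."""
    ts, src, dst, dport, bo, bi = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), int(bo), int(bi))


def load_sample():
    """Parse the embedded sample log, skipping blank lines."""
    return [parse_flow(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def aggregate(flows, window=3600, port=443):
    """Sum bytes per (src host, window bucket), keeping only flows to `port`."""
    buckets = defaultdict(lambda: {"out": 0, "in": 0, "flows": 0})
    for f in flows:
        if f.dport != port:
            continue
        b = buckets[(f.src, f.ts // window)]
        b["out"] += f.bytes_out
        b["in"] += f.bytes_in
        b["flows"] += 1
    return dict(buckets)


def find_suspect_uploaders(buckets, max_out_bytes=20_000_000,
                           max_ratio=0.5, min_out_for_ratio=2_000_000):
    """Return (src, bucket, bytes_out, out_ratio) for buckets that look like bulk upload.

    Two assumed rules: absolute outbound volume above `max_out_bytes` per window,
    or an out/(out+in) ratio at or above `max_ratio` once at least
    `min_out_for_ratio` bytes have left. Normal browsing is download-heavy, so
    both conditions are rare for a workstation; tune them to the site's own baseline.
    """
    suspects = []
    for (src, bucket), b in sorted(buckets.items()):
        total = b["out"] + b["in"]
        ratio = b["out"] / total if total else 0.0
        by_volume = b["out"] >= max_out_bytes
        by_ratio = ratio >= max_ratio and b["out"] >= min_out_for_ratio
        if by_volume or by_ratio:
            suspects.append((src, bucket, b["out"], round(ratio, 2)))
    return suspects


if __name__ == "__main__":
    for src, bucket, out, ratio in find_suspect_uploaders(aggregate(load_sample())):
        print(f"{src} window={bucket} bytes_out={out} out_ratio={ratio}")
```

On the sample data the script reports `ws-09` (ratio rule) and `ws-42` (volume rule) and ignores `ws-55` because its traffic is not on 443. The point of the design is that it needs no keys and no payload access: it measures exactly the quantity the post identifies as the channel's real limit.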
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 14:41:59 PDT