Re: Covert Channels

From: Blue Boar (BlueBoarat_private)
Date: Wed Oct 23 2002 - 14:29:09 PDT

Next message: Anton Aylward: "Re: Covert Channels"

Previous message: Timothy J. Miller: "Re: Covert Channels"
Next in thread: Michal Zalewski: "Re: Covert Channels"
Reply: Michal Zalewski: "Re: Covert Channels"
Reply: Anton Aylward: "Re: Covert Channels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Anton Aylward wrote:
> On Wed, 2002-10-23 at 16:34, Blue Boar wrote:
>>The specifics aren't important.  The number of way to implement some 
>>attacks, and the number of ways to bypass an IDS are also infinite.  
> I doubt that, but even if it is so, and IDS is limited to the network
> whereas a convert channel could - as I illustrated - be anything.  It
> cold be whether I leave my blinds open at night.  in this case, the set
> of covert channels is transfinite.

If you want to take covert channels outside of the realm of computer 
networks, there's no reason the concept of an IDS couldn't as well.  The 
airport x-ray IDS is perfectly capable of detecting the midget-in-luggage 
attack.

> 
> Let me make that clear.  An IDS is working with a finite number of
> channels on a bound and finite media, with a bound set of protocols. 
> The messages may be infinite in detail but are enumerable (and actually
> computable) by class.  A covert channel may be one of an infinite number
> of possible mediums, not just the network, with an indeterminate
> protocol.

But who cares?  The question asked was whether it would be possible to make 
a covert channel detector product.  My answer is that you can do as much 
with a covert channel detector as with an IDS.  So your assertion that an 
IDS does less doesn't much affect my statement.

>>You 
>>can make a covert channel detector that is as much of a "success" as an IDS 
>>product.  Just because it's always possible to bypass an IDS, or virus 
>>scanner, etc.. does not mean the product has no value.
> Not so.
> Bypassing an IDS is one of two ways:
>    1) it doesn't know the pattern - limit to the IDS
>    2) you didn't set it up right, which may be architectural.

Those aren't the only ways to bypass an IDS.  But again, what does that 
have to do with an IDS having value?

> What you are asking for in a CoChDS is an "intelligence".  

No, what I'm saying is that you can make a "product" that checks for any 
number of known network-based covert channels, and you'll have something 
that is of some utility.

					BB

Next message: Anton Aylward: "Re: Covert Channels"
Previous message: Timothy J. Miller: "Re: Covert Channels"
Next in thread: Michal Zalewski: "Re: Covert Channels"
Reply: Michal Zalewski: "Re: Covert Channels"
Reply: Anton Aylward: "Re: Covert Channels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 14:47:46 PDT