I understand what you say, to build something that detects patterns from known covert channel tools, and I think it is possible "with some". I worry though that some types of covert channels (for example the ones relying on timing) can't be efficiently detected without prompting a high number of false positives, and maybe this is what Michal is also worried about, since this is different from IDS and AV: with some covert channels you will be able to send information in an unauthorized form through an authorized channel and protocol.

For example, suppose there is a covert channel tool (and I think it does exist, I can't remember the name though) where I send messages out of my machine to a web server that constantly changes address and DNS name (to reduce repetition of that pattern) through the initial sequence number while establishing a TCP communication. Suppose we already know that this tool does not define a particular "dialect" so that you could match it to a pattern (say for example that you send an initial sequence number of 1000 if it is yes and 2000 if it is no). In this case, if the user is able to select any number and arbitrarily assign any meaning to each number, I think it is extremely difficult to detect (I mean, to detect it you have to match it against something, right?).

Have you already thought of any way to build a tool to reduce this? The question here is also whether the number of CC tools out there whose activity can be matched against a pattern is big enough for the effort of building the tool, and how long it will be before more advanced CC tools appear that are not detectable. If I did not misunderstand Michal, this is what he is referring to about requiring "intelligence" in order to detect this kind of advanced CC tools. An alternative idea for developing a tool would be developing a service (supported by a tool) where some kind of experts analyze the traffic flow.

Now, I also doubt this would be practical, apart from being extremely expensive, and maybe only some organizations such as the NSA might see some benefit in implementing this (and this sounds to me more like intelligence/counterintelligence activity than simple information security work). Probably in more years, for some specific environments where high confidentiality is required, this service might be profitable, but I wouldn't bet on it :-).

Just some thoughts,

Omar Herrera

-----Original Message-----
From: Blue Boar [mailto:BlueBoarat_private]
Sent: Wednesday, October 23, 2002 02:51 p.m.
To: Michal Zalewski
Cc: Jose Nazario; Frank Knobbe; vuln-devat_private
Subject: Re: Covert Channels

Michal Zalewski wrote:
>
> Exploit author can do his best to fool most popular IDSes, and vendors can
> easily update to cover this attack mechanism, fragmentation or obfuscation
> scheme. No biggie. If the model of acceptable traffic is lacking, it has
> to be refined, and in most cases, there's a way to do it without catching
> too much valid traffic.

All I'm saying is that a covert channel detector can do as well as IDS' do today, which means basically catching some set of known stuff. IDS' don't catch everything, and they have utility.

All you have to do is write a program that checks to see if ICMP echo request and reply packets match the dozen or so different ping implementations, and if not, then flag it. There, you've got a program that catches *some* covert channel action. You might even be able to make a commercial product out of it.

Just because some (most?) covert channels won't be detected doesn't mean that you should give up trying to spot the known ones. Otherwise, IDS' and virus scanners are useless too, because they can always be bypassed. Some people may think that they *are* useless, given their needs or environment, which is why I said "If someone thinks an IDS is useful ... then there is no reason to think a covert channel detector wouldn't be useful for the same reason."

BB
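As an added illustration (not code from anyone in this thread), the kind of "does this echo packet look like a stock ping?" check Blue Boar describes, written in Python: the two payload fingerprints (a Windows-style 32-byte alphabet payload and an iputils-style timestamp-plus-offset payload) and the sample packets are constructed assumptions for the example, not an authoritative table of ping implementations.

```python
import struct

# Constructed fingerprints for two common ping implementations (assumed for this
# illustration; a real deployment would build the table from captured traffic).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32-byte alphabet pattern
IPUTILS_TS_LEN = 16  # iputils-style: timestamp prefix, then byte i == i

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def matches_iputils(payload: bytes) -> bool:
    return len(payload) > IPUTILS_TS_LEN and all(
        payload[i] == (i & 0xFF) for i in range(IPUTILS_TS_LEN, len(payload)))

def classify(packet: bytes) -> str:
    """'malformed', 'not-echo', 'known:<impl>', or 'unknown' (flag for review)."""
    if len(packet) < 8:
        return "malformed"
    if packet[0] not in (0, 8):  # only echo request/reply are fingerprinted
        return "not-echo"
    payload = packet[8:]
    if payload == WINDOWS_PAYLOAD:
        return "known:windows"
    if matches_iputils(payload):
        return "known:iputils"
    # Unknown is not proof of a covert channel: custom pattern options and other
    # ping implementations land here too (the false-positive trade-off in the thread).
    return "unknown"

# Constructed sample traffic: two stock-looking pings and one echo carrying bytes
# that no fingerprinted implementation would produce.
SAMPLES = {
    "windows": build_echo(8, 1, 1, WINDOWS_PAYLOAD),
    "iputils": build_echo(8, 0x1234, 1, b"\x00" * 16 + bytes(range(16, 56))),
    "suspicious": build_echo(8, 0x1234, 2, b"not a stock ping payload"),
}
```

Note that a payload copied from a stock ping passes this check unchanged, so data hidden in identifier, sequence number or timing is exactly the class this pattern matching cannot see, which is Omar's point about channels with no fixed dialect.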
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 16:16:01 PDT