On 23 Oct 2002, Frank Knobbe wrote:

> As you said, a covert channel is comprised of valid data. But, doesn't
> that valid data have some properties that could characterize it as a
> possible covert channel?
>
> I think it was Jose who used the example of a rogue broker accessing
> websites in a certain order. While valid traffic, shouldn't it be
> possible to detect that behavior?

Do you know what's the correct order a person should view websites in? =)

No, it's pretty much impossible to detect a good channel like this. When you try to go too far and build a model of how a user is supposed to behave, then:

- you get more false positives, because users of course aren't computer programs and do not follow your expectations precisely,

- the attacker has to get closer to mimicking a real user, which may decrease his effective bandwidth, since the format has to be more strict and communication has to occur less often to remain undetected.

> Not on first occurrence of course, such a covert channel detector would
> have to watch traffic for a while.

Not really. If there are serious amounts of data being transferred day and night, yes. But if it's just a small amount of data sent every two-three days by visiting www.homepages.org/~jenny/ and clicking on several subpages - how can you tell that the backdoor, and not the user, is visiting this page from time to time and sending a few bytes - such as a new password captured with the sniffer? You may say "because those requests would differ from what Netscape launched by a user does" - but they do not have to be...

--
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2002-10-23 18:41 --
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 16:42:42 PDT
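The trade-off argued in the message above, as an added example that is not part of the thread or of Michal's post: a toy behavioural detector run over constructed proxy log lines. The log format, the client addresses, the 30-minute session rule and both thresholds are assumptions made for this sketch; the host name is the one the mail uses. It also carries the "less often, stricter format" remark through to a number, using the textbook bound that the order of n distinct page visits can encode at most log2(n!) bits per session.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed log lines (assumed format): "<ISO timestamp> <client> <host> <path>".
# 10.0.0.5 is an ordinary user who reads jenny's pages every couple of days;
# 10.0.0.7 fetches the same pages on a similar schedule and stands in for the
# low-rate channel the mail describes. Nothing in the traffic separates them.
SAMPLE_LOG = """\
2002-10-01T09:12:00 10.0.0.5 www.homepages.org /~jenny/
2002-10-01T09:13:10 10.0.0.5 www.homepages.org /~jenny/photos.html
2002-10-03T19:40:00 10.0.0.5 www.homepages.org /~jenny/
2002-10-03T19:41:30 10.0.0.5 www.homepages.org /~jenny/links.html
2002-10-06T08:05:00 10.0.0.5 www.homepages.org /~jenny/
2002-10-06T08:06:00 10.0.0.5 www.homepages.org /~jenny/diary.html
2002-10-02T11:00:00 10.0.0.7 www.homepages.org /~jenny/
2002-10-02T11:01:00 10.0.0.7 www.homepages.org /~jenny/links.html
2002-10-04T12:30:00 10.0.0.7 www.homepages.org /~jenny/
2002-10-04T12:31:00 10.0.0.7 www.homepages.org /~jenny/photos.html
2002-10-07T10:15:00 10.0.0.7 www.homepages.org /~jenny/
2002-10-07T10:16:00 10.0.0.7 www.homepages.org /~jenny/diary.html
"""

SESSION_GAP_SECONDS = 30 * 60  # assumption: requests closer than this form one session


def bulk_lines():
    """Constructed 'day and night' traffic: 10.0.0.9 hits the host every two hours for a week."""
    return "".join(
        f"2002-10-0{day}T{hour:02d}:00:00 10.0.0.9 www.homepages.org /~jenny/p{hour}.html\n"
        for day in range(1, 8)
        for hour in range(0, 24, 2)
    )


def parse_log(text):
    """Return (timestamp, client, host, path) tuples from the toy log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host, path = line.split()
        events.append((datetime.fromisoformat(stamp), client, host, path))
    return events


def session_starts(events, host):
    """Per client, the start time of each session with `host`, in time order."""
    stamps_by_client = defaultdict(list)
    for stamp, client, h, _path in events:
        if h == host:
            stamps_by_client[client].append(stamp)
    starts = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        first = [stamps[0]]
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() > SESSION_GAP_SECONDS:
                first.append(cur)
        starts[client] = first
    return starts


def profile(starts):
    """(sessions per day, coefficient of variation of the gaps between sessions).
    A CV near 0 means almost perfectly periodic visits; None if too few sessions."""
    span_days = max((starts[-1] - starts[0]).total_seconds() / 86400, 1.0)
    rate = len(starts) / span_days
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return rate, None
    mean = sum(gaps) / len(gaps)
    std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return rate, std / mean


def classify(starts, max_rate=4.0, max_cv=0.5):
    """'volume' above the session-rate threshold, 'periodic' for suspiciously
    regular visits, 'normal' otherwise. Thresholds are assumptions for the toy data."""
    rate, cv = profile(starts)
    if rate > max_rate:
        return "volume"
    if cv is not None and cv < max_cv:
        return "periodic"
    return "normal"


def run_detector(text, host="www.homepages.org", **thresholds):
    """Map each client seen talking to `host` to the detector's verdict."""
    return {
        client: classify(starts, **thresholds)
        for client, starts in session_starts(parse_log(text), host).items()
    }


def ordering_channel_bits_per_day(n_pages, sessions_per_day):
    """Upper bound on what the order of n distinct page visits can carry:
    log2(n!) bits per session, times how often a session may occur."""
    return sessions_per_day * math.log2(math.factorial(n_pages))


if __name__ == "__main__":
    log = SAMPLE_LOG + bulk_lines()
    for cv in (0.5, 0.1):
        print(f"max_cv={cv}: {run_detector(log, max_cv=cv)}")
    print("4 pages, one session a day   :", ordering_channel_bits_per_day(4, 1.0), "bits/day")
    print("4 pages, one session per 3 days:", ordering_channel_bits_per_day(4, 1 / 3), "bits/day")
```

The volume rule catches only 10.0.0.9, the case the mail concedes is detectable. The periodicity model is where the argument bites: with the loose threshold it flags both the ordinary user and the low-rate client, and with the tight one it still flags the ordinary user (whose visits happen to be the more regular of the two) while letting the low-rate client through. Moving from one four-page session a day to one every third day cuts the ordering bound from about 4.58 to about 1.53 bits per day, which is the bandwidth cost the message says a careful attacker pays to stay under such a model.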