Re: Covert Channels

From: Michal Zalewski (lcamtufat_private)
Date: Wed Oct 23 2002 - 15:46:48 PDT

    On 23 Oct 2002, Frank Knobbe wrote:
    
    > As you said, a covert channel is comprised of valid data. But, doesn't
    > that valid data have some properties that could characterize it as a
    > possible covert channel?
    >
    > I think it was Jose who used the example of a rogue broker accessing
    > websites in a certain order. While valid traffic, shouldn't it be
    > possible to detect that behavior?
    
    Do you know what the correct order is for a person to view websites in? =)
    No, it's pretty much impossible to detect a good channel like this. When
    you try to go too far and build a model of how the user is supposed to
    behave, then:
    
      - you get more false positives, because users of course aren't
        computer programs and do not follow your expectations precisely,
    
      - the attacker has to get closer to mimicking a real user, which may
        decrease his effective bandwidth, since the format has to be more
        strict and communication has to occur less often to remain
        undetected.
    
    > Not on first occurrence of course, such a covert channel detector would
    > have to watch traffic for a while.
    
    Not really. If there are serious amounts of data being transferred day and
    night, yes. But if it's just a small amount of data sent every two or three
    days by visiting www.homepages.org/~jenny/, and clicking on several
    subpages - how can you tell that it is the backdoor, and not the user,
    visiting this page from time to time and sending a few bytes - such as a
    new password captured with the sniffer? You may say "because those
    requests would differ from what Netscape launched by a user does" - but
    they do not have to be...
    
    -- 
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2002-10-23 18:41 --
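
The channel described in the reply above, as an added example that is not part of the original post and not code by its author: a few bytes (a sniffed password) are carried purely in the order in which the subpages of one site are fetched, one visit every few days. The site, the page names, the client address, the user agent and the log lines are all constructed for the demonstration. Every request is an ordinary GET that a browser would issue; only the ordering carries data, which is why no single request looks any different from a real visit.

```python
import math
import re

# Constructed: the subpages of the hypothetical site. Sender and receiver agree
# on this list (and its order) in advance; it is the only shared secret.
SUBPAGES = [f"/~jenny/page{i}.html" for i in range(8)]
USER_AGENT = "Mozilla/4.79 [en] (X11; U; Linux 2.4.18 i686)"   # constructed


def capacity_bits(npages):
    """Bits one visit can carry when every subpage is fetched exactly once:
    there are n! orderings, so floor(log2(n!)) bits per visit."""
    return int(math.log2(math.factorial(npages)))


def int_to_permutation(value, items):
    """Map an integer in [0, n!) to an ordering of items (Lehmer code)."""
    items = list(items)
    if not 0 <= value < math.factorial(len(items)):
        raise ValueError("value does not fit in one visit")
    ordering = []
    for remaining in range(len(items), 0, -1):
        index, value = divmod(value, math.factorial(remaining - 1))
        ordering.append(items.pop(index))
    return ordering


def permutation_to_int(ordering, items):
    """Inverse of int_to_permutation."""
    items = list(items)
    value = 0
    for item in ordering:
        index = items.index(item)
        value += index * math.factorial(len(items) - 1)
        items.pop(index)
    return value


def encode(data, pages=SUBPAGES):
    """Sender: split data into per-visit chunks, each chunk one page ordering.
    The first chunk is zero-padded at the top so the receiver can rebuild
    the exact integer."""
    width = capacity_bits(len(pages))
    nvisits = -(-len(data) * 8 // width)          # ceiling division
    number = int.from_bytes(data, "big")
    visits = []
    for i in range(nvisits):
        chunk = (number >> ((nvisits - 1 - i) * width)) & ((1 << width) - 1)
        visits.append(int_to_permutation(chunk, pages))
    return visits


def decode(visits, length, pages=SUBPAGES):
    """Receiver: concatenate the per-visit chunks back into the bytes."""
    width = capacity_bits(len(pages))
    number = 0
    for ordering in visits:
        number = (number << width) | permutation_to_int(ordering, pages)
    return number.to_bytes(length, "big")


def visits_to_log(visits, client="10.0.0.5"):
    """Render visits as constructed Common Log Format lines, one visit per
    day. Each line is an ordinary successful GET of a real page."""
    lines = []
    for day, ordering in enumerate(visits):
        for second, path in enumerate(ordering):
            stamp = f"{21 + day:02d}/Oct/2002:09:14:{second:02d} -0700"
            lines.append(f'{client} - - [{stamp}] "GET {path} HTTP/1.0" '
                         f'200 1823 "-" "{USER_AGENT}"')
    return lines


LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[(\d+/\w+/\d+):[^\]]*\] "GET (\S+) HTTP')


def log_to_visits(lines, pages=SUBPAGES):
    """Receiver side (e.g. reading the web server's own access log): group
    requests by day and keep only days on which every subpage was fetched
    exactly once, in the order the requests arrived."""
    by_day = {}
    for line in lines:
        match = LOG_LINE.match(line)
        if match and match.group(2) in pages:
            by_day.setdefault(match.group(1), []).append(match.group(2))
    return [paths for paths in by_day.values() if sorted(paths) == sorted(pages)]


if __name__ == "__main__":
    secret = b"Tr0ub4d0r"                     # constructed: a sniffed password
    visits = encode(secret)
    log = visits_to_log(visits)
    print(f"{len(visits)} visits x {len(SUBPAGES)} pages "
          f"({capacity_bits(len(SUBPAGES))} bits per visit) carry {len(secret)} bytes")
    for line in log[:len(SUBPAGES)]:
        print(line)
    assert decode(log_to_visits(log), len(secret)) == secret
```

With eight subpages a visit carries 15 bits, so a nine-byte password needs five visits, or about two weeks at the "every two or three days" rate from the post. The bandwidth argument in the reply falls straight out of `capacity_bits`: a detector that insists on a narrower notion of normal browsing (fewer pages per session, sessions further apart) forces the attacker to use fewer pages or wait longer, which shrinks the channel but never closes it, while every constraint it adds is one more way a real user can trip it.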
    



    This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 16:42:42 PDT