On 23 Oct 2002 17:11:56 -0400, Anton Aylward wrote:
>Let me make that clear. An IDS is working with a finite number of
>channels on a bound and finite media, with a bound set of protocols.
>The messages may be infinite in detail but are enumerable (and actually
>computable) by class. A covert channel may be one of an infinite number
>of possible mediums, not just the network, with an indeterminate
>protocol.

I'm not clear what you see as infinite. If we're still just talking about a single IP link (and not any physical signals like whether I'm waving a flag out of the window), then there's still a finite number of channels (on a bound and finite media, with a bound set of protocols) when it comes to covert channels. If you're concerned about the timing then it isn't an issue: if the CPU on the host sending covert data clocks at 1 GHz, then it can't make subtle timing differences any finer than 1 / 10^9 seconds. (In any case timing can be a part of an attack sequence which an IDS might detect. In extreme cases, timing could be the /only/ difference between valid data and an attack. So it's no more infinite in covert channels than it is in intrusion detection.)

Let me give an example. I have a wire with a switch at one end and a bulb at the other. You can flick the switch, the bulb comes on, flick it the other way and it's off. But it will only turn on or off on second boundaries. This mimics a (slow) IP link. I can transmit a finite amount of data down it (in finite time), so how can it have an /infinite/ number of possible mediums, or ways to transmit that data? What I think you could possibly be talking about is the fact that I could for example encode the number pi as the bulb being on and the number e as the bulb being off. Now I can transmit an infinite sequence of digits in a single second. Or have I cheated by pretransmitting the data?
If I tell someone that if I access a certain website at a certain time it means the entire Windows source tree looks like *this*, whereas if I don't it looks like *this* (assume one is correct), then I go to work at Microsoft HQ, look at the source and act accordingly. Have I sent the source code via a covert channel or haven't I? Have I broken the security policy (Windows source code must not leave the Microsoft network) or have I just sent a bit of information? What about if I prearrange bit sequences to represent common C/Windows keywords etc., like void, UINT, #include, and transmit them to make up the source code? At what point is the data actually transmitted?

Forgive my ramblings, but here is the problem: I can encode the smuggled data in almost any way I like. That is, there are finite encodings for my smuggled data, but because I can encode/encrypt it against my prearranged 'one time pad', I can make it impossible to distinguish it from random data, which means I can plausibly deny having transmitted the Windows source code.

Now, if the definition of a covert channel is a communication path that violates the security policy, the security policy is that the Windows source code mustn't leave the Microsoft network, and you allow any kind of communication over the IP link, then you can't be sure you don't have a covert channel. If on the other hand you define a covert channel as the transmission of data via any but the established means (email, ftp etc.) and ignore what is actually being transmitted, then you /can/ go /some/ way towards detecting it (practically now, not theoretically) by looking for differences in network traffic over time. Applications tend to use the same well-trodden paths of any protocol they adhere to, so if there are suddenly more paths being trodden, someone may be doing something they shouldn't.
On Wed, 23 Oct 2002 17:32:06 -0600, Omar Herrera wrote:
>For example, suppose there is a covert channel tool (and I think it does
>exist, I can't remember the name though) where I send messages out of my
>machine to a web server that constantly changes address and DNS name (to
>reduce repetition of that pattern) through the initial sequence number
>while establishing a TCP communication. Suppose we already know that
>this tool does not define a particular "dialect" so that you could match
>it to a pattern (say for example that you send an initial sequence
>number of 1000 if it is yes and 2000 if it is no). In this case, if the
>user is able to select any number and arbitrarily assign any meaning to
>each number I think it is extremely difficult to detect (I mean, to
>detect it you have to match it against something right?).

Here's a good example of what I'm talking about. Suppose we log the ISNs for a while coming from this host and use them to build one of Michal's lovely strange attractor thingies (http://razor.bindview.com/publish/papers/tcpseq.html if you haven't read it). Assume we know what OS the host is running. Over time we'll notice a difference between the observed and expected attractor. If the observed data becomes truly random, then there might be a covert channel but we have no hope of finding out what data is leaking. (If it becomes less random, then we might actually be able to decipher it.)

However, when OSes start using truly random ISN generators we're screwed, because the data is random regardless of whether it's a genuine ISN or a bit of Windows source encrypted against my one time pad. Essentially the same problem as detecting a covert channel over an encrypted link, but not one we can ignore by saying "well, encryption's different, forget that for now". I wonder if there's some way to generate a one time pad in such a way that combined with some data it doesn't look random, but instead looks like it's generated by an OS's RNG as ISNs would be....
Or is randomness really that special?

On 23 Oct 2002 17:53:58 -0500, Frank Knobbe wrote:
>> Do you know what's the correct order a person should view websites in?=)
>
>No, but the order should be pretty much random and unpredictable. But
>wouldn't a covert channel add some static element to it? For example if
>every Friday, three websites gets visited in the same order, that could
>indicate a covert channel, or not?

This is exactly the opposite of what I'm saying :) Every Friday three websites in the same order might represent a different bit of data (see my one time pad). The user/application on the other hand probably has a habit of doing the same things, though any part of that expected traffic that is expected to be truly random represents an undetectable covert channel.

It's a good thread this ;)

- Blazde
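[Added example, not part of the thread or of any of the posters' code.] The ISN-watching idea in Blazde's reply to Omar can be tried out in a few lines: log a host's ISNs, compare the randomness of successive deltas against the baseline you expect for its OS, and flag a host that becomes either more random (OTP-encrypted payload, content unrecoverable) or less random (a fixed 1000/2000 "dialect", structure exposed). The ISN generator model (64000 per connection plus a little jitter), the two covert encodings, the entropy threshold and all function names below are assumptions made for illustration; the (x, y, z) delta triples are the coordinates plotted in Zalewski's paper. Shannon entropy of the delta distribution is used here as a one-dimensional stand-in for eyeballing the attractor's shape.

```python
"""Added example (not from the original thread): a crude ISN-randomness monitor.

Constructed/assumed: the legacy ISN model, the two covert encodings,
the 1-bit entropy tolerance and every function name in this file.
"""
import math
import random
from collections import Counter

MASK32 = 0xFFFFFFFF


def legacy_isns(n, seed):
    """Constructed model of an old-style ISN generator: +64000 per connection
    plus a little jitter, so successive deltas take only ~256 distinct values."""
    rng = random.Random(seed)
    isn = rng.getrandbits(32)
    out = []
    for _ in range(n):
        isn = (isn + 64000 + rng.randint(-128, 127)) & MASK32
        out.append(isn)
    return out


def embed_low16(isns, words):
    """Covert sender: overwrite the low 16 bits of each ISN with a payload word."""
    return [(isn & 0xFFFF0000) | (w & 0xFFFF) for isn, w in zip(isns, words)]


def otp_words(n, seed):
    """Payload already XORed against a prearranged one-time pad: 16-bit words
    indistinguishable from random (constructed here with a seeded PRNG)."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]


def dialect_words(n, seed):
    """Omar's fixed 'dialect': 1000 for yes, 2000 for no (random yes/no stream)."""
    rng = random.Random(seed)
    return [1000 if rng.random() < 0.5 else 2000 for _ in range(n)]


def attractor_points(isns):
    """Delta triples as plotted in Zalewski's paper:
    x[n] = s[n-2]-s[n-3], y[n] = s[n-1]-s[n-2], z[n] = s[n]-s[n-1]."""
    s = isns
    return [((s[n - 2] - s[n - 3]) & MASK32,
             (s[n - 1] - s[n - 2]) & MASK32,
             (s[n] - s[n - 1]) & MASK32) for n in range(3, len(s))]


def delta_entropy(isns):
    """Shannon entropy (bits) of the successive-delta distribution."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    total = len(deltas)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(deltas).values())


def classify(observed, baseline, tolerance=1.0):
    """Compare a watched host's delta entropy with the baseline expected for
    its OS. Both windows must be the same length: entropy grows with samples."""
    assert len(observed) == len(baseline)
    h_obs, h_base = delta_entropy(observed), delta_entropy(baseline)
    if h_obs > h_base + tolerance:
        return "more random than expected"   # channel likely, content unrecoverable
    if h_obs < h_base - tolerance:
        return "less random than expected"   # channel likely, structure exposed
    return "consistent with baseline"


def low16_alphabet(isns):
    """What a watcher can read off a too-regular channel: the distinct
    low-16-bit values the host actually emitted."""
    return sorted({isn & 0xFFFF for isn in isns})


def demo(n=2000):
    baseline = legacy_isns(n, seed=1)        # what we expect from this OS
    host = legacy_isns(n, seed=2)            # the watched host, no channel
    otp_host = embed_low16(host, otp_words(n, seed=3))
    dialect_host = embed_low16(host, dialect_words(n, seed=4))
    return {
        "clean": classify(host, baseline),
        "otp": classify(otp_host, baseline),
        "dialect": classify(dialect_host, baseline),
        "dialect_alphabet": low16_alphabet(dialect_host),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The monitor only ever compares a host with itself over time (same OS, same window length); it says nothing about what is leaking in the OTP case, which is the point of the thread. A generator that really is uniformly random per connection would put the clean baseline at the same entropy as the OTP channel, and classify() would return "consistent with baseline" for both.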
This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 23:14:47 PDT