OSEC

 
From: Mark Crosbie (mcrosbieCUP.HP.COM)
Date: Wed Apr 18 2001 - 12:47:37 CDT


    In message <1366.152.81.11.167.987607159.squirrelwww.loria.fr>, Matthieu Huin
    writes:

    Hi Matthieu,

    >This is why I think the best way to detect a covert channel isn't
    >network-based but host-based IDS: look for a strange, unknown program being
    >launched at startup. If the potentially infected host is also having a lot

    Ahh yes, the mythical "strange, unknown program" is an elusive beast
    to catch, even given an IDS with built-in 20-20 Hindsight (tm) :-)

    Some ideas for covert channels on a host system could be:
    1. The existence/non-existence of a file or directory.
    2. The permission bits on a file/dir.
    3. The file/dir name or a subset of the name.
    4. The fact that a process is/is not running.
    5. The process name of a process.
    6. Percentage of CPU used by a process (e.g. <50%, >50%).
    7. Current process memory footprint (as reported by top).
    8. Number of open file descriptors.
    9. Number of child processes of a given process.
    10. etc etc etc

    Gathering the data on these types of activity or system state is
    relatively straightforward. Kernel audit data, file and directory
    checksums and a kernel statistics profiler will reveal most of the
    state data that could be used for a covert channel.

    But analyzing that data - whew! A misuse detector system would have a
    tough time coming up with rules that were specific enough to detect
    the covert channel and yet would not flood the admin with spurious
    alerts.

    A statistical anomaly detector may detect strange goings on (e.g. files
    reappearing in directories at somewhat predictable intervals), but the
    beauty of a covert channel is that you can reduce the rate of
    information leakage so that it falls far below the noise threshold of
    any anomaly-based IDS.

    Mark.

    --
    Mark Crosbie        	  http://www.hp.com/security/products/ids
    HP Praesidium IDS/9000 Product Architect 
    Hewlett-Packard MS 47 LA        
    19447 Pruneridge Avenue   mcrosbiecup.hp.com
    Cupertino, CA 95014       (408) 447-2308
    

    >of unexpected traffic going back and forth (icmp for Loki, Ack packets for
    >AckCmd, traffic aimed at port 80 although there's no webserver on that host
    >...), then you can almost be sure a covert channel is up.
    >
    >Now, I might be wrong on some points, be nice enough to signal them =)
    >
    >Matthieu Huin
    >Engineering student at the École des Mines de Nancy & DEA in computer science
    >at the Université Nancy II
    >
    >PS: I am working on an application of pattern matching to intrusion
    >detection. A "beta" version of my report is online at
    >http://eleves.mines.u-nancy.fr/~huin/fake/filtres.html. Comments very
    >welcome! (unfortunately the report is in French, sorry ...)
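The detection problem Mark describes above, as an added example that is not part of the original thread or either author's work: a toy host-state anomaly detector for channel #1 in his list (existence/non-existence of a file), run over constructed 0/1 state samples rather than real files. The flip positions, the window size of 20 samples, the k=3 threshold and the payload "Hi" are all assumptions chosen to make the arithmetic checkable by hand.

```python
"""Toy host-state anomaly detector (added example, constructed data only).
A host monitor samples one boolean state ("does file X exist?") at fixed
intervals.  The detector counts 0<->1 flips per window and alerts when a
window exceeds baseline mean + k*sigma.  A chatty sender is caught; the same
sender slowed down hides inside the benign flip rate, as the reply argues."""
import statistics


def trace_from_flips(length, flips):
    """Constructed benign trace: legitimate jobs toggle the state at `flips`."""
    state, out = 0, []
    for i in range(length):
        if i in flips:
            state ^= 1
        out.append(state)
    return out


def with_channel(base, bits, hold, start=0):
    """Simulated sender overlay: XOR each bit into `hold` consecutive samples."""
    trace = list(base)
    for n, bit in enumerate(bits):
        for idx in range(start + n * hold, start + (n + 1) * hold):
            if idx < len(trace):
                trace[idx] ^= bit
    return trace


def transitions_per_window(samples, window):
    """Number of 0<->1 flips observed inside each fixed-size window."""
    return [sum(a != b for a, b in zip(samples[s:s + window], samples[s + 1:s + window]))
            for s in range(0, len(samples) - window + 1, window)]


def detect(baseline, observed, window=20, k=3.0):
    """Indices of windows whose flip count is more than k std devs above baseline."""
    ref = transitions_per_window(baseline, window)
    mu, sigma = statistics.mean(ref), statistics.pstdev(ref) or 1.0
    threshold = mu + k * sigma
    return [i for i, c in enumerate(transitions_per_window(observed, window)) if c > threshold]


# Constructed data: 200 samples, benign flips at irregular (assumed) positions.
BENIGN = trace_from_flips(200, {3, 15, 28, 44, 61, 79, 83, 101, 122, 139, 150, 168, 187, 195})
# Bits of the constructed payload "Hi" (0x48 0x69), MSB first.
BITS = [int(b) for ch in "Hi" for b in format(ord(ch), "08b")]
FAST = with_channel(BENIGN, BITS, hold=2)            # one bit every 2 samples
SLOW = with_channel(BENIGN, BITS, hold=40, start=7)  # one bit every 40 samples

if __name__ == "__main__":
    print("fast channel alerts in windows:", detect(BENIGN, FAST))  # [0, 1]
    print("slow channel alerts in windows:", detect(BENIGN, SLOW))  # []
```

The slow sender still leaks one bit per 40 samples, but its extra flips only lift three windows to a count of 2, which the benign baseline already produces, so a threshold tight enough to catch it would also page on normal activity.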