OSEC

 
From: MA (mixalhs_at_noos.fr)
Date: Thu Oct 17 2002 - 01:19:40 CDT


    kam <kamaversion.net> writes:

    > In order to get a host machine to pull this out of the packet and USE it,
    > you'd have to re-write the IP stack for that machine.

    No. You just need libpcap/Winpcap and a custom program anywhere on the
    path.

    > Then again, if you can insert a new BOX on a
    > network, you probably aren't worried about using such a complicated method
    > of compromising a host.

    Mmmhhh... It reminds me of the endless discussion about the mythical "covert
    channel analysis" in security evaluation criteria.
    This appeared in the Orange Book (TCSEC) and everybody gave the same
    example: a spy leaking information from a classified domain to an
    unclassified one by doing a kind of Morse code with a ps-like command.
    Anyway, the primary goal of the analysis (AVA_CCA in ISO-15408) was
    not to protect against a bad guy (who can record the information in
    /dev/brain and play it back through /dev/mouth) but to disable Trojan
    horses.

    > In a network sense- it's almost even more pointless. A router isn't going to
    > understand whatever hidden commands you've got in any field (IP option, ID,
    > generally unused portions of the TCP header, etc) so they will throw it out.

    We don't want it to _understand_ the code, we just want it to let it
    go through.
    It will be very hard in real life: we have IP filters which may
    rewrite IP ID or TCP ISN, (transparent) application proxies which will
    kill any TCP/IP code, load balancers (which work somewhere between
    layer 3 or 4 and layer 7, and may, or may not, rewrite the source IP
    address) etc.

    > Depending on when you do the actual insertion of your data into the packet,
    > chances are at some point (if not on your machine, up the line) someone's CRC
    > is going to be off and you're going to lose the packet. Keep in mind that
    > not everyone runs the same network appliances, and all stacks (unless
    > intentionally otherwise) act differently.

    Note that our Trojan horse may try several methods and adapt to the
    real network.

    > All in all, a kinda cool concept, but completely pointless.

    I wouldn't be so sure.

    By the way, ISO-15408 defines AVA_CCA.3 "Exhaustive covert channel
    analysis". AFAIK, this is science fiction. Does anybody have a silver
    bullet?
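To make the point about IP filters concrete, here is an added toy model in Python (not code from the thread or from any project it names): two bytes ride in each packet's IP Identification field, a libpcap-style observer reads them back, and a normalizing filter that rewrites the field, as the reply says real IP filters may, leaves nothing recoverable. The header layout, the message and the filter are constructed for the example.

```python
import random
import struct

# Constructed 20-byte IPv4 header (no options, zero checksum); only the
# Identification field at bytes 4-5 matters for this demonstration.
def make_ip_header(ident: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def ip_id(header: bytes) -> int:
    return struct.unpack("!H", header[4:6])[0]

def hide_in_ip_id(message: bytes) -> list:
    """Sender side of the channel the thread talks about: two message bytes
    per packet in the Identification field (zero-padded to an even length)."""
    padded = message + b"\x00" * (len(message) % 2)
    return [make_ip_header(struct.unpack("!H", padded[i:i + 2])[0])
            for i in range(0, len(padded), 2)]

def recover_from_ip_id(headers: list) -> bytes:
    """Receiver side: a passive observer anywhere on the path reads the field
    back, no stack rewrite needed. Trailing padding is stripped, so a message
    that itself ends in NUL bytes would lose them."""
    return b"".join(struct.pack("!H", ip_id(h)) for h in headers).rstrip(b"\x00")

def scrub_ip_id(headers: list, rng: random.Random) -> list:
    """Constructed model of a normalizing filter that rewrites IP ID in transit
    (OpenBSD pf's random-id scrub option does this for real). Every packet
    leaves with a fresh random Identification, so the encoded bytes are gone."""
    return [h[:4] + struct.pack("!H", rng.getrandbits(16)) + h[6:] for h in headers]

def channel_survives(message: bytes, filtered: bool, seed: int = 1) -> bool:
    """True if the receiver gets the original message back after the path."""
    stream = hide_in_ip_id(message)
    if filtered:
        stream = scrub_ip_id(stream, random.Random(seed))
    return recover_from_ip_id(stream) == message

if __name__ == "__main__":
    msg = b"hello"
    print("unfiltered path:", channel_survives(msg, filtered=False))   # True
    print("behind scrubbing filter:", channel_survives(msg, filtered=True))  # False
```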