From: MA (mixalhs_at_noos.fr)
Date: Thu Oct 17 2002 - 01:19:40 CDT
kam <kam aversion.net> writes:
> In order to get a host machine to pull this out of the packet and USE it,
> you'd have to re-write the IP stack for that machine.
No. You just need libpcap/WinPcap and a custom program anywhere on the
path.
> Then again, if you can insert a new BOX on a
> network, you probably aren't worried about using such a complicated method
> of compromising a host.
Mmmhhh... It reminds me of endless discussion about the mythical "covert
channel analysis" in security evaluation criteria.
This appeared in the Orange Book (TCSEC) and everybody gave the same
example: a spy leaking information from a classified domain to an
unclassified one by doing a kind of Morse code with a ps-like command.
Anyway, the primary goal of the analysis (AVA_CCA in ISO-15408) was
not to protect against a bad guy (who can record the information in
/dev/brain and play it back through /dev/mouth) but to disable Trojan
horses.
> In a network sense- it's almost even more pointless. A router isn't going to
> understand whatever hidden commands you've got in any field (IP option, ID,
> generally unused portions of the TCP header, etc) so they will throw it out.
We don't want it to _understand_ the code, we just want it to let it
go through.
It will be very hard in real life: we have IP filters which may
rewrite IP ID or TCP ISN, (transparent) application proxies which will
kill any TCP/IP code, load balancers (which work somewhere between
layer 3 or 4 and layer 7, and may, or may not, rewrite the source IP
address) etc.
> Depending on when you do the actual insertion of your data into the packet,
> chances are at some point (if not on your machine, up the line) someone's CRC
> is going to be off and you're going to lose the packet. Keep in mind that
> not everyone runs the same network appliances, and all stacks (unless
> intentionally otherwise) act differently.
Note that our Trojan horse may try several methods and adapt to the
real network.
> All in all, a kinda cool concept, but completely pointless.
I wouldn't be so sure.
By the way, ISO-15408 defines AVA_CCA.3 "Exhaustive covert channel
analysis". AFAIK, this is science fiction. Does anybody have a silver
bullet?
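The reply above points out that IP filters which rewrite the IP ID field (and the quoted poster's remark that a modified header makes "someone's CRC" go off) are what break a header-field channel in practice. As an added illustration, not code from the thread or from any of the products mentioned, here is a minimal IPv4 "scrubber": it replaces the Identification field and recomputes the RFC 791 header checksum, and shows that a rewrite without the recompute leaves a packet that fails validation. The sample header (addresses, ID value) is constructed for the example.

```python
import secrets
import struct
from typing import Optional

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the bytes given (16-bit words)."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_ok(packet: bytes) -> bool:
    """A correct header sums to zero when the stored checksum is included."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0

def get_ip_id(packet: bytes) -> int:
    return struct.unpack_from("!H", packet, 4)[0]

def scrub_ip_id(packet: bytes, new_id: Optional[int] = None) -> bytes:
    """Return a copy with the IP ID replaced (random if not given) and the
    header checksum recomputed, as a normalising filter must do."""
    ihl = (packet[0] & 0x0F) * 4
    if new_id is None:
        new_id = secrets.randbelow(0x10000)
    hdr = bytearray(packet[:ihl])
    struct.pack_into("!H", hdr, 4, new_id)
    struct.pack_into("!H", hdr, 10, 0)      # zero the checksum field first
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_ipv4_header(ip_id: int, payload_len: int = 0) -> bytes:
    """Constructed sample: v4, IHL 5, DF set, TTL 64, proto TCP,
    192.0.2.1 -> 198.51.100.2 (documentation addresses)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                                ip_id, 0x4000, 64, 6, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    pkt = build_ipv4_header(0x4142, 7) + b"payload"
    out = scrub_ip_id(pkt)
    print(hex(get_ip_id(pkt)), "->", hex(get_ip_id(out)), checksum_ok(out))
```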