From: Ofir Arkin (ofir_at_sys-security.com)
Date: Fri Oct 18 2002 - 12:04:48 CDT


    Michal,

    Using perfectly legitimate application traffic will always work. I have
    stated that...

    >> All in all you cannot defeat covert channels because there are so many
    >> ways to implement them which the current technology simply lags behind.

    >No, the reason is fundamentally different, which is that there is no way
    >for the machine (or human being, as a matter of fact) to make a clear
    >distinction between the necessary and potentially malicious traffic, since
    >there is no either-or distinction. Any vital and necessary traffic can
    >carry covert information. Period.

    There are protocols which you CAN understand perfectly and for which you
    can distinguish legit from non-legit traffic.

    I bet you are familiar with the concept of Scrubbing. It can also be
    applied not only to traffic going from the inside to the Internet (or
    any other target), but also in the opposite direction (Reverse Scrubber? :P).

    Please note that I was not referring to the IP header but to the ICMP
    part.

    Yours,
    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

    -----Original Message-----
    From: Michal Zalewski [mailto:lcamtuf@dione.ids.pl]
    Sent: Friday, October 18, 2002 3:42 PM
    To: Ofir Arkin
    Cc: Valdis.Kletnieks@vt.edu; 'kam'; 'Jeremy Junginger';
    vuln-dev@securityfocus.com; pen-test@securityfocus.com
    Subject: RE: Covert Channels

    On Fri, 18 Oct 2002, Ofir Arkin wrote:

    > Using covert channels with the ICMP protocol can be defeated if you know
    > what to expect and what your traffic needs to look like.

    Huh? It's perfectly possible to communicate over "good looking" channels
    using subtleties like timing, "acceptable" variations, etc, etc. Same with
    any other protocol - what if you limit outgoing HTTP requests only to two
    documents, /docone and /doctwo, if I can still implement a covert channel
    by requesting them in a specific order, for example? Or by sending
    specific If-Modified-Since, Accept-Encoding, or such... Not feasible?
    Hardly, most covert channels for backdoors and such do not require too
    much bandwidth. Not implemented yet? I'd argue.

    > All in all you cannot defeat covert channels because there are so many
    > ways to implement them which the current technology simply lags behind.

    No, the reason is fundamentally different, which is that there is no way
    for the machine (or human being, as a matter of fact) to make a clear
    distinction between the necessary and potentially malicious traffic, since
    there is no either-or distinction. Any vital and necessary traffic can
    carry covert information. Period.

    --
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2002-10-18 09:39 --
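
The request-ordering channel Michal describes, as an added example that is not part of either message in this thread: an egress filter permits exactly two documents, /docone and /doctwo (the paths come from his message), and every request is individually legitimate, yet the choice of path carries one bit, so the sequence of requests carries a message. The Common Log Format lines, the client addresses and the function names are assumptions made for this example; the log lines are constructed, not captured.

```python
"""Covert channel riding on a two-document HTTP allow-list (added example).
Each permitted request carries one bit through its choice of path, so the
filter sees only legitimate GETs.  Paths /docone and /doctwo come from the
thread; the log format, addresses and function names are assumptions."""
from __future__ import annotations
import re
from typing import Iterable, List

ALLOWED_PATHS = {"/docone", "/doctwo"}       # hypothetical egress allow-list
BIT_FOR_PATH = {"/docone": 0, "/doctwo": 1}  # channel alphabet: 1 bit per request
PATH_FOR_BIT = {0: "/docone", 1: "/doctwo"}


def proxy_allows(path: str) -> bool:
    """The strict filter from the thread: only the two documents may be fetched."""
    return path in ALLOWED_PATHS


def encode(payload: bytes) -> List[str]:
    """Map every bit of payload (MSB first) to the path of one allowed request."""
    return [PATH_FOR_BIT[(byte >> shift) & 1]
            for byte in payload for shift in range(7, -1, -1)]


def transmit(payload: bytes, client: str = "10.0.0.7") -> List[str]:
    """Sender side: push the encoded requests through the filter and return the
    (constructed) Common Log Format lines a proxy or server would record.
    Raises if the filter rejects a request; with this encoding it never does."""
    lines = []
    for i, path in enumerate(encode(payload)):
        if not proxy_allows(path):
            raise PermissionError(path)
        lines.append(f'{client} - - [18/Oct/2002:15:42:{i % 60:02d} +0200] '
                     f'"GET {path} HTTP/1.0" 200 512')
    return lines


LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" \d{3} \d+$')


def decode_from_log(log_lines: Iterable[str], client: str) -> bytes:
    """Receiver side: recover the message from the request ORDER of one client.
    Requests by other clients are ignored; a trailing partial byte is dropped."""
    bits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None or m.group("client") != client:
            continue
        bit = BIT_FOR_PATH.get(m.group("path"))
        if bit is not None:
            bits.append(bit)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


if __name__ == "__main__":
    log = transmit(b"shell?")
    # An innocent second client fetching the same documents does not disturb the receiver.
    log.insert(3, '10.0.0.9 - - [18/Oct/2002:15:42:01 +0200] "GET /docone HTTP/1.0" 200 512')
    print(len(log) - 1, "permitted requests carry:", decode_from_log(log, "10.0.0.7"))
```

Every line the filter logs is a fetch of an allowed document, which is the point of the argument: an allow-list on content cannot see a channel that lives in ordering. The same structure applies to any other degree of freedom the filter leaves open (header values, timing), at whatever bandwidth a backdoor's control traffic needs.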