Vulnerability Development mailing list archives
Re: Covert Channels
From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 23 Oct 2002 13:50:50 -0700
Michal Zalewski wrote:
> The difference is pretty obvious. IDS is supposed to detect known characteristics of _unacceptable_ traffic (signature detection), or unexpected _deviations_ from acceptable patterns (anomaly detection). That makes sense - break-in attempts are an anomaly; there are no cases when a common, valid traffic can also be an attack attempt.
Of course there are. There are a huge number of POP3 clients out there... some of which will fail when given a particular input, some of which will handle it with no trouble. The input is legal, according to some spec, and people sometimes find these bugs by accident.
> All low-level attacks (buffer overflows, etc) can be told from legitimate traffic. There's no legitimate traffic that would look like a valid session - or, if there is, the false positive ratio is marginal. We get bounces because we used the words "i love you" in a mail from time to time, but generally, it's not a concern, and is a result of poor QA, not strategy problems.
There have and will be cases where a buffer of size X is an overflow in one product, and legal and normal in another.
> An exploit author can do his best to fool most popular IDSes, and vendors can easily update to cover this attack mechanism, fragmentation or obfuscation scheme. No biggie. If the model of acceptable traffic is lacking, it has to be refined, and in most cases, there's a way to do it without catching too much valid traffic.
All I'm saying is that a covert channel detector can do as well as IDS' do today, which means basically catching some set of known stuff. IDS' don't catch everything, and they have utility. All you have to do is write a program that checks to see if ICMP echo request and reply packets match the dozen or so different ping implementations, and if not, then flag it. There, you've got a program that catches *some* covert channel action. You might even be able to make a commercial product out of it.
Just because some (most?) covert channels won't be detected doesn't mean that you should give up trying to spot the known ones. Otherwise, IDS' and virus scanners are useless too, because they can always be bypassed. Some people may think that they *are* useless, given their needs or environment, which is why I said "If someone thinks an IDS is useful ... then there is no reason to think a covert channel detector wouldn't be useful for the same reason."
BB
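A detector of the kind described in the post above, as an added example that is not part of the original message: it parses ICMP echo request/reply packets and flags any whose payload matches none of a small, hypothetical table of known ping implementations. The 32-byte alphabet payload of Windows ping is real; the "iputils-like" profile (8-byte timestamp followed by bytes that each increase by one) is an assumption for illustration, and all packets are constructed here rather than captured.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

# Hypothetical profile table, one predicate per known ping implementation.
# Windows ping sends a fixed 32-byte alphabet string. The iputils-like
# entry is an ASSUMPTION for illustration: 8-byte timestamp, then bytes
# that each increase by one. A real table is built from your own captures.
def _is_windows(p):
    return p == b"abcdefghijklmnopqrstuvwabcdefghi"

def _is_iputils_like(p):
    body = p[8:]
    return len(body) >= 8 and all(b - a == 1 for a, b in zip(body, body[1:]))

KNOWN_PROFILES = {"windows-ping": _is_windows, "iputils-like": _is_iputils_like}

def parse_icmp_echo(pkt):
    """Return (type, ident, seq, payload) for an ICMP echo packet, else None."""
    if len(pkt) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    return icmp_type, ident, seq, pkt[8:]

def classify_payload(payload):
    """Name the first matching profile, or 'unknown' if no ping looks like this."""
    for name, matches in KNOWN_PROFILES.items():
        if matches(payload):
            return name
    return "unknown"

def flag_packets(packets):
    """Return (ident, seq, payload_len) for every echo matching no known profile."""
    flagged = []
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        if parsed is None:          # not an echo; out of scope for this check
            continue
        _t, ident, seq, payload = parsed
        if classify_payload(payload) == "unknown":
            flagged.append((ident, seq, len(payload)))
    return flagged

def build_echo(ident, seq, payload, icmp_type=ICMP_ECHO_REQUEST):
    # Constructed test packets; checksum left at zero since it is not verified.
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

SAMPLE_PACKETS = [  # constructed: Windows request, iputils-like reply, oddball
    build_echo(0x0001, 1, b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(0x10, 0x40)), ICMP_ECHO_REPLY),
    build_echo(0x1234, 2, b"\x00" * 8 + b"data-that-no-ping-would-send-0001"),
]
```

Running `flag_packets(SAMPLE_PACKETS)` reports only the third packet; as the post notes, a payload that mimics a known implementation passes, so this catches some covert channels, not all of them.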