Vulnerability Development mailing list archives

Re: Covert Channels


From: Jose Nazario <jose () monkey org>
Date: Thu, 24 Oct 2002 12:35:58 -0400 (EDT)

most of the examples in this thread have focused on spycraft type stuff,
deliberate signalling via communications channels. know also that covert
channels can be an inherent design flaw, not tied to deliberate actions,
such as timing channels. they can reveal as much information, if not more.

as an example, consider the timing attack on cryptography. you can roughly
estimate the size of cryptographic keys by watching processor timings.
this is an information leak, because now you have some sensitive
information about the characteristics of the encryption keys. see "hevia,
a, and kiwi, m, 'strength of two data encryption standard implementations
under timing attacks', ACM transactions on information and systems
security, november, 1999".

consider, also, power consumption analysis of smart cards.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/
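
Added example, not part of the original message: a sketch of the inherent timing channel described above, where the amount of work an operation does depends on the secret key. It uses square-and-multiply modular exponentiation rather than the DES implementations of the cited paper, counts operations as a stand-in for processor time, and all function names, the modulus and the key values are constructed for illustration.

```python
# Illustration only: operation counts model processor time so results are
# deterministic. All names and values here are constructed for the demo.

def modexp_leaky(base, key, mod, bits=16):
    """Square-and-multiply: the multiply runs only when a key bit is 1."""
    result, ops = 1, 0
    for i in reversed(range(bits)):
        result = (result * result) % mod
        ops += 1
        if (key >> i) & 1:              # key-dependent work: the channel
            result = (result * base) % mod
            ops += 1
    return result, ops


def modexp_fixed(base, key, mod, bits=16):
    """Montgomery ladder: one multiply and one square per bit for any key."""
    r0, r1, ops = 1, base % mod, 0
    for i in reversed(range(bits)):
        if (key >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        ops += 2                        # same operation count on both paths
    return r0, ops


def weight_from_ops(ops, bits=16):
    """What an observer learns: the number of 1 bits in the key."""
    return ops - bits


def demo():
    mod, base = 65521, 7                # constructed parameters
    rows = []
    for key in (0x0001, 0x0F0F, 0xFFFF):    # constructed sample keys
        leaky, ops_leaky = modexp_leaky(base, key, mod)
        fixed, ops_fixed = modexp_fixed(base, key, mod)
        assert leaky == fixed == pow(base, key, mod)
        rows.append((key, ops_leaky, weight_from_ops(ops_leaky), ops_fixed))
    return rows


if __name__ == "__main__":
    for key, ops_leaky, weight, ops_fixed in demo():
        print(f"key={key:#06x} leaky_ops={ops_leaky} "
              f"inferred_weight={weight} fixed_ops={ops_fixed}")
```

The fixed version equalises the operation count only; a real implementation also has to keep branches, memory access and big-number arithmetic independent of the key.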

