Mittwoch, 23. Februar 2011

Covert Channels out of date?

Within the last days some "security experts" told me that covert channels are something that was important within the past. I do not agree this. Covert channels are nowerdays more important than they have been ever before.

(Date/Datum: 2008-11-15-23:17, Hits: 1085) While writing and working on my diploma thesis (I cannot talk about the topic until it is finished but after I received my mark (in a few months) I upload a pdf of it) that is focused on some special parts of covert communication, I was just wondering why there are so few people which are interested in covert channels. I also submitted a research paper to a conference (I will not name it here) what was just rejected due to not fully comprehensible arguments (including the "out of date" thing).

On a talk about my thesis I gave on Thursday at kempten university of applied science a person of the audience (not a computer scientist and not one of these "security experts", what means that his question does not disqualify himself) asked me why I do reasach on this topic and if the only reason of this is to "hack some PC". I replied that if there is a person (for example in China) that wants to read critical news about the local government via internet, this person will maybe get into jail if someone will notice this. But if he uses covert communication, he will stay much safer!

I am sure that the importance of covert communication will increase within the next decades! At least it will increase in combination with cryptologic techniques.



Von: Dave Howe
of course - but while many people no doubt design and use covert channels, and would love objective (and informed) evaluations of its performance and detectability, such discussion instantly reduces the covertness of the channel...

as an example, I have a utility I wrote here that acts as a port forwarder - running on an arbitrary port, it listens for inbound connections, and then in turn opens a second connection to another instance of itself (again, on an arbitrary port) whose location is defined in the config of the forwarder. If the source IP is one for which it holds a message, then encoded in the sequence number increments during the tcp conversation will be the message; once all traffic held for that IP is passed, it reverts to random offsets in keeping with good practice.

externally, nothing much is visible - a packet capture will show a normal tcp transaction or transactions of some generic type (I usually forward to a webserver) and the message itself (once extracted from the header info) is not encrypted (although it is arbitrary binary data so could be externally encrypted). There are (at least) two downsides.

First, the channel itself is relatively slow - one byte per packet, with the first few packets constituting overhead. MTU is used to shrink the packet size down to increase traffic, for this reason (and to reduce messages being lost if non-proxied connections occur). The second is.. I just posted about it to a public webserver, so anyone interested in why a webserver is only accepting an MTU of 512 bytes is going to be looking at header fields to decode them...... (obviously, this was a toy to illustrate a method, and is not in use, or I wouldn t be disclosing it)

Security Though Obscurity is seldom the answer in any security field, but for covert channels, where even a reasonable suspicion can be considered grounds for at least further investigation (or in repressive countries possibly even rubber hose cryptography , discussing openly what approaches you take is probably not good practice if you are active in that field.

Keine Kommentare:

Kommentar veröffentlichen