At 08:03 AM 05/11/2000 +0530, Udhay Shankar N wrote:
>http://www.firstmonday.dk/issues/issue2_5/rowland/
>
>The TCP/IP protocol suite has a number of weaknesses that allow an attacker
>to leverage techniques in the form of covert channels to surreptitiously
>pass data in otherwise benign packets. This paper attempts to illustrate
>these weaknesses in both theoretical and practical examples.

This is an interesting piece of work and I'm glad that we now have a
"worked example" of how to do steganography just with TCP/IP. For years,
folks have made the theoretical argument that this is possible. It's nice
to have a worked example to point to, the same as it's nice to have the DES
Cracker to show unequivocally that one *can* crack DES.

However, I have three observations and/or quibbles:

First, note that the attacks only work against packet filtering. If the
firewall implements a circuit level or application level gateway, then the
TCP/IP connections get rebuilt at the gateway. This discards the encoded
information. I doubt it's practical for 'stateful inspection' to capture
such things, since they only monitor connection establishment and don't
directly participate in it.

Second, these are not *weaknesses* of TCP/IP. It's not possible to build a
practical protocol without including similar properties. This seems
intuitively obvious from information theory, though I can't immediately
point to a formal workup of it. 

Third, this is not a "covert channel". This is "steganography".

Rowland quotes the TCSEC/Orange Book definition: "any communication channel
that can be exploited by a process to transfer information in a manner that
violates the system's security policy".

Superficially, this definition may seem to match what Rowland is talking
about, but it doesn't match the TCSEC's meaning. His mistake isn't
surprising, because the TCSEC concepts are subtle and poorly articulated.
In particular, the TCSEC only talked about "information transfer" and
"security policy" together in very limited ways. If a "policy" explicitly
allowed any kind of "information transfer" between two domains, then it was
*not* a covert channel. The TCSEC didn't admit the existence of content
filtering policies, so it's not a "TCSEC covert channel" to subvert such a
policy.

It's true that the term "covert channel" has mostly fallen into disuse, and
its traditional meaning is pretty subtle in the context of modern
information security practice. Rowland's usage of the term seems well
intentioned: it isn't a self-serving obfuscation like the abuse of "one
time pad" by snake oil marketeers. But I'd prefer to describe such
things as "steganography" since it's an accurate usage of an existing term.

Rick.

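Rick's first observation is the one a defender can exercise directly: a circuit-level gateway terminates the client's TCP connection and originates a fresh one to the server, so only the application byte stream crosses and whatever the client carried in its own packet headers never reaches the far side. What follows is an added example, not code from this thread or from Rowland's paper: a minimal circuit-level relay on localhost beside an echo server that records which peer it actually talked to. The relay, the echo server, the addresses and the payload are all constructed for this illustration.

```python
"""Circuit-level relay on localhost (constructed example, not from the thread).

A packet filter forwards the client's own segments, headers included. A
circuit-level gateway instead terminates the client's TCP connection and
originates a new one to the server, so only the byte stream crosses.
"""
import socket
import threading


def _pump(src, dst):
    # Copy the application byte stream one way; nothing but payload crosses.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate end-of-stream downstream
        except OSError:
            pass


def _echo(conn):
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def start_echo_server():
    """Echo server that records the peer address of each connection it accepts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # constructed: loopback, OS-chosen port
    srv.listen(5)
    peers_seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listening socket closed
            peers_seen.append(peer)
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, peers_seen


def start_relay(server_addr):
    """Circuit-level gateway: accept, then originate a fresh connection upstream."""
    gw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    gw.bind(("127.0.0.1", 0))
    gw.listen(5)
    upstream_locals = []  # (ip, port) the relay's own stack chose per upstream connection

    def serve():
        while True:
            try:
                client, _ = gw.accept()
            except OSError:
                return
            # The relay's TCP stack builds this connection from scratch: source port,
            # sequence numbers and every other header value are its own, not the client's.
            upstream = socket.create_connection(server_addr)
            upstream_locals.append(upstream.getsockname())
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return gw, upstream_locals


def exchange(relay_addr, payload):
    """Send payload through the relay; return (reply, client's own local address)."""
    with socket.create_connection(relay_addr) as c:
        local = c.getsockname()
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks), local


def demo(payload=b"hello through the gateway"):  # constructed payload
    srv, peers_seen = start_echo_server()
    gw, upstream_locals = start_relay(srv.getsockname())
    try:
        reply, client_local = exchange(gw.getsockname(), payload)
    finally:
        gw.close()
        srv.close()
    return {
        "payload_intact": reply == payload,
        "client_local": client_local,             # what a packet filter would have passed on
        "server_saw": peers_seen[0],               # what the server actually talked to
        "relay_upstream_local": upstream_locals[0],
    }


if __name__ == "__main__":
    print(demo())
```

The server-side record shows the relay's own address and port, not the client's, and the payload arrives unchanged; that is exactly the split Rick describes, where the application data survives the gateway but the client's header values do not.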