Great Circle Associates Firewalls
(October 1994)
 


Subject: Covert Channels
From: Rick Smith <smith @ sctc . com>
Date: Fri, 21 Oct 1994 15:07:14 -0500
To: firewalls @ greatcircle . com

I don't like this line of discussion because we're redefining an
important concept. "Covert channel" means more than a nasty,
unexpected security flaw.

pp> page 5:
pp> Definition 4 - Covert channels are those that "use entities not
pp> normally viewed as data objects to transfer information from one
pp> subject to another."

Yes, this definition is correct, but I question the following
interpretations:

pp> At Baltimore, many vendors from Microsquish on down were pushing C2
pp> and while "C2 in 92" made a nice catch phrase, *every* major attack
pp> I have seen this year from the Panix password sniffing incident to
pp> the Rahul intrusion to the SGI login "help" business has been via
pp> "covert channels" as defined above and not covered by C2
pp> accreditation. If the "Iraqi Printer Attack" had really happened,
pp> it would have been via a covert channel.

I'm not familiar with all of these attacks, but the ones I am familiar
with are _not_ covert channels. The Panix attack was a single program
installed in a sensitive place that took information in packets
("information objects") containing passwords and put it in other
packets ("information objects") for delivery.  If I understand the
Rahul intrusion correctly, the same was true.  The alleged Iraqi
incident can't be a covert channel attack because no information
transfer was involved, just denial of service.

The term is correctly used only in terms of bypassing an immovable
security barrier.  The traditional example is to bypass mandatory
access controls intended to separate classified and unclassified
information.  This is not to say that Covert Channel discussions only
belong in military security contexts.  If an organization has a policy
saying that certain information shall never exist outside a particular
security perimeter, and installs access controls to enforce this
policy independent of user specified access permissions, then we can
start talking covert channels.

In fact, some commercial sites might be using application level
firewalls right now to enforce this sort of mandatory access control.
If so, we might soon see covert channels to try to sneak stuff through
the firewall via signalling tricks instead of via direct FTP or mail.
But that's not what was described here.
