On the Identification of Covert Storage Channels in Secure Systems

A practical method for the identification of covert storage channels is presented and its application to the source code of the Secure Xenix kernel is illustrated. The method is based on the identification of all visible/alterable kernel variables by using information-flow analysis of the implementation-language source code. The method also requires that, after the sharing relationships among the kernel primitives and the visible/alterable variables are determined, the nondiscretionary access rules implemented by each primitive be applied to identify the potential storage channels. The method can be generalized to other implementation languages, and has the following advantages: it helps discover all potential storage channels in kernel code, thereby helping determine whether the nondiscretionary access rules are implemented correctly; it helps avoid discovery of false flow violations and their unnecessary analysis; and it helps identify the kernel locations where audit code and time-delay variables need to be placed for covert-channel handling.
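The three steps the abstract describes (tabulate which kernel variables each primitive can alter or make visible, build the sharing relation between primitives and variables, then apply the nondiscretionary rule to keep only the unmediated alter/view pairs) can be run as a small table-driven analysis. The following is an added example, not the paper's tool and not Secure Xenix code; the primitive names, the variables (`inode_count`, `label_table`, `file_data`, `last_pid`, `nproc`, `lbolt`) and the `mediated` flags are constructed to illustrate the method, and the lattice in `Level` is a plain Bell-LaPadula-style dominance check assumed for the example.

```python
"""Toy shared-resource analysis for potential covert storage channels.

Added example: this is not the paper's tool and not Secure Xenix code. It
models the three steps the abstract describes:
  1. record, per kernel primitive, which kernel variables it can alter and
     which it can view (a variable is "visible" when its value changes
     something the caller can observe, e.g. a return code);
  2. build the sharing relation between primitives and variables;
  3. apply the nondiscretionary rule: an alter/view pair is a potential
     storage channel unless the rule mediates both accesses.
All primitive and variable names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Access:
    variable: str   # kernel variable touched by the primitive
    kind: str       # "alter" or "view"
    mediated: bool  # True if the mandatory access rule is checked on this access


@dataclass(frozen=True)
class Level:
    """A security level in a lattice: classification plus category set (assumed)."""
    clearance: int
    categories: frozenset

    def dominates(self, other: "Level") -> bool:
        return (self.clearance >= other.clearance
                and other.categories <= self.categories)


# Constructed primitive table (hypothetical; not the real Secure Xenix set).
# inode_count: global free-inode counter, altered without a label check and
#   observed through creat's out-of-inodes failure.
# label_table / file_data: attributes of labeled objects; every access is checked.
# nproc: altered by fork/exit but never visible to a caller.
# lbolt: visible but not alterable by any primitive.
PRIMITIVES: Dict[str, List[Access]] = {
    "creat":  [Access("inode_count", "alter", False),
               Access("inode_count", "view", False),
               Access("label_table", "alter", True)],
    "unlink": [Access("inode_count", "alter", False),
               Access("label_table", "alter", True)],
    "stat":   [Access("label_table", "view", True)],
    "read":   [Access("file_data", "view", True)],
    "write":  [Access("file_data", "alter", True)],
    "fork":   [Access("last_pid", "alter", False),
               Access("last_pid", "view", False),
               Access("nproc", "alter", False)],
    "exit":   [Access("nproc", "alter", False)],
    "time":   [Access("lbolt", "view", False)],
}


def sharing_matrix(prims):
    """Step 2: variable -> {"alter": {(primitive, mediated)}, "view": {...}}."""
    matrix = {}
    for name, accesses in prims.items():
        for acc in accesses:
            row = matrix.setdefault(acc.variable, {"alter": set(), "view": set()})
            row[acc.kind].add((name, acc.mediated))
    return matrix


def potential_storage_channels(prims):
    """Step 3: (variable, altering primitive, viewing primitive) triples.

    A pair is dropped only when the rule mediates both sides: then a high
    sender cannot alter a low-labeled object and a low receiver cannot view a
    high-labeled one. Variables that are only altered, or only viewed, never
    appear, which is how the method avoids false flow violations."""
    channels = []
    for var, row in sorted(sharing_matrix(prims).items()):
        for alterer, a_med in sorted(row["alter"]):
            for viewer, v_med in sorted(row["view"]):
                if not (a_med and v_med):
                    channels.append((var, alterer, viewer))
    return channels


def channel_variables(prims):
    """Variables whose accesses are candidate sites for audit code or delays."""
    return sorted({var for var, _, _ in potential_storage_channels(prims)})


def flow_violates(sender: Level, receiver: Level) -> bool:
    """A storage channel from sender to receiver matters only when the lattice
    forbids that flow, i.e. the receiver does not dominate the sender."""
    return not receiver.dominates(sender)


if __name__ == "__main__":
    for var, alterer, viewer in potential_storage_channels(PRIMITIVES):
        print(f"{var}: altered by {alterer}, viewed by {viewer}")
    high = Level(2, frozenset({"crypto"}))
    low = Level(1, frozenset())
    print("high->low violates lattice:", flow_violates(high, low))
```

On the constructed table the analysis reports `inode_count` (altered by `creat` and `unlink`, observed through `creat`) and `last_pid` (altered and observed through `fork`) as potential channels, while the labeled-object attributes drop out because the rule mediates both sides, and `nproc` and `lbolt` drop out because they are only altered or only viewed. Which pairs actually violate policy then depends on the levels of the two subjects, which is what `flow_violates` checks.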
