A modular covert channel analysis methodology for trusted DG/UX™

The covert channel analysis (CCA) approach presented in the paper builds on the subsystem architecture of the DG/UX kernel. The kernel is structured so that each of the elements of the system state is under the control of a single subsystem. That is, these elements can only be referenced or modified by functions of the controlling subsystem; thus, each subsystem can be thought of as an abstract object. In order to make the covert channel analysis task for the Trusted DG/UX kernel more manageable and, in particular, to deal with the Ratings Maintenance Program (RAMP), a modular approach that takes advantage of the subsystem architecture is used. The CCA approach used for analyzing DG/UX is to first perform an SRM analysis for each of the subsystems that contain an exported function directly invoked from one of the system calls. These subsystems are called "peer subsystems". The information from the SRMs for all of the peer subsystems is then used to build the kernel-wide SRM.
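
The composition described above, as an added sketch that is not code from the paper: it takes SRM to mean the shared resource matrix, with R (referenced) and M (modified) entries, merges per-subsystem SRMs into a kernel-wide one, and flags the rows that need review. The subsystem, function, attribute and system call names are constructed, and the merge rule and row test are assumptions about the method, not details given in the abstract.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not DG/UX's real subsystems).
# Per-subsystem SRM: exported function -> {state attribute: "R", "M" or "RM"}
PEER_SRMS = {
    "fs": {
        "fs_create": {"inode_free_count": "RM", "dir_entry": "M"},
        "fs_lookup": {"dir_entry": "R"},
    },
    "proc": {
        "proc_fork": {"proc_slot_count": "RM"},
        "proc_self": {"current_pid": "R"},
    },
}
# System call -> exported peer-subsystem functions it invokes directly.
SYSCALLS = {
    "creat": ["fs.fs_create"],
    "stat": ["fs.fs_lookup"],
    "fork": ["proc.proc_fork"],
    "getpid": ["proc.proc_self"],
}

def build_kernel_srm(peer_srms, syscalls):
    """Merge peer-subsystem SRM columns into one column per system call."""
    kernel = defaultdict(dict)  # attribute -> {syscall: set of "R"/"M"}
    for call, exports in syscalls.items():
        for export in exports:
            subsystem, func = export.split(".")
            for attr, access in peer_srms[subsystem][func].items():
                # Each attribute is owned by one subsystem, so qualify its name.
                cell = kernel[f"{subsystem}.{attr}"].setdefault(call, set())
                cell.update(access)
    return dict(kernel)

def candidate_channels(kernel_srm):
    """Rows with both a modifier and a reader need covert channel review."""
    found = {}
    for attr, row in kernel_srm.items():
        writers = sorted(c for c, acc in row.items() if "M" in acc)
        readers = sorted(c for c, acc in row.items() if "R" in acc)
        if writers and readers:
            found[attr] = (writers, readers)
    return found

if __name__ == "__main__":
    for attr, (w, r) in candidate_channels(build_kernel_srm(PEER_SRMS, SYSCALLS)).items():
        print(f"{attr}: modified by {w}, referenced by {r}")
```

Because each attribute belongs to exactly one subsystem, a change inside one subsystem only requires redoing that subsystem's SRM before rebuilding the kernel-wide matrix.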