## Covert Channels -- Here to stay?

### Cached

### Download Links

- [cmpe.emu.edu.tr]
- [cmpe.emu.edu.tr]
- [chacs.nrl.navy.mil]
- [www.itd.nrl.navy.mil]
- [chacs.nrl.navy.mil]
- DBLP

### Other Repositories/Bibliography

Citations: | 59 - 11 self |

### BibTeX

@MISC{Moskowitz_covertchannels,

author = {Ira S. Moskowitz and et al.},

title = {Covert Channels -- Here to stay?},

year = {}

}

### Years of Citing Articles

### OpenURL

### Abstract

We discuss the difficulties of satisfying high-assurance system requirements without sacrificing system capabilities. To alleviate this problem, we show how trade-offs can be made to reduce the threat of coved channels. We also clarify certain concepts in the theory of covert channels. Traditionally, a coved channel’s vulnerability was measured by the capacity. We show why a capacity analysis alone is not sufficient to evaluate the vulnerability and introduce a new metric referred to as the “small message criterion”.

### Citations

433 | A Note on the Confinement Problem
- Lampson
- 1973
(Show Context)
Citation Context ...made up of different time values corresponding to the same response. A mixed channel 4 is a combination of the two. Even though our definition of storage channel is not de jure identical to Lampson's =-=[12]-=-, it is de facto the same. Our definitions capture the operational differences between storage, timing, and mixed channels. For example, one type of of storage channel is given by Low requesting a res... |

149 |
On channel capacity per unit cost
- Verdú
- 1990
(Show Context)
Citation Context ...sage, is represented by E(T ). The mutual information in units of bits per tick I t (X; Y ) for a DMC is I t (X; Y ) = I u (X; Y ) E(T ) : The capacity in units of bits per tick for a DMC is given by =-=[23]-=- C t = max I u (X; Y ) E(T ) ; (1) maximized as before. Of course, if this is a constant time DMC the value E(T ) is distribution independent and we have our previous formula C t =s\Gamma1 Cu , wheres... |

116 | Security models and information flow
- McLean
- 1990
(Show Context)
Citation Context ...ls' work have attempted to capture ideas similar to ours. The various information flow models such as FM and AFM have concerned themselves with how Low probabilities are independent/dependent of High =-=[14, 9]-=-. A particularly interesting formal model has been put forth by Browne in his Zero Information Finite Sample Theorem [3]. His theorem captures the information theoretic essence of sending a message fo... |

97 |
The Mathematical Theory of Communication (University of Illinois
- Shannon
- 1949
(Show Context)
Citation Context ...m F (!) of f(t) is zero for ! ? W . Furthermore, the signal has an average power P . The output of this channel is the sum of the input signal with independent white noise of power N . Shannon showed =-=[22]-=- that C t = W log ` 1 + P N ' : Therefore, we see that it is wrong to refer to bandwidth or maximum bandwidth as capacity (e.g., [19], [6]) because the bandwidth is a separate characteristic of a cont... |

93 |
Toward a Mathematical Foundation for Information Flow Security
- Gray
- 1992
(Show Context)
Citation Context ...ls' work have attempted to capture ideas similar to ours. The various information flow models such as FM and AFM have concerned themselves with how Low probabilities are independent/dependent of High =-=[14, 9]-=-. A particularly interesting formal model has been put forth by Browne in his Zero Information Finite Sample Theorem [3]. His theorem captures the information theoretic essence of sending a message fo... |

66 | I.S.: A Pump for Rapid, Reliable, Secure Communication
- Kang, Moskowitz
- 1993
(Show Context)
Citation Context ...rom Low to High 1 . Two methods of information flow that do not violate BLP [1] are read-down and blind writeup. However, these methods have practical problems in terms of reliability and performance =-=[11]-=-. As the computing environment becomes more sophisticated, complicated operations are needed and other features, e.g., atomicity, become crucial requirements. One type of high-assurance system is a se... |

41 |
Integrating an object-oriented data model with multilevel security
- Jajodia, Kogan
- 1990
(Show Context)
Citation Context ...gh) to EMPLOYEE (Low) can be used as a covert timing channel by PAY INFO moderating the time at which the acknowledgement (4) is sent to EMPLOYEE. To overcome this security problem, Jajodia and Kogan =-=[10]-=- proposed a message filter that enforces the security policy in multilevel object-oriented systems. Sandhu, Thomas, and Jajodia [21] proposed a covert channel free implementation strategy of this mess... |

36 | Simple Timing Channels
- Moskowitz, Miller
- 1994
(Show Context)
Citation Context ... . Note that, in general, C t is not max Iu (X;Y ) maxE(T ) , see [15]. If we have a timing DMC that is also noiseless then we refer to it as a simple timing channel (STC). These have been studied in =-=[20]-=-. For a STC, I u (X; Y ) is simplysH(X) so C t = max H(X) E(T ) : (For timing channels Cu is not a useful concept and C t is understood.) Even for this very trivial type of timing channel, an exact ca... |

35 |
Finite-State Noiseless Covert Channels
- Millen
- 1989
(Show Context)
Citation Context ...s is a constant time DMC the value E(T ) is distribution independent and we have our previous formula C t =s\Gamma1 Cu , wheres= E(T ) . Note that, in general, C t is not max Iu (X;Y ) maxE(T ) , see =-=[15]-=-. If we have a timing DMC that is also noiseless then we refer to it as a simple timing channel (STC). These have been studied in [20]. For a STC, I u (X; Y ) is simplysH(X) so C t = max H(X) E(T ) : ... |

29 |
The Channel Capacity of a Certain Noisy Timing Channel
- Moskowitz, Miller
- 1992
(Show Context)
Citation Context ... usually the case in covert channel analysis. The choice of alphabets often approximates the actual physical process. This is especially true when the output alphabet is made up of time values, e.g., =-=[18]-=-. In general, the alphabets need not have anything in common. However, if no noise exists in the channel then what the transmitter puts in is what the receiver gets out, and thus the alphabets are ide... |

25 |
A note on the con nement problem
- Lampson
- 1973
(Show Context)
Citation Context ...s made up of di erent time values corresponding to the same response. A mixed channel 4 is a combination of the two. Even though our de nition of storage channel is not de jure identical to Lampson's =-=[12]-=-, it is de facto the same. Our de nitions capture the operational di erences between storage, timing, and mixed channels. For example, one type of of storage channel is given by Low requesting a resou... |

20 |
The limiting behavior of the z-channel
- Golomb
- 1980
(Show Context)
Citation Context ...ctual question of delaying the votes is more complicated and will not be looked at here.) (1 - p) n 1 - (1 - p) n High Low 0 1 0 1 1 Figure 5: Z-Channel This set-up forms what is known as a Z-channel =-=[8]-=-. P (Low = 0 j High = 0) = (1 \Gamma p) n , since all of the other n users must vote to commit; High sending 240 a 0 and Low getting a 1 comes about as the complement of all of the other users voting ... |

10 |
The turing test and non-information flow
- Browne
- 1991
(Show Context)
Citation Context ...ned themselves with how Low probabilities are independent/dependent of High [14, 9]. A particularly interesting formal model has been put forth by Browne in his Zero Information Finite Sample Theorem =-=[3]-=-. His theorem captures the information theoretic essence of sending a message for a limited amount of time. We believe that designing a system that satisfies a model is at least as important as buildi... |

10 |
Security models and information ow
- McLean
- 1990
(Show Context)
Citation Context ...dels' work have attempted to capture ideas similar to ours. The various information ow models such as FM and AFM have concerned themselves with how Low probabilities are independent/dependent of High =-=[14, 9]-=-. A particularly interesting formal model has been put forth by Browne in his Zero Information Finite Sample Theorem [3]. His theorem captures the information theoretic essence of sending a message fo... |

9 | Reductions of a class of Fox-Wright Psi functions for certain rational parameters
- Miller, Moskowitz
(Show Context)
Citation Context ...capacity is difficult. The problem is analogous to finding roots of a polynomial --- an easy task if you do it numerically but a very difficult task if you require closed form solutions for the roots =-=[16, 20]-=-. In general, for timing and mixed channels, the capacity analysis is quite difficult. Capacity Yes, Bandwidth No Now let us leave the arena of covert channels and just look at one very complicated bu... |

8 | The concurrency control and recovery problem for multilevel update transactions in mls systems
- Mathur, Keefe
- 1993
(Show Context)
Citation Context ...l components of highassurance computing. In the following, we show how difficult it is to eliminate totally covert channels in today 's sophisticated high-assurance computer systems. Mathur and Keefe =-=[13]-=- showed that conflicts exist between atomicity and security in the case of multilevel transaction execution [4]. In other words, there may be no concurrency controller that can schedule multilevel tra... |

7 |
The Influence of Delay upon an Idealized Channel’s Bandwidth
- Moskowitz, Miller
- 1992
(Show Context)
Citation Context ...ut signal with independent white noise of power N . Shannon showed [22] that C t = W log ` 1 + P N ' : Therefore, we see that it is wrong to refer to bandwidth or maximum bandwidth as capacity (e.g., =-=[19]-=-, [6]) because the bandwidth is a separate characteristic of a continuous channel and the capacity is in fact a function of the bandwidth! We should not reinvent the wheel and use the standard termino... |

6 |
Analysis of a storage channel in the two-phase commit protocol
- Costich, Moskowitz
- 1991
(Show Context)
Citation Context ...ecture database system (MLS-RA DBS) using the two phase commit protocol (2PC) for atomic commitment results in a storage channel. This is no surprise and its mathematical details have been studied in =-=[5]-=-. We will briefly summarize a simple idealized version of it here. In a MLS-RA DBS, copies of lower data are retained in replicated higher copies. When a particular low user (we will use the term user... |

6 | Supporting timing-channel free computations in multilevel secure object-oriented databases
- Sandhu, Thomas, et al.
- 1991
(Show Context)
Citation Context ...t to EMPLOYEE. To overcome this security problem, Jajodia and Kogan [10] proposed a message filter that enforces the security policy in multilevel object-oriented systems. Sandhu, Thomas, and Jajodia =-=[21]-=- proposed a covert channel free implementation strategy of this message filter in the kernelized architecture [7]. The proposed covert channel free solution is as follows (the heavy blocks in the diag... |

6 |
Toward a mathematical foundation for information ow security
- Gray
- 1992
(Show Context)
Citation Context ...dels' work have attempted to capture ideas similar to ours. The various information ow models such as FM and AFM have concerned themselves with how Low probabilities are independent/dependent of High =-=[14, 9]-=-. A particularly interesting formal model has been put forth by Browne in his Zero Information Finite Sample Theorem [3]. His theorem captures the information theoretic essence of sending a message fo... |

3 |
Secure Computer System: Uni ed Exposition and
- Bell, Padula
- 1976
(Show Context)
Citation Context ...oratory Washington, DC 20375 235 2 Practical High-Assurance Multilevel Systems All multilevel systems require information ow from Low to High 1 . Two methods of information ow that do not violate BLP =-=[1]-=- are read-down and blind writeup. However, these methods have practical problems in terms of reliability and performance [11]. As the computing environment becomes more sophisticated, complicated oper... |

3 |
The Turing Test and non-information ow
- Browne
- 1991
(Show Context)
Citation Context ...ned themselves with how Low probabilities are independent/dependent of High [14, 9]. A particularly interesting formal model has been put forth by Browne in his Zero Information Finite Sample Theorem =-=[3]-=-. His theorem captures the information theoretic essence of sending a message for a limited amount of time. We believe that designing a system that satis es a model is at least as important as buildin... |

2 | Toward a multilevel-secure, best-effort realtime scheduler
- Boucher, Clark, et al.
- 1994
(Show Context)
Citation Context ...ty of the messages goes up, the SMC can be tightened up so we can have trade-offs between security and performance. In other words, distinctions should be made between High and Very High, or Critical =-=[2]-=-. We note that previous formal models' work have attempted to capture ideas similar to ours. The various information flow models such as FM and AFM have concerned themselves with how Low probabilities... |

1 |
Maintaining transaction atomicity in multilevel secure database systems with kernelized architecture
- Costich, Jajodia
- 1993
(Show Context)
Citation Context ...rt channels in today 's sophisticated high-assurance computer systems. Mathur and Keefe [13] showed that conflicts exist between atomicity and security in the case of multilevel transaction execution =-=[4]-=-. In other words, there may be no concurrency controller that can schedule multilevel transactions, and guarantee the atomicity of transactions and security simultaneously. Let us consider the potenti... |

1 |
et el. The seaview security model
- Lunt
- 1990
(Show Context)
Citation Context ...he security policy in multilevel object-oriented systems. Sandhu, Thomas, and Jajodia [21] proposed a covert channel free implementation strategy of this message filter in the kernelized architecture =-=[7]-=-. The proposed covert channel free solution is as follows (the heavy blocks in the diagram represent the message filters): Low High EMPLOYEE WORK_INFO - Name - Weekly_pay - Hourly_rate -SS# -Address -... |

1 |
Private Communication and comments at various meetings
- Morris
(Show Context)
Citation Context ... 15 ticks. Knowing that the capacity is zero does not tell us that we are in a secure situation. The lesson learned from the above example is an important one and its ideas have been discussed before =-=[17]-=-. If one has a very sensitive but short message then the capacity is not a sufficient measure of security. Also we have previously discussed examples such as these with Wittbold [24]. There are many o... |

1 |
Towardamultilevel-secure, best-e ort realtime scheduler
- Boucher, Clark, et al.
- 1994
(Show Context)
Citation Context ...ivityofthe messages goes up, the SMC can be tightened up so we can have trade-o s between security and performance. In other words, distinctions should be made between High and Very High, or Critical =-=[2]-=-. We note that previous formal models' work have attempted to capture ideas similar to ours. The various information ow models such as FM and AFM have concerned themselves with how Low probabilities a... |

1 | Secure Computer System: llnzfied Exposition and Multics Interpretation, MTR-2997. MITRE - Bell, Padula - 1976 |

1 | Analysis of a storage channel in the two-phase commit protocol - ostic, h, et al. - 1991 |

1 | Toward a mathematicalfoundation for information flow security - Gray - 1992 |

1 | S1l:jhil Jodia. Supporting timing-channel free cornput ations in multilevel secure ohject-oriented databases - Sandhu, Thomas - 1992 |

1 | The Matheiriatical Theory of Co?nmunication. I;niversity of Illinois Press - Shannon, Weaver - 1949 |

1 | On channel capacity per unit c.os t . I EEE Trans a c t ions on Inform a t io n Y'h eory - Verdti - 1990 |