## Simple Timing Channels (1994)

Venue: | Proceedings 1994 IEEE Computer Society Symposium on Research in Security and Privacy |

Citations: | 34 - 9 self |

### BibTeX

@INPROCEEDINGS{Moskowitz94simpletiming,

author = {Ira S. Moskowitz and Ira S. Moskowitz and Allen R. Miller and Allen R. Miller},

title = {Simple Timing Channels},

booktitle = {Proceedings 1994 IEEE Computer Society Symposium on Research in Security and Privacy},

year = {1994},

pages = {56--64}

}

### Years of Citing Articles

### OpenURL

### Abstract

the proof of Corollary 1.1 in the actual published paper. We havechanged the bottom index of the second sum from a0toa1. As of Sept. 21, 1994 another typo has been xed. page 60, column 2, beginning of line 9 should read C T(a;a+d) instead of T (a; a + d).

### Citations

556 | Concrete Mathematics
- Graham, Knuth, et al.
- 1989
(Show Context)
Citation Context ... jz n\Gammat j + 1 = X j z t j 1 X n=0 jS n jz n + 1 : These give us the formal equation 1 X n=0 jS n jz n = 1 1 \Gamma P j z t j ; where 1 1\Gamma P j z t j is referred to as the generating function =-=[11]-=- of the power series P 1 n=0 jS n jz n . The above series manipulations and formal equations are valid in the disk about the origin where P 1 n=0 jS n jz n is analytic. Recall the root test for conver... |

421 | A Note on the Confinement Problem
- Lampson
- 1973
(Show Context)
Citation Context ...he time at which Low receives the response that forms the output alphabet. If Low receives different responses, all taking the same amount of time, then we are in the situation of a "storage chan=-=nel" [17]-=-. If Low receives different responses at different times, then the resulting covert channel is termed a mixed channel. We will examine mixed channels in future work. EXAMPLE 1: Say that Low wishes to ... |

176 |
Science and Information Theory
- Brillouin
- 1956
(Show Context)
Citation Context ... = 0. The solution in the interval (1; 2) is the same as the solution in the interval (1; 2) of x n \Gamma x n \Gamma1 x\Gamma1 = 0. Therefore, ! must obey the equation ! = 2 \Gamma 1 ! n , (also see =-=[3]-=-)and because ! is bounded away from 1 we see that ! ! 2 as n ! 1 and hence C ! 1.sNote 3 The above can be extended to mixed channels, or, in general, to finite state discrete noiseless channels (see [... |

147 |
On channel capacity per unit cost
- Verdú
- 1990
(Show Context)
Citation Context ...sion). The mutual information in units of bits per tick for a discrete memoryless channel is I t = I(X; Y ) E(T ) (4) where E(T ) is the mean time for a symbol to be transmitted over the channel, see =-=[25, 26, 28]-=-. Of course, for a STC this reduces to I t = H(X) E(T ) : (Since the channel is memoryless, the distribution on X is stationary; this corresponds to the unconstrained symbol condition mentioned in the... |

93 |
The mathematical theory of communication (University of Illinois
- Shannon, Weaver
- 1949
(Show Context)
Citation Context ...ated [28]. As mentioned, an important measure of the potential damage of a STC is the (channel) capacity. In our studies of STC capacity, we noticed some inconsistencies in the definition of capacity =-=[27]-=-. We discuss this and also offer a novel and simple proof of one of the major theorems concerning the capacity of STC's (and certain communication channels in general), thus providing a firm theoretic... |

66 |
Reducing Timing Channels with Fuzzy Time
- Hu
- 1991
(Show Context)
Citation Context ... bound on capacity will suffice. We have given an example of this in previous work [13]. However, when one institutes system modifications to lessen the capacity of STC's, performance tends to suffer =-=[12, 13]-=-. Therefore, the tighter we can make the capacity bounds, the better. We make a detailed study of both upper and lower bounds by examining the roots of trinomials. Finally, we apply our work to STC's ... |

66 | I.S.: A Pump for Rapid, Reliable, Secure Communication
- Kang, Moskowitz
- 1993
(Show Context)
Citation Context ...crop up on their own, e.g. in the disk arm channel [8], or as in the recent paper by Mathur and Keefe [20]. Further, STC's can be used as capacity bounds for more complicated types of timing channels =-=[13]-=-; i.e. STC's may give a worst case scenario. STC's therefore warrant special attention. Implicit in the study of timing channels is the assumption that Low always receives the same response; it is the... |

62 | An analysis of covert timing channels
- Wray
- 1991
(Show Context)
Citation Context ...for High to interfere with the system response time to an input by Low. Therefore, a timing channel is a communication channel where the output alphabet is constructed from different time values (see =-=[30]-=-). Timing channels with noise and/or memory have been studied by the security community, for example [22]. However, the thrust of this paper is the analysis of timing channels that are discrete, memor... |

38 | On the entropy of context-free languages - Kuich - 1970 |

35 |
Information theory
- Goldman
- 1953
(Show Context)
Citation Context ...e, C is welldefined and bounded from above by log m. Others have gotten around the problem with the ordinary limit versus the limit superior by slightly redefiningsjS n j so that it is non-decreasing =-=[9, 5]-=-. In fact, in [6], where the problem with the ordinary limit is also noted, Csisz'ar goes into a detailed analysis of different measures of jS n j leading to equivalent definitions of capacity. Since ... |

35 |
Finite-State Noiseless Covert Channels
- Millen
- 1989
(Show Context)
Citation Context ...communication channel where the output alphabet is constructed from different time values (see [30]). Timing channels with noise and/or memory have been studied by the security community, for example =-=[22]-=-. However, the thrust of this paper is the analysis of timing channels that are discrete, memoryless, and noiseless. We will call such a timing channel a simple timing channel (STC). From a security v... |

31 |
Fundamentals of Performance Modeling
- Molloy
- 1989
(Show Context)
Citation Context ...nce relation jS n j = X j jS n\Gammat j j + ffi 0n (3) where ffi 0n is the Kronecker delta which is needed to make both sides of the equation equal to one when n = 0. Now let us apply the z-transform =-=[24]-=- to both sides of Equation (3) and we arrive at the formal equations 1 X n=0 jS n jz n = X j 1 X n=0 jS n\Gammat j jz n + 1 X n=0 ffi 0n z n = X j z t j 1 X n=0 jS n\Gammat j jz n\Gammat j + 1 = X j z... |

28 | Basic complex analysis - Marsden, Hoffman - 1987 |

28 |
The Channel Capacity of a Certain Noisy Timing Channel
- Moskowitz, Miller
- 1992
(Show Context)
Citation Context ... between specific users/processes of different security levels. Such covert channels can thwart efforts to prevent higher level information from being accessible to a lower level. Specifically, as in =-=[26]-=-, we consider a multi-user computer system, where there are two specific user/processes designated High and Low. We assume that Bell-LaPadula type security procedures [2] have been set up so that Low ... |

25 |
A note on the con nement problem
- Lampson
- 1973
(Show Context)
Citation Context ...the time at which Low receives the response that forms the output alphabet. If Low receives di erent responses, all taking the same amount of time, then we are in the situation of a \storage channel" =-=[17]-=-. If Low receives di erent responses at di erent times, then the resulting covert channel is termed a mixed channel. We will examine mixed channels in future work. EXAMPLE 1: Say that Low wishes to pl... |

24 |
Channels which transmit letters of unequal duration
- Krause
- 1962
(Show Context)
Citation Context ...::;t k ) . Shannon's original paper used the ordinary limit instead of the limit superior. The ordinary limit does not exist for many channels of interest. Our definition is a restatement of Krause's =-=[15]-=- definition of capacity (see also [29]). The following example shows the problem of using the ordinary limit. EXAMPLE 2: Say that we only have two symbols s 1 and s 2 , and that t 1 = a and t 2 = b. T... |

20 |
A security retrofit of VM/370
- Gold, Linde, et al.
- 1979
(Show Context)
Citation Context ...to measure its potential damage. In fact, the value of the capacity leads to different levels of secure system certification [7]. However, STC's may crop up on their own, e.g. in the disk arm channel =-=[8]-=-, or as in the recent paper by Mathur and Keefe [20]. Further, STC's can be used as capacity bounds for more complicated types of timing channels [13]; i.e. STC's may give a worst case scenario. STC's... |

20 |
The limiting behavior of the z-channel
- Golomb
- 1980
(Show Context)
Citation Context ...re are other users besides High, and Low cannot distinguish them from High, then this transmission is noisy. In fact, if we look at capacity in units of bits/transmission, we simply have the Zchannel =-=[10, 4]-=- (a two symbol channel where one of the symbols is transmitted perfectly). However, the capacity in terms of bits/ms is more complicated [28]. As mentioned, an important measure of the potential damag... |

17 |
Simple Proofs of Some Theorems on Noiseless Channels
- Csiszar
(Show Context)
Citation Context ...e, C is welldefined and bounded from above by log m. Others have gotten around the problem with the ordinary limit versus the limit superior by slightly redefiningsjS n j so that it is non-decreasing =-=[9, 5]-=-. In fact, in [6], where the problem with the ordinary limit is also noted, Csisz'ar goes into a detailed analysis of different measures of jS n j leading to equivalent definitions of capacity. Since ... |

11 |
Fonctions hypergéométriques de plusieurs variables et résolution analytique des équations algébraiques générales, Mémorial des sciences mathématiques CXLV
- Belardinelli
- 1960
(Show Context)
Citation Context ...at the lower bound for any of the cases. 6 Roots of the Trinomial Although many authors have investigated the solutions of algebraic trinomial equation (see the extensive bibliography in Belardinelli =-=[1]-=-), the positive root of Equation (7) may be expressed elegantly by employing Mellin's result [21] and Wright's Psi function. Thus, for real k the positive root of the trinomial equation y N + ky N \Ga... |

9 | Reductions of a class of Fox-Wright Psi functions for certain rational parameters
- Miller, Moskowitz
(Show Context)
Citation Context ...unction in Equation (9) is defined by the series representation 1 \Psi 1 (ff; A); (fi; B); z = \Gamma(fi) \Gamma(ff) 1 X n=0 \Gamma(ff + An) \Gamma(fi +Bn) z n n! : Miller and Moskowitz have shown in =-=[23]-=- that the Wright function 1 \Psi 1 [z] may be expressed in various ways as a finite sum of generalized Gaussian hypergeometric functions when A and B are rational numbers. Hence, setting k = \Gamma1 i... |

8 | The concurrency control and recovery problem for multilevel update transactions in mls systems
- Mathur, Keefe
- 1993
(Show Context)
Citation Context ... Presumably they are limiting themselves to channels with two symbols. If, in fact, High can send more than two symbols the capacity increases. (Keefe and Mathur have noted this problem in later work =-=[14]-=-) Our Corollary 3.1 shows the limits of this increase. Let us examine the Mathur and Keefe delayed reader subtransaction STC in detail. The delayed reader subtransaction STC: In this series of subtran... |

8 |
Variable Noise Effects Upon a Simple Timing Channel
- Moskowitz
- 1991
(Show Context)
Citation Context ...sion). The mutual information in units of bits per tick for a discrete memoryless channel is I t = I(X; Y ) E(T ) (4) where E(T ) is the mean time for a symbol to be transmitted over the channel, see =-=[25, 26, 28]-=-. Of course, for a STC this reduces to I t = H(X) E(T ) : (Since the channel is memoryless, the distribution on X is stationary; this corresponds to the unconstrained symbol condition mentioned in the... |

7 |
Discrete noiseless coding
- Marcus
- 1957
(Show Context)
Citation Context ...lue of I t is the channel capacity. However, for a finite state discrete noiseless channel Shannon states and proves that the maximumvalue of I t is the channel capacity in [27, appendix 4], see also =-=[18]-=-. Krause [15] gave a beautiful proof of the following theorem solely by relying on the inequality log xsx \Gamma 1. Theorem 2 (Shannon) For a STC, maxI t = log !, where ! is the positive root of the c... |

6 |
Analysis of a storage channel in the two-phase commit protocol
- Costich, Moskowitz
- 1991
(Show Context)
Citation Context ...re are other users besides High, and Low cannot distinguish them from High, then this transmission is noisy. In fact, if we look at capacity in units of bits/transmission, we simply have the Zchannel =-=[10, 4]-=- (a two symbol channel where one of the symbols is transmitted perfectly). However, the capacity in terms of bits/ms is more complicated [28]. As mentioned, an important measure of the potential damag... |

3 |
Controlled signalling systems and covert channels
- Wittbold
- 1989
(Show Context)
Citation Context ...ed the ordinary limit instead of the limit superior. The ordinary limit does not exist for many channels of interest. Our definition is a restatement of Krause's [15] definition of capacity (see also =-=[29]-=-). The following example shows the problem of using the ordinary limit. EXAMPLE 2: Say that we only have two symbols s 1 and s 2 , and that t 1 = a and t 2 = b. Take any s 2 Sn , where s consists of c... |

3 |
Secure Computer System: Uni ed Exposition and
- Bell, Padula
- 1976
(Show Context)
Citation Context ...a lower level. Speci cally, asin[26], we consider amulti-user computer system, where there are twospeci c user/processes designated High and Low. We assume that Bell-LaPadula type security procedures =-=[2]-=- have been set up so that Low may not read High's les and High may not write to Low's les. However, it may be possible for High to pass information to Low overacovert channel that unintentionally exis... |

2 |
Zur theorie der trinomischengleichungen
- Mellin
- 1915
(Show Context)
Citation Context ...estigated the solutions of algebraic trinomial equation (see the extensive bibliography in Belardinelli [1]), the positive root of Equation (7) may be expressed elegantly by employing Mellin's result =-=[21]-=- and Wright's Psi function. Thus, for real k the positive root of the trinomial equation y N + ky N \GammaQ \Gamma 1 = 0 ; N ? Q ? 0 (8) is given by y = 1 \Psi 1 ( 1 N ; N \GammaQ N ) ; (1 + 1 N ; \Ga... |

2 |
A security retro t of VM/370
- Gold, Linde, et al.
- 1979
(Show Context)
Citation Context ...h to measure its potential damage. In fact, the value of the capacity leads to di erent levels of secure system certi cation [7]. However, STC's may crop up on their own, e.g. in the disk arm channel =-=[8]-=-, or as in the recent paper by Mathur and Keefe [20]. Further, STC's can be used as capacity bounds for more complicated types of tim56 ing channels [13]; i.e. STC's may give aworst case scenario. STC... |

2 |
Variable Noise E ects Upon a Simple Timing Channel
- Moskowitz
- 1991
(Show Context)
Citation Context ...ssion). The mutual information in units of bits per tick for a discrete memoryless channel is It = I(X; Y ) E(T ) (4) where E(T ) is the mean time for a symbol to be transmitted over the channel, see =-=[25, 26, 28]-=-. Of course, for a STC this reduces to 59 It = H(X) E(T ) : (Since the channel is memoryless, the distribution on X is stationary; this corresponds to the unconstrained symbol condition mentioned in t... |

1 |
Noiseless channels. Problemy Peredachi Informatsii, 6:3--15, October-December
- Csisz'ar
- 1970
(Show Context)
Citation Context ...and bounded from above by log m. Others have gotten around the problem with the ordinary limit versus the limit superior by slightly redefiningsjS n j so that it is non-decreasing [9, 5]. In fact, in =-=[6]-=-, where the problem with the ordinary limit is also noted, Csisz'ar goes into a detailed analysis of different measures of jS n j leading to equivalent definitions of capacity. Since log is an increas... |

1 |
Noiseless channels
- Csiszar
- 1970
(Show Context)
Citation Context ...ed and bounded from above by log m. Others have gotten around the problem with the ordinary limit versus the limit superior by slightly rede ning jSnj so that it is non-decreasing [9, 5]. In fact, in =-=[6]-=-, where the problem with the ordinary limit is also noted, Csiszar goes into a detailed analysis of di erent measures of jSnj leading to equivalent de nitions of capacity. Since log is an increasing f... |