information flow and covert channels november, 2006
TRANSCRIPT
![Page 1: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/1.jpg)
Information Flow and Covert Channels
November, 2006
![Page 2: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/2.jpg)
Objectives
• Understand information flow principles• Understand how information flows can be
identified• Understand the purpose of modeling
information access• Understand covert channels and how to
prevent them
![Page 3: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/3.jpg)
Why Model?• What is an information security model? Why use one?
• “A security policy is a statement that partitions the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states” Bishop, pg. 95
• “A security mechanism is an entity or procedure that enforces some part of the security policy.” Bishop, pg. 98
• “A security model is a model that represents a particular policy or set of policies.” Bishop, pg. 99
Excerpts from Computer Security by Matt Bishop
![Page 4: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/4.jpg)
Examples• Security Policy – e.g. Those described for use in
the military
• Security Model – e.g. Bell La Padula Model
• Security Mechanism – e.g. Virtual memory (page tables) that support access protection checking
or Tagging mechanism that tags all variables with
security access information
![Page 5: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/5.jpg)
Why Formal Models?
• Regulations are generally descriptive rather than prescriptive, so they don’t tell you how to implement
• Systems must be secure– security must be demonstrable --> proofs– therefore, formal security models
• For “real systems” this is not easy to do.
![Page 6: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/6.jpg)
Categories of InfoSec Models
• Two major categories of information security models: – Access Control models: protect access to data*– Integrity Control models: verify that data* is not
changed
* applies to data in storage or in transit
![Page 7: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/7.jpg)
Traditional Models
• Chinese Wall– Prevent conflicts of interest
• Bell-LaPadula (BLP)– Address confidentiality
• Biba– Address integrity with static/dynamic levels
• Information flow– Close “some” covert channels
![Page 8: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/8.jpg)
Bell-LaPadula Security Model
The Bell-LaPadula (BLP) model is about information confidentiality, and this model formally represents the long tradition of attitudes about the flow of information concerning national secrets.
.
![Page 9: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/9.jpg)
Bell – LaPadula - Details• Earliest formal model • Each user subject and information object
has a fixed security class – labels• Use the notation ≤ to indicate dominance• Simple Security (ss) property:
the no read-up property– A subject s has read access to an object iff the class of
the subject C(s) is greater than or equal to the class of the object C(o)
– i.e. Subjects can read Objects iff C(o) ≤ C(s)
![Page 10: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/10.jpg)
Access Control: Bell-LaPadula
Top Secret
Secret
Unclassified
Top Secret
Secret
Unclassified
Read OK
Read OK
Read O
K
![Page 11: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/11.jpg)
Access Control: Bell-LaPadula
Top Secret
Secret
Unclassified
Top Secret
Secret
Unclassified
Read OKRead Forbidden
Read OK
![Page 12: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/12.jpg)
Access Control: Bell-LaPadula
Top Secret
Secret
Unclassified
Top Secret
Secret
UnclassifiedRead OK
Read
Forb
idde
n
Read Forbidden
![Page 13: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/13.jpg)
Bell - LaPadula (2)
• * property (star): the no write-down property
– While a subject has read access to object O, the subject can only write to object P ifC(O) ≤ C (P)
• Leads to concentration of irrelevant detail at upper levels
• Discretionary Security (ds) property If discretionary policies are in place, accesses are
further limited to this access matrix – Although all users in the personnel department can read all
[personnel] documents, the personnel manager would expect to limit the readers of some documents, e.g. file for the Prez !
![Page 14: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/14.jpg)
Access Control: Bell-LaPadula
Top Secret
Secret
Unclassified
Top Secret
Secret
Unclassified
Write OKWrite Forbidden
Write Forbidden
![Page 15: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/15.jpg)
Access Control: Bell-LaPadula
Top Secret
Secret
Unclassified
Top Secret
Secret
Unclassified
Write OK
Write O
K
Write Forbidden
![Page 16: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/16.jpg)
Access Control: Bell-LaPadula
Top Secret
Secret
Unclassified
Top Secret
Secret
UnclassifiedWrite OK
Writ
e O
K
Write OK
![Page 17: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/17.jpg)
Security Models - Biba
• Based on the Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.
• The “dual” of Bell-LaPadula
![Page 18: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/18.jpg)
Integrity Control: Biba
• Designed to preserve integrity, not limit access
• Three fundamental concepts:– Simple Integrity Property – no read down– Star Integrity Property (*) – no write up– No execute up
![Page 19: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/19.jpg)
Integrity Control: Biba
High Integrity
Medium Integrity
Medium Integrity
High Integrity
Medium Integrity
Medium Integrity
Read OKRead Forbidden
Read Forbidden
![Page 20: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/20.jpg)
Integrity Control: Biba
High Integrity
Medium Integrity
Low Integrity
High Integrity
Medium Integrity
Low IntegrityWrite OKWrit
e Forbidden
Writ
e Fo
rbid
den
![Page 21: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/21.jpg)
Basic Security Theorem
• A state transition is secure if both the initial and the final states are secure, so
• If all state transitions are secure and the initial system state is secure, then every subsequent state will also be secure, regardless of which inputs occur.
• This is information flow!
![Page 22: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/22.jpg)
Implementation Question
• What are “all” of the information flows?– Files– Memory– Page faults– CPU use– ?
![Page 23: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/23.jpg)
Information Flow• Information Flow: transmission of
information from one “place” to another. Absolute or probabilistic.
• How does this relate to confidentiality policy?– Confidentiality: What subjects can see what
objects. So, confidentiality specifies what is allowed.
– Flow: Controls what subjects actually see. So, information flow describes how policy is enforced.
![Page 24: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/24.jpg)
Information Flow
• Next: How do we measure/capture flow?– Entropy-based analysis
• Change in entropy flow
– Confinement• “Cells” where information does not leave
– Language/compiler based mechanisms?– Guards
![Page 25: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/25.jpg)
What is Entropy?
• Idea: Entropy captures uncertainty
• If there is complete uncertainty, is there an information flow?
![Page 26: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/26.jpg)
Information Flow – Informal
• What do we mean by information flow?– y = x; // what do we know before & after assignment?– y = x/z;
• A command sequence c causes a flow of information from x to y if the value of y after the commands allows one to deduce information about the value of x before the commands executed.– tmp = x; – y = tmp; – Transitive
![Page 27: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/27.jpg)
Information Flow – Informal
• Consider a conditional statement– if x == 1 then y = 0 else y = 1– what do we know before & after execution? – What about: if x == 1 then y = 0 – No explicit assignment to y in one case
• This is called implicit information flow
![Page 28: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/28.jpg)
Information Flow Models
• Two categories of information flows– explicit – opn’s causing flow are independent
of value of x, e.g. assignment operation, x=y– implicit - conditional assignment
• (if x then y=z)
• Components– Lattice of security levels (L, – Set of labeled objects– Security policy
![Page 29: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/29.jpg)
Information-Flow Model
• Flow relation forms a lattice
• A program is secure if it does not specify any information flows that violate the given flow relation
![Page 30: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/30.jpg)
Security Levels
• Linear– Top secret– Secret– Confidential– Unclassified
• Lattice– Security level– Compartment
![Page 31: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/31.jpg)
Security Level Examples
• Linear– Marking contains the name of the level– Each higher level dominates those below it
• Lattice– Marking contains name of level + name of
compartment (e.g. TOPSECRET OIF)– Only those “read into” the compartment can
read the information in that compartment, and then only at the level of their overall access
![Page 32: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/32.jpg)
Who Can Read What?
• In a linear system?
• In a lattice system?
![Page 33: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/33.jpg)
Universally bounded lattice
• What is a universally bounded lattice?
• “a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set.”
• So, what is a partially ordered set?
![Page 34: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/34.jpg)
What’s a Partial Ordering?
• Partial ordering on a set L is a relation where:– for all a L, a a holds (reflexive)– for all a,b,c L, if a b, b c, then a c
(transitive)– for all a,b L, if a b, b a, then a b
(antisymmetric)
![Page 35: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/35.jpg)
Universally Bounded Lattice
• So, what are least upper and greatest lower bounds?
• Suppose <= is the dominates relation. C is an upper bound of A and B if A <= C and B <= C. C is a least upper bound of A and B if for any upper bound D of A and B, C <= D. Lower bounds and greatest lower bounds work the same way.
• See next example using Bell-LaPadula Model
![Page 36: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/36.jpg)
B-LP Security Level Lattice
• S is the set of all security levels– Suppose the classifications are T, S, U – Suppose the categories are NATO and SIOP. Then
the possible category sets are• {}, {NATO}, {SIOP}, {NATO, SIOP}
– Then S = [ (T, {}), (T,{NATO}), (T,{SIOP}), (T,{NATO,SIOP}), (S, {}), (S,{NATO}), (S,{SIOP}), (S,{NATO,SIOP}), (U, {}) ].
• R dominates, as described for B-LP– Convince yourself that the dominates relation is
reflexive, antisymmetric and transitive.
![Page 37: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/37.jpg)
Bell-LaPadula Example
U,{ }
S,{SIOP}S,{NATO}
T,{ }
T,{NATO,SIOP}
T,{SIOP}T,{NATO}
S,{NATO,SIOP}
S, { }
Least upper bound: T,{NATO,SIOP}
Greatest Lower Bound: U,{ }
![Page 38: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/38.jpg)
End of Lattice modeling discussion
Consider what can be done at compile time and execution time
![Page 39: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/39.jpg)
• Compiler-based – Verifies that information flows throughout a
program are authorized. Determines if a program could violate a flow policy.
• Execution-based– Prevents information flows that violate policy.
• Both analyze code• Execution-based typically requires tracking
the security level of the PC as the program executes.
Recognizing Information Flows
![Page 40: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/40.jpg)
Compiler Mechanisms
• Declaration approach– x: integer class { A,B }– Specifies what security classes of information are allowed in x
• Function parameter: class = argument• Function result: class = parameter classes
– Unless function verified stricter
• Rules for statements– Assignment: LHS must be able to receive all classes in RHS– Conditional/iterator: then/else must be able to contain if part
• Verifying a program is secure becomes type checking!
![Page 41: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/41.jpg)
• Assignments: – x = w+y+z;– lub{w,y,z} x
• Compound Statements:beginx = y+z;a = b+c –x
endlub{y,z} x and lub{b,c,x} a
Examples
![Page 42: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/42.jpg)
int sum (int x class{x}) {int out class{x, out};
out = out + x;
}
What is required for this to be a secure flow?x out and out out
Compiler-Based Mechanisms
![Page 43: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/43.jpg)
• Iterative statements - Information can flow from the absence of execution.while f(x1, x2, …, xn) do
S;
• Which direction are the flows?– from var’s in the conditional stmt thru assignments to
variables in S
• For iterative statements to be secure:1. Statement terminates2. S is secure
3. lub {x1, x2, …, xn } glb {target of an assignment of S}
Compiler-Based Mechanisms
![Page 44: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/44.jpg)
Execution Mechanisms
• Problem with compiler-based mechanisms– May be too strict– Valid executions not allowed
• Solution: run-time checking• Difficulty: implicit flows
– if x=1 then y:=0;– When x:=2, does information flow to y?
• Solution: Data mark machine– Tag variables– Tag Program Counter– Any branching statement affects PC security level
• Affect ends when “non-branched” execution resumes
![Page 45: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/45.jpg)
Data Mark: Example
• Statement involving only variables x– If PC ≤ x then statement
• Conditional involving x:– Push PC, PC = lub(PC,x), execute inside– When done with conditional statement, Pop PC
• Call: Push PC• Return: Pop PC• Halt
– if stack empty then halt execution
![Page 46: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/46.jpg)
Covert Channels
• Covert channels are found in everyday life
• Name some!
![Page 47: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/47.jpg)
Covert Channels
• A path of communication that was not designed to be used for communication
• An information flow that is not controlled by a security mechanism
• Can occur by allowing low-level subjects to see names, results of comparisons, etc. of high-level objects
• Difficult to find, difficult to control, critical to success
![Page 48: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/48.jpg)
Covert Channels• Program that leaks confidential information
intentionally via secret channels.
• Not that hard to leak a small amount of data– A 64 bit shared key is quite small!
• Example channels– Adjust the formatting of output: use the “\t”
character for “1” and 8 spaces for “0”– Vary timing behavior based on key
![Page 49: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/49.jpg)
Definition of convert channel• Definition 1 : A communication channel is covert if it is neither designed
nor intended to transfer information at all• Definition 2 : A communication channel is covert if it is based on
transmission by storage into variables that describe resource states• Definition 3 : Those channels that are a result of resource allocation
policies and resource management implementation• Definition 4 : Those that use entities not normally viewed as data objects
to transfer information from one subject to another• Definition 5 : Given a non-discretionary security policy model M and its
interpretation I(M) in an operating system, any potential communication
between two subjects I(S1) and I(S2) of I(M) is covert if and only if any
communication between the corresponding subjects S1 and S2 of the
model M is illegal in M.
![Page 50: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/50.jpg)
Covert Channels Result From
Sender
Receiver
Legitimate information flow
Unauthorized information flowinformation
encodinginformation
decoding
•Transfer unauthorized information
•Do not violate access control and other security mechanisms
•Available almost anytime
•Result from following conditions
•Design oversight during system or network implementation
• Incorrect implementation or operation of the access control mechanism
•Existence of a shared resource between the sender and the receiver
•The ability to implant and hide a Trojan horse
![Page 51: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/51.jpg)
Covert Channels
client, server and collaborator processes
encapsulated server can still leak to collaborator
via covert channels
![Page 52: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/52.jpg)
Covert storage channel
• Involves the direct or indirect writing to storage location by one process and direct or indirect reading of the storage by another process.
• Example storage mechanisms•Disk space•Print spacing•File naming
SenderSender ReceiverReceiver
Storage area(e.g. disk, memory)
![Page 53: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/53.jpg)
Covert Channels
A covert channel using file locking
![Page 54: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/54.jpg)
Covert timing channel
•Covert timing channel•Signals information to another by modulating its own use of system resource is such way that this manipulation affects the real response time observed by second process.
•Sequence of events•CPU utilization•Resource availability
SenderSender ReceiverReceiverEvent Event Event Event Event
![Page 55: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/55.jpg)
Differential Power Analysis• Read the value of a DES password off
of a smartcard by watching power consumption!
• This figure shows simple power analysis of DES encryption. The 16 rounds are clearly visible.
![Page 56: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/56.jpg)
Covert channel identification:Shared resource matrix (SRM) method
Four steps1. Analyze all Trusted Computing Base primitive operations2. Build a shared resource matrix3. Perform a transitive closure on the entries of the SRM4. Analyze each matrix column containing row entries with either ‘R’ or ‘M’ L : legal channel exists N : one cannot gain useful information from channel S : sending and receiving processes are the same P : potential channel exists
primitives
access
chmod
write
link
mode mode file table
shared global variables
R
RM
RM M
RM
... ... ... ...
R : ReadM : Modify
![Page 57: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/57.jpg)
Covert channel identification: Shared resource matrix (SRM) method
Conditions1. Two or more process must have access to a common resource2. At least One process must be able to alter the condition of the resource3. The other process must be able to sense if the resource has been altered4. There must be a mechanism for initiating and sequencing communications over this channel
AdvantagesCan be applied to both formal and informal specificationsDoes not differentiate between storage and timing channelsDoes not require that security levels be assigned to internal TCP variables
DrawbacksIndividual TCB primitives cannot be proven secure in isolationMay identify potential channels that could otherwise be eliminated automatically by information flow analysis
![Page 58: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/58.jpg)
Covert Channel Mitigation
• Can covert channels be eliminated?– Eliminate shared resource?
• Severely limit flexibility in using resource– Otherwise we get the halting problem– Example: Assign fixed time for use of
resource• Closes timing channel
• Not always realistic– Do we really need to close every channel?
![Page 59: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/59.jpg)
Covert Channel Analysis
• Solution: Accept covert channel– But analyze the capacity
• How many bits/second can be “leaked”
• Allows cost/benefit tradeoff– Risk exists– Limits known
• Example: Assume data time-critical– Ship location classified until next commercial satellite
flies overhead– Can covert channel transmit location before this?
![Page 60: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/60.jpg)
Conclusion
• Have you ever used or even seen a language with security types?
• Why not?
• Under what circumstances would you worry about covert channels?
![Page 61: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/61.jpg)
Back Ups
![Page 62: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/62.jpg)
Formal Definition
• Flow from x to y if H(xs | yt) < H(xs | ys)
• Has the uncertainty of xs gone down from knowing yt?
• Examples showing possible flow from x to y:– y := x
• No uncertainty – H(x|y) = 0
– y := x / z• Greater uncertainty (we only know x for some values of y)
– Why possible?– Does information flow from y to x?
![Page 63: Information Flow and Covert Channels November, 2006](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649c575503460f948fd9f4/html5/thumbnails/63.jpg)
while i < n do
begin
a[i] = b[i]; // S1
i = i + 1; // S2
end;
– List the requirements for this to be a secure flow. May want to draw a lattice.
– Reqt’s for each stmt S1, S2.– Reqt’s for conditional– “Combine” the requirements – See homework
Iteration Example