
Approaches to resolving covert storage channels in multilevel secure systems

Posted on: 1998-09-29
Degree: Ph.D
Type: Dissertation
University: The University of New Brunswick (Canada)
Candidate: Fadlalla, Yahia Ata Hamid
Full Text: PDF
GTID: 1468390014978619
Subject: Computer Science
Abstract/Summary:
The purpose of a "security model" is to provide a basis for determining whether or not a system is secure, and if not, for detecting its flaws. A computer system is said to be secure if it supports the policy of a security model in a demonstrable way. Two users are communicating covertly in such a system if they are communicating through means that violate the interpretation of the supported security model. The Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), the U.S. Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC, the harmonized criteria of France, Germany, The Netherlands, and The United Kingdom), and others have been developed for the analysis of computer systems to ensure that two processes at different security levels cannot directly communicate information in violation of security policies. Despite the guidelines in these criteria along with other techniques, many systems suffer from processes that communicate by means of covert channels.

The competitive edge of many companies and public trust in government institutions can often depend on the security of the information held in databases. Breaches of that security, whether deliberate or accidental, can be profoundly damaging. Therefore, security is a highly topical issue for both designers and users of database systems. Because there is very little experience in building and evaluating trusted multilevel database systems (no multilevel database system available in the market today is rated at the TCSEC B2 security requirement or higher), there are no established guidelines or expositions of exactly what constitutes a database covert channel.

This dissertation refers to covert storage channel elimination methods which help assure that existing covert channels do not compromise a system's secure operation. The dissertation introduces two approaches to resolving covert storage channels. The first approach is a design based on the idea that the true identity of any user in a system is hidden within that system. It resolves covert storage channels whose existence is known or unknown. The second approach is predicated on introducing spurious processes into the system so that the receiver of covert information is left in a predicament: he/she does not know whether the information received is the intended information from the sender process or information from some other process on the system.
Keywords/Search Tags:System, Covert storage channels, Secure, Security, Information, Multilevel