
COVERT-CHANNEL ANALYSIS IN SECURE COMPUTER SYSTEMS

Posted on: 1988-12-26
Degree: Ph.D
Type: Dissertation
University: University of Maryland College Park
Candidate: TSAI, CHII-REN
Full Text: PDF
GTID: 1478390017957768
Subject: Engineering
Abstract/Summary:
A computer system is said to be secure if it supports the policies of a security model in a demonstrable way. Communication between two users in such a system is said to be covert if such communication is prohibited by the supported security model. Covert communication channels use system variables that cannot be included as the system's data objects to transfer information. Covert communication channels must be identified, analyzed, and handled because information can be leaked through these channels despite the system's support of a sound security model.

Information flow analysis must be applied to the source code to identify all covert channels, and not to top-level system specifications as is currently practiced. A new method for the identification of covert storage channels in source code has been developed. The method can identify all storage channels in a computer system and can be automated. It has been applied to the kernel and trusted processes of Secure Xenix* and has led to the discovery of 24 types of storage channels.

Covert-channel handling is based either on the elimination of covert channels, whenever possible, or on delay placement within each channel to lower its bandwidth under a predetermined value. The placement of large delay values, unrelated to the actual bandwidth degradation under different system and program behavior, is inadequate because it causes unnecessary performance degradation for the entire system. Accurate bandwidth and delay computation is, therefore, necessary for appropriate covert-channel handling.

A Markov model has been developed to compute the maximum bandwidth of the identified covert storage channels under different system loads. Formulas for computing the maximum bandwidth and, implicitly, the minimum necessary delay have been derived.

A tool for maximum bandwidth computation, and for the computation of the maximum bandwidth degradation, under different system loads has been developed in Lisp on the Unix† BSD 4.3 operating system. The factors affecting the bandwidth degradation in Secure Xenix, and the minimum delay for storage channels, have been identified using this tool. They are the number of users in the system and their "think times." However, the noise introduced by unconfined processes does not degrade the covert-channel bandwidth significantly.

* Xenix is a trademark of Microsoft, Inc.
† Unix is a trademark of AT&T Bell Laboratories.
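As an added illustration (not the dissertation's model, formulas or Lisp tool), the following Python sketches a simplified Markov chain in the spirit of the abstract: competing users alternate between think time and being ready, the covert sender and receiver contend with them for the scheduler, and the maximum channel bandwidth and the minimum per-bit delay needed to stay under a limit are derived from the chain's stationary distribution. The chain's structure and every parameter name (p_wake, tick_s, limit_bps) are assumptions made for this example.

```python
from math import comb

def covert_channel_model(n_other: int, p_wake: float, tick_s: float):
    """Return (stationary distribution, maximum bandwidth in bit/s).

    Constructed, simplified chain: the state k is the number of competing
    users that are ready rather than in their think time.  Each tick, every
    thinking user wakes with probability p_wake (short think time = large
    p_wake), then the scheduler runs one process chosen uniformly among the
    k ready users plus the always-ready covert sender and receiver; a served
    user returns to thinking.  Maximum bandwidth is bounded by the rate at
    which the sender gets scheduled, at one bit per scheduled write."""
    m = n_other
    P = [[0.0] * (m + 1) for _ in range(m + 1)]       # transition matrix
    sender_share = [0.0] * (m + 1)                    # P(sender runs | k)
    for k in range(m + 1):
        for w in range(m - k + 1):                    # w of m-k sleepers wake
            pw = comb(m - k, w) * p_wake ** w * (1 - p_wake) ** (m - k - w)
            ready = k + w
            sender_share[k] += pw / (ready + 2)
            P[k][ready] += pw * 2 / (ready + 2)            # sender/receiver ran
            if ready:
                P[k][ready - 1] += pw * ready / (ready + 2)  # a user ran
    pi = [1.0 / (m + 1)] * (m + 1)
    for _ in range(2000):                             # power iteration
        pi = [sum(pi[i] * P[i][j] for i in range(m + 1)) for j in range(m + 1)]
    sender_rate = sum(pi[k] * sender_share[k] for k in range(m + 1))
    return pi, sender_rate / tick_s

def minimum_delay(bandwidth_bps: float, limit_bps: float) -> float:
    """Smallest extra delay (seconds) inserted per transmitted bit that brings
    the channel's maximum bandwidth down to limit_bps; zero if already below.
    With delay d per bit the bandwidth becomes 1 / (1/bandwidth + d)."""
    if bandwidth_bps <= limit_bps:
        return 0.0
    return 1.0 / limit_bps - 1.0 / bandwidth_bps

if __name__ == "__main__":
    # Constructed scenario: 1 ms scheduler tick, think time ending with p=0.2
    # per tick; the delay needed for a 1 bit/s limit shrinks as load grows.
    for users in (0, 4, 16):
        _, bw = covert_channel_model(users, p_wake=0.2, tick_s=0.001)
        print(f"{users:2d} competing users: max {bw:8.1f} bit/s, "
              f"delay for 1 bit/s limit: {minimum_delay(bw, 1.0):.4f} s")
```

The point the abstract makes shows up directly: the delay that an idle system needs is larger than the delay a loaded system needs, so a single large fixed delay over-penalizes the loaded case.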
Keywords/Search Tags: System, Secure, Covert, Computer, Security model, Storage channels, Maximum bandwidth