Foundations of Computer SecurityLecture 16: Detecting Covert ChannelsDr. Bill YoungDepartment of Computer SciencesUniversity of Texas at AustinLecture 16: 1 Detecting Covert ChannelsFinding Covert Storage ChannelsSenderReceiverModifyattributeReferenceRecall that several conditions must holdfor there to be a covert storage channel:1Both senderand receiver must have accessto some attribute of a shared object.2The sender must be able to modifythe attribute.3The receiver must be able toreference (view) that attribute.4A mechanism for initiating bothprocesses, and sequencing theiraccesses to the shared resource,must exist.Lecture 16: 2 Detecting Covert ChannelsDetecting Covert ChannelsRichard Kemmerer (UC Santa Barbara) introduced the SharedResource Matrix Methodology (SRMM). The idea is to build atable describing system commands and their potential effects onshared attributes of objects.READ WRITE DESTROY CREATEfile existence R M Mfile size R M M Mfile levelR M MAn R means the operation References (provides information about)the attribute under some circumstances. An M means theoperation Modifies the attribute under some circumstances.Note that this works for storage channels, not for timing channels.Lecture 16: 3 Detecting Covert ChannelsA Subtlety of SRMMSuppose you have the following operation:CREATE (S, O): if no object with name O exists anywhere on thesystem, create a new object O at level LS; otherwise,do nothing.For the attribute file existence, should you have an R or not forthis operation or not? Consider this: after this operation, youknow that the file exists. Why?That’s not enough. It’s not important that you know somethingabout the attribute; what’s important is that the operation tellsyou something about the attribute.Lecture 16: 4 Detecting Covert ChannelsWorking with the SRMMSenderReceiverModifyattributeReferenceIf you see an R and M in the same row,that indicates a potential channel. Why?SRMM doesn’t identify covert channels,but suggests where to look for them.Any shared resource matrix is for aspecific system. Other systems may havedifferent semantics for the operations.Lecture 16: 5 Detecting Covert ChannelsCovert Channels and System AnalysisHow might you use this methodology?1Use an access control policy like Bell and LaPadula to controlstandard information flows.2Use a separate technique like Kemmerer’s SRMM to identifycovert channels.3Deal with covert channels by closing them, restricting them,or monitoring them.Lecture 16: 6 Detecting Covert ChannelsLessonsKemmerer’s Shared Resource Matrix Methodology provides asystematic way to investigate potential covert channels.However, using it effectively requires a lot of knowledge aboutthe semantics and implementation of system operations.Covert channel analysis can be used to close some of thesecurity holes of an access control policy like BLP.Next lecture: Non-InterferenceLecture 16: 7 Detecting Covert
View Full Document
Unlocking...