On the Identification of Covert Storage Channels in Secure Systems
June 1990 (vol. 16 no. 6)
pp. 569-580

A practical method for the identification of covert storage channels is presented and its application to the source code of the Secure Xenix kernel is illustrated. The method is based on the identification of all visible/alterable kernel variables by using information-flow analysis of language code. The method also requires that, after the sharing relationships among the kernel primitives and the visible/alterable variables are determined, the nondiscretionary access rules implemented by each primitive be applied to identify the potential storage channels. The method can be generalized to other implementation languages, and has the following advantages: it helps discover all potential storage channels in kernel code, thereby helping determine whether the nondiscretionary access rules are implemented correctly; it helps avoid discovery of false flow violations and their unnecessary analysis; and it helps identify the kernel locations where audit code and time-delay variables need to be placed for covert-channel handling.
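The two steps the abstract describes (record which variables each primitive makes visible or alters, then apply the nondiscretionary access rules to each sender/receiver pair) can be worked through on a toy kernel. The example below is added here and is not the paper's or Secure Xenix's code; its primitives, variables and two-level lattice are constructed, and it shows why a variable mediated by an object label yields no channel while unmediated global kernel state does.

```python
# Added illustration, not the paper's own code or Secure Xenix source.
# Primitives, variables and levels below are constructed for the example.
from itertools import product

LEVELS = ["unclassified", "secret"]          # linear lattice, low to high

def dominates(a, b):
    return LEVELS.index(a) >= LEVELS.index(b)

# Sharing relationships among hypothetical kernel primitives and variables:
# which variables each primitive makes visible (reference) or alters.
SHARING = {
    "sys_create": {"reference": {"inode_table_full"}, "alter": {"inode_table_full", "file_size"}},
    "sys_unlink": {"reference": set(),                 "alter": {"inode_table_full"}},
    "sys_stat":   {"reference": {"file_size"},         "alter": set()},
}
# Labeled variables belong to a labeled object (here: a file); unlabeled ones
# are global kernel state that no access check mediates.
LABELED = {"file_size": True, "inode_table_full": False}

def rule_permits(op, caller, label):
    """Nondiscretionary rule: a reference needs caller >= label (no read up),
    an alteration needs label >= caller (no write down); unlabeled state is unmediated."""
    if label is None:
        return True
    return dominates(caller, label) if op == "reference" else dominates(label, caller)

def potential_storage_channels(sharing=SHARING, labeled=LABELED):
    """Report (variable, altering primitive, referencing primitive) triples where
    a sender can alter what a receiver at a non-dominating level can observe."""
    found = set()
    variables = {v for s in sharing.values() for v in s["reference"] | s["alter"]}
    for var in variables:
        labels = LEVELS if labeled.get(var) else [None]
        alterers = [p for p, s in sharing.items() if var in s["alter"]]
        referencers = [p for p, s in sharing.items() if var in s["reference"]]
        for a, r, hi, lo, lab in product(alterers, referencers, LEVELS, LEVELS, labels):
            if dominates(lo, hi):
                continue                  # flow hi -> lo is permitted by the policy
            if rule_permits("alter", hi, lab) and rule_permits("reference", lo, lab):
                found.add((var, a, r))    # a forbidden flow survives the access rules
    return sorted(found)

if __name__ == "__main__":
    for var, a, r in potential_storage_channels():
        print(f"potential storage channel via {var}: {a} (sender) -> {r} (receiver)")
```

Only the unlabeled `inode_table_full` is reported; `file_size` is cleared because the label checks on alter and reference together force the receiver to dominate the sender, which is the kind of false flow violation the method avoids analysing.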


Index Terms:
identification; covert storage channels; secure systems; source code; Secure Xenix kernel; visible/alterable kernel variables; information-flow analysis; language code; sharing relationships; nondiscretionary access rules; implementation languages; false flow violations; kernel locations; audit code; time-delay variables; covert-channel handling; operating systems (computers); security of data; software engineering.
Citation:
C.-R. Tsai, V.D. Gligor, C.S. Chandersekaran, "On the Identification of Covert Storage Channels in Secure Systems," IEEE Transactions on Software Engineering, vol. 16, no. 6, pp. 569-580, June 1990, doi:10.1109/32.55086