Firewall Wizards mailing list archives

Re: Covert Channels (was dns outbound)


From: "Epstein, Jeremy" <Jeremy_Epstein () NAI com>
Date: Fri, 21 May 1999 09:58:59 -0700

> [...]
> higher grades of security cannot easily be
> retrofitted onto a unix system.

True.  B2 and above (generally) requires designing it in from the beginning,
although there have been a few cases of B2 retrofit (Trusted Xenix, and
AT&T's ultimately unsuccessful effort with UNIX System V ES come to mind).

> defeating covert channels is a requirement of a system that's rated
> "b2".  the other "points" are:

Yes, but even at B1 you need to make a crude effort at identifying them.

> B2
>             formal security policy model
>             device labels
>             DAC and MAC (Message Authentication Code) (fancy checksums)

Actually that's MAC = Mandatory Access Control (bad case of acronym
overload), and it's an access control policy based on classification of
objects (e.g., files) and clearances of subjects (e.g., processes).  As
typically implemented (not the only possible implementation), every process
and every file has a MAC label.  If a process with a "Top Secret" label
tries to read a file with a "Secret" label, that's OK, but if a process with
an "Unclassified" label tries to read the same file it would be rejected,
regardless of file permissions.  [This is a gross simplification, but it's
enough to show that it's not "fancy checksums".]

>             covert channel control
>             more extensive testing
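The MAC-versus-DAC distinction drawn above, as an added example that is not from the original post: a process with a "Top Secret" label may read a "Secret" file, an "Unclassified" process is refused the same file even when its mode bits would allow it, and DAC is consulted only once MAC has passed. The linear level ordering, the optional compartment sets and the owner/other-only DAC model are simplifying assumptions of this example, not something the post specifies.

```python
from dataclasses import dataclass, field

# Assumed ordering of classification levels, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A MAC label: a classification level plus an optional set of compartments (assumed)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A subject may read an object only if its level is at least the
        # object's level and it holds every compartment the object carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_allows_read(process_label: Label, file_label: Label) -> bool:
    """Mandatory check: the process label must dominate the file label."""
    return process_label.dominates(file_label)


def dac_allows_read(uid: int, file_owner: int, file_mode: int) -> bool:
    """Discretionary check on Unix-style mode bits (owner/other only; groups ignored)."""
    if uid == file_owner:
        return bool(file_mode & 0o400)
    return bool(file_mode & 0o004)


def read_decision(uid: int, process_label: Label,
                  file_owner: int, file_mode: int, file_label: Label) -> str:
    """Combine both policies; MAC is evaluated first and cannot be overridden by mode bits."""
    if not mac_allows_read(process_label, file_label):
        return "denied-by-MAC"
    if not dac_allows_read(uid, file_owner, file_mode):
        return "denied-by-DAC"
    return "allowed"


if __name__ == "__main__":
    secret_file = Label("Secret")
    # Constructed sample: world-readable file (mode 0o444) owned by uid 1000.
    print(read_decision(42, Label("Top Secret"), 1000, 0o444, secret_file))   # allowed
    print(read_decision(42, Label("Unclassified"), 1000, 0o444, secret_file)) # denied-by-MAC
```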
