Re: Covert Channels (was dns outbound)

[Andrew Brown <atatat () atatdot net>]

> > higher grades of security cannot easily be
> > retrofitted onto a unix system.
>
> True.  B2 and above (generally) requires designing it in from the beginning,
> although there have been a few cases of B2 retrofit (Trusted Xenix, and
> AT&T's ultimately unsuccessful effort with UNIX System V ES come to mind).

yep.  david curry's book on unix security (1992) covers this topic
rather well.

> > defeating covert channels is a requirement of a system that's rated
> > "b2".  the other "points" are:
>
> Yes, but even at B1 you need to make a crude effort at identifying them.

yep.

> > B2
> >             formal security policy model
> >             device labels
> >             DAC and MAC (Message Authentication Code) (fancy 
> > checksums)
>
> Actually that's MAC = Mandatory Access Control (bad case of acronym
> overload), and it's an access control policy based on classification of
> objects (e.g., files) and clearances of subjects (e.g., processes).  As
> typically implemented (not the only possible implementation), every process
> and every file has a MAC label.  If a process with a "Top Secret" label
> tries to read a file with a "Secret" label, that's OK, but if a process with
> an "Unclassified" label tries to read the same file it would be rejected,
> regardless of file permissions.  [This is a gross simplification, but it's
> enough to show that it's not "fancy checksums".]

actually...i just cutted and pasted from a web page.  i didn't edit.
and...to embellish on what you've said about labeling...i believe that
"secret" processes can also write to "top secret" files, since that
doesn't violate the information "leakage" you're trying to prevent.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
andrew () crossbar com       * "information is power -- share the wealth."