Vulnerability Development mailing list archives

Re: Covert Channels


From: "Timothy J. Miller" <cerebus () sackheads org>
Date: Wed, 23 Oct 2002 16:08:25 -0500


On Wednesday, October 23, 2002, at 02:57  PM, Richard Masoner wrote:

> I've only been following this thread peripherally, but
> isn't covert channel discussion limited to analyzing
> the assurance of Trusted Systems?

In a formal sense, yes, you are correct. Covert channels are only of note in systems with nondiscretionary access control models. The light pink book (NCSC-TG-030, A Guide to Understanding Covert Channel Analysis of Trusted Systems) defines covert channels as:

"Given a nondiscretionary (e.g., mandatory) security policy model M and its interpretation I(M) in an operating system, any potential communication between two subjects I(Sh) and I(Si) of I(M) is covert if and only if any communication between the corresponding subjects Sh and Si of the model M is illegal in M."

I wasn't able to find a formal definition of covert channels in the Common Criteria documents, but it's pretty clear that the above definition is still in use (i.e., the covert channel analysis section states that the analysis is looking for communication between subjects in violation of the TSP). Of course, CCA isn't required until EAL5.

However, in the real world, "covert channel" has come to mean, effectively, "communication between subjects using any method not originally intended for this purpose." This is obviously a much looser definition. For example, using the unused 32-bit word of an ICMP type 3 (destination unreachable) datagram to communicate would commonly be considered a covert channel. (I'm aware of one IDS that allegedly uses ICMP similarly to communicate between the remote sensor and the analysis server.) Steganography would fall under this looser definition.

-- Cerebus
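
A detection-side sketch for the ICMP type 3 case mentioned in the message above, added here as an example and not part of the original post. It flags data in the second header word while allowing the two standard uses of that word (next-hop MTU for code 4 per RFC 1191, the length byte per RFC 4884); the function names and sample messages are constructed for illustration.

```python
import struct

DEST_UNREACH = 3
FRAG_NEEDED = 4  # RFC 1191: low 16 bits of the word carry the next-hop MTU

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_unreachable(icmp: bytes) -> list:
    """Findings for one ICMP message, given from the ICMP header onward."""
    if len(icmp) < 8:
        return ["truncated ICMP header"]
    icmp_type, code, _cksum, word = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != DEST_UNREACH:
        return []
    findings = []
    if inet_checksum(icmp) != 0:
        findings.append("bad checksum")
    if word >> 24:  # first byte is unused in both RFC 792 and RFC 4884
        findings.append(f"unused byte set: 0x{word >> 24:02x}")
    length = (word >> 16) & 0xFF  # RFC 4884: quoted-datagram length in 32-bit words
    if length * 4 > len(icmp) - 8:
        findings.append(f"length field {length} exceeds payload")
    if code != FRAG_NEEDED and word & 0xFFFF:
        findings.append(f"low 16 bits set outside code 4: 0x{word & 0xFFFF:04x}")
    return findings

def build(code: int, word: int, payload: bytes) -> bytes:
    """Constructed sample: a type 3 message with a correct checksum."""
    body = struct.pack("!BBHI", DEST_UNREACH, code, 0, word) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

PAYLOAD = b"\x45" + bytes(27)  # constructed stand-in for quoted IP header + 8 bytes

if __name__ == "__main__":
    for label, msg in [("host unreachable", build(1, 0, PAYLOAD)),
                       ("frag needed, MTU 1500", build(4, 1500, PAYLOAD)),
                       ("data in unused word", build(1, 0xDEADBEEF, PAYLOAD))]:
        print(label, "->", check_unreachable(msg) or "clean")
```

A clean result only means the second word is consistent with the RFCs; the quoted-datagram payload is not inspected here.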

