On Wednesday, October 23, 2002, at 02:57 PM, Richard Masoner wrote: > I've only been following this thread peripherally, but > isn't covert channel discussion limited to analyzing > the assurance of Trusted Systems? In a formal sense, yes you are correct. Covert channels are only of note in systems with nondiscretionary access control models. The light pink book (NCSC-TG-030, A Guide to Understanding Covert Channel Analysis of Trusted Systems) defines covert channels as: "Given a nondiscretionary (e.g., mandatory) security policy model M and its interpretation I(M) in an operating system, any potential communication between two subjects I(Sh) and I(Si) of I(M) is covert if and only if any communication between the corresponding subjects Sh and Si of the model M is illegal in M." I wasn't able to find a formal definition of covert channels in the Common Criteria documents; but it's pretty clear that the above definition is still in use (i.e., the covert channel analysis section states that the analysis is looking for communication between subjects in violation of the TSP). Of course, CCA isn't required until EAL5. However, in the real world "covert channel" has come to mean, effectively, "communication between subjects using any method not originally intended for this purpose." This is obviously a much looser definition. For example, using the unused 32bit word of an ICMP type 3 (destination unreachable) datagram to communicate would commonly be considered a covert channel. (I'm aware of one IDS that allegedly uses ICMP similarly to communicate between the remote sensor and the analysis server.) Steganography would fall under this looser definition. -- Cerebus
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 14:46:01 PDT