 |
 |
 |
|
| Annex 1 | |||
| 5.1 Category of Methods "Analysis of Covert Channels" (ACC) |
5.1.1 Overview
A covert channel means a communication channel that allows an information flow contrary to the security requirements. There is a distinction between time and storage channels.
A time channel is a communication path utilizing the time behavior of the system for the transmission of information. A storage channel utilizes the (finite) resources of a computer.
Example for a storage channel: there shall be two systems with different security levels (system "high" and system "low"), but it is not possible to have more files with the same name. In this case the following covert channel exists: System "high" creates a file if the information to be transmitted shall be "true". If it is possible for system "low" to create a file with the same name it gains exactly this information by the means of this storage channel.
Up to now there are known (almost) only methods for the systematic analysis of storage channels (partially it is possible to use the Shared Resource Methodology (SRM) for the analysis of time channels).
An Analysis is formal if it is done with formal (i. e. mathematical) means. Up to now there are no formal methods for the analysis of time channels. With formal means a formal specification or program is investigated in order to find possible communication paths that contradict the security requirements without braking the access authorizations.
ACC is a method primarily dealing with storage channels and only of significance with regard to IT security.
5.1.1.1 Appraisal Criteria
The following contains a list of criteria helping to select individual methods:- required precision of the analysis,
- kind of analysis (time channels or storage channels?),
- kind of presentation to be analyzed (program, (formal/informal) specification),
- availability of tools.
5.1.1.2 Individual Methods
The most known and applied methods for the Analysis of Covert Channels are presented in the following individual descriptions. In order to make it easier to distinguish between the individual methods, these methods are first compared with each other.5.1.1.3 Comparison of the individual Methods
The objective of the methods Information Flow Analysis and Shared Resource Methodology is very similar. Only the application area is different. While SRM can be applied even in early specification phases, the Information Flow Analysis can only be applied if a formal specification with variables or a program is available.With the Information Flow Analysis, the analysis of time channels is not possible. But the results gained with the Information Flow Analysis are more complete because of the formal derivation of all objects and subjects. With this method, on the other hand, also such covert channels are detected that are practically not relevant or that are not really covert channels (e. g. in y := x - x or y := x
| Information Flow Analysis | Shared Resource Methodology |
|---|---|
| Applicable only for formal specifications or programs | Applicable also for informal specifications |
| Analysis only possible for later design decisions or on program level | Analysis possible with the first specification |
| Analysis of storage channels possible | Analysis of storage channels and partial of time channels possible |
| Too many storage channels may be detected (some are none or are not usable) because of the information flow rules being too restrictive | It may be that not all storage channels are detected because only a limited set of subjects/objects is chosen |
| Formal derivation of the investigated objects and subjects, therefore the result is independent of the team performing the analysis | Informal derivation of the investigated objects and subjects, therefore the results depends on the team performing the analysis |
5.1.2 Individual Descriptions
5.1.2.1 Information Flow Analysis5.1.2.2 Shared Resource Methodology (SRM)
|
|
|
GDPA Online
Last Updated 01.Jan.2002
Updated by Webmaster
Last Revised 01.Jan.2002
Revised by Webmaster
|