INFORMATION HIDING -- AN ANNOTATED BIBLIOGRAPHY (6/10)

'A GUIDE TO UNDERSTANDING COVERT CHANNEL ANALYSIS OF TRUSTED SYSTEMS'

  • NCSC-TG-030 version 1, November 1993
  • This is the official NSA guide to the identification and elimination of covert channels in multilevel secure systems. Military multilevel secure systems -- at least at the higher levels of evaluation -- should limit covert channel bandwidth to about one bit per second. The techniques involved include both channel elimination and noise insertion.

    'Covert Channel Capacity'

  • J Millen, 1987 IEEE Symposium on Security and Privacy
  • This is one of the classic papers on calculating the capacity of a covert channel using entropy equations; it shows how information-theoretic properties can also be represented in automata-theoretic terms.

    'The Influence of Delay on an Idealized Channel's Bandwidth'

  • IS Moskowitz, AR Miller, 1992 IEEE Symposium on Security and Privacy pp 63--67
  • The authors analyse the relationship between the bandwidth of a covert channel and the underlying queueing parameters.

    041205 'An Entropy Conservation Law for Testing the Completeness of Covert Channel Analysis'

  • R Browne, Fairfax 94 pp 270 -- 281
  • The author defines a complete set of covert channels as one which can operate to produce the maximum covert information flow. He shows that such sets are characterised by their satisfying an entropy conservation law, in that a fully informed onlooker perceives an output uncertainty equal to the covert capacity plus the relevant noise. This in turn lets the system behaviour be expressed in a kind of normal form.

    021136 'Architectural Implications of Covert Channels'

  • N Proctor, P Neumann, Proc 15th NCSC pp 28 -- 43
  • This paper reviews covert channels: how they occur, what assumptions are needed to ignore them, how to eliminate them from resource allocation algorithms and what the tradeoffs are. It then proposes an architecture for eliminating them and describes a design for a multi-level disk drive using manual allocation. This drive can allow read-down and write-up operations which have no covert channel but still yield adequate performance. The authors argue that building secure operating systems is beyond today's technology, and that using single-level processors with a multi-level disk gives maximum assurance at a reasonable cost.

    021220 'The Channel Capacity of a Certain Noisy Timing Channel'

  • IS Moskowitz, AR Miller, IEEE Transactions on Information Theory v IT-38 no 4 (1992) pp 1339 -- 43
  • A covert timing channel may suffer noise generated by time sharing delays as other users compete for resources. Two strategies for communicating in the presence of this noise are analysed and the resulting channel capacity is determined.

    034217 'Covert Channels - Here to Stay?'

  • IS Moskowitz, MH Kang, Compass 94 pp 235 -- 243
  • Capacity is not the only measure of a covert channel, as channels may exist which have a one-off capability to send a fixed number of bits and thus possess zero capacity. One should rather measure the longest message which can be transmitted under realistic assumptions. There are a number of trade-offs in minimising this, and various mechanisms including pumps may be useful.