4.2 Category of Methods "Analysis of Covert Channels" (ACC)  

  4.2 Method Category "Analysis of Covert Channels" (German: "Analyse verdeckter Kanäle", AVK)

Contents  
  • 1 Identification/Definition of the Method
  • 2 Brief Characteristic of the Method
  • 3 Limits of the Methods Application
  • 4 Specification of the Methods Allocation
  • 5 Interfaces
  • 6 Further Literature
  • 7 Functional Tool Requirements
    1 Identification/Definition of the Method

    ACC is a category of methods; the individual applicable methods are described in more detail in ACC - Analysis of Covert Channels (in Annex 1), together with the selection criteria. A specific method is only fixed within the scope of the operationalization.

    A covert channel is a communication channel that allows an information flow contrary to the security requirements. A distinction is made between time (timing) channels and storage channels.

    A time channel is a communication path that uses the timing behavior of the system to transmit information. A storage channel uses the (finite) resources of a computer for that purpose.

    Up to now, (almost) the only known methods are methods for the systematic analysis of storage channels (the Shared Resource Methodology (SRM) can partially be used for the analysis of time channels as well).

    An analysis is formal if it is carried out with formal (i. e. mathematical) means. Up to now there are no formal methods for the analysis of time channels. With formal means, a formal specification or a program is investigated in order to find possible communication paths that contradict the security requirements without violating the access authorizations.

    ACC is a method that primarily deals with storage channels and is only of significance with regard to IT security.

    2 Brief Characteristic of the Method

    Objective and Purpose

    A systematic procedure is specified that records all access possibilities of subjects to objects and all rules (derived from the security requirements) that are needed to prove that all of these access possibilities conform to the security requirements.

    Means of Representation

    Within ACC, security attributes are allocated to all objects and subjects. In order to determine covert channels, predefined rules (of the security policy or the security requirements) are applied to the available specification, to the available program (Information Flow Analysis), or to a matrix derived from them. In this matrix the attributed objects are set in relation to the subjects accessing them (Shared Resource Methodology (SRM)).

    Operational Sequence

    Within the Information Flow Analysis, each variable (here both subjects and objects are variables) is allocated a security level, and by means of the predefined rules it is checked whether an inadmissible information flow is possible.
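    The following is an added example (not part of the GDPA page) of the check described above, in the style of the certification rules from Denning's work: every variable carries a security level from a lattice, an assignment y := f(x1, ..., xn) is permitted only if the least upper bound of the sources' levels (and of the current control-flow context) is dominated by the level of y, and a conditional raises the context level so that implicit flows through the control flow are caught as well. The toy statement representation, the three-level lattice and the sample program are constructed for illustration.

```python
"""Toy information flow analysis (constructed example, not GDPA or V-Model code).

Statements of the toy language:
    ("assign", target, [source variables])    target := f(sources)
    ("if", [condition variables], [body])     if c(conditions) then body
"""
from typing import Dict, List, Tuple

# Linear lattice of security levels, lowest first (constructed example).
LEVELS = ["unclassified", "confidential", "secret"]


def rank(level: str) -> int:
    """Position of a level in the lattice; higher rank = more sensitive."""
    return LEVELS.index(level)


def lub(*levels: str) -> str:
    """Least upper bound of the given levels; the bottom level if none given."""
    return max(levels, key=rank, default=LEVELS[0])


def check_flows(program: List[Tuple], env: Dict[str, str],
                pc: str = LEVELS[0]) -> List[str]:
    """Return a list of rule violations for `program`.

    env maps each variable to its security level; pc is the security level of
    the control-flow context (the "program counter" level).
    Explicit flow rule:  lub(level(sources), pc) <= level(target)
    Implicit flow rule:  inside a conditional, pc is raised by the levels of the
                         variables tested, so even a constant assignment in the
                         branch must be permitted at that raised level.
    """
    violations = []
    for stmt in program:
        kind = stmt[0]
        if kind == "assign":
            _, target, sources = stmt
            flow_level = lub(pc, *(env[v] for v in sources))
            if rank(flow_level) > rank(env[target]):
                violations.append(
                    f"{target} ({env[target]}) := f({', '.join(sources) or 'const'}) "
                    f"under pc={pc}: flow from level {flow_level} is not permitted")
        elif kind == "if":
            _, cond_vars, body = stmt
            inner_pc = lub(pc, *(env[v] for v in cond_vars))
            violations.extend(check_flows(body, env, inner_pc))
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return violations


# Constructed sample: security level of each variable.
SAMPLE_ENV = {
    "secret_key": "secret",
    "audit_line": "secret",
    "report": "confidential",
    "public_flag": "unclassified",
}

# Constructed sample program with two inadmissible flows.
SAMPLE_PROGRAM = [
    ("assign", "audit_line", ["secret_key"]),   # secret -> secret: permitted
    ("assign", "report", ["public_flag"]),      # unclassified -> confidential: permitted
    ("assign", "public_flag", ["report"]),      # confidential -> unclassified: explicit leak
    ("if", ["secret_key"], [
        ("assign", "public_flag", []),          # constant, but branch depends on a secret: implicit leak
    ]),
]

if __name__ == "__main__":
    for line in check_flows(SAMPLE_PROGRAM, SAMPLE_ENV):
        print("VIOLATION:", line)
```

    The analysis is purely static: it never executes the program, it only checks, for each assignment, that the lattice ordering is respected. Extending it to a real language means supplying one such rule per language construct, which is exactly the prerequisite named in the Interfaces section below.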

    Within the Shared Resource Methodology (SRM), the access authorizations of each subject to each object are recorded in the entries of a matrix whose columns and rows represent the subjects with their clearance and the objects with their classification, respectively. By means of the predefined rules the matrix is investigated in order to detect possible information flows that contradict the security requirements.
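    As an added example (not part of the GDPA page and not Kemmerer's own tooling), the check below applies the core SRM rule to a small matrix: a shared resource attribute is a potential storage channel whenever one subject can modify it and a subject with a lower clearance can reference it, because the attribute then carries information downward although no access authorization is violated. It also performs the transitive-closure step of the methodology, in which an attribute that merely reflects another one (an error code that depends on a lock state, say) counts as a reference to that other attribute. The subjects, attributes, access entries and the "reflects" relation are constructed for illustration.

```python
"""Shared Resource Matrix check for potential covert storage channels
(constructed example, not GDPA or V-Model code)."""
from itertools import product
from typing import Dict, List, Set, Tuple

# Linear lattice of clearances, lowest first (constructed example).
LEVELS = ["low", "high"]

# Matrix entry: (subject, resource attribute) -> {"R"} reference, {"M"} modify.
Matrix = Dict[Tuple[str, str], Set[str]]


def rank(level: str) -> int:
    return LEVELS.index(level)


def close_references(matrix: Matrix, reflects: Dict[str, Set[str]]) -> Matrix:
    """Transitive closure: if attribute b reflects attribute a (reading b reveals
    something about a), every subject that can reference b can indirectly
    reference a as well.  Iterates until no new entry appears."""
    closed: Matrix = {cell: set(kinds) for cell, kinds in matrix.items()}
    changed = True
    while changed:
        changed = False
        for (subject, attr), kinds in list(closed.items()):
            if "R" not in kinds:
                continue
            for base in reflects.get(attr, set()):
                cell = closed.setdefault((subject, base), set())
                if "R" not in cell:
                    cell.add("R")
                    changed = True
    return closed


def find_storage_channels(matrix: Matrix, clearance: Dict[str, str],
                          reflects: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (sender, receiver, attribute) triples: `sender` can modify the
    attribute, `receiver` has a strictly lower clearance and can reference it
    (directly or through the closure), so the attribute could carry information
    downward in spite of the access-control rules."""
    closed = close_references(matrix, reflects)
    attributes = sorted({attr for _, attr in closed})
    channels = []
    for sender, receiver in product(clearance, repeat=2):
        if sender == receiver or rank(clearance[sender]) <= rank(clearance[receiver]):
            continue  # flows sideways or upward are not the concern here
        for attr in attributes:
            can_modify = "M" in closed.get((sender, attr), set())
            can_reference = "R" in closed.get((receiver, attr), set())
            if can_modify and can_reference:
                channels.append((sender, receiver, attr))
    return channels


# Constructed sample: two processes and four shared resource attributes.
CLEARANCE = {"high_proc": "high", "low_proc": "low"}
MATRIX: Matrix = {
    ("high_proc", "file_content"): {"R", "M"},
    ("low_proc", "file_content"): set(),       # mandatory access control denies the read
    ("high_proc", "disk_free_blocks"): {"M"},  # writing the file consumes blocks ...
    ("low_proc", "disk_free_blocks"): {"R"},   # ... which the low process can observe
    ("high_proc", "tmp_lock"): {"M"},
    ("low_proc", "lock_error_code"): {"R"},    # the low process only sees an error code ...
}
REFLECTS = {"lock_error_code": {"tmp_lock"}}   # ... but that code reflects the lock state

if __name__ == "__main__":
    for sender, receiver, attr in find_storage_channels(MATRIX, CLEARANCE, REFLECTS):
        print(f"potential storage channel: {sender} -> {receiver} via {attr}")
```

    The labelled object (`file_content`) produces no finding because the access rule already blocks the low side, whereas the two unlabelled resource attributes do; this is the situation ACC is meant to surface. In practice each finding still has to be assessed by hand (bandwidth, whether the modification is observable at all), and the size of the matrix grows with the number of subjects and attributes chosen, which is the limitation discussed in section 3.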

    3 Limits of the Methods Application

    For the Shared Resource Methodology (SRM), detailed specifications or programs result in a large number of subjects and objects, generally too many to consider them all. The success of the method therefore depends strongly on the choice of the subjects and objects, and to a large extent this choice is left to the person applying the method.

    Information Flow Analysis is applied only at the level of a programming language or to a specification that explicitly uses variables (e. g. an algorithmic specification). The effort depends on the number of variables and their relationships and is therefore usually very high (the information flow has to be considered between all variables). Tool support is indispensable.

    The application of ACC requires a sound mathematical education and good knowledge of IT security.

    4 Specification of the Methods Allocation

    No.  Activity
    4.1  SD2.5 Interface Description,
         SD4.1 SW Architecture Design,
         SD4.2 Design of Internal and External SW Interfaces,
         SD5.1 Description of SW Component/Module/Database

         Description: The specifications of the individual functional units and their interfaces are investigated with regard to the existence of covert storage channels.

    Method ACC does not cover the (sub-)activities and (sub-)products on its own; it is used as a supplement to the listed analysis and design methods where IT security aspects are of importance:

    4.2  SD5.2 Analysis of Resources and Time Requirements

         Description: The subproducts SW Design (Module).Characteristic Quantities and SW Design (Database).Characteristic Quantities shall be investigated with regard to time channels.

    4.1  SD6.1 Coding of SW Modules,
         SD6.2 Realization of Database,
         SD6.3 Self-Assessment of the SW Module/Database

         Description: The code is investigated with regard to the existence of covert storage channels.

    5 Interfaces

    No.  Interface  Observation
    5.1  ACC-FS     ACC requires a specification or, in activity SD6 - SW Implementation, a program.

    A sensible application of the Information Flow Analysis requires a formal specification or a program in a high-level programming language, together with information flow rules for each programming language construct used; the Shared Resource Methodology (SRM), on the other hand, can also be applied to informal specifications.

    In order to perform a formal analysis, ACC has to be applied to a program or a formal specification. To programs, the Shared Resource Methodology (SRM) may be applied instead of the Information Flow Analysis, but because of the great number of subjects and objects this may be laborious.

    Information in Annex 1: 4.1 Interface ACC-FS

    6 Literature

    /Denning, 1982/ Cryptography and Data Security
    /Kemmerer, 1983/ The Shared Resource Methodology: An Approach to Identifying Storage and Timing Channels

    7 Functional Tool Requirements

    SSD31 - Analysis of Covert Channels

    GDPA Online. Last updated 01.Jan.2002 by Webmaster; last revised 01.Jan.2002 by Webmaster.