4.2 Category of Methods "Analysis of Covert Channels" (ACC)
A covert channel means a communication channel that allows an information flow contrary to the security requirements. There is a distinction between time and storage channels.
A time channel is a communication path that utilizes the time behavior of the system for the transmission of information. A storage channel utilizes the (finite) resources of a computer.
Up to now, systematic analysis methods are known (almost) only for storage channels (the Shared Resource Methodology (SRM) can partially be used for the analysis of time channels).
An analysis is formal if it is done with formal (i. e. mathematical) means. Up to now there are no formal methods for the analysis of time channels. With formal means, a formal specification or program is investigated in order to find possible communication paths that contradict the security requirements without violating the access authorizations.
ACC is a method primarily dealing with storage channels and is only of significance with regard to IT security.
A systematic procedure is specified that records all access possibilities of subjects to objects and all rules (derived from the security requirements) that are necessary to prove the conformity of all access possibilities to the security requirements.
Means of Representation
Within ACC, security attributes are allocated to all objects and subjects. In order to determine covert channels, predefined rules (of the security policy or the security requirements) are applied to the available specification, to the available program (Information Flow Analysis), or to a matrix derived from them, in which the attributed objects are set in relation to the subjects accessing them (Shared Resource Methodology (SRM)).
Within Information Flow Analysis, each variable (here both subjects and objects are variables) is allocated a security level, and by means of the predefined rules it is checked whether inadmissible information flow is possible.
Within Shared Resource Methodology (SRM), the access authorizations of each subject to each object are recorded in the items of a matrix whose columns and lines represent the subjects with their clearance and, respectively, the objects with their classification. By means of the predefined rules the matrix is investigated in order to detect possible information flow that contradicts the security requirements.
With Shared Resource Methodology (SRM), detailed specifications or programs result in a great number of subjects and objects, generally too many for all of them to be considered. The success of the method strongly depends on the choice of the subjects and objects, and to a large extent this choice is left to the user of the method.
Information Flow Analysis is only applied from the level of a programming language or with a specification that explicitly uses variables (e. g. an algorithmic specification). The effort depends on the number of variables and their relationships and is therefore usually very high (the information flow has to be considered between all variables). Tool support is indispensable.
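The SRM check described above, as an added example that is not part of the GDPA method description: subjects carry a clearance, objects a classification, and the matrix records Reference ('R') and Modify ('M') accesses; the rule applied is "no information flow from a higher to a lower clearance". All names, levels and accesses are constructed sample data.

```python
# Added example (not from the GDPA page): a minimal Shared Resource Matrix
# (SRM) analysis.  Subjects carry a clearance, objects a classification, and
# the matrix records for each (subject, object) whether the subject can
# Reference ('R') or Modify ('M') the object.  Security requirement encoded:
# "information must not flow from a higher to a lower clearance".
# All names, levels and accesses below are constructed sample data.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}  # linear lattice


def dominates(higher, lower):
    """True if information may legitimately flow from `lower` to `higher`."""
    return LEVELS[higher] >= LEVELS[lower]


def analyse_matrix(subjects, objects, matrix):
    """Return (direct_violations, covert_channels).

    direct_violations: (subject, object) pairs where a subject references an
        object classified above its clearance.  These break the access
        authorisations and are therefore not covert channels.
    covert_channels: (modifier, reader, object) triples where every single
        access is authorised, yet a higher-cleared subject can modify a shared
        object that a lower-cleared subject can reference (a storage channel).
    """
    direct, covert = [], []
    for obj, classification in objects.items():
        readers = [s for s in subjects if "R" in matrix.get((s, obj), "")]
        modifiers = [s for s in subjects if "M" in matrix.get((s, obj), "")]
        for r in readers:
            if not dominates(subjects[r], classification):
                direct.append((r, obj))
        for w in modifiers:
            for r in readers:
                if r != w and not dominates(subjects[r], subjects[w]):
                    covert.append((w, r, obj))
    return direct, covert


# Constructed sample: a secret-level process legitimately uses the shared
# printer queue, whose length an unclassified process is allowed to read.
SUBJECTS = {"high_proc": "secret", "low_proc": "unclassified"}
OBJECTS = {"secret_report": "secret", "printer_queue_length": "unclassified"}
MATRIX = {
    ("high_proc", "secret_report"): "RM",
    ("high_proc", "printer_queue_length"): "RM",
    ("low_proc", "printer_queue_length"): "R",
}

if __name__ == "__main__":
    direct, covert = analyse_matrix(SUBJECTS, OBJECTS, MATRIX)
    print("direct violations:", direct)  # []
    print("covert channels:", covert)    # [('high_proc', 'low_proc', 'printer_queue_length')]
```

Every access in the sample matrix is authorised, yet the queue length is a shared resource the high subject can modulate and the low subject can observe; that is exactly the kind of item the matrix rules are meant to surface.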
The application of ACC requires a sound mathematical education and good knowledge of IT security.
The specifications of the individual functional units and their interfaces are investigated with regard to the existence of covert storage channels.
Method ACC does not cover the (sub-) activities and (sub-) products; it is used as a supplement to the listed analysis and design methods in case IT security aspects are of importance:
| 4.2 | SD5.2 - Analysis of Resources and Time Requirements | The subproducts SW Design (Module).Characteristic Quantities and SW Design (Database).Characteristic Quantities shall be investigated with regard to time channels. |
Coding of SW Modules: the code is investigated with regard to the existence of covert storage channels.
| No. | Interface | Observation | Information in Annex 1 |
ACC requires a specification or, in activity SD6 - SW Implementation, a program.
A sensible application of Information Flow Analysis requires a formal specification or a program in a high-level programming language, together with information flow rules for each programming language construct used; Shared Resource Methodology (SRM), on the other hand, can also be applied to informal specifications.
To do a formal analysis, ACC has to be applied to a program or a formal specification. For programs it is possible to apply Shared Resource Methodology (SRM) instead of Information Flow Analysis, but because of the great number of subjects and objects this may be extensive.
4.1 Interface ACC-FS
GDPA Online. Last Updated 01.Jan.2002, Updated by Webmaster. Last Revised 01.Jan.2002, Revised by Webmaster.