2 Definitions

It seems obvious to start with a definition of the terms we are discussing. However, since the introduction of the term "covert channel" there has been a variety of definitions used for the term. Here we present a collection of the definitions that various researchers have used and discuss the nuances involved in each. Afterward we state the definition we use throughout the rest of this paper and provide several associated definitions.

2.1 Evolution of Covert Channel

Butler Lampson introduced the concept of a covert channel in 1973 in the context of discussing the confinement of information flow in a single-system multiprogramming environment. In this situation a channel is any mechanism that provides a possible information transfer between processes executing programs. His definition for the term was as follows:

Definition 1. Covert channels are those not intended for information transfer at all, such as a service program's effect on the system load [Lamp73].

Lampson was considering various forms of unwanted information transfers. He defined covert channels in a very restrictive way and completely separated them from storage channels (a mechanism in which the information being transferred is represented in some stored form, although not in a traditional place such as a file) and legitimate channels (normal communication between two processes, with hidden content). He was considering only what today is referred to as a timing channel, in which information is represented in the temporal behavior of a system. Although Lampson does discuss improper information flows using storage and legitimate channels, he does not refer to these as covert channels. Millen also notes that Lampson's definition excludes some uses of legitimate channels to transfer information between two parties who are permitted to communicate but are restricted in what information may be sent [Mill99]. For this situation Lampson's definition is clearly not inclusive enough. However, if Millen had considered a security model implementation with respect to Lampson's definition, he would not have raised the issue: the security policy would have excluded communication of the type to which Millen refers.

Regardless of the limitations, Lipner accepted Lampson's definition and attempted to provide a solution for closing all of the improper channels [Lipn75]. He bases his suggestions on the security policy model of Bell and LaPadula [Bell73a, Bell73b]. In so doing, Lipner notes that closing the timing covert channels which Lampson describes would impose a significant performance penalty on the system. However, Lipner believed that closing the storage channels would be relatively easy.

In another discussion of information confinement, Schaefer introduces an alternative definition for a covert channel:

Definition 2. A covert channel is a communication channel that is based on transmission by storage into variables that describe resource states [Scha77].

This is a swing in the other direction: timing is not being considered at all. Schaefer is considering only information transfers that involve storage, particularly the use of state information maintained by the operating system. From Lampson's point of view this is a storage channel; in fact, he uses this type of information flow to illustrate what a storage channel is [Lamp73]. Kemmerer describes covert channels as those that use entities not normally viewed as data objects to transfer information from one subject to another [Kemm83]. This idea is completely consistent with Schaefer's definition: the variables that represent resource states can be viewed as data objects used to transfer information.

Huskamp provides a definition for covert channels that is stated broadly enough to include both storage and timing channels:

Definition 3. Covert channels are those channels that are the result of resource allocation policies and resource management implementation [Husk78].

That is, the channels are not designed for the transmission of information; they are the result of the way in which the operating system is managing resources. One can infer that the degree to which covert channels are present in a system is inversely dependent on how well the operating system does its managing. Tsai suggests that Huskamp's definition did not take into account the security model, or its implementation, used in the system [Tsai87a]. Rather, Tsai suggests that Huskamp assumed that the security model used could prevent noiseless covert channels from being created. Regardless of whether or not Tsai is correct about preventing noiseless channels, it must be acknowledged that the security model implementation may or may not be effective in limiting covert channels. Huskamp focused on noisy covert channels; he did this because he notes that real channels are normally not error free [Husk78]. Noisy channels result in messages being communicated that are partially corrupted by other system elements and process actions.

From 1981 through 1985 the Department of Defense put out DoD 5200.28-STD, its standard for Trusted Computer System Evaluation Criteria, in several revisions. In this document, commonly referred to as the Orange Book or by the acronym TCSEC, we find a covert channel definition in the context of security policy:

Definition 4. A covert channel is any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy [TCSE85].

The Orange Book defines a system's security policy as a statement of intent with regard to control over access to and dissemination of information, and states that it must be precisely defined and implemented for each system. Because security policies reflect an institution's general policies and procedures and applicable laws and regulations, we can see that this definition is based on the legal aspects of using a covert channel in addition to the system mechanisms that make them possible. The Orange Book also addresses the bandwidth of a covert channel, the quantity of information transmitted over a channel per unit of time. Primarily driven by the capabilities of the slowest devices of the early 1980s, the book suggests that a bandwidth of more than 100 bits/second should be regarded as unacceptably high. Thus we begin to see criteria for measuring the seriousness of the security violation that a particular channel might represent.

Gasser describes covert channels as paths not intended for communication and not normally protected by mandatory controls [Gass88]. This comment is partly influenced by the Orange Book's emphasis, in the evaluation criteria, on mandatory controls, a structure in which the security attributes used to determine access cannot be changed. Moskowitz describes covert channels as communication channels that exist contrary to design in a computer system [Mosk94a]. Both Gasser and Moskowitz address the communication components designed into the system and the intended purpose of the processes involved in the communication. The TCSEC definition also implies that there is a clear distinction between the designed communications and that which is part of a covert channel, by labeling the use of covert channels as an exploitation.

Moskowitz, Levin, and others note that a covert channel exists in a multi-level secure system when communication occurs from a high security level to a lower security level [Mosk94a, Levi04]. A multi-level secure system is one that uses military classification of security levels (unclassified, confidential, secret, etc.). Information sent to a lower security level is clearly a violation of the security policy for a multi-level system. However, the mechanism used for the information transfer is significant. If some process were capable of disabling the security controls in a multi-level system, thus allowing normal communication from the high level to the low level, that communication cannot be regarded as a covert channel as defined in Definitions 1 through 3, because the path used is intended for communication. The TCSEC definition does not clearly specify what the mechanism for the covert channel is, and consequently is using "covert" in the more traditional sense of concealed, secretive, or forbidden.

McHugh attempts to make a finer distinction regarding the use of covert channels, based on the intent of the user. He classifies the channels as either innocuous or harmful [McHu95]. The idea is that an innocuous covert channel is consistent with the intent of the system's security policy and is only technically a violation of that policy. He suggests that such channels may result in surprising system behavior but do not place the system or its information at risk. On the other hand, a harmful covert channel is one that is both a de facto and a de jure violation of the security policy. McHugh suggests another covert channel definition:

Definition 5. A covert channel is any mechanism that can be used to transfer information from one user to another using means not intended for this purpose by the system developers [McHu95].

McHugh acknowledges that this is a somewhat vague definition, because it involves only intent, as opposed to policy, which would be written. However, his attempt to make an intuitive definition, although consistent with the above discussion, has the side effect of completely muddying the identification of covert channels, because anything that might be a covert channel must be examined in terms of designer intent alone. Making the innocuous/harmful distinction may be useful from a legal perspective; however, it should not be considered further. Any covert channel has the potential for being harmful when used by someone with an appropriate motive.

Ruighaver examines the use of covert channels in a network environment, in particular looking at the security of firewalls. His definition of covert channels is influenced by this environment:

Definition 6. A covert channel is any mechanism that can be used to communicate between two parties through secured boundaries of data [Ruig96].

In a way this definition is self-contradictory: if the data boundaries are secured, there can be no communication between parties on opposite sides of the boundaries. With no mention of a security policy, it is not possible to define what secured boundaries are. There appears to be no appreciation that security cannot be absolute in a network environment. It may well be that the communications used to break through a firewall are not anticipated, but that is the nature of covert channels.

Marone adds one other idea to the notion of a covert channel. He makes the following definition:

Definition 7. A covert channel is simply the transfer of data between two processes that are not permitted or not known to be in touch with each other [Maro03].

The idea that the transfer of data is not permitted is consistent with the TCSEC definition, because part of the security policy would define what is permitted and what is not. Tsai takes this a step further in saying that communication between processes is covert if and only if that communication is in violation of the security model implementation [Tsai90]. The second element of the definition refers to the system not being aware of the transfer of data. It seems odd to consider that an information transfer might be regarded as a covert channel simply because the system has no record of it. For example, if a normal communication from process A to process B transfers information about individual elements of some type, and process B produces an aggregate result and passes that on to process C, the system might well regard processes A and C as not known to be in touch, but the transitive information flow clearly has transferred data from A to C. Perhaps one can improve Marone's definition by referring to data transfers between processes that are not permitted and not known to be in touch.

Finally, at the first Workshop on Covert Channel Analysis, a distinguished group of researchers came up with what they describe as a necessary but not sufficient definition:

Definition 8. A covert channel is a channel between a sender and receiver at different levels, and there is a Trojan horse present that uses a communication medium other than a named object [IEEE89].

This definition suffers somewhat by being committee-created and therefore lacks the formality that might be present in a journal paper. The "different levels" refer to different security classifications, as in a multi-level system. The presence of a Trojan horse presumes that the sender is a victim and not a collaborator in the transmission of information. The fact that a named object is not the medium reflects that the system did not intend the medium to be used for communication. This definition was not considered sufficient because the members of the group felt that some covert channels were the result of system flaws. These flaws were generally considered the result of the system implementation not exactly following the formal system specification. Another source of possible flaws is in the hardware implementation. Investigations of several systems have revealed undocumented opportunities for exploitation, even to the extent of discovering methods for bypassing hardware protection mechanisms [Karg04]. The definition above covers only exploitations of correctly implemented systems on correctly functioning hardware.

2.2 Our Definition of Covert Channel

From our perspective, the key elements to be addressed in the definition of covert channels are that we need to encompass both storage and timing channels, and we need to associate the use of these channels with a violation of security policy. To do this we combine elements of Definitions 3 and 4:

A covert channel is an unintentional communication path which results from a system's resource allocation and management implementation and violates the system's security policy.

With this definition we include the concepts that a covert channel cannot involve any mechanism that is intended for communication (files, messages, etc.), that the elements or effects of operating system management are vehicles of information transmission, and that transfer of information using this path is contrary to the security model implementation. No judgment is imposed regarding whether the security breach is harmful or not. No particular system organization (single host, network, or multiprocessor) is assumed. No normal communication channel, whether containing a hidden message or not, can be regarded as a covert channel. Also, we assume that the system implementation reflects the system design and that the hardware functions according to specifications. This is a rather large assumption; however, without it one could postulate almost any flaw in the implementation, even one as outrageous as permitting a process executed by the maintenance engineer to change the global hardware state between microinstruction steps [Scha93]. In a later chapter we address some of the issues related to system flaws.

Based on our definition we can define the following terms, which are used in subsequent discussion.

A storage covert channel is one in which the information being transferred is stored in memory or a register. Since the stored information cannot be part of some file image or normal message content, we would find storage channels using system flag settings, file status, buffer status, error indicators, normally unused network protocol elements, or shared hardware registers. Aside from the name, this definition is completely consistent with Lampson's terminology for storage channels.

A timing covert channel is one in which the information being transferred has the form of coded activity durations. Usually the sending process interferes with the system in such a way that the receiver can detect recognizable differences in the response time to its requests [Mosk94a]. However, a more general notion is that the receiver can recognize time variations in some system activity which the sender can affect.

A mixed covert channel is one in which information is transferred through a combination of stored values and activity durations. This definition is nearly identical to that given by Moskowitz [Mosk94a]; however, he admits that he was using the term loosely. We use the term to address covert channels that are not exclusively based on either timing or storage. Gligor also addresses using more than one mechanism simultaneously to transfer information when he discusses aggregated channels [Glig93]. He does not require that aggregated channels contain both storage elements and duration elements; however, they could. Tsai and Shieh also discuss the use of aggregated channels; however, they were both using exclusively storage covert channels [Tsai87a, Shie99].

We need to add definitions of the attributes of covert channels. These elements will be essential in discussing channel performance later on.

The bandwidth of a covert channel is the rate, in bits per time unit, at which information is communicated. This is the definition that the TCSEC uses and that Gasser and others repeat [TCSE85, Gass88]. Moskowitz points out shortcomings of this definition in several of his papers [Mosk94a, Mosk94c, Mosk02]. He prefers to use capacity to measure a channel's information-carrying ability. He shows that for continuous communication, capacity is a function of bandwidth, but he does not directly relate the two terms for discrete communication. Admittedly, bandwidth may not be the most appropriate measure of channel performance if very short messages are used, because the bandwidth could be near 0 and the channel could still be significant. Also, bandwidth does not measure the total usage of a channel: a very low bandwidth channel used for an extended period may transmit a very large quantity of information. Finally, bandwidth is difficult to apply to timing channels, simply because it is through time durations that information is received; consequently the bandwidth would actually vary with the particular message sent. The Orange Book does acknowledge this variability by defining a maximum bandwidth for such situations. Regardless of these problems, bandwidth as defined above remains a common performance metric, even if it is an abuse of Shannon's bandwidth definition.

We use Gligor's definition of capacity [Glig93] almost verbatim. The capacity of a covert channel is its maximum possible error-free information rate in bits per time unit. This is equivalent to the maximum bandwidth as defined above. Because we have introduced the possibility of errors into the transmission, we must also define a reliability attribute for covert channels [Glig93]. A noiseless covert channel is one in which the probability that the receiver receives exactly the message the sender sends is 1. Many elements may interfere with the transmission of information from sender to receiver on a covert channel: actions of other processes, management functions of the operating system, network routing actions, device errors, and more. A covert channel for which the probability of receiving what was sent is less than one is said to be noisy; the lower the probability, the noisier the channel.
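The bandwidth, capacity and noise attributes just defined can be made concrete with a small calculation. The following Python block is an added example, not part of the paper and not code from any of the cited authors. It models a noisy covert channel as a binary symmetric channel with a constructed per-symbol error probability p (an assumption: noise on a real covert channel is rarely this well behaved), reports the raw symbol rate (the "bandwidth" in the TCSEC sense), derives the Shannon capacity 1 - H(p) bits per symbol (the error-free rate, which equals the raw rate only when the channel is noiseless), and gives the probability that an n-bit message arrives exactly as sent, which is the paper's noiseless/noisy criterion. The channel simulation uses constructed sample bits and a fixed seed so the run is reproducible.

```python
import math
import random


def binary_entropy(p):
    """Binary entropy H(p) in bits; H(0) = H(1) = 0 by convention."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def bsc_capacity_bits_per_symbol(p_error):
    """Shannon capacity of a binary symmetric channel with crossover
    probability p_error: 1 - H(p). A noiseless channel (p = 0) carries a
    full bit per symbol; a channel with p = 0.5 carries nothing."""
    return 1.0 - binary_entropy(p_error)


def raw_bandwidth(symbol_rate):
    """TCSEC-style bandwidth: bits transmitted per time unit, ignoring
    whether they arrive intact. For a binary channel this is the symbol
    rate itself."""
    return float(symbol_rate)


def channel_capacity(symbol_rate, p_error):
    """Gligor-style capacity: maximum error-free rate in bits per time
    unit, i.e. raw bandwidth scaled by the per-symbol capacity."""
    return symbol_rate * bsc_capacity_bits_per_symbol(p_error)


def message_delivery_probability(n_bits, p_error):
    """Probability that an n-bit message is received exactly as sent.
    This is 1 only for a noiseless channel; it decays with length."""
    return (1.0 - p_error) ** n_bits


def is_noiseless(p_error):
    """The paper's reliability attribute: noiseless iff delivery is certain."""
    return p_error == 0.0


def simulate_noisy_channel(bits, p_error, seed=0):
    """Pass a bit sequence through a constructed binary symmetric channel.
    Each bit is flipped independently with probability p_error."""
    rng = random.Random(seed)
    return [b ^ 1 if rng.random() < p_error else b for b in bits]


def estimate_error_rate(sent, received):
    """Empirical crossover probability observed on one transmission."""
    if len(sent) != len(received) or not sent:
        raise ValueError("sequences must be non-empty and of equal length")
    flips = sum(1 for s, r in zip(sent, received) if s != r)
    return flips / len(sent)


# Constructed sample: 16 bits sent over a channel with symbol rate 100
# symbols per second (the Orange Book's threshold figure) and p = 0.1.
SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]

if __name__ == "__main__":
    rate, p = 100, 0.1
    print("raw bandwidth      :", raw_bandwidth(rate), "bits/s")
    print("capacity           :", round(channel_capacity(rate, p), 2), "bits/s")
    print("P(16-bit msg intact):", round(message_delivery_probability(16, p), 4))
    received = simulate_noisy_channel(SAMPLE_BITS, p, seed=7)
    print("observed error rate:", estimate_error_rate(SAMPLE_BITS, received))
```

Two points the numbers make: at p = 0.1 roughly 47% of the raw bandwidth is lost to noise, so quoting the symbol rate alone overstates what the channel can leak; and even a modest per-bit error rate makes exact delivery of a 16-bit message unlikely, which is why an attacker-controlled channel needs error correction and why a defender reasoning about leakage should use capacity rather than raw bandwidth.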