[cap-talk] Wall banging (was: Bellizzomi, Capabilities, Shapiro's focus, Coyotos, etc.)
Jonathan S. Shapiro
shap at eros-os.com
Wed Nov 29 23:24:42 CST 2006
On Wed, 2006-11-29 at 18:14 -0800, Jed at Webstart wrote:
> Can anyone tell me if there are any systems where overt channels have
> been sufficiently controlled that time/effort have been spent working on
> controlling covert channels (e.g. by restricting the sorts of non-deterministic
> inputs available to some set of programs/processes)?
Substantial work on this was done in the context of Vax/VMM. Prior to
that work, it was widely assumed (and still is, by many) that
suppressing covert channels in any meaningful sense had a (severe)
negative impact on performance. It is likely that this reputation was
due to the poor performance of MLS systems. In any case, the Vax/VMM
work noticeably *improved* the performance of Vax/VMM.
> Once you get to the point of auditing source code it seems to me that
> the costs are so high and the means of control so good that worrying
> about non-deterministic inputs is likely a small part of the problem.
A similar sentiment is commonly expressed by people who worked on MLS
stuff. To wit: the best way to solve the covert channel problem is to
ensure that no Trojan Horses are present.
Note, however, that inspection is fallible. Consider the Thompson Turing
Award lecture, but note also that software verification can beat that
> Does anyone know of discussion of controls (e.g. process limits
> like no parallel, no clock, etc., etc.) that have been practically
> made available in systems to more safely run black box code
> so as to more likely be safe from wall listening?
Not specifically, but there was a set of papers on the subject area in
the IEEE Security & Privacy proceedings. It was either the 1990 or the
1991 conference; I can never recall.