[E-Lang] Summary for Practical Programming
Jonathan S. Shapiro
Mon, 05 Feb 2001 11:39:12 -0500
Tyler Close wrote:
> MarkM wrote:
> > At 04:35 AM Saturday 2/3/01, Tyler Close wrote:
> > >> >It follows that everyone also agrees that the
> > capability model is
> > >> >theoretically sound.
> > >[...]
> > >By "theoretically sound" I meant that the model can enforce the
> > >prohibitions that it expresses.
> Agreed. How annoying.
This is all true but irrelevant. The issue of covert channels is
entirely orthogonal to the issue of access controls. It has nothing to
do with whether you use ACLs, capabilities, or deaf mutes as your
security platform. This is part of why I am so careful in my papers to
be specific that I am not addressing covert channel issues.
The reasons that it still matters which system we use are:
a) covert channels are harder to use
b) overt channels have much higher bandwidth
c) a large class of attacks cannot be perpetrated
via covert channels.
The last is the most important. We are not concerned only with data
leakage. We are also concerned with malicious behavior. Maliciousness is
not a covert channel problem.
> Do we have a list of the walls in a capability system that can be
> banged on?
The answer has nothing to do with whether the system is a capability
sytem or not. There are at least two reasonable methodologies for
enumerating all of the potential covert channels in a system. Note that
there are more categories than wall banging to concern ourselves with.
Readers interested in this area are strongly encouraged to hunt down a
copy of Proceedings of the 1991 IEEE Symposium on Security and Privacy
and read all of the papers there on this topic. Collectively they are
> Off-hand, the only one I can think of is the CPU....
Regrettably not. The disk arm, the external interrupt sources, the
ageing mechanism.... Basically, any source of a "clock" (by which is
meant in this context a linear sequence of probabilistically
distinguishable events) is a potential covert channel source. If the
sequencing is only statistically detectable, you need to add error