Zusammenfassung der Ressource
U4. Further Aspects of BLP
- Covert Channel
- A communications channel that allows transfer of information
in a manner that violates the system’s security policy
- Storage Channel
- Information is leaked by operating
system messages, file names, etc
- The existence of a document called 'topsecretplansforinvasionofIguanaland .doc'
conveys quite a lot of information, even if you cannot actually read the document!
Even a simple 'access denied' message can give you some information.
- Increases in amount of traffic on communications
channels can be a sign of activity. Traffic flow
analysis is a useful weapon
- Timing Channel
- Information is leaked by observing system performance
- covert channels are not
detected by BLP modelling.
- even if BLP correctly models the stated security policy (in
terms of 'no read-up, no write-down') there may well be ways,
such as covert channels, by which the policy may be violated
- Limitations
- Confidentiality
- BLP relates only to confidentiality
- However, there are many cases where a
security policy relates to integrity. IE Biba
- Tranquility
- BLP assumes that security levels are static
- Subjects access / document
classification both subject to change
- Covert channels
- Sometimes, it is not sufficient to hide only the contents
of objects. Their very existence may need to be hidden