**Covert communication** uses mechanisms that are not designed for communication or information transfer.
- Based on alteration/observation of [[TCB - Trusted Computing Base|TCB]] variables that define shared resource state or allocated policy
- Given a [[Authorization#Mandatory access control|MAC]] policy $M$, any potential information flow from subject $S_m$ to $S_n$ is covert if it is forbidden by $M$

### Formal definition
Interference implies covert communication. We have non-interference when a higher privileged process is entirely unaware of the existence of lower privileged processes.
- $i$ = instruction stream in a system
- $l$ = security level
- $π(i, l)$ is the instruction stream after removing, from stream $i$, the instructions of subjects dominated by $l$
- $A(i, σ)$ is the state resulting from executing the instructions in $i$ starting in state $σ$
- $σ.v(s)$ is subject $s$’s view of $σ$

>[!info]- Non-interference iff $∀ \space i \space ∀ \space s$: $A(π(i, l(s)), σ).v(s) = A(i, σ).v(s)$
>The high process doesn’t know whether the low process is around or not. Here *$A(i, σ).v(s)$* is the case where the low process’s instructions are included, and *$A(π(i, l(s)), σ).v(s)$* the case where they have been purged, so only the high process’s instructions remain.
>Essentially, since the high process is unaware of the presence of a low process, it will not try to communicate anything to it.

### Side channels
In covert channels, two processes cooperate to undermine a MAC policy. **Side channels** do not rely on such cooperation: $S_n$ can infer something about $S_m$’s sensitive data from activity of $S_m$ that $S_n$ is able to observe.

Examples:
- Acoustic or electromagnetic emanations used to figure out passwords or keys
- Guessing bits of a key from the power consumed while an operation using that key is performed

### What do we do about covert channels?
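One thing we can do is check a system model against the non-interference condition from the formal definition above. The following is an added example, not part of the original note: a constructed two-level toy system with the note’s $i$, $π$, $A$ and $σ.v(s)$ as Python functions, where a shared TCB counter that the high subject can read turns out to be exactly the kind of interference that indicates a covert channel. It assumes strict dominance (high over low) so that a subject’s own instructions survive the purge.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed toy model (assumption, not from the note): two levels, "high" strictly dominates "low".
STRICTLY_DOMINATES = {("high", "low")}

def dominated_by(level_a: str, level_b: str) -> bool:
    """True when level_b strictly dominates level_a."""
    return (level_b, level_a) in STRICTLY_DOMINATES

@dataclass(frozen=True)
class Instr:
    subject: str   # e.g. "S_m"
    level: str     # l(subject)
    op: str        # "inc_shared" (bump a TCB-shared counter) or "inc_private"

@dataclass
class State:
    shared: int = 0                                   # shared resource variable in the TCB
    private: Dict[str, int] = field(default_factory=dict)  # per-subject private state

def pi(stream: List[Instr], l: str) -> List[Instr]:
    """pi(i, l): remove instructions of subjects dominated by l."""
    return [ins for ins in stream if not dominated_by(ins.level, l)]

def A(stream: List[Instr], sigma: State) -> State:
    """A(i, sigma): state after executing every instruction of i starting from sigma."""
    st = State(sigma.shared, dict(sigma.private))
    for ins in stream:
        if ins.op == "inc_shared":
            st.shared += 1
        elif ins.op == "inc_private":
            st.private[ins.subject] = st.private.get(ins.subject, 0) + 1
    return st

def view(sigma: State, subject: str, shared_visible: bool) -> tuple:
    """sigma.v(s): what subject s can observe; the shared counter only if it is exposed."""
    own = sigma.private.get(subject, 0)
    return (sigma.shared, own) if shared_visible else (own,)

def noninterference(stream: List[Instr], subject: str, level: str, shared_visible: bool) -> bool:
    """Check A(pi(i, l(s)), sigma).v(s) == A(i, sigma).v(s) for one stream and subject."""
    sigma = State()
    purged, full = A(pi(stream, level), sigma), A(stream, sigma)
    return view(purged, subject, shared_visible) == view(full, subject, shared_visible)

# Constructed stream: low subject S_m bumps the shared counter, high subject S_n works privately.
STREAM = [Instr("S_m", "low", "inc_shared"), Instr("S_n", "high", "inc_private"),
          Instr("S_m", "low", "inc_shared")]

def check() -> dict:
    """High subject's view depends on low instructions only when the shared counter is exposed."""
    return {"shared_counter_exposed": noninterference(STREAM, "S_n", "high", True),
            "shared_counter_hidden": noninterference(STREAM, "S_n", "high", False)}
```

Running `check()` shows non-interference failing while the shared counter is part of the high subject’s view and holding once that TCB variable is hidden from it.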