If Alice shares sensitive information with user Bob, can we guarantee that Bob will not share it with anyone else?

- [[Authorization#Mandatory access control|MAC]] helps but cannot completely eliminate the possibility of such information sharing

[[Covert channels]] can be used to propagate it

- These channels are not explicitly meant for communication. They do not rely on normal information sharing mechanisms and can be used to propagate sensitive information.

[[TCSEC - Trusted Computer System Evaluation Criteria|TCSEC]] mentioned covert channels and their analysis

- Class B1 requires MAC and B2 addresses covert channels

### How can sensitive information leakage occur?

Client shares data with a service but access control prevents further sharing.

> [!info]- Assume a service wants to leak just one bit of information.
> Suppose a file can only be read by a single process at a time. We can communicate a single bit (True/False) between a sending and a receiving process by having the sending process hold the file open to represent `True`. In the code below, the sending process makes sure it has the file open to send true, and makes sure the file is closed to send false. The receiving process tries to open the file; if it can't, it knows that the sending process has it open and is sending true. This is an example of a covert channel: communication through means not meant for communication.

**Sending process**

```
# open(File, label) jumps to label when the open fails
Proc SetTrue(File)
Begin
  loop1: open(File, loop1)   # keep trying until open() is successful
End;

Proc SetFalse(File)
Begin
  close(File)
End;
```

**Receiving process**

```
Proc CheckValue(File)
Begin
  Value := True;
  Open(File, loop2);    # open failed: the sender holds the file, Value stays True
  Value := False;       # open succeeded: the sender has the file closed
  Close(File);          # release the file so the sender can signal again
  loop2: ;
End;
```

Here we are not reading or writing information, just opening or closing the file. However, sensitive information can be made to flow by:

1. Abusing the file system to communicate information. Assume concurrent open file requests are not allowed.
2. We can send 1/0 with SetTrue/SetFalse

> Any shared resource (mainly between a low and high process) potentially can lead to a covert channel → Storage and timing covert channels

#### Examples

1. Presence and absence of a file
   - Top secret user can create a TS file
   - Secret user tries to read it
   - “file does not exist” communicates 0
   - “access denied” communicates 1
2. Round-robin CPU scheduling
   - Getting control of the CPU quickly transmits 0
   - Getting control of the CPU after a full quantum transmits 1
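
The open/close channel from the SetTrue/SetFalse/CheckValue pseudocode, as an added runnable example (not part of the original notes) that goes beyond one bit and carries whole bytes. It assumes a Unix system, uses a non-blocking exclusive `flock` as a stand-in for a file that only one process may hold at a time, and runs sender and receiver in lockstep inside one process; `try_open`, `Sender` and `leak` are hypothetical names.

```python
import fcntl
import os
import tempfile

def try_open(path):
    """Model of open(File, label): return an fd, or None where the pseudocode jumps."""
    fd = os.open(path, os.O_RDONLY)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)  # assumed stand-in for single-holder files
        return fd
    except BlockingIOError:  # another open file description already holds the lock
        os.close(fd)
        return None

class Sender:
    def __init__(self, path):
        self.path, self.fd = path, None
    def set_true(self):
        while self.fd is None:  # loop1: retry until the open succeeds
            self.fd = try_open(self.path)
    def set_false(self):
        if self.fd is not None:
            os.close(self.fd)  # closing the descriptor releases the lock
            self.fd = None

def check_value(path):
    """Receiver: a failed open means the sender holds the file, which reads as True."""
    fd = try_open(path)
    if fd is None:
        return True
    os.close(fd)  # release immediately so the sender can signal the next bit
    return False

def leak(secret: bytes) -> bytes:
    """Carry `secret` across one bit per slot; the file's contents are never read or written."""
    with tempfile.NamedTemporaryFile() as shared:  # constructed shared file
        sender, received = Sender(shared.name), bytearray()
        for byte in secret:
            value = 0
            for shift in range(7, -1, -1):  # most significant bit first
                if (byte >> shift) & 1:
                    sender.set_true()
                else:
                    sender.set_false()
                value = (value << 1) | check_value(shared.name)
            received.append(value)
        sender.set_false()
        return bytes(received)
```

Because only lock state changes, access-control checks on reading and writing the file never see the transfer, which is why covert channel analysis looks at every resource shared between high and low processes.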