Chapter 17: Confinement Problem
Dr. Wayne Summers
Department of Computer Science, Columbus State University
Summers_wayne@colstate.edu
http://csc.colstate.edu/summers
The Confinement Problem
- Confinement problem: preventing a server from leaking information that the user of the service considers confidential
  - The server must ensure that resources accessed on behalf of the client include only resources the client is authorized to access
  - The server must ensure that it does not reveal the client's data to any other unauthorized entity
- Covert channel: a path of communication not designed for communication
- Rule of transitive confinement: if a confined process invokes a second process, the second process must be as confined as the caller
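The rule of transitive confinement is easiest to see in code. The following is an added teaching example, not material from the slides: a toy reference monitor in which a server acts with only the client's authority, and any helper process it invokes is confined to the intersection of what it asks for and what the caller already holds, so confinement can only tighten along a call chain. Resource names such as "record:42" and the process names are constructed for the demonstration.

```python
# Added example (not from the slides): a toy model of the rule of transitive
# confinement. Resource names and process names are constructed for the demo.

class ConfinementError(Exception):
    """Raised when a process tries to reach outside its confinement."""


class ConfinedProcess:
    """A process that may only touch resources in its 'allowed' set."""

    def __init__(self, name, allowed):
        self.name = name
        self.allowed = frozenset(allowed)
        self.accessed = []  # audit trail of successful accesses

    def access(self, resource):
        # The reference-monitor check: every access is mediated against the policy.
        if resource not in self.allowed:
            raise ConfinementError(f"{self.name}: access to {resource!r} denied")
        self.accessed.append(resource)
        return resource

    def invoke(self, child_name, child_requests):
        # Rule of transitive confinement: the callee is confined at least as
        # tightly as the caller, so its rights are the intersection of what it
        # asks for and what the caller already holds. A child never gains
        # rights its parent lacks.
        return ConfinedProcess(child_name, self.allowed & frozenset(child_requests))


def serve_client(client_authorized, needed, helper_requests):
    """Simulate a server acting on behalf of one client.

    The server is confined to the client's own authorization, so anything it
    or its helper touches is something the client could have touched directly.
    Returns the list of resources actually accessed, or raises ConfinementError.
    """
    server = ConfinedProcess("server", client_authorized)
    for r in needed:
        server.access(r)
    helper = server.invoke("helper", helper_requests)
    for r in helper_requests:
        helper.access(r)  # fails if the helper asked for more than the caller holds
    return server.accessed + helper.accessed


if __name__ == "__main__":
    # Client 42 may read only its own record; a helper asking for more is stopped.
    print(serve_client({"record:42"}, ["record:42"], ["record:42"]))
    try:
        serve_client({"record:42"}, ["record:42"], ["record:42", "record:99"])
    except ConfinementError as e:
        print("blocked:", e)
```

The design choice worth noting is that `invoke` computes the child's rights from the caller's rights rather than trusting the child's own request list; that single intersection is what makes the confinement transitive.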
Isolation
- Virtual machine: a program that simulates the hardware of a computer system
- Sandbox: an environment in which the actions of a process are restricted according to a security policy
Covert Channels
- Covert storage channel: uses an attribute of the shared resource
- Covert timing channel: uses a temporal or ordering relationship among accesses to a shared resource
- Noiseless covert channel: a covert channel that uses a resource available only to the sender and receiver
- Noisy covert channel: a covert channel that uses a resource available to subjects in addition to the sender and receiver
Covert channels
Requirements of a covert storage channel
- Sending and receiving processes have access to the same attribute of a shared object
- The sending process is able to modify the attribute of the shared object
- The receiving process is able to reference the attribute of the shared object
- A mechanism must exist for initiating both processes and properly sequencing their respective accesses to the shared resource
Covert channels
Requirements of a covert timing channel
- Sending and receiving processes have access to the same attribute of a shared object
- Sending and receiving processes must have access to a time reference (e.g. clock, timer, …)
- The sending process must be able to control the timing of the detection of a change in the attribute by the receiving process
- A mechanism must exist for initiating both processes and properly sequencing their respective accesses to the shared resource
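The two sets of requirements above, together with the noiseless/noisy distinction from the earlier slide, can be exercised with an in-memory simulation. This is an added example, not code from the slides or the course: `SharedObject`, its single `attribute`, the logical clock and the scheduling loop are constructed stand-ins for a real shared resource, and no OS resource is touched. It shows the storage channel meeting its four requirements, how a third subject with access to the same attribute turns a noiseless channel into a noisy one, and, for the timing channel, the standard mitigation of giving the receiver only a coarse time reference so that the ordering relationship becomes hard to decode.

```python
# Added example (not from the slides): an in-memory simulation of the covert
# storage and covert timing channels defined above, including the noiseless vs
# noisy distinction and one defender-side mitigation (a coarser time reference).
# 'SharedObject', its 'attribute' and the logical clock are constructed stand-ins;
# no real OS resource is involved.
import random


class SharedObject:
    """A shared resource with one attribute both subjects can reference
    (think: a file's existence flag or a quota counter)."""

    def __init__(self):
        self.attribute = 0


def storage_channel(bits, noise_rate=0.0, rng=None):
    """Covert storage channel, following the slide's four requirements:
    both processes see the same attribute, the sender can modify it, the
    receiver can reference it, and a scheduler sequences sender-then-receiver
    for each bit. With noise_rate > 0 a third subject that also has access to
    the attribute occasionally overwrites it, which makes the channel noisy."""
    rng = rng if rng is not None else random.Random(0)
    obj = SharedObject()
    received = []
    for bit in bits:
        obj.attribute = bit                      # sender modifies the attribute
        if rng.random() < noise_rate:            # interference from a third subject
            obj.attribute = rng.randint(0, 1)
        received.append(obj.attribute)           # receiver references the attribute
    return received


def timing_channel(bits, slow_ticks=3, fast_ticks=1, granularity=1):
    """Covert timing channel: the value is carried by WHEN the receiver sees the
    attribute change, judged against a shared time reference (a logical clock).
    The sender holds the resource for slow_ticks to send 1 and fast_ticks to
    send 0. 'granularity' models the mitigation of giving the receiver only a
    coarse clock: readings are rounded down to multiples of granularity."""
    clock = 0
    received = []
    for bit in bits:
        start = (clock // granularity) * granularity      # receiver's first reading
        clock += slow_ticks if bit else fast_ticks        # sender controls the delay
        end = (clock // granularity) * granularity        # receiver's second reading
        received.append(1 if end - start > fast_ticks else 0)
    return received


def bit_error_rate(sent, received):
    """Fraction of bits the receiver decoded incorrectly."""
    errors = sum(1 for s, r in zip(sent, received) if s != r)
    return errors / len(sent)


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print("storage, noiseless:", storage_channel(msg))
    print("storage, noisy    :", storage_channel(msg, noise_rate=0.5))
    print("timing, fine clock:", timing_channel(msg))
    print("timing, coarse    :", timing_channel(msg, granularity=4))
```

Two points the simulation makes that the definitions alone do not: a noisy channel is not a closed channel, since the receiver still recovers most bits and could add error correction, so the defender's real lever is removing the shared attribute or the sequencing mechanism; and coarsening the time reference degrades the timing channel but does not eliminate it, which is why "fuzzy time" is treated as bandwidth reduction rather than a complete fix.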