Lecture 22 Notes; May 19, 1997; Notetaker: Scott Miller

Bell-LaPadula Model - Revisited
-------------------------------

What does it mean to read or write?

- Information can be transmitted without directly writing and then reading:
  a "covert channel".
- Covert channels can occur any time disks are shared. The Orange Book does
  not recommend eliminating covert channels, but at least minimizing their
  bandwidth.
- Against a storage covert channel: partition the disks.
- Against a timing covert channel: partition CPU time.
- Randomization can also help: throw random information into the channel.
- Redefine "illegal read" as any time high transmits information to low.

Non-Deducibility Security (NDS)
-------------------------------

Low cannot deduce anything about high. Is this feasible?

A system is NDS if, for every label x and every trace, there is another trace
that looks the same to users with labels <= x but which contains no inputs
from labels that are not <= x; i.e. high inputs don't affect the low outputs.

In his paper McCullough constructs two systems which are independently NDS,
but which, when linked to each other, produce a system that is not NDS.

Non-Interference Security (NIS)
-------------------------------

u1, u2, ..., un      users with labels
w1, w2, ..., wn      inputs from u1, ..., un (wi is the input stream of ui)
w                    merged input stream
{[w,1] ... [w,n]}    output sequences (one per user)
Purge_j([w,i])       all input from user j is removed from i's output stream

  u1 __w1___                  |_____[w,1]___> u1
   .         \                |
   .          \___w___>       |
   .          /               |
   .         /                |
  un __wn___                  |_____[w,n]___> un

If for all users the output sequences are the same when all input from users
with higher labels is purged, then the system is NIS.
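The purge-and-compare check just defined, as an added example that is not part of these notes. It assumes a two-level lattice (L < H) and two constructed toy systems: a shared disk quota, which has exactly the storage covert channel described in the first section, and its partitioned counterpart, which applies the "partition the disks" mitigation.

```python
from itertools import product

LABELS = {"L": 0, "H": 1}          # constructed two-level lattice, L < H

def purge(trace, user):
    """Purge_j from the notes: drop every input that user j issued."""
    return [(u, op) for (u, op) in trace if u != user]

def shared_disk(trace, capacity=2):
    """Constructed system with a storage covert channel: one quota shared
    by all users. H can fill the disk so L's next alloc returns 'full'."""
    used, out = 0, {u: [] for u in LABELS}
    for user, op in trace:
        if op == "alloc" and used < capacity:
            used += 1
            out[user].append("ok")
        elif op == "alloc":
            out[user].append("full")
        elif op == "free":
            used = max(0, used - 1)
            out[user].append("ok")
    return out

def partitioned_disk(trace, capacity=2):
    """Same interface with a per-user quota (the 'partition disks'
    mitigation): nothing H does can change what L observes."""
    used, out = {u: 0 for u in LABELS}, {u: [] for u in LABELS}
    for user, op in trace:
        if op == "alloc" and used[user] < capacity:
            used[user] += 1
            out[user].append("ok")
        elif op == "alloc":
            out[user].append("full")
        elif op == "free":
            used[user] = max(0, used[user] - 1)
            out[user].append("ok")
    return out

def is_noninterfering(system, ops=("alloc", "free"), max_len=4):
    """Exhaustive check of all traces up to max_len: purging inputs of any
    user j not <= i must leave i's outputs unchanged. Returns (ok, witness)."""
    events = [(u, op) for u in LABELS for op in ops]
    for n in range(1, max_len + 1):
        for trace in product(events, repeat=n):
            for i, j in product(LABELS, repeat=2):
                if i != j and not LABELS[j] <= LABELS[i]:
                    if system(trace)[i] != system(purge(trace, j))[i]:
                        return False, trace
    return True, None
```

The shared-quota system fails the check with a witness trace in which H fills the disk before L allocates; the partitioned system passes for every trace tried.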