Covert flow trees: a technique for identifying and analyzing covert storage channels

Abstract

A technique for detecting covert storage channels using a tree structure called a covert flow tree (CFT) is introduced. By traversing the paths of a CFT a comprehensive list of scenarios that potentially support covert communication via particular resource attributes can be automatically constructed. CFTs graphically illustrate the process through which information regarding the state of one attribute is relayed to another attribute, and how in turn that information is relayed to a listening process. Algorithms for automating the construction of CFT and potential covert channel operation sequences are presented. Two example systems are analyzed and their results are compared to two other analysis techniques performed on identical systems. The CFT approach not only identified all covert storage channels found by the other techniques, but discovered a channel not detected by the other techniques.<>