The Integrity Lock Architecture and Its Application to Message Systems: Reducing Covert Channels

Abstract

The integrity lock architecture provides a means of constructing a secure database management system with a relatively small amount of trusted code, using a trusted filter which verifies the integrity of security labels on data from an untrusted DBMS by computing cryptographic checksums. However, since the trusted filter can only check whether or not an individual item of data has been tampered with, and not whether or not that item is a correct answer to a particular database query, a covert channel exists through which a Trojan Horse in the DBMS can leak classified information by encoding it in various incorrect (but unclassified) answers to seemingly innocuous queries. in this paper we discuss a possible solution to this covert channel problem for message systems.