Page 116 - DCAP516_COMPUTER_SECURITY
data, it is exploiting a covert channel. It is extremely difficult to close all covert channels in a
practical computing system, and it may be impossible in practice. The process of identifying all
covert channels is a challenging one by itself. Most commercially available MLS systems do not
attempt to close all covert channels, even though this makes it impractical to use them in high
security applications.
Bypass is problematic when introduced as a means to treat a system high object as if it were MLS
trusted. A common example is to extract data from a secret system high object to be sent to an
unclassified destination, citing some property of the data as trusted evidence that it is ‘really’
unclassified (e.g., ‘strict’ format). A system high system cannot be trusted to preserve any trusted
evidence, and the result is that an overt data path is opened with no logical way to securely
mediate it. Bypass can be risky because, unlike narrow bandwidth covert channels that are
difficult to exploit, bypass can present a large, easily exploitable overt leak in the system. Bypass
often arises out of failure to use trusted operating environments to maintain continuous separation
of security domains all the way back to their origin. When that origin lies outside the system
boundary, it may not be possible to validate the trusted separation to the origin. In that case, the
risk of bypass can be unavoidable if the flow truly is essential.
A common example of unavoidable bypass is a subject system that is required to accept secret IP
packets from an untrusted source, encrypt the secret userdata (but not the header) and deposit the
result onto an untrusted network. The source lies outside the sphere of influence of the subject
system. Although the source is untrusted (e.g., system high), it is being trusted as if it were MLS
because it provides packets that have unclassified headers and secret plaintext userdata, an MLS
data construct. Since the source is untrusted, it could be corrupt and place secrets in the unclassified
packet header. The corrupted packet headers could be nonsense, but it is impossible for the
subject system to determine that with any reasonable reliability. The packet userdata is
cryptographically well protected, but the packet header can contain readable secrets. If the
corrupted packets are passed to an untrusted network by the subject system, they may not be
routable, but some cooperating corrupt process in the network could grab the packets and
acknowledge them, and the subject system may not detect the leak. This can be a large overt leak
that is hard to detect. Viewing classified packets with unclassified headers as system high
structures instead of the MLS structures they really are presents a very common but serious
threat.
Most bypass is avoidable. Avoidable bypass often results when system architects design a
system before correctly considering security, then attempt to apply security after the fact as add-
on functions. In that situation, bypass appears to be the only (easy) way to make the system
work. Some pseudo-secure schemes are proposed (and approved!) that examine the contents of
the bypassed data in a vain attempt to establish that the bypassed data contains no secrets. This is not
possible without trusting something about the data, such as its format, which is contrary to the
assumption that the source is not trusted to preserve any characteristics of the source data.
Assured "secure bypass" is a myth, as is a so-called High Assurance Guard (HAG) that
transparently implements bypass. The risk these introduce has long been acknowledged; extant
solutions are ultimately procedural rather than technical. There is no way to know with certainty
how much classified information is taken from our systems by exploitation of bypass.
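The following model of the packet-forwarding subject system and of a "strict format" header check is an added example, not part of the original text. It shows why such a check cannot establish that bypassed data carries no secrets: only the header fields a syntactic policy can pin (version, IHL, length, checksum, protocol, addresses) are verified, and every other header bit leaves the system in the clear, which is the overt capacity of the bypass. The addresses, packet contents and the SHA-256 keystream standing in for the real cipher are all constructed for this example.

```python
"""Bypass model: IPv4 header forwarded verbatim, userdata encrypted, header format-checked.
All packet values are constructed for this example; the keystream is a toy stand-in."""
import hashlib
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

# (field, width in bits, whether a strict syntactic check actually pins its value)
HEADER_FIELDS = [
    ("version", 4, True), ("ihl", 4, True), ("dscp_ecn", 8, False),
    ("total_length", 16, True), ("identification", 16, False),
    ("reserved_flag", 1, True), ("df_mf_flags", 2, False),
    ("fragment_offset", 13, False), ("ttl", 8, False), ("protocol", 8, True),
    ("checksum", 16, True), ("src", 32, True), ("dst", 32, True),
]

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit header words with the checksum field zeroed."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(ident: int, userdata: bytes) -> bytes:
    """Constructed packet from the 'untrusted source': 10.0.0.1 -> 192.0.2.7, TCP, DF set."""
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7])
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(userdata), ident, 0x4000, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + userdata

def strict_format_check(packet: bytes, allowed_src: set, allowed_dst: set, allowed_proto: set) -> bool:
    """Everything a syntactic 'strict format' policy can verify about the header."""
    if len(packet) < 20:
        return False
    ver_ihl, _dscp, length, _ident, flags_frag, _ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    return (ver_ihl == 0x45 and length == len(packet) and (flags_frag >> 15) == 0
            and csum == ipv4_checksum(packet[:20]) and proto in allowed_proto
            and src in allowed_src and dst in allowed_dst)

def unconstrained_header_bits() -> int:
    """Header bits the check cannot pin: the overt capacity per forwarded packet (47 bits)."""
    return sum(bits for _, bits, constrained in HEADER_FIELDS if not constrained)

def subject_system_forward(packet: bytes, key: bytes) -> bytes:
    """Bypass path: header copied unchanged, userdata XORed with a toy SHA-256 keystream."""
    header, userdata = packet[:20], packet[20:]
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(userdata) // 32 + 1))
    return header + bytes(a ^ b for a, b in zip(userdata, stream))
```

Two packets that differ only in the identification field both pass the check, so the subject system has no basis for deciding which one is legitimate; at 1,000 packets per second the unpinned header bits alone amount to roughly 47 kbit/s leaving in plaintext.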
9.4.2 Applications of MLS
Infrastructure such as trusted operating systems is an important component of MLS systems,
but in order to fulfill the criteria required under the definition of MLS by CNSSI 4009 (paraphrased
at the start of this article), the system must provide a user interface that is capable of allowing a
user to access and process content at multiple classification levels from a single system. The
UCDMO ran a track specifically focused on MLS at the NSA Information Assurance Symposium
in 2009, in which it highlighted several accredited (in production) and emergent MLS systems.
110 LOVELY PROFESSIONAL UNIVERSITY