Capacity estimation and auditability of network covert channels

Classical covert channel analysis has focused on channels available on a single computer: timing channels and storage channels. We characterize network covert channels. Potential network covert channels are exploited by modulating transmission characteristics. We distinguish between spatial covert channels, caused by a variation in the relative volume of communication between nodes in the network, and temporal covert channels caused by a variation in transmission characteristics over time, extending the work of Girling (1987). A model for obtaining a spatially neutral transmission schedule was given by Newman-Wolfe and Venkatraman (1991, 1992). Temporally neutral transmissions are characterized and scheduling policies to generate temporally neutral transmission schedules were given by Venkatraman and Newman-Wolfe (1993). We estimate the covert channel capacity using an adaptive scheduling policy, modeling the system as a mode secure system. Based on our measurements on the University of Florida campus-wide backbone network (UFNET), we discuss the auditability of network covert channels and suggest some handling policies to reduce the capacity of these covert channels to TCSEC acceptable levels