Re: Secdir Review of draft-stjohns-sipso-05

At 07:01 PM 10/2/2008, Joe Touch wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>> A second single level process at SECRET also attempts to do a passive
>> open to the same port - but gets blocked because the port resource is
>> being held by the TOP SECRET process. The SECRET process now has one bit
>> of information about the TOP SECRET part of the host. By grabbing and
>> releasing port resources, the TS process can signal data to processes at
>> lower security levels.
>
>Understood. However, the lower security process can't know whether it's
>the TS process doing this or some other reason (port blocked, e.g.); all
>it knows is that it can't connect at the level it wants on
>the port it wants.

MLS systems have a couple of mandatory access rules - one of them is that processes at higher levels can read things at lower levels (assuming the discretionary access controls permit it).  This includes, specifically, programs.

Say you have an attacker - a contract programmer hired by Coke to write a couple of utility programs.  He writes two - one program that almost everyone will use at some point, another for his own personal use.  The former includes the signaling code to twiddle TCP ports.  The latter contains the code to monitor that twiddling.  The attacker completes his program, checks it in for use.  Mr VP comes along, logs in at TOP SECRET and runs the utility program - maybe it's a spell checker - and triggers the signaling process.  The utility program has access to everything Mr VP has at that level. One of the things the trojan horse finds is the formula for New Coke (tm).. :-)  The attacker (at the UNCLASSIFIED level) captures the signals and ultimately the formula and sells the formula to the highest bidder.


The signaling program uses 10 ports - two to signal the presence or absence of data - and 8 others to represent one byte of data.  (See the old 1822 protocol definitions).


>...
>> The fix was to virtualize TCP so that there was a complete set of TCP
>> ports per distinct security domain.
>
>I agree that this fixes your problem, but what it does is create a new
>naming dimension to the entire Internet, and I don't think that this is
>feasible.

Naming?  Not really.  Addressing maybe - but that's - as I said before - pretty local to only those hosts that implement MLS.


>Perhaps you'd prefer to black-hole the SYNs at the wrong security level,
>which would still modify 793, but would not create the naming dimension
>problem that concerns me...

Define "wrong security level" - both the attacker and victim are operating at their own security levels, it's just the resource interactions that lead to the covert channel.

Which SYNs - (need an exact filter definition here please) would you black hole, and how would that solve anything?
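The exchange above turns on one question: can a process at a lower level observe, through the result of its own passive open, whether a higher-level process holds a port? The following is an added model (not code from the draft, the thread, or any MLS implementation) that contrasts a single host-wide port table with the per-security-domain virtualization the draft describes, and runs the kind of check a covert-channel analysis would apply: does what the low level observes vary with high-level activity at all? The class names, the fixed port number and the level labels are constructed for the illustration.

```python
"""Model of TCP port allocation on an MLS host: shared vs. per-domain port tables.

Added example; the classes, port number and activity patterns are constructed for
illustration and do not reflect any particular operating system's implementation.
"""

PORT = 8080  # constructed example port; any port number behaves the same way


class SharedPortTable:
    """One host-wide port table: a port held at any level blocks every other level.

    This is the pre-fix behaviour the thread describes.
    """

    def __init__(self):
        self._held = {}  # port -> level of the process holding it

    def passive_open(self, port, level):
        """Attempt a listen on `port`; False means the bind is refused."""
        if port in self._held:
            return False
        self._held[port] = level
        return True

    def close(self, port, level):
        if self._held.get(port) == level:
            del self._held[port]


class VirtualizedPortTable:
    """A complete set of TCP ports per security domain (the fix from the draft).

    A hold at one level is simply not present in another level's table.
    """

    def __init__(self):
        self._held = set()  # (level, port) pairs

    def passive_open(self, port, level):
        key = (level, port)
        if key in self._held:
            return False
        self._held.add(key)
        return True

    def close(self, port, level):
        self._held.discard((level, port))


def low_level_observations(table_cls, high_holds_port):
    """What a SECRET process sees while a TOP SECRET process holds/releases PORT.

    `high_holds_port` is a list of booleans, one per step, saying whether the
    higher-level process holds the port during that step. The lower-level
    process tries a passive open each step and records whether it succeeded,
    releasing the port immediately so the next step starts clean.
    """
    table = table_cls()
    seen = []
    for held in high_holds_port:
        if held:
            table.passive_open(PORT, "TOP SECRET")
        ok = table.passive_open(PORT, "SECRET")
        if ok:
            table.close(PORT, "SECRET")
        seen.append(ok)
        if held:
            table.close(PORT, "TOP SECRET")
    return seen


def has_resource_channel(table_cls, steps=4):
    """Covert-channel check: True if low-level observations depend on high-level activity.

    Compare a run where the high level holds the port every step with one where
    it never does. If the two observation sequences differ, the port table leaks
    at least one bit per step across levels and needs mitigation.
    """
    with_activity = low_level_observations(table_cls, [True] * steps)
    without_activity = low_level_observations(table_cls, [False] * steps)
    return with_activity != without_activity


if __name__ == "__main__":
    for cls in (SharedPortTable, VirtualizedPortTable):
        print(f"{cls.__name__}: channel present = {has_resource_channel(cls)}")
```

With the shared table the lower-level open fails exactly when the higher-level process holds the port, so the observation sequence tracks high-level activity step for step; with per-domain tables the lower-level open always succeeds and the two runs are indistinguishable, which is the property the virtualization fix is meant to provide.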



_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
