Editing Covert channel (section)

==Characteristics==
A covert channel is so called because it is hidden from the access control mechanisms of secure operating systems since it does not use the legitimate data transfer mechanisms of the computer system (typically, read and write), and therefore cannot be detected or controlled by the security mechanisms that underlie secure operating systems.  Covert channels are exceedingly hard to install in real systems, and can often be detected by monitoring system performance. In addition, they suffer from a low [[signal-to-noise ratio]] and low data rates (typically, on the order of a few bits per second). They can also be removed manually with a high degree of assurance from secure systems by well established covert channel analysis strategies.

Covert channels are distinct from, and often confused with, legitimate channel exploitations that attack low-assurance pseudo-secure systems using schemes such as ''[[steganography]]'' or even less sophisticated schemes to disguise prohibited objects inside of legitimate information objects.  The legitimate channel misuse by steganography is specifically not a form of covert channel.{{Citation needed|date=December 2013}}

Covert channels can tunnel through secure operating systems and require special measures to control.  Covert channel analysis is the only proven way to control covert channels.{{Citation needed|date=April 2011}}  By contrast, secure operating systems can easily prevent misuse of legitimate channels, so distinguishing both is important.  Analysis of legitimate channels for hidden objects is often misrepresented as the only successful countermeasure for legitimate channel misuse.  Because this amounts to analysis of large amounts of software, it was shown as early as 1972 to be impractical.<ref name="anderson72">[http://seclab.cs.ucdavis.edu/projects/history/papers/ande72.pdf Computer Security Technology Planning Study] (James P. Anderson, 1972)</ref>  Without being informed of this, some are misled to believe an analysis will "manage the risk" of these legitimate channels.

===TCSEC criteria===

The [[TCSEC|Trusted Computer Security Evaluation Criteria]] (TCSEC) was a set of criteria, now deprecated, that had been established by the [[National Computer Security Center]], an agency managed by the United States' [[National Security Agency]].

Lampson's definition of a ''covert channel'' was paraphrased in the TCSEC<ref>[http://www.fas.org/irp/nsa/rainbow/tg030.htm NCSC-TG-030, ''Covert Channel Analysis of Trusted Systems (Light Pink Book)'', 1993] from the [[United States Department of Defense]] (DoD) [[Rainbow Series]] publications.</ref> specifically to refer to ways of transferring information from a higher classification compartment to a lower classification.  In a shared processing environment, it is difficult to completely insulate one process from the effects another process can have on the operating environment.  A covert channel is created by a sender process that modulates some condition (such as free space, availability of some service, wait time to execute) that can be detected by a receiving process.

The TCSEC defines two kinds of covert channels:
*[[Storage channels]] - Communicate by modifying a "storage location", such as a hard drive.
*[[Timing channels]] - Perform operations that affect the "real response time observed" by the receiver. 
The TCSEC, also known as the ''Orange Book'',<ref>[http://csrc.ncsl.nist.gov/publications/secpubs/rainbow/std001.txt 5200.28-STD], [[TCSEC|''Trusted Computer System Evaluation Criteria (Orange Book)'', 1985]]  {{Webarchive|url=https://web.archive.org/web/20061002160143/http://csrc.ncsl.nist.gov/publications/secpubs/rainbow/std001.txt |date=2006-10-02 }} from the DoD [[Rainbow Series]] publications.</ref> requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3.