Question

You work in a classified environment where Bell LaPadula MLS (Multilevel Security) model is employed. Your clearance is "SECRET" (on a scale TOP SECRET > SECRET > CLASSIFIED > UNCLASSIFIED). Your company is furnished with a shared and synchronized cloud drive, where: >>A user, any clearance, can send a document, accessible by any computer in the same network, no matter the clearance. >>The document can be printed by any employees, using a computer with the right clearance. >>All the computers connected to the same network can see the documents in the drive. >>The user's computer clearance is the same as the user's clearance. >>The document is added to the print queue of the station without any delay. >>The classification of the document to print is the same as the clearance of the computer used to upload it. Please, describe a potential covert channel to disclose SECRET documents to someone with CLASSIFIED clearance. PROBLEM: If you print SECRET documents, you go directly to jail, without passing GO. The system, in fact, checks any document added to the drive. If documents with clearance higher than UNCLASSIFIED are printed, it raises an alarm.

Answer 1

Answer:

The answer is by using a covert channel like shared memory objects such as files, directories,messages, etc since both  the user and the sender of the document are on same network of the company.

Explanation:

The Bell LaPadula MultiLevel Security model was a security policy developed by Bell and LaPadula in 1973 in response to a security issue raised by the US Air Force regarding file-sharing mainframe computers . Actually, many people with networked systems have realized by early 1970s that the protection purportedly offered by many commercial operating systems was poor, and wa not getting better any time soon. This was observed when it was noticed that as one operating system error was fixed, some other vulnerability would be discovered. There was also the constant worry that various unskilled users would discover loopholes in the operating system during usage and use them to their own advantage.

 Information release may take place via shared memory objects such as files, directories, messages, and so on. Thus, a Trojan Horse acting on behalf of a user could release user-private information using legitimate operating system requests. Although developers can build various mechanisms within an operating system to restrict the activity of programs (and Trojan Horses) operating on behalf of a user  , there is no general way, short of implementing nondiscretionary policy models, to restrict the activity of such programs. Thus, given that discretionary models cannot prevent the release of sensitive information through legitimate program activity, it is not meaningful to consider how these programs might release information illicitly by using covert channels.

For example, for someone with higher integrity level (SECRET) to send an accounts payable application to a user, if the untrusted accounts payable application contains a Trojan Horse, the Trojan Horse program could send a (legal) message to the said user process running at a lower integrity level (CONFIDENTIAL), thereby initiating the use of a covert channel. In this covert channel, the Trojan Horse is the receiver of (illegal) lower integrity-level input and the user process is the sender of this input.