COVERT FLOW TREES - A VISUAL APPROACH TO ANALYZING COVERT STORAGE CHANNELS

Cited by: 26
Authors
KEMMERER, RA
PORRAS, PA
Affiliation
[1] Reliable Software Group, Department of Computer Science, University of California, Santa Barbara
Keywords
SECURITY; COVERT CHANNELS; NONINTERFERENCE SECURITY POLICY; SHARED RESOURCE MATRIX; CONFINEMENT; FLOW ANALYSIS; MULTILEVEL SECURITY; VISUAL ENVIRONMENTS; TREES;
DOI
10.1109/32.106972
Chinese Library Classification number
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
This paper introduces a technique for detecting covert storage channels using a tree structure called a Covert Flow Tree (CFT). The benefits of using Covert Flow Trees to perform a covert channel analysis are twofold. First, by traversing the paths of a Covert Flow Tree, a comprehensive list of scenarios that potentially support covert communication via particular resource attributes can be automatically constructed. Secondly, Covert Flow Trees graphically illustrate the process through which information regarding the state of one attribute is relayed to another attribute, and how in turn that information is relayed to a listening process. Using this visual model to examine the routes by which information travels during covert communication enhances the analyst's understanding of the storage channel and may provide insight into the formation of countermeasures. Algorithms for automating the construction of Covert Flow Trees and potential covert channel operation sequences are presented. To illustrate this technique, two example systems are analyzed and their results compared to two currently accepted analysis techniques performed on identical systems. This comparison shows that the CFT approach not only identified all covert storage channels found by the other analysis techniques, but discovered a channel not detected by the other techniques.
Pages: 1166-1185
Number of pages: 20