A Guide to the Procurement of Trusted Systems: An ... - csirt
dependent system parameter, and a "receiving" process observes and interprets this effect as a bit of information.
3.6.1 DETECTION

Covert channels are easy to hypothesize, but difficult to detect, and often they cannot be totally eliminated. The next-best approach is to try to identify them, reduce their effectiveness, and provide a measure of control over them. Execution flow analysis can sometimes detect storage channels, but no formal methods can detect timing channels at this time.
3.6.2 RATES

High covert channel transfer rates (over 100 bits/sec) are a major concern and are generally unacceptable. Low transfer rates (under 1 bit/sec) are of less concern because it would take too long to communicate significant amounts of information. (It cannot be forgotten, however, that there are situations in which a single number or name can be highly classified.) Intermediate transfer rates introduce the need for the ISSO to monitor covert channel activity. This is done by auditing all known events that may be used to exploit the covert channel. The Trusted Facility Manual should contain information on what events are audited and how they should be interpreted.
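The following is an added illustration, not part of the guide, of the storage channel described above together with the rate thresholds and audit-based monitoring of 3.6.2. The "shared resource" is a constructed stand-in for any system parameter a high process can modulate and a low process can legally observe (a lock, a quota counter, free blocks); the tick length, the `hold_ticks` mitigation, the `high`/`low` subject names and the message `KEY=4711` are all assumptions made for the example.

```python
"""Simulated storage covert channel with audit trail and rate classification.

Added example (not from the guide). The shared resource, subjects "high"
and "low", and the tick length are constructed for illustration.
"""

TICK_SECONDS = 0.01  # assumed: one scheduling slot per tick (constructed)


class SharedResource:
    """An observable system parameter plus an audit trail of who touched it."""

    def __init__(self):
        self.in_use = False
        self.audit_log = []  # (tick, subject, event) records, constructed format

    def acquire(self, tick, subject):
        self.in_use = True
        self.audit_log.append((tick, subject, "acquire"))

    def release(self, tick, subject):
        self.in_use = False
        self.audit_log.append((tick, subject, "release"))

    def probe(self, tick, subject):
        # Reading the state is permitted by the access control policy;
        # that is exactly what makes the parameter usable as a channel.
        self.audit_log.append((tick, subject, "probe"))
        return self.in_use


def to_bits(text):
    """Serialize text to a list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in text.encode() for i in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; ignores a trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode()


def run_channel(text, tick_seconds=TICK_SECONDS, hold_ticks=1):
    """High process encodes text by holding (1) or freeing (0) the resource,
    one symbol per hold_ticks; low process samples it once per symbol.
    hold_ticks > 1 models a mitigation that forces the observer to wait
    between reads, which lowers the channel's bandwidth without closing it.
    Returns (decoded text, bits per second, audit log)."""
    res = SharedResource()
    received = []
    tick = 0
    for bit in to_bits(text):
        if bit:
            res.acquire(tick, "high")
        else:
            res.release(tick, "high")
        tick += hold_ticks
        received.append(1 if res.probe(tick, "low") else 0)
    elapsed = tick * tick_seconds
    return from_bits(received), len(received) / elapsed, res.audit_log


def classify_rate(bits_per_sec):
    """Bands from section 3.6.2: >100 bit/s, <1 bit/s, and intermediate."""
    if bits_per_sec > 100:
        return "high: generally unacceptable"
    if bits_per_sec < 1:
        return "low: tolerable"
    return "intermediate: ISSO must audit and monitor"


def audit_probe_rate(audit_log, subject, tick_seconds=TICK_SECONDS):
    """What an audit reduction tool would compute for the ISSO: how often
    a subject samples the shared parameter, in probe events per second."""
    ticks = [t for t, s, e in audit_log if s == subject and e == "probe"]
    if not ticks:
        return 0.0
    span = (max(ticks) - min(ticks) + 1) * tick_seconds
    return len(ticks) / span


if __name__ == "__main__":
    # A short secret leaks in 64 symbols; at one symbol per 10 ms tick the
    # channel runs at 100 bit/s, at the boundary of the "high" band.
    secret = "KEY=4711"  # constructed value
    decoded, rate, log = run_channel(secret)
    print(decoded, f"{rate:.1f} bit/s ->", classify_rate(rate))
    print("low-process probe rate:", f"{audit_probe_rate(log, 'low'):.1f}/s")
    # Forcing a 2 s wait between reads drops the same channel to 0.5 bit/s.
    _, slow, _ = run_channel(secret, hold_ticks=200)
    print(f"{slow:.2f} bit/s ->", classify_rate(slow))
```

The probe count in the audit trail is the observable the guide's monitoring relies on: the low process never violates mandatory access control, so only the rate at which it samples the shared parameter, compared against the bands above, distinguishes exploitation from normal use.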
3.6.3 COVERT CHANNEL ANALYSIS

A covert channel analysis is required for Classes B2, B3, and A1. In acquisitions requiring these classes, a Statement of Work task should be included in the RFP that requires the contractor to conduct a covert channel analysis, and the CDRL should list the development of a Covert Channel Analysis. This process will require the contractor to deliver a technical report to the Government that documents the results of the analysis. An assessment of the report will reveal whether the covert channels found are sufficient to cause redesign or can be tolerated by using auditing techniques.
3.7 MAGNETIC REMANENCE

The retentive properties of magnetic storage media and the known risks in erasing and releasing such media should be considered in all AIS acquisitions. The correct procedures for clearing and declassifying AIS magnetic media must be included in the design and implementation documentation of AISs. Contractor and Government personnel must both use NSA-approved standards for degaussing and overwriting. Degaussing equipment must be evaluated and approved to meet the standards. Auditing, record-keeping, testing and control of overwrite software, and the handling of equipment malfunctions are risk areas that are often neglected.
3.7.1 GUIDELINES

NCSC-TG-025, "A Guide to Understanding Data Remanence in Automated Information Systems," should be included in all RFP requirements. Another excellent source document is Defense Intelligence Agency Manual 50-4, "Security of Compartmented Computer Operations (U)," CONFIDENTIAL.
3.7.2 REQUIREMENTS

Page 48