Printing service covert channel example

This is an example of a printing service covert channel.

A trusted line printer service correctly tags each submitted job with the MAC label of the requesting process and maintains that label with the queued jobs for use in eventual printing. Jobs with relatively long names are allowed.

A status program allows the user to see all of the jobs that are queued for the user, including the user-assigned job name, regardless of the label of the job. This can be used as a covert channel, since a sender process can create jobs whose names contain data to be covertly passed to receivers that operate on behalf of the same user.

Note: The only criterion for covert exploitation is that the receiver's label does not dominate the sender's label and that both the sender and receiver are untrusted. Both sender and receiver will commonly operate on behalf of the same user.

This channel is closed by allowing the user to view only jobs that are dominated by the user's current MAC label. This forces the MAC label of the receiver to dominate that of the sender, so the channel can only be used for a legal upgrade. As a matter of courtesy, the status program could give the user an "other jobs exist" message if non-dominated jobs exist. This represents a much smaller channel with a good operational reason for existence.

Note: Auditing the detection of higher-level jobs can be useful, since this detection will probably be rare in normal operation.

This is a common example of a covert channel where multilevel named data objects (queued printing jobs in this case) are accessible by processes at different MAC labels. The channel is effectively removed by applying the MAC label of the object to the name also. Attributes other than name, such as size, can also carry covert information.
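
The status listing described above, before and after the dominance filter, as an added example that is not code from any real print service. The `Label` and `Job` types, the function names and the sample queue are assumptions made for illustration, with a label modelled as a level plus a category set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                      # hierarchical sensitivity level
    cats: frozenset = frozenset()   # non-hierarchical categories

    def dominates(self, other):
        # Dominance: at least the same level and a superset of categories.
        return self.level >= other.level and self.cats >= other.cats

@dataclass(frozen=True)
class Job:
    owner: str
    name: str      # user-assigned, may be long
    label: Label   # MAC label of the submitting process, kept with the job

def status_unfiltered(queue, user):
    """Original behaviour: every job of the user, name included."""
    return [j.name for j in queue if j.owner == user]

def status_filtered(queue, user, current, audit):
    """Show only jobs whose label is dominated by the caller's current label."""
    visible, hidden = [], 0
    for j in queue:
        if j.owner != user:
            continue
        if current.dominates(j.label):
            visible.append(j.name)
        else:
            hidden += 1
    if hidden:
        # Audit the detection; the record carries no name, size or count
        # taken from the hidden jobs.
        audit.append((user, current, "non-dominated jobs detected"))
    # Second value is the one-bit "other jobs exist" courtesy flag.
    return visible, hidden > 0

# Constructed sample data
LOW = Label(0)
SECRET = Label(2, frozenset({"proj"}))
QUEUE = [
    Job("alice", "quarterly-report", LOW),
    Job("alice", "long-job-name-set-at-the-higher-label", SECRET),
    Job("bob", "notes", LOW),
]
```

The filtered listing returns only a boolean for hidden jobs rather than their number, since a count would be another attribute that a higher-label process could vary.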