The purpose of this paper is to show that typical information flow policies can be enforced by enforcement mechanisms that work by monitoring a system execution at run time. the system execution represent an event sequence in the system. Our enforcement mechanism has extra structure. In this paper the extra structure become an emulator to work on a subsequence of the observed sequence in order ...

Virtualization is a key enabling technology in cloud computing. Multiple tenants can share computing resource of cloud provider on demand. While sharing can reduce the expenses of computing, it brings security vulnerability as well since the isolation between different VMs could be violated through side-channel attacks. Recent researches point out that by leveraging memory bus contention, two c...

When assessing the security of security-critical systems, it is crucial to consider conceptually new attacks, as appropriate countermeasures can only be implemented against known threats. Consequently, in this thesis we explore new classes of attacks and evaluate countermeasures. Our contribution is three-fold. We identify two previously unknown side channel attacks, i.e., attacks that exploit ...

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a commun...

The concurrency control lock (e.g. file lock, table lock) has long been used as a canonical example of a covert channel in a database system. Locking is a fundamental concurrency control technique used in many kinds of computer systems besides database systems.Locking is generally considered to be interfering and hence unsuitable for multilevel systems. In this paper we show how such locks can ...

Covert channels are illicit means of leaking sensitive or private information through system global variables that usually are not part of the interpretation of data objects in the security model. We discovered that some covert channels can be modeled as finite-state graphs while others cannot. By using various techniques given in the paper, multiple bits of information can be simultaneously tr...

We review our recent work on the reliability function of the timing channel associated to the first in first out exponential-server queue. This result may be of use in understanding the limits to communication over covert timing channels arising in networks.

Measures for anonymity in systems must be on one hand simple and concise, and on the other hand reflect the realities of real systems. Such systems are heterogeneous, as are the ways they are used, the deployed anonymity measures, and finally the possible attack methods. Implementation quality and topologies of the anonymity measures must be considered as well. We therefore propose a new measur...

Protocol specificationsmake various assumptions. These assumptionsmay concern the operation of trusted principals, the operation of principals under failure, the practical capabilities of an intruder or particular properties of the encryption system etc. Although some assumed properties may be ’obvious’, many may not be. Furthermore, such properties are rarely stated explicitly (we often lack a...

We view Multi-Level Secure (MLS) real-time systems as systems in which MLS real-time tasks are scheduled and execute, according to a scheduling algorithm employed by the system. From this perspective, we develop a general trace-based framework that can carry out a covert-timing channel analysis of a real-time system. In addition, we propose a set of covert-timing channel free policies: If a sys...