Covert flow trees: a visual approach to analyzing covert storage channels

The authors introduce a technique for detecting covert storage channels using a tree structure called a covert flow tree (CFT). CFTs are used to perform systematic searches for operation sequences that allow information to be relayed through attributes and eventually detected by a listening process. When traversed, the paths of a CFT yield a comprehensive list of operation sequences which support communication via a particular resource attribute. These operation sequences are then analyzed and either discharged as benign or determined to be covert communication channels. Algorithms for automating the construction of CFTs and potential covert channel operation sequences are presented. To illustrate this technique, two example systems are analyzed and their results compared to two currently accepted analysis techniques performed on identical systems. This comparison shows that the CFT approach not only identified all covert storage channels found by the other analysis techniques, but discovered a channel not detected by the other techniques