A Practical Approach to Identifying Storage and Timing Channels

Recognizing and dealing with storage and timing channels when performing the security analysis of a computer system is an elusive task. Methods of discovering and dealing with these channels for the most part have been ad hoc, and those that are not are restricted to a particular specification language. This paper outlines a practical methodology for discovering storage and timing channels that can be used through all phases of the software life cycle to increase the assurance that all channels have been identified. The methodology is presented and its application to three different descriptions (English, formal specification, and high order language implementation) are discussed.