From owner-freebsd-current  Thu Sep 24 09:18:58 1998
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA24905
          for freebsd-current-outgoing; Thu, 24 Sep 1998 09:18:58 -0700 (PDT)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from mailgw1.lmco.com (mailgw1.lmco.com [192.31.106.3])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA24900
          for <freebsd-current@FreeBSD.ORG>; Thu, 24 Sep 1998 09:18:56 -0700 (PDT)
          (envelope-from George.W.Dinolt@lmco.com)
Received: from emss02g01.ems.lmco.com (relay2.ems.lmco.com [198.7.15.39])
	by mailgw1.lmco.com (8.8.8/8.8.8) with ESMTP id KAA15522;
	Thu, 24 Sep 1998 10:18:45 -0600 (MDT)
Received: from wdl1.wdl.lmco.com ([137.249.32.1]) by lmco.com (PMDF V5.1-10 #20543)
 with SMTP id <0EZS00MP9QN8CL@lmco.com>; Thu, 24 Sep 1998 10:18:45 -0600 (MDT)
Received: from lmco.com by wdl1.wdl.lmco.com (SMI-8.6/WDL-5.0) id JAA12058; Thu, 24 Sep 1998 09:18:37 -0700
Date: Thu, 24 Sep 1998 09:18:36 -0700
From: "George W. Dinolt" <George.W.Dinolt@lmco.com>
Subject: Re: Limit 'ps' to show only user's processes
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Brian Tao <taob@risc.org>, FREEBSD-CURRENT <freebsd-current@FreeBSD.ORG>
Message-id: <360A70DC.29BE32C5@lmco.com>
Organization: Lockheed Martin Western Devlopment Labs
MIME-version: 1.0
X-Mailer: Mozilla 4.05 [en] (X11; U; SunOS 5.5.1 sun4u)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
References: <Pine.BSF.3.96.980924094715.27219B-100000@fledge.watson.org>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi:

There was some work done in the 1970's and 1980's studying the kinds of
things you are discussing in this thread.  The work was known as 'covert
channel' or 
'information flow' analysis. Some of the work was done in the context of
Multilevel Security although obviously the concepts apply to other
systems as well. The basic idea was that a "low" user should not be able
to determine "high" information by analyzing system behavior visible to
the low user. (In addition, there was the hope that one could prevent a
high user from signaling information to a low user via manipulations of
the system resources visible to low users. (It should not be surprising
that this sounds slightly convoluted.) 

If you are interested in this area you might find the section on
Information Flow Analysis in Morrie Gasser's book {\bf Building a Secure
Computer System} interesting. It gives a high level introduction to the
area and some pointers to other work. 

Several of my colleagues and I have done covert channels analysis on
systems. As you have pointed out, removing the channels entirely is
often impossible and limiting the bandwidth to "reasonable" levels is
difficult. The mechanisms needed to limit the bandwidth often interfere
with other features the system is supposed to provide. 
-- 
Regards,
George W. Dinolt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message