A communications channel that allows transfer of information
in a manner that violates the system’s security policy
Storage Channel
Information is leaked by operating
system messages, file names, etc
The existence of a document called 'topsecretplansforinvasionofIguanaland .doc'
conveys quite a lot of information, even if you cannot actually read the document!
Even a simple 'access denied' message can give you some information.
Increases in amount of traffic on communications
channels can be a sign of activity. Traffic flow
analysis is a useful weapon
Timing Channel
Information is leaked by observing system performance
covert channels are not
detected by BLP modelling.
even if BLP correctly models the stated security policy (in
terms of 'no read-up, no write-down') there may well be ways,
such as covert channels, by which the policy may be violated
Limitations
Confidentiality
BLP relates only to confidentiality
However, there are many cases where a
security policy relates to integrity. IE Biba
Tranquility
BLP assumes that security levels are static
Subjects access / document
classification both subject to change
Covert channels
Sometimes, it is not sufficient to hide only the contents
of objects. Their very existence may need to be hidden