A term from computer security, a covert channel is a communications channel that allows two processes to talk to each other when they would otherwise not be allowed to do so. Often these are based on affecting the system on which both are running (for example, using up all of the CPU time); every few moments (at some pre-agreed interval), the receiver checks whether that condition is present and records a 1 or 0 bit, depending on the condition's presence or absence. This is a fairly noisy communications channel, and error-correcting codes are usually necessary.

A large amount of system engineering goes into preventing covert channels. In particular, eliminating high bandwidth covert channels is a must for systems in high security environments (often such systems use mandatory access control security policies). A high bandwidth covert channel is generally considered to be one that supports transmitting at least 100 bits per second. That is 100 bits / second after error correction: a very noisy channel that supported 100 bits / second of "raw" bandwidth would only actually support perhaps 10 bits / second of real data due to overhead from the coding. In the mid-80s, a terminal would often run at about 100 bits / second, and it was felt that no covert channel should be able to transmit as fast as or faster than a standard communications technique. You cannot get a very high rating in the TCSEC or Common Criteria schemes if your system supports large covert channels.

Removing all covert channels from a system is probably impossible (at least from a practical standpoint), so for high security systems the general policy is to find all possible covert channels (so their use can be audited) and make sure the bandwidth supported by them is not too large.
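The bandwidth accounting described above, as an added example that is not part of the original writeup: it models a covert channel as a binary symmetric channel (an assumption; real channels can have burstier noise), computes the Shannon bound on its error-corrected rate and the rate of a simple repetition code, and compares the bound with the 100 bits / second threshold. The channel names, raw rates and error rates are constructed sample values.

```python
import math
from math import comb

HIGH_BANDWIDTH_BPS = 100.0  # threshold quoted in the text above


def bsc_capacity(p):
    """Shannon capacity (useful bits per raw bit) of a channel that
    flips each raw bit independently with probability p."""
    if p in (0.0, 1.0):
        return 1.0
    h = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return 1.0 - h


def repetition_code(raw_bps, p, n):
    """Data rate and residual bit error rate when every bit is sent
    n times (n odd) and the receiver takes a majority vote."""
    if n % 2 == 0:
        raise ValueError("n must be odd so the majority vote cannot tie")
    residual = sum(comb(n, k) * p**k * (1 - p)**(n - k)
                   for k in range(n // 2 + 1, n + 1))
    return raw_bps / n, residual


def assess(raw_bps, p):
    """Upper bound on the real data rate after error correction, and
    whether that bound reaches the high-bandwidth threshold."""
    effective = raw_bps * bsc_capacity(p)
    return effective, effective >= HIGH_BANDWIDTH_BPS


if __name__ == "__main__":
    # Constructed measurements: (name, raw bits/second, bit error rate)
    channels = [
        ("disk-thrash timing", 0.1, 0.05),
        ("noisy CPU-load channel", 100.0, 0.20),
        ("clean shared-resource channel", 400.0, 0.01),
    ]
    for name, raw, p in channels:
        eff, high = assess(raw, p)
        rate, ber = repetition_code(raw, p, 9)
        verdict = "HIGH bandwidth" if high else "below threshold"
        print(f"{name}: bound {eff:.2f} b/s, 9x repetition "
              f"{rate:.2f} b/s at BER {ber:.4f} -> {verdict}")
```

With the constructed 20% error rate, the 100 bits / second raw channel is bounded at about 28 bits / second, and a naive 9x repetition code delivers about 11 bits / second while still getting roughly 2% of bits wrong.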

Covert channels are distinct from, though similar to, subliminal channels.


Here is a rough outline of your typical covert channel. Process #1, which is highly privileged, wants to divulge some top secret information to process #2, which wouldn't ordinarily be allowed to have it. In most high security systems, there will be mechanisms in place so that process #1 cannot talk to process #2 at all. So how to get around this restriction, and leak those nude JPEGs of Kylie Minogue? (or whatever)

Every 10 seconds, process #1 either does nothing, or starts thrashing the hard drive as hard as it possibly can for 5 seconds. While this is happening, process #2 is reading and writing to a large set of memory (larger than physical RAM, so the system has to page some out). While it's doing this, process #2 keeps track of how long the average memory access takes. If, around the 10 second mark, it notices a slowdown (because the disk is thrashing and it takes more time to page in some memory), it marks that as a 1 bit. Otherwise, it marks it as a 0 bit.

This is a very low bandwidth covert channel: about 1 bit every 10 seconds. It would take about 3 days to send the text of this writeup through the channel. There are many enhancements to increase the bandwidth and reliability, but hopefully this makes the general idea clearer. The best (i.e., highest bandwidth) covert channels tend to rely heavily on the design and implementation of the operating system.
