Next: Cryptography Up: Protection Previous: Physical Analogy

The Confinement Problem

Consider a client using the services of some server that it does not trust. It needs to, however, disclose some information to the server to get the job done. For instance, the server may help a client with tax computations, given some financial data from the client. The client is worried that the server may record this information and sell it to an interested party.

One step the system can take to protect the client is to ensure that there is no possible way for the server to record information. This may be achieved by ensuring that the server does not write information to any external file. However, the server may communicate the information to another process, called the collaborator. Now the object of the system is to make sure that there is no way for the server to leak information to the collaborator. Butler Lampson calls this the confinement problem.

The system may be able to ensure that the server cannot pass information to the collaborator by writing to shared memory, a shared file, or using IPC facilities. However, more subtle communication channels may exist between the server and the collaborator. For instance, the server can try to communicate a binary bit stream as follows. To send a 1, it does computation for a fixed interval of time. To send a 0, it goes to sleep for the same interval of time. The collaborator can try to detect the bit stream by carefully monitoring the system load. The load will be lower when a 0 is being sent and higher when a 1 is being sent. The covert communication channel thus established is a noisy one, but enough redundant information can be sent to extract the information.

Modulating the CPU usage is not the only covert channel. The paging rate can also be modulated (many page faults for a 1, no page faults for a 0). Acquiring and releasing dedicated resources (tape drives, plotters, etc.) can be used for signalling (acquiring a resource can mean a 1, and releasing a resource a 0). In Unix, the server could create a file to indicate a 1, and remove it to signal a 0. The collaborator can then use the open call to see if the file exists. This call can be used even if the collaborator has no permission to use the file.
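The load channel above is noisy, and the notes claim redundancy still extracts the data. The following added example (not from Lampson's paper or these notes) models that channel as a binary symmetric channel: it computes how many repeated samples a majority-vote decoder needs for a given per-sample error rate, how long a leak of a given size would take, and simulates the high-load/low-load encoding on constructed noisy load samples. The noise model (Gaussian load jitter around a high and a low level) and the numbers are assumptions chosen for illustration; a defender can use the same arithmetic to estimate the bit rate a monitor would have to detect.

```python
import math
import random


def bsc_capacity(p):
    """Capacity in bits per sample of a binary symmetric channel with error rate p."""
    if p in (0.0, 1.0):
        return 1.0
    h = -(p * math.log2(p) + (1 - p) * math.log2(1 - p))
    return 1.0 - h


def majority_error(n, p):
    """Probability that majority vote over n (odd) independent samples decodes the wrong bit."""
    assert n % 2 == 1, "repetition count must be odd so the vote cannot tie"
    return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(n // 2 + 1, n + 1))


def repetitions_needed(p, target):
    """Smallest odd repetition count whose majority-vote error is at most target."""
    n = 1
    while majority_error(n, p) > target:
        n += 2
    return n


def leak_seconds(bits, p, target, interval):
    """Wall-clock time to leak `bits` bits if each sample costs `interval` seconds."""
    return bits * repetitions_needed(p, target) * interval


def simulate_load_channel(bits, reps, noise_sd, seed=1):
    """Encode bits as repeated busy (high load) or sleep (low load) intervals,
    add constructed Gaussian jitter, and decode by threshold plus majority vote."""
    rng = random.Random(seed)
    samples = []
    for b in bits:
        level = 0.9 if b else 0.1          # assumed load while computing vs. sleeping
        samples.extend(level + rng.gauss(0.0, noise_sd) for _ in range(reps))
    decoded = []
    for i in range(0, len(samples), reps):
        block = samples[i:i + reps]
        ones = sum(1 for s in block if s > 0.5)   # threshold halfway between levels
        decoded.append(1 if ones > reps // 2 else 0)
    return decoded


if __name__ == "__main__":
    p = 0.1                                   # assumed per-sample misread rate
    print("capacity per sample:", round(bsc_capacity(p), 3))
    print("repetitions for 1% bit error:", repetitions_needed(p, 0.01))
    print("seconds to leak a 16-bit value at 1 s/sample:", leak_seconds(16, p, 0.01, 1.0))
```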

Lampson also mentions a way for the server to leak the information to its human owner. Assume that the client needs to pay for the services of the server. Then the server process will need to send its owner a copy of the bill so that he knows how much to expect. The information can be encoded in the bill. For instance, if the actual computing bill is 100 dollars and the client's income is 53K, then the server could report the bill as 100.53.

Just finding all the covert channels, let alone blocking them, is extremely difficult.





Prasun Dewan
Mon Nov 4 12:08:34 EST 1996