I-0066: Definition Of ``Communication Channel'' And ``Endpoint''
NUMBER: I-0066
STATUS: Ready to Prepare for Management/CCIMB
TITLE: Definition Of ``Communication Channel'' And ``Endpoint''
FIRST POST: [criteria 2305]
MOST RECENT REPOST: [criteria 2356]
REQUIREMENT: Definition
CRITERIA CLASSES: B1, B2, B3, A1
DOCUMENT(S): <None>
RELATED TO: <None>

STATEMENT:

The following adds a TCSEC GLOSSARY definition for the term ``communication channel'':

A communication channel is a mechanism for communication between a transmitter and a receiver, where the information flow transits the NTCB partition boundary.

The following adds a TCSEC GLOSSARY definition for the term ``endpoint'':

An endpoint is the terminus of a communication path between a transmitter and a receiver. With a communication channel, the "transmitter" is the entity that is writing to the endpoint, and the "receiver" is the entity that is reading from the endpoint.

PROJECTED IMPACT:

This interpretation may contradict terminology used informally in past evaluation reports.

SUPPORT:

The classic definition of a Communication Channel [Shannon, Claude and Weaver, Warren; The Mathematical Theory of Communication, University of Illinois Press, Urbana IL, 1949] is the medium used to transmit a signal from transmitter to receiver. The definitions in this interpretation are a translation of this definition into the TCB paradigm. The notion of the transmitter and receiver having to be in different NTCB partitions derives from the fact that the TCSEC uses "communication channel" exclusively in the context of importation and exportation. In order to import or export, one end must be outside of the TCB under evaluation.

The TNI defines a Communication Channel as "The physical media and devices which provide the means for transmitting information from one component of a network to (one or more) other components." On the surface, the TNI definition has a greater orientation towards the physical aspects of the connection.
However, the term "device" has traditionally been treated as including both hardware and software (i.e., driver) aspects of the device. It is a reasonable generalization to include the interface to the mechanism as part of the mechanism. Thus, for example, in UNIX systems where Internet-domain sockets are viewed as communication channels, the channel from the TNI point-of-view includes the socket, the underlying network and device drivers, the supporting hardware, and the physical transmission medium.

Unless the policy enforced by a TCB considered a communication channel mechanism (such as a socket) as an object, the communication channel is subject only to those criteria requirements levied on communication channels.

Communication channels exhibit a number of characteristics:
The specific nature of an endpoint may vary depending on the product and type of endpoint. Endpoints could be modeled as active untrusted subjects or TCB subjects (with respect to the receiving NTCB partition). They could also be modeled as objects, with subjects reading and writing to the endpoint. The receiving endpoint might also be modeled as a resource out of control of the transmitting NTCB partition, and thus neither subject nor object with respect to the transmitting NTCB partition.

The general notion is that communication channels in and of themselves provide no passive storage, and are not objects. Endpoints can be objects. This moves much of the burden of access control from the communication channel to the endpoint (subject and/or object). Note that the communication channel would still be subject to any criteria requirements on communication channels.

A typical model of a communication channel is communication across a network. In this model, an untrusted subject in the transmitting NTCB partition is communicating with some other entity in the receiving NTCB partition (the transmitting subject has no specific knowledge of the nature of the receiving entity). The transmitting subject, acting as sender, composes a message and uses a TCB mechanism to "transmit" the message through the communication channel to an endpoint (for example, an IP address and port combination). The TCB of the transmitting NTCB partition, acting on behalf of the destination endpoint, accepts the message and (using appropriate protocols) places the message on the network media. The TCB of the receiving NTCB partition (acting on behalf of the transmitter) receives the message from the network media and uses a communication channel on the receiving NTCB partition to transmit the message to the receiving entity.
The overall transmission, at the composite network (i.e., what the TNI calls an "external model") level, forms a logical communication channel between the transmitter and receiver. A full duplex channel could be modeled as two communication channels.

The determination of whether a communication channel is single-level or multilevel depends on the protocol used to communicate with the endpoint. If the protocol is one that with appropriate assurance allows transmissions of security attributes such that the attributes may be reliably used by the receiving TCB, then the communication channel should be considered multilevel. However, if the protocol allows attribute information to be modified without detection (for example, standard IP across the Internet), the communication channel should be considered a single-level communication channel. In such cases, the administrator must specify a security label to be applied to any information received from a particular endpoint; if the administrator does not specify such a label, the information must be discarded.

Importation and exportation across a communication channel are subject to the auditability requirements for such channels in the TCSEC.
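
The single-level versus multilevel import rule above, sketched as an added example that is not part of the interpretation itself. The `Channel` record, the `seal` helper, the label names and the endpoint addresses are constructed for illustration, and an HMAC over label and payload stands in for the unspecified "appropriate assurance".

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Channel:
    endpoint: str                      # constructed, e.g. "192.0.2.10:7000"
    mac_key: Optional[bytes] = None    # assumption: a key means attributes arrive with assurance
    admin_label: Optional[str] = None  # label the administrator assigned to this endpoint

AUDIT = []  # one (endpoint, decision, label) record per import attempt

def seal(key: bytes, label: str, payload: bytes) -> bytes:
    """Sender side: bind the label to the payload so changes are detectable."""
    return hmac.new(key, label.encode() + b"\x00" + payload, hashlib.sha256).digest()

def import_message(ch, payload, claimed_label=None, tag=None):
    """Return (label, payload) if the data is imported, None if discarded."""
    label = None
    if ch.mac_key is not None:
        # Multilevel: use the transmitted label only when it verifies.
        # Discarding on failure is this example's choice, not the page's.
        if claimed_label is not None and tag is not None and hmac.compare_digest(
                seal(ch.mac_key, claimed_label, payload), tag):
            label = claimed_label
    else:
        # Single-level: any in-band label is ignored; the administrator's
        # label applies, and with none configured the data is discarded.
        label = ch.admin_label
    AUDIT.append((ch.endpoint, "import" if label is not None else "discard", label))
    return (label, payload) if label is not None else None
```

Every call appends to `AUDIT`, so discarded imports are recorded alongside accepted ones.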