Lattice scheduler method for reducing the impact of covert-channel countermeasures

US 5,574,912 A
Filed: 05/04/1990
Issued: 11/12/1996
Est. Priority Date: 05/04/1990
Status: Expired due to Term

First Claim

Patent Images

1. A machine executed method of sequentially allocating the availability of a computer system resource among a plurality of consumers to inhibit use of the resource as a covert communications channel,each said consumer having a respective class that is a member of plurality of classes organized according to a partial ordering scheme wherein a first class A is in a dominance relationship with a second class B,said method comprising the steps of:

(a) defining a scheduling cycle comprising a plurality of sequentially ordered time slots, each said time slot having a respective beginning time and ending time;

(b) assigning at least one said class (designated as class X) to a said time slot (designated as time slot X);

(c) at the beginning of said time slot X, making said resource available for use by a class-X consumer in said class X (subject to termination of said availability at the ending time of said time slot X); and

(d) if said class-X consumer, referred to as consumer C₀, gives up the resource prior to the ending time of said time slot X, then making said resource available for use by a plurality of consumers, referred to as consumers C₁ through C_N, where N may be any integer greater than 1, in one or more classes that dominate said class X (subject to termination of said availability at the ending time of said time slot X) in a sequence wherein the class of any consumer C_i, i being any integer from 1 to N, dominates the class of the immediately preceding consumer C_i-1 in said sequence such that consumers in classes not dominating class X are prevented from using said resource during the period after the consumer C₀ gives up the resource and before the end of time slot X unless a covert-channel counter-measure is performed, thereby inhibiting the use of the resource as a covert communications channel.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for scheduling processes for execution in a computer system organizes the processes into run queues in accordance with the respective secrecy classes of the processes. A CPU time slot is assigned to each run queue. If all processes in a run queue give up the CPU before the expiration of the run queue'"'"'s assigned time slot, the leftover time is given to a run queue whose secrecy class dominates that of the previous run queue. Covert-channel countermeasures are not taken in between two run queues if the secrecy class of the second run queue dominates the secrecy class of the first run queue.

63 Citations

View as Search Results

20 Claims

1. A machine executed method of sequentially allocating the availability of a computer system resource among a plurality of consumers to inhibit use of the resource as a covert communications channel,each said consumer having a respective class that is a member of plurality of classes organized according to a partial ordering scheme wherein a first class A is in a dominance relationship with a second class B,said method comprising the steps of:
- (a) defining a scheduling cycle comprising a plurality of sequentially ordered time slots, each said time slot having a respective beginning time and ending time;
  
  (b) assigning at least one said class (designated as class X) to a said time slot (designated as time slot X);
  
  (c) at the beginning of said time slot X, making said resource available for use by a class-X consumer in said class X (subject to termination of said availability at the ending time of said time slot X); and
  
  (d) if said class-X consumer, referred to as consumer C₀, gives up the resource prior to the ending time of said time slot X, then making said resource available for use by a plurality of consumers, referred to as consumers C₁ through C_N, where N may be any integer greater than 1, in one or more classes that dominate said class X (subject to termination of said availability at the ending time of said time slot X) in a sequence wherein the class of any consumer C_i, i being any integer from 1 to N, dominates the class of the immediately preceding consumer C_i-1 in said sequence such that consumers in classes not dominating class X are prevented from using said resource during the period after the consumer C₀ gives up the resource and before the end of time slot X unless a covert-channel counter-measure is performed, thereby inhibiting the use of the resource as a covert communications channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein each said class includes (i) a level that is a member of a set of levels ranked in ascending order and (ii) a set of zero or more categories.
  - 3. The method of claim 2, wherein said first class A dominates said second class B if (1) the level of class A is equal to or greater than the level of class B and (2) the set of categories of class B is identical to or a subset of the set of categories of class A.
  - 4. The method of claim 3, wherein said class A "directly dominates" said class B if (i) said class A dominates said class B, and (ii) no class A'"'"' exists such that class A dominates class A'"'"' and class A'"'"' dominates class B.
  - 5. The method of claim 2, wherein each said class, level, and category is a secrecy class, secrecy level, and secrecy category, respectively.
  - 6. The method of claim 1, wherein said resource comprises CPU time in a computer system.
  - 7. The method of claim 1, wherein each said consumer is a process being executed by a computer system.
  - 8. The method of claim 1, wherein a single said class is assigned to each said time slot.
  - 9. The method of claim 1, wherein a plurality of classes are assigned to said time slot X.
  - 10. The method of claim 1, wherein if said class-X consumer gives up the resource prior to the ending time of said time slot X, then:
    - (a) if a second consumer exists in said class X, then making said resource available for use by said second consumer (subject to termination of said availability at the ending time of said time slot X),(b) else making said resource available, until the end of said time slot X, to one or more consumers in respective classes that dominate said class X other than class X itself.
  - 11. The method of claim 10, wherein in step (a), said second consumer is selected for running in accordance with a consumer-running selection method.
  - 12. The method of claim 11, wherein said consumer-running selection method comprises a queueing selection method.
  - 13. The method of claim 1, wherein if said resource is given up by a yielding consumer, said resource is made available for use by a consumer in a class that dominates the class of said yielding consumer as follows:
    - (a) if only a single class exists that (i) directly dominates the class of the yielding consumer, and (ii) is associated with one or more existing consumers, then making said resource available for use by a consumer in said single class;
      
      (b) else if a plurality of directly-dominating classes exist that (i) directly dominate the class of the yielding consumer and (ii) are associated with existing consumers, then making said resource available for use by a consumer in a selected one of said plurality of directly-dominating classes.
  - 14. The method of claim 13, wherein said selected one of said plurality of directly-dominating classes is selected through the use of a selection method that approximates a random process.
  - 15. The method of claim 13, wherein said said selected one of said plurality of directly-dominating classes is selected deterministically.
  - 16. The method of claim 1, wherein said time slots are of uniform duration.
  - 17. The method of claim 1, wherein said time slots are selectively assigned among said classes in accordance with said partial ordering scheme.
  - 18. The method of claim 1, further comprising the step, performed at the ending time of said time slot X, of making said resource available for use by a process in a class Y assigned to a time slot Y whose beginning time is immediately subsequent to the ending time of time slot X.
  - 19. The method of claim 1, further comprising the steps of:
    - (e) performing a covert channel countermeasure operation; and
      
      (f) making said resource available for use by a consumer ("subsequent consumer") whose class does not dominate the class of said class-X process.
  - 20. A program storage device that is readable by the machine of a specified one of claims 1 through 19, said program storage device encoding a program of instructions including instructions for executing the machine executed method steps of said specified one of claims 1 through 19.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Hu, Wei-Ming, Mason, Andrew H.
Primary Examiner(s)
Amsbury, Wayne
Assistant Examiner(s)
WANG, PETER

Application Number

US07/519,238
Time in Patent Office

2,384 Days
Field of Search

395/650, 395/600, 395/700, 395/186, 395/187.1, 395/726, 395/728
US Class Current

712/220
CPC Class Codes

G06F 21/556 involving covert channels, ...

Lattice scheduler method for reducing the impact of covert-channel countermeasures

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Lattice scheduler method for reducing the impact of covert-channel countermeasures

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links