1 Introduction
A classic problem of computer security is the mitigation of covert channels. First introduced by Lampson [1], a covert channel in a (single-host or distributed) computer system can be roughly defined as any means by which two processes or users can exchange information in violation of security policy. While the exact detection of usable covert channels in a system is undecidable, many conservative approaches exist to detect and eliminate all potential covert channels; for example, the US Department of Defense "Light Pink Book" [2] on covert channel analysis includes detailed procedures to find and eliminate covert channels. Unfortunately, the cost of such elimination is often prohibitive; in such cases, the Light Pink Book recommends techniques to limit the bandwidth of covert channels and requires auditing to detect any use of the covert channel. A natural question that arises from this suggestion is whether it is feasible for an auditor to detect such use.