
Integrity Through Mediated Interfaces PI Meeting: July 19-21, 2000






Presentation Transcript


  1. Integrity Through Mediated Interfaces
  PI Meeting: July 19-21, 2000
  Bob Balzer, Teknowledge, balzer@teknowledge.com
  Legend: Turquoise = changes from July 99 PI meeting; Green = changes from Feb 00 PI meeting

  2. Technical Objectives
  • Wrap Data with Integrity Marks
  • Ensure its Integrity
  • Record its processing history
  • Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks
  • Demo these capabilities on a major COTS product
    • Microsoft Office Suite (PowerPoint & Word only)
  • Also demo on a mission critical military system

  3. Existing Practice
  • Integrity Stove-Piped on a Tool-by-Tool Basis
  • End-to-End Integrity Not Supported
  • Persistent Data only Safeguarded by OS
  • Corruption Detection is Ad-Hoc
  • Corruption Repair
    • Based on Backups
    • Not Integrated with Detection
  This Slide Intentionally Blank

  4. Technical Approach
  [Diagram: Mediation Cocoon. Environment = Operating System; External Programs; mediators (M) around the Program; Change Monitor]
  • Wrap Program
    • Detect access of integrity marked data & decode it
    • Monitor User Interface to detect change actions
    • Translate GUI actions into application specific modifications
    • Detect update of integrity marked data
    • Re-encode & re-integrity mark the updated data
  • Repair any subsequent Corruption from History
  • Build on existing research infrastructure

  5. Two Level Architecture
  [Diagram: Mediation Cocoon. Environment = Operating System; External Programs; mediators (M) around the Program; Change Monitor]
  Major Risks and Planned Mitigation
  • Ability to detect application-level modifications
    Application Openness Spectrum:
    • Event-Generators: Capture as transaction history
    • Scripting API: Examine state to infer action
    • Black-Box: Mediate GUI to infer action
    => Generic Mediators + Tool Specific mapping
  1. Application Independent GUI Monitor signals action types
  2. Application Dependent Change Monitor
    • Determines Action Parameters
    • Logs Modification History

  6. Major Risks and Planned Mitigation
  • Ability to detect application-level modifications
    Application Openness Spectrum:
    • Event-Generators: Capture as transaction history
    • Scripting API: Examine state to infer action
    • Black-Box: Mediate GUI to infer action
    => Generic Mediators + Tool Specific mapping
  • Ability to protect transaction history
    => Hide the location of the transaction history
    • Virtual File System wrapper
    • System-level Randomization Techniques
  • Tool-Specific Modification Trackers Expensive
    => Automate common portions
    => Provide rule-based scripting language

  7. Accomplishments To Date
  • Corruption Detector (Demo)
    • IDs Document Version on Save (in Document)
    • Records Document Cryptographic Digest on Save
    • Checks Document Cryptographic Digest on Load
  • Change Monitor for MS Word 2000 (Demo)
    • Determines parameters for application-level action
    • Records transaction history (for possible Replay)
  • Corruption Repairer (Demo)
    • Rebuilds document by replaying transaction history
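The three components on this slide (detector, change monitor, repairer) fit together into one loop: log each application-level change with its author, mark the document with a version id and a keyed digest on save, verify the digest on load, and replay the log when the check fails. The following is an added example of that loop, not code from the project or the presentation; the key, the `Transaction` shape, the `memo-1` document and the tampering step are all constructed for illustration, and the digest is stored outside the document (the Feb 00 risk slide's "hide the transaction history" concern applies to the digest and the log alike).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key for the example; a real integrity manager keeps it away from the document.
INTEGRITY_KEY = b"constructed-demo-key"


@dataclass
class Transaction:
    """One application-level change captured by the change monitor."""
    user: str     # attribution: who made the change
    action: str   # "insert" or "delete"
    offset: int
    text: str


@dataclass
class Document:
    doc_id: str
    content: str = ""
    version: int = 0   # version id written into the document on save


def apply_transaction(content: str, tx: Transaction) -> str:
    """Replay one logged transaction against a document state."""
    if tx.action == "insert":
        return content[:tx.offset] + tx.text + content[tx.offset:]
    if tx.action == "delete":
        end = tx.offset + len(tx.text)
        if content[tx.offset:end] != tx.text:
            raise ValueError("logged delete does not match document state")
        return content[:tx.offset] + content[end:]
    raise ValueError(f"unknown action {tx.action!r}")


class IntegrityManager:
    """Corruption detector, change monitor and repairer, keyed by document id."""

    def __init__(self, key: bytes):
        self.key = key
        self.digests = {}   # (doc_id, version) -> digest, kept outside the document
        self.history = {}   # doc_id -> list of Transaction

    def _digest(self, doc: Document) -> str:
        # HMAC rather than a plain hash: someone who rewrites the file cannot re-mark it without the key.
        msg = f"{doc.doc_id}\n{doc.version}\n".encode() + doc.content.encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def record_change(self, doc: Document, tx: Transaction) -> None:
        """Change monitor: apply the action and append it to the transaction history."""
        doc.content = apply_transaction(doc.content, tx)
        self.history.setdefault(doc.doc_id, []).append(tx)

    def save(self, doc: Document) -> None:
        """Detector on save: assign a new version id and record the digest for it."""
        doc.version += 1
        self.digests[(doc.doc_id, doc.version)] = self._digest(doc)

    def check_on_load(self, doc: Document) -> bool:
        """Detector on load: recompute the digest for the claimed version and compare."""
        expected = self.digests.get((doc.doc_id, doc.version))
        return expected is not None and hmac.compare_digest(expected, self._digest(doc))

    def rebuild(self, doc: Document) -> None:
        """Repairer: replay the full history from an empty document."""
        content = ""
        for tx in self.history.get(doc.doc_id, []):
            content = apply_transaction(content, tx)
        doc.content = content

    def attribution(self, doc_id: str):
        """Who changed what, in order (the 'attribute changes to individuals' policy)."""
        return [(tx.user, tx.action, tx.text) for tx in self.history.get(doc_id, [])]


def demo():
    """Constructed scenario: edits by two users, save, corruption between usages, repair."""
    mgr = IntegrityManager(INTEGRITY_KEY)
    doc = Document("memo-1")
    mgr.record_change(doc, Transaction("alice", "insert", 0, "Hello world"))
    mgr.record_change(doc, Transaction("bob", "delete", 6, "world"))
    mgr.record_change(doc, Transaction("bob", "insert", 6, "DARPA"))
    mgr.save(doc)
    intact = mgr.check_on_load(doc)
    doc.content = "Hello DARPA (tampered)"   # constructed corruption outside the application
    corrupted = mgr.check_on_load(doc)
    mgr.rebuild(doc)
    repaired = mgr.check_on_load(doc)
    return intact, corrupted, repaired, doc.content


if __name__ == "__main__":
    print(demo())
```

The replay is only as trustworthy as the log: if the same corruption can reach the transaction history, `rebuild` faithfully reproduces the corrupted state, which is why the risk slides treat hiding and protecting the history as a separate problem from detecting corruption of the document.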

  8. Accomplishments To Date: Safe Email Attachments (Demo)
  • Wrapper protects email attachment execution
    • Automatically spawned when attachment opened
  • Restricts
    • Files that can be read/written
    • Remote Sites that can be downloaded-from/uploaded-to
    • Portions of Registry that can be read/written
    • Processes that can be spawned
  • Planned Deployment
    • Aug: Alpha at Teknowledge/MitreTek
    • Sept: Beta at DARPA
    • Nov: Pilot at military command (TBD)

  9. Accomplishments To Date: IFE 2.3 ReRun Experiment (IA)
  [Diagram: row of mediator (M) symbols]
  • 14 Blue Flags established (asset targets)
  • 12 captured by Red-Team
  • 2 uncaptured (protected by NT Wrappers)

  10. Accomplishments To Date: Other IA Projects
  • IFE 2.3 ReRun: only uncaptured blue flags
  • NT Security Manager
    • Policy specifies
      • which processes can run
      • whether executables should be integrity checked
      • how processes should be wrapped
    • All processes wrapped before execution
  • New AIA Project: Enterprise Wrappers (Tek/NAI)
    • Goal: Network Management of Host Wrappers
    • Common NT/Linux Interface & Infrastructure

  11. Measures of Success
  • Widespread Deployment of Integrity Manager for MS-Office
  • Extensibility of Integrity Manager to other COTS products
    • Ease of creating Modification Trackers
  • Resistance to Malicious Attacks
    • Corruption Avoidance
    • Corruption Detection
    • Corruption Repair
    => Red-Team Experiment

  12. Expected Major Achievements
  • For Integrity Marked Documents:
    • End-To-End Data Integrity (through multiple tools/sessions)
    • Modifications Monitored, Authorized, & Recorded
    • Authorization Control of Users, Tools, and Operations
    • All Changes Attributed and Time Stamped
    • Assured Detection of Corruption
    • Ability to Restore Corrupted Data
  • Ability to operate with COTS products
    • MS-Office Documents Integrity Marked
    • Mission Critical Military System Integrity Marked

  13. Task Schedule
  • Dec99: Tool-Level Integrity Manager
    • Monitor & Authorize Tool access & updates
  • Jun00: Operation-Level Integrity Manager
    • Monitor, Authorize, & Record Modifications
  • Dec00: Integrity Management for MS-Office
  • Jun01: Corruption Repair
  • Dec01: Integrity Management for Mission Critical Military System
  • Jun02: Automated Modification Tracking

  14. Task Schedule: Safe Email-Attachments
  • July00: Demo at PI Meeting
  • Aug00: Alpha at Teknowledge/MitreTek
  • Sept00: Beta at DARPA
  • Nov00: Pilot at military command (TBD)

  15. Enforced Policies
  • MS Word documents (PowerPoint next)
    • Attack: Document corrupted between usages
      Policy: Check integrity when used. Rebuild if corrupted
    • Attack: Insider corrupts document using Word/PowerPoint
      Policy: Log changes. Attribute changes to individuals
  • Suspect Programs
    • Attack: Program may harm persistent resources
      Policy: Copy files just before they are modified. Rollback when requested
  • Email-Attachments (Web Browsers)
    • Attack: Program may harm resources
      Policy: Restrict access/modification of resources
  • Executables
    • Attack: Unauthorized changes are made to executables
      Policy: Integrity Check executables before loading
      Policy: Prohibit unauthorized modification of executables

  16. (To Be) Enforced Policies
  • <Program> can only modify files it creates
  • <Program> can't leave any persistent files after it terminates
  • <Program> can only create/access files in <directory> that are selected by user
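The attachment wrapper of slide 8, the "restrict access/modification of resources" policy of slide 15 and the three process-lifetime rules on this slide can all be expressed as one reference monitor that sits between the wrapped program and the operating system, answers each resource request from the policy plus a little per-process state, and reports leftover files when the process exits. The code below is an added example of such a monitor, not the NT Wrappers or any code from the project; the policy fields, the operation names, the `/home/user/attachments/tmp` sandbox directory, the host names and the registry prefix are constructed placeholders, and the monitor only models the decisions, not the interception mechanism.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath


def under(path: str, dirs) -> bool:
    """True if path lies beneath one of the directories in dirs (prefix match on path components)."""
    p = PurePosixPath(path)
    return any(PurePosixPath(d) in p.parents for d in dirs)


@dataclass
class WrapperPolicy:
    """Constructed policy shape mirroring the restrictions listed on slide 8."""
    readable_dirs: set          # files the wrapped program may read
    user_selected_dir: str      # the only place it may create new files (slide 16)
    allowed_hosts: set          # remote sites it may download from / upload to
    readable_registry: set      # registry key prefixes it may read; nothing is writable
    spawnable: set              # executables it may spawn


@dataclass
class WrappedProcess:
    """Per-process monitor state: which files it created, and an audit trail of decisions."""
    policy: WrapperPolicy
    created: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (operation, target, "allow"/"deny")

    def request(self, op: str, target: str) -> bool:
        pol = self.policy
        if op == "create":
            ok = under(target, {pol.user_selected_dir})
            if ok:
                self.created.add(target)
        elif op == "modify":
            ok = target in self.created                      # may only modify files it created
        elif op == "delete":
            ok = target in self.created
            if ok:
                self.created.discard(target)
        elif op == "read":
            ok = target in self.created or under(target, pol.readable_dirs | {pol.user_selected_dir})
        elif op in ("download", "upload"):
            ok = target in pol.allowed_hosts
        elif op == "registry_read":
            ok = any(target.startswith(prefix) for prefix in pol.readable_registry)
        elif op == "spawn":
            ok = target in pol.spawnable
        else:
            ok = False                                       # registry_write and anything unknown
        self.audit.append((op, target, "allow" if ok else "deny"))
        return ok

    def terminate(self) -> list:
        """Files created but never deleted violate 'no persistent files after termination'."""
        leftovers = sorted(self.created)
        self.audit.append(("terminate", ",".join(leftovers) or "-", "deny" if leftovers else "allow"))
        return leftovers


def demo():
    """Constructed session of a wrapped attachment viewer: returns decisions and leftover files."""
    policy = WrapperPolicy(
        readable_dirs={"/usr/share/fonts"},
        user_selected_dir="/home/user/attachments/tmp",
        allowed_hosts={"updates.example.org"},
        readable_registry={r"HKCU\Software\Viewer"},
        spawnable={"viewer.exe"},
    )
    proc = WrappedProcess(policy)
    results = {
        "create_in_sandbox": proc.request("create", "/home/user/attachments/tmp/out.txt"),
        "modify_own_file": proc.request("modify", "/home/user/attachments/tmp/out.txt"),
        "modify_user_doc": proc.request("modify", "/home/user/Documents/report.doc"),
        "read_fonts": proc.request("read", "/usr/share/fonts/arial.ttf"),
        "read_passwd": proc.request("read", "/etc/passwd"),
        "download_allowed": proc.request("download", "updates.example.org"),
        "upload_unknown": proc.request("upload", "other.example.net"),
        "registry_read_ok": proc.request("registry_read", r"HKCU\Software\Viewer\Fonts"),
        "registry_write": proc.request("registry_write", r"HKLM\Software\Other"),
        "spawn_viewer": proc.request("spawn", "viewer.exe"),
        "spawn_other": proc.request("spawn", "other.exe"),
    }
    leftovers = proc.terminate()
    return results, leftovers


if __name__ == "__main__":
    decisions, left = demo()
    for entry in decisions.items():
        print(entry)
    print("leftover files:", left)
```

Two details matter more than the allow-lists themselves. The "only modify files it creates" rule needs state that survives across calls (the `created` set), so a wrapper that evaluates each request statelessly cannot enforce it; and the termination check is the only point where the "no persistent files" rule can be decided, so the audit trail should record it alongside the per-request decisions.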

  17. Key Outstanding Issues • None Yet

  18. Transition of Technology
  • Piggyback our Technology on a widely used Target Product (MS Office)
    • Integrity Manager automatically invoked as needed
  • Make technology available for COTS products
    • Work with Vendors to encourage publication of modification events

  19. Needed PM Assistance
  • Help identifying suitable mission critical military system (possibly at PACOM)
