190 likes | 320 Views
Integrity Through Mediated Interfaces PI Meeting: July 19-21, 2000. Bob Balzer Teknowledge balzer@ teknowledge.com. Legend: Turquoise Changes from July 99 PI meeting Green Changes from Feb 00 PI meeting. Technical Objectives. Wrap Data with Integrity Marks Insure its Integrity
E N D
Integrity Through Mediated InterfacesPI Meeting: July 19-21, 2000 Bob Balzer Teknowledge balzer@teknowledge.com Legend: TurquoiseChanges from July 99 PI meeting Green Changes from Feb 00 PI meeting
Technical Objectives • Wrap Data with Integrity Marks • Insure its Integrity • Record its processing history • Reconstruct it from this history if it is corrupted • by program bugs • by malicious attacks • Demo these capabilities on major COTS product • Microsoft Office Suite (PowerPoint & Word only) • Also demo on a mission critical military system
Existing Practice • Integrity Stove-Piped on Tool-by-Tool Basis • End-to-End Integrity Not Supported • Persistent Data only Safeguarded by OS • Corruption Detection is Ad-Hoc • Corruption Repair • Based on Backups • Not Integrated with Detection This Slide Intentionally Blank
M Mediation Cocoon Environment = Operating System External Programs M M M Change Monitor • Wrap Program • Detect access of integrity marked data & decode it • Monitor User Interface to detect change actions • Translate GUI actions into application specific modifications Technical Approach Program • Detect update of integrity marked data • Re-encode & re-integrity mark the updated data • Repair any subsequent Corruption from History • Build on existing research infrastructure
M Mediation Cocoon Environment = Operating System External Programs M M Program M Change Monitor => Generic Mediators + Tool Specific mapping Two Level Architecture Major Risks and Planned Mitigation • Ability to detect application-level modifications Application Openness Spectrum: • Event-Generators: Capture as transaction history • Scripting API: Examine state to infer action • Black-Box: Mediate GUI to infer action 1. Application Independent GUI Monitor signals action types 2. Application Dependent Change Monitor • Determines Action Parameters • Logs Modification History
Major Risks and Planned Mitigation • Ability to detect application-level modifications Application Openness Spectrum: • Event-Generators: Capture as transaction history • Scripting API: Examine state to infer action • Black-Box: Mediate GUI to infer action => Generic Mediators + Tool Specific mapping • Ability to protect transaction history => Hide the location of the transaction history • Virtual File System wrapper • System-level Randomization Techniques • Tool-Specific Modification Trackers Expensive => Automate common portions => Provide rule-based scripting language
Demo Demo Demo Accomplishments To Date • Corruption Detector • IDs Document Version on Save (in Document) • Records Document Cryptographic Digest on Save • Checks Document Cryptographic Digest on Load • Change Monitor for MS Word 2000 • Determines parameters for application-level action • Records transaction history (for possible Replay) • Corruption Repairer • Rebuilds document by replaying transaction history
Demo Accomplishments To DateSafe Email Attachments • Wrapper protects email attachment execution • Automatically spawned when attachment opened • Restricts • Files that can be read/written • Remote Sites that can be downloaded-from/uploaded-to • Portions of Registry that can be read/written • Processes that can be spawned • Planned Deployment • Aug: Alpha at Teknowledge/MitreTek • Sept: Beta at DARPA • Nov: Pilot at military command (TBD)
M M M M M M M M • 14 Blue Flags established (asset targets) • 12 captured by Red-Team • 2 uncaptured (protected by NT Wrappers) Accomplishments To DateIFE 2.3 ReRun Experiment (IA)
Accomplishments To DateOther IA Projects • IFE 2.3 ReRun: only uncaptured blue flags • NT Security Manager • Policy specifies • which processes can run • whether executables should be integrity checked • how processes should be wrapped • All processeswrapped before execution • New AIA Project :Enterprise Wrappers (Tek/ NAI) • Goal: Network Management of Host Wrappers Common NT/Linux Interface & Infrastructure
Measures of Success • Widespread Deployment of Integrity Manager for MS-Office • Extensibility of Integrity Manager to other COTS products • Ease of creating Modification Trackers • Resistance to Malicious Attacks • Corruption Avoidance • Corruption Detection • Corruption Repair => Red-Team Experiment
Expected Major Achievements • for Integrity Marked Documents: • End-To-End Data Integrity (through multiple tools/sessions) • Modifications Monitored, Authorized, & Recorded • Authorization Control of Users, Tools, and Operations • All Changes Attributed and Time Stamped • Assured Detection of Corruption • Ability to Restore Corrupted Data • Ability to operate with COTS products • MS-Office Documents Integrity Marked • Mission Critical Military System Integrity Marked
Task Schedule • Dec99: Tool-Level Integrity Manager • Monitor & Authorize Tool access & updates • Jun00: Operation-Level Integrity Manager • Monitor, Authorize, & Record Modifications • Dec00: Integrity Management for MS-Office • Jun01: Corruption Repair • Dec01: Integrity Management for Mission Critical Military System • Jun02: Automated Modification Tracking
Task ScheduleSafe Email-Attachments • July00: Demo at PI Meeting • Aug00: Alpha at Teknowledge/MitreTek • Sept00: Beta at DARPA • Nov00: Pilot at military command (TBD)
Enforced Policies • MS Word documents (PowerPoint next) • Attack: Document corrupted between usages • Policy: Check integrity when used. Rebuild if corrupted • Attack: Insider corrupts document using Word/PowerPoint • Policy: Log changes. Attribute changes to individuals • Suspect Programs • Attack: Program may harm persistent resources • Policy: Copy files just before they are modified. Rollback when requested • Email-Attachments (Web Browsers) • Attack: Program may harm resources • Policy: Restrict access/modification of resources • Executables • Attack: Unauthorized changes are made to executables • Policy: Integrity Check executables before loading Prohibit unauthorized modification of executables
(To Be) Enforced Policies • <Program> can only modify files it creates • <Program> can’t leave any persistent files after it terminates • <Program> can only create/access files in <directory> that are selected by user
Key Outstanding Issues • None Yet
Transition of Technology • Piggyback our Technology on a widely used Target Product (MS Office) • Integrity Manager automatically invoked as needed • Make technology available for COTS products • Work with Vendors to encouragepublication of modification events
Needed PM Assistance • Help identifying suitable mission critical military system (possibly at PACOM)