Integrity Through Mediated Interfaces
PI Meeting: Feb 22-23, 2000
Bob Balzer
Information Sciences Institute
Legend: Changes from previous PI meeting
Technical Objectives
• Wrap Data with Integrity Marks
  – Ensure its Integrity
  – Record its processing history
  – Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks
• Demo these capabilities on major COTS product
  – Microsoft Office Suite (PowerPoint & Word only)
  – Also demo on a mission critical military system
This Slide Intentionally Blank
Existing Practice
• Integrity Stove-Piped on Tool-by-Tool Basis
• End-to-End Integrity Not Supported
• Persistent Data only Safeguarded by OS
• Corruption Detection is Ad-Hoc
• Corruption Repair
  – Based on Backups
  – Not Integrated with Detection
Technical Approach
• Wrap Program
  – Detect access of integrity marked data & decode it
  – Monitor User Interface to detect change actions
    • Translate GUI actions into application specific modifications
  – Detect update of integrity marked data
    • Re-encode & re-integrity mark the updated data
• Repair any subsequent Corruption from History
• Build on existing research infrastructure
[Diagram: Mediation Cocoon; labels M, Program, Change Monitor; Environment = Operating System, External Programs]
Major Risks and Planned Mitigation
• Ability to detect application-level modifications
  Application Openness Spectrum:
  – Event-Generators: Capture as transaction history
  – Scripting API: Examine state to infer action
  – Black-Box: Mediate GUI to infer action
  => Generic Mediators + Tool Specific mapping
Two Level Architecture
1. Application Independent GUI Monitor signals action types
2. Application Dependent Change Monitor
   • Determines Action Parameters
   • Logs Modification History
[Diagram: Mediation Cocoon; labels M, Program, Change Monitor; Environment = Operating System, External Programs]
Major Risks and Planned Mitigation
• Ability to detect application-level modifications
  Application Openness Spectrum:
  – Event-Generators: Capture as transaction history
  – Scripting API: Examine state to infer action
  – Black-Box: Mediate GUI to infer action
  => Generic Mediators + Tool Specific mapping
• Ability to protect transaction history
  => Hide the location of the transaction history
    • Virtual File System wrapper
    • System-level Randomization Techniques
• Tool-Specific Modification Trackers Expensive
  => Automate common portions
  => Provide rule-based scripting language
Accomplishments To Date
• Corruption Detector (for MS Word 2000)
  – IDs Document Version on Save (in Document)
  – Records Document Cryptographic Digest on Save
  – Checks Document Cryptographic Digest on Load
• GUI Monitor
  – Application Independent
  – Signals types of actions (e.g. button click, typing)
Demo
Demo
• Prototype Change Monitor for MS Word
  – Determines parameters for application-level action
  – Records transaction history (for possible Replay)
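Added example (not from the original slides or the ISI prototype): a minimal Python sketch of the scheme these bullets describe, with a version ID in the document, a digest recorded on save and checked on load, and repair by replaying the recorded transaction history. The class name, the insert/delete operation format and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def apply_op(text, op):
    # One application-level modification, as a change monitor would log it.
    pos = op["pos"]
    if op["action"] == "insert":
        return text[:pos] + op["text"] + text[pos:]
    if op["action"] == "delete":
        return text[:pos] + text[pos + op["length"]:]
    raise ValueError("unknown action: %r" % op["action"])

class IntegrityManager:  # hypothetical name
    def __init__(self, baseline):
        self.baseline = baseline  # trusted starting content
        self.history = []         # transaction history, stored apart from the document

    def save(self, text, ops):
        # Record the digest and the ops behind this save; the version ID goes in the document.
        version = len(self.history) + 1
        self.history.append({"version": version, "ops": ops, "digest": digest(text)})
        return {"version": version, "body": text}

    def rebuild(self, version=None):
        # Replay logged ops from the baseline, checking each recorded digest on the way.
        text = self.baseline
        for entry in self.history:
            for op in entry["ops"]:
                text = apply_op(text, op)
            if digest(text) != entry["digest"]:
                raise RuntimeError("history inconsistent at version %d" % entry["version"])
            if entry["version"] == version:
                break
        return text

    def load(self, doc):
        # Check the digest on load; on mismatch or unknown version, repair from history.
        entry = next((e for e in self.history if e["version"] == doc.get("version")), None)
        if entry is not None and digest(doc["body"]) == entry["digest"]:
            return doc["body"], "ok"
        return self.rebuild(entry["version"] if entry else None), "repaired"

def demo():
    # Constructed sample document and edits.
    mgr = IntegrityManager("Status: ")
    mgr.save("Status: green", [{"action": "insert", "pos": 8, "text": "green"}])
    doc = mgr.save("Status: amber", [{"action": "delete", "pos": 8, "length": 5},
                                     {"action": "insert", "pos": 8, "text": "amber"}])
    corrupted = dict(doc, body="Status: gr\x00en")  # body altered outside the wrapper
    return mgr.load(doc), mgr.load(corrupted)
```

A bare digest only detects corruption while the recorded history stays out of reach of whatever altered the document, which is why the slides list protecting the transaction history as a separate risk.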
Accomplishments To Date
Other IA Projects
• IFE 2.3 ReRun:
IFE 2.3 ReRun Experiment
• 14 Blue Flags established (asset targets)
  • 1 in dispute
  • 13 captured by Red-Team
IFE 2.3 ReRun Wrapper Defenses
– Execution of detected modified executables
[Diagram labels: Attacks, Prevention, Detection, Tolerance, Layered Protection]
• Prevent modification of
  – Database by anyone other than DB Manager
  – EDI Orders by anyone other than FTP Server
  – Executables by anyone (during “production”)
  – Execution of unauthorized processes
• Detect modification of
  – Executables by checking hidden digital signature
• Tolerate modification of
  – Executables by reinstalling hidden saved copy
Accomplishments To Date
Other IA Projects
• IFE 2.3 ReRun: only uncaptured blue flag (in dispute)
Demo
• NT Security Manager
  – Policy specifies
    • which processes can run
    • whether executables should be integrity checked
    • how processes should be wrapped
  – All processes wrapped before execution
• New AIA Project: Enterprise Wrappers (ISI/NAI)
  – Goal: Network Management of Host Wrappers
    Common NT/Linux Interface & Infrastructure
Measures of Success
• Widespread Deployment of Integrity Manager for MS-Office
• Extensibility of Integrity Manager to other COTS products
• Ease of creating Modification Trackers
• Resistance to Malicious Attacks
  – Corruption Avoidance
  – Corruption Detection
  – Corruption Repair
  => Red-Team Experiment
Expected Major Achievements
• for Integrity Marked Documents:
  – End-To-End Data Integrity (through multiple tools/sessions)
  – Modifications Monitored, Authorized, & Recorded
    • Authorization Control of Users, Tools, and Operations
    • All Changes Attributed and Time Stamped
  – Assured Detection of Corruption
  – Ability to Restore Corrupted Data
• Ability to operate with COTS products
• MS-Office Documents Integrity Marked
• Mission Critical Military System Integrity Marked
Task Schedule
• Dec99: Tool-Level Integrity Manager
  – Monitor & Authorize Tool access & updates
• Jun00: Operation-Level Integrity Manager
  – Monitor, Authorize, & Record Modifications
• Dec00: Integrity Management for MS-Office
• Jun01: Corruption Repair
• Dec01: Integrity Management for Mission Critical Military System
• Jun02: Automated Modification Tracking
Key Outstanding Issues
• None Yet
Transition of Technology
• Piggyback our Technology on a widely used Target Product (MS Office)
  – Integrity Manager automatically invoked as needed
• Make technology available for COTS products
• Work with Vendors to encourage publication of modification events
Needed PM Assistance
• None Yet
Watch this space (Summer PI meeting)
Help identifying suitable mission critical military system