Integrity Through Mediated Interfaces PI Meeting: Feb 22-23, 2000 Bob Balzer Information Sciences Institute Legend: Changes from previous PI meeting
Technical Objectives Wrap Data with Integrity Marks –Insure its Integrity –Record its processing history –Reconstruct it from this history if it is corrupted by program bugs by malicious attacks Demo these capabilities on major COTS product –Microsoft Office Suite (PowerPoint & Word only) –Also demo on a mission critical military system
This Slide Intentionally Blank Existing Practice Integrity Stove-Piped on Tool-by-Tool Basis End-to-End Integrity Not Supported Persistent Data only Safeguarded by OS Corruption Detection is Ad-Hoc Corruption Repair –Based on Backups –Not Integrated with Detection
Wrap Program –Detect access of integrity marked data & decode it M M M M MediationCocoon Environment = Operating System External Programs Program Change Monitor –Monitor User Interface to detect change actions Translate GUI actions into application specific modifications Technical Approach –Detect update of integrity marked data Re-encode & re-integrity mark the updated data Repair any subsequent Corruption from History Build on existing research infrastructure
Major Risks and Planned Mitigation Ability to detect application-level modifications Application Openness Spectrum: –Event-Generators:Capture as transaction history –Scripting API:Examine state to infer action –Black-Box:Mediate GUI to infer action => Generic Mediators + Tool Specific mapping Two Level Architecture M M M M MediationCocoon Environment = Operating System External Programs Program Change Monitor 1. Application Independent GUI Monitor signals action types 2. Application Dependent Change Monitor Determines Action Parameters Logs Modification History
Major Risks and Planned Mitigation Ability to detect application-level modifications Application Openness Spectrum: –Event-Generators:Capture as transaction history –Scripting API:Examine state to infer action –Black-Box:Mediate GUI to infer action => Generic Mediators + Tool Specific mapping Ability to protect transaction history => Hide the location of the transaction history Virtual File System wrapper System-level Randomization Techniques Tool-Specific Modification Trackers Expensive => Automate common portions => Provide rule-based scripting language
Accomplishments To Date Corruption Detector (for MS Word 2000) –IDsDocument Version on Save (in Document) –Records Document Cryptographic Digest on Save –Checks Document Cryptographic Digest on Load GUI Monitor –Application Independent –Signals types of actions (e.g. buttonclick, typing) Demo Prototype Change Monitor for MS Word –Determines parameters for application-level action –Records transaction history (for possible Replay)
Accomplishments To Date Other IA Projects IFE 2.3 ReRun:
IFE 2.3 ReRun Experiment 14 Blue Flags established (asset targets) 1 in dispute 13 captured by Red-Team
–Executionof detected modified executables IFE 2.3 ReRun Wrapper Defenses Detection Attacks Prevention Layered Protection Tolerance Prevent modification of –Database by anyone other than DB Manager –EDI Orders by anyone other than FTP Server –Executables by anyone (during “production”) –Execution of unauthorized processes Detect modification of –Executablesby checking hidden digital signature Tolerate modification of –Executablesby reinstalling hidden saved copy
Accomplishments To Date Other IA Projects IFE 2.3 ReRun: o nly uncaptured blue flag(in dispute) Demo NT Security Manager –Policy specifies which processes can run whether executables should be integrity checked how processes should be wrapped –All processes wrapped before execution New AIA Project :Enterprise Wrappers (ISI/ NAI) –Goal: Network Management of Host Wrappers Common NT/Linux Interface & Infrastructure
Measures of Success Widespread Deployment of Integrity Manager for MS-Office Extensibility of Integrity Manager to other COTS products Ease of creating Modification Trackers Resistance to Malicious Attacks –Corruption Avoidance –Corruption Detection –Corruption Repair => Red-Team Experiment
Expected Major Achievements for Integrity Marked Documents: –End-To-End Data Integrity (through multiple tools/sessions) –Modifications Monitored, Authorized, & Recorded Authorization Control of Users, Tools, and Operations All Changes Attributed and Time Stamped –Assured Detection of Corruption –Ability to Restore Corrupted Data Ability to operate with COTS products MS-Office Documents Integrity Marked Mission Critical Military System Integrity Marked
Task Schedule Dec99:Tool-Level Integrity Manager –Monitor & Authorize Tool access & updates Jun00:Operation-Level Integrity Manager –Monitor, Authorize, & Record Modifications Dec00:Integrity Management for MS-Office Jun01:Corruption Repair Dec01: Integrity Management for Mission Critical Military System Jun02:Automated Modification Tracking
Key Outstanding Issues None Yet
Transition of Technology Piggyback our Technology on a widely used Target Product (MS Office) –Integrity Manager automatically invoked as needed Make technology available for COTS products Work with Vendors to encourage publication of modification events
Needed PM Assistance None Yet Watch this space (Summer PI meeting) Help identifying suitable mission critical military system