Integrity Through Mediated Interfaces PI Meeting Feb. 15, 2001 Bob Balzer, Marcelo Tallis Legend: Turquoise Changes from July99.

Presentation transcript:

Integrity Through Mediated Interfaces
PI Meeting Feb. 15, 2001
Bob Balzer, Marcelo Tallis
Legend:
Turquoise: Changes from July 99 PI meeting
Green: Changes from Feb 00 PI meeting
Red: Changes from July 00 PI meeting

Technical Objectives
Wrap Data with Integrity Marks
–Insure its Integrity
–Record its processing history
–Reconstruct it from this history if it is corrupted
  by program bugs
  by malicious attacks
Demo these capabilities on major COTS product
–Microsoft Office Suite (PowerPoint & Word only)
–Also demo on a mission critical military system
PowerPoint and Word

Existing Practice
Integrity Stove-Piped on Tool-by-Tool Basis
End-to-End Integrity Not Supported
Persistent Data only Safeguarded by OS
Corruption Detection is Ad-Hoc
Corruption Repair
–Based on Backups
–Not Integrated with Detection

Technical Approach
Wrap Program
–Detect access of integrity marked data & decode it
–Monitor User Interface to detect change actions
  Translate GUI actions into application specific modifications
–Detect update of integrity marked data
  Re-encode & re-integrity mark the updated data
Repair any subsequent Corruption from History
Build on existing research infrastructure
[Figure labels: M, Mediation Cocoon, Program, Change Monitor, Environment = Operating System, External Programs]

Major Risks and Planned Mitigation
Ability to detect application-level modifications
Application Openness Spectrum:
–Event-Generators: Capture as transaction history
–Scripting API: Examine state to infer action
–Black-Box: Mediate GUI to infer action
=> Generic Mediators + Tool Specific mapping
Two Level Architecture
1. Application Independent GUI Monitor signals action types
2. Application Dependent Change Monitor
   Determines Action Parameters
   Logs Modification History
[Figure labels: M, Mediation Cocoon, Program, Change Monitor, Environment = Operating System, External Programs]

Major Risks and Planned Mitigation
Ability to detect application-level modifications
Application Openness Spectrum:
–Event-Generators: Capture as transaction history
–Scripting API: Examine state to infer action
–Black-Box: Mediate GUI to infer action
=> Generic Mediators + Tool Specific mapping
Ability to protect transaction history
=> Hide the location of the transaction history
  Virtual File System wrapper
  System-level Randomization Techniques
Tool-Specific Modification Trackers Expensive
=> Automate common portions
=> Provide rule-based scripting language

Accomplishments To Date
Corruption Detector
–IDs Document Version on Save (in Document)
–Records Document Cryptographic Digest on Save
–Checks Document Cryptographic Digest on Load
Demo
Change Monitor for MS Word 2000
–Determines parameters for application-level action
–Records transaction history (for possible Replay)
Corruption Repairer
–Rebuilds document by replaying transaction history
Demo
Operation Coverage
–Compound Operations (Undo, AutoCorrect)
–Recording “Uninstrumented” Operations
Demo

MS Word Data Integrity
Technical Approach To Attribution
Time Lever shows document development
–User selects range of interest
–Move Forwards through Operations Log
–Move Backwards through Undo Stack
[Figure label: Operations Log]

Accomplishments To Date
Corruption Detector
–IDs Document Version on Save (in Document)
–Records Document Cryptographic Digest on Save
–Checks Document Cryptographic Digest on Load
Demo
Change Monitor for MS Word 2000
–Determines parameters for application-level action
–Records transaction history (for possible Replay)
Corruption Repairer
–Rebuilds document by replaying transaction history
Demo
Operation Coverage
–Compound Operations (Undo, AutoCorrect)
–Recording “Uninstrumented” Operations
Demo
Attribution
–Forward-Backward Time Control
Demo
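The detect-and-repair cycle listed under "Accomplishments To Date" (digest recorded on save, checked on load, document rebuilt by replaying the transaction history), as an added sketch that is not code from the presentation. The operation format, the `IntegrityManager` class and the sample text are assumptions made for illustration; SHA-256 stands in for the unspecified "cryptographic digest".

```python
import hashlib

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def apply_op(text, op):
    """Replay one logged operation: (kind, position, argument)."""
    kind, pos, arg = op
    if kind == "insert":
        return text[:pos] + arg + text[pos:]
    if kind == "delete":
        return text[:pos] + text[pos + arg:]
    raise ValueError(f"unknown operation {kind!r}")

class IntegrityManager:
    """Hypothetical wrapper state, kept outside the document file."""
    def __init__(self, checkpoint=""):
        self.checkpoint = checkpoint          # last known-good full copy
        self.history = []                     # operations logged since the checkpoint
        self.saved_digest = digest(checkpoint)

    def record(self, text, op):
        """Change monitor: log a mediated operation and apply it."""
        self.history.append(op)
        return apply_op(text, op)

    def save(self, text):
        """On save: record the digest of what is written."""
        self.saved_digest = digest(text)
        return text

    def load(self, stored):
        """On load: check the digest; on mismatch rebuild from history."""
        if digest(stored) == self.saved_digest:
            return stored, "ok"
        rebuilt = self.checkpoint
        for op in self.history:
            rebuilt = apply_op(rebuilt, op)
        if digest(rebuilt) != self.saved_digest:
            return None, "unrecoverable"      # history is damaged or incomplete
        return rebuilt, "repaired"

def demo():
    mgr = IntegrityManager("Status: ")
    text = mgr.record(mgr.checkpoint, ("insert", 8, "all systems nominal"))
    text = mgr.record(text, ("delete", 8, 4))          # removes "all "
    on_disk = mgr.save(text)
    tampered = on_disk.replace("nominal", "failing")   # constructed corruption
    return mgr.load(on_disk), mgr.load(tampered)
```

The rebuilt text is accepted only if it matches the recorded digest, so the repair is only as trustworthy as the stored digest and history, which is why the slides list protecting the transaction history as a separate risk.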

MS Word Data Integrity
Major Challenges
Complexity of Word
–1128 unique commands
–889 Command Bar controls
–416 classes with 2594 instance variables
–However only a small subset is commonly used
Lack of a General Mechanism for Capturing User Operations
–Each individual Word function is handled in a specific implementation.

MS Word Data Integrity
Major Areas of Development
Capture of User Operations
–Mostly Word specific implementation
–Impacted by complexity of Word
Version Management and Recovery
Attribution

MS Word Data Integrity
Capture of User Operations
Survey of Word operations usage (includes only text-based operations that modify document content)
[Table: Category | Total (N, %) | Implemented (N, Coverage (%)); rows: Common, Infrequent, Hardly Ever]
Status
–Instrumented most GUI Interaction Mechanisms
–Implemented most of the most used operations

MS Word Data Integrity
User Operation Capture Completion Strategy
Detect UnInstrumented User Changes
–Method: Unmediated change to Undo Stack
Record Modification
1. Localize Scope of Change
–Record Scoped Change
2. Checkpoint Document

PowerPoint Data Integrity
Reuse existing capabilities
–Corruption Detection Wrapper
–Recording/Replay Mechanism
–Office2000 Instrumentation
–(PowerPoint) Design Editor Change Monitor
Unique Development
–Instrument Remaining PowerPoint Operations

Data Integrity To Do
MS Word Data Integrity
–Finish set of commonly used operations (from survey)
–Default mechanism to handle non instrumented changes
–Finish Attribution
PowerPoint Data Integrity
–We expect significant reuse of Word instrumentation
Demonstrate Data Integrity in Military System
–Identify mission critical Word/PowerPoint use
–Package system for test deployment

Safe Attachments
Accomplishments To Date
Wrapper protects attachment execution
–Automatically spawned when attachment opened
–Restricts
  Files that can be read/written
  Remote Sites that can be downloaded-from/uploaded-to
  Portions of Registry that can be read/written
  Processes that can be spawned
Demo
Attachment Context Determined
Alerts Logged with Context
AIA Experiment conducted with IMSC (Musman)
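An added sketch (not code from the presentation) of the kind of mediation the Safe Attachments slide describes: each resource request is checked against per-resource rules, anything without a matching rule is denied, and denials are logged with the attachment as context. The rule format, the `AttachmentWrapper` class and all paths and names are hypothetical; it also shows why names must be canonicalised before rule matching.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed rule set; every path, key and pattern here is hypothetical.
RULES = {
    ("file", "read"): ["c:/temp/attach/*"],
    ("file", "write"): ["c:/temp/attach/out/*"],
    ("registry", "read"): ["hkcu/software/viewer/*"],
    # No entry for registry write, site download/upload or process spawn: denied.
}

def canonical(kind, name):
    """Normalise case and separators, and collapse '..' before matching."""
    name = name.replace("\\", "/").lower()
    if kind in ("file", "registry"):
        name = posixpath.normpath(name)
    return name

class AttachmentWrapper:
    def __init__(self, attachment, rules):
        self.attachment = attachment   # context attached to every alert
        self.rules = rules
        self.alerts = []

    def mediate(self, kind, action, name):
        """Return True if allowed; otherwise log an alert and return False."""
        target = canonical(kind, name)
        patterns = self.rules.get((kind, action), [])
        if any(fnmatchcase(target, p) for p in patterns):
            return True
        self.alerts.append({"attachment": self.attachment, "kind": kind,
                            "action": action, "target": target})
        return False

def demo():
    w = AttachmentWrapper("invoice.doc", RULES)
    requests = [
        ("file", "read", r"C:\Temp\Attach\invoice.doc"),
        ("file", "write", r"C:\Temp\Attach\out\..\..\..\Windows\win.ini"),
        ("registry", "write", r"HKCU\Software\Viewer\Recent"),
        ("site", "upload", "files.example.invalid"),
        ("process", "spawn", "cmd.exe"),
    ]
    return [w.mediate(*r) for r in requests], w.alerts
```

Without the `canonical` step the second request would match the write rule textually even though it resolves outside the allowed directory.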

Required for Deployment
Safe Attachments
Testing Status
–Functionality Testing (MitreTek): Completed
–Rule Testing (MitreTek): Imminent
  Allows normal behavior (Absence of False Positives)
  Blocks malicious behavior
To Do
–Packaging for Deployment
  Installation
  Documentation
  Test for proper installation
–Implement Switch-Rules
–Each attachment opened in separate process (hard)
–Protect additional Resources (devices, COM)

Safe Attachments
Planned Deployment
–Aug: Alpha at Teknowledge/MitreTek
–Sept: Beta at DARPA
–Nov: Pilot at military command (TBD)
Apr Jun

Measures of Success
Widespread Deployment of Integrity Manager for MS-Office
Extensibility of Integrity Manager to other COTS products
Ease of creating Modification Trackers
Resistance to Malicious Attacks
–Corruption Avoidance
–Corruption Detection
–Corruption Repair
=> Red-Team Experiment

Expected Major Achievements
for Integrity Marked Documents:
–End-To-End Data Integrity (through multiple tools/sessions)
–Modifications Monitored, Authorized, & Recorded
  Authorization Control of Users, Tools, and Operations
  All Changes Attributed and Time Stamped
–Assured Detection of Corruption
–Ability to Restore Corrupted Data
Ability to operate with COTS products
MS-Office Documents Integrity Marked
Mission Critical Military System Integrity Marked

Task Schedule
Dec99: Tool-Level Integrity Manager
–Monitor & Authorize Tool access & updates
Jun00: Operation-Level Integrity Manager
–Monitor, Authorize, & Record Modifications
Dec00: Integrity Management for MS-Office
Jun01: Corruption Repair
Dec01: Integrity Management for Mission Critical Military System
Jun02: Automated Modification Tracking
Word Jun01: PowerPoint

Enforced Policies
MS Word documents (PowerPoint next)
–Attack: Document corrupted between usages
–Policy: Check integrity when used. Rebuild if corrupted
–Attack: Insider corrupts document using Word/PowerPoint
–Policy: Log changes. Attribute changes to individuals
Suspect Programs
–Attack: Program may harm persistent resources
–Policy: Copy files just before they are modified. Rollback when requested
-Attachments (Web Browsers)
–Attack: Program may harm resources
–Policy: Restrict access/modification of resources
Executables
–Attack: Unauthorized changes are made to executables
–Policy: Integrity Check executables before loading
  Prohibit unauthorized modification of executables

(To Be) Enforced Policies
can’t leave any persistent files after it terminates
can only create/access files in that are selected by user
can only modify files it creates

Key Outstanding Issues
None Yet

Transition of Technology
Piggyback our Technology on a widely used Target Product (MS Office)(Outlook)
–Integrity Manager automatically invoked as needed
–Safe Attachments wraps opened documents
Make technology available for COTS products
Work with Vendors to encourage publication of modification events

Needed PM Assistance
None at this time