Integrity Through Mediated Interfaces PI Meeting July 24, 2001 Bob Balzer, Marcelo Tallis Legend: Turquoise Changes from July99 PI meeting GreenChanges from Feb 00 PI meeting RedChanges from July00 PI meeting BrownChanges from Feb01 PI meeting
Technical Objectives Wrap Data with Integrity Marks –Insure its Integrity –Record its processing history –Reconstruct it from this history if it is corrupted by program bugs by malicious attacks Demo these capabilities on major COTS product –Microsoft Office Suite (PowerPoint & Word only) –Also demo on a mission critical military system PowerPoint and Word
Wrap Program –Detect access of integrity marked data & decode it M M M M MediationCocoon Environment = Operating System External Programs Program Change Monitor –Monitor User Interface to detect change actions Translate GUI actions into application specific modifications Technical Approach –Detect update of integrity marked data Re-encode & re-integrity mark the updated data Repair any subsequent Corruption from History Build on existing research infrastructure
MS Word Data Integrity Technical Approach To Attribution Time Lever shows document development –User selects range of interest –Move Forwards through Operations Log –Move Backwards through Undo Stack Operations Log
MS Word Data Integrity Major Challenges Complexity of Word –1128 unique commands –889 Command Bar controls –416 classes with 2594 instance variables –However only a small subset is commonly used Lack of a General Mechanism for Capturing User Operations –Each individual Word function is handled in a specific implementation.
MS Word Data Integrity User Operation Capture Completion Strategy Generic Architecture Detect UnInstrumented User Changes –Method: Unmediated change to Undo Stack Record Modification 1.Localize Scope of Change 2.Compare with Cached State 3.Record Scoped Change
Accomplishments To Date Corruption Detector –IDsDocument Version on Save (in Document) –Records Document Cryptographic Digest on Save –Checks Document Cryptographic Digest on Load Demo Change Monitor for MS Word 2000 –Determines parameters for application-level action –Records transaction history (for possible Replay) Corruption Repairer –Rebuilds document by replaying transaction history Demo Operation Coverage –Compound Operations (Undo,AutoCorrect) –Recording “Uninstrumented” Operations –Insert Images/Symbols, Page/Section Breaks Demo Attribution –Forward-Backward Time Control Demo
PowerPoint Data Integrity Plan Reuse existing capabilities –Corruption Detection Wrapper –Recording/Replay Mechanism –Office2000 Instrumentation –(PowerPoint) Design Editor Change Monitor –Generic Data Integrity Architecture Unique Development –Instrument Remaining PowerPoint Operations
PowerPoint Data Integrity Status Using Generic Data Integrity Architecture –Handled Shape creation/deletion Shape move/resize/recolor/rotate Connector attachment/detachment Group/ungroup Problems (requiring unique development) –Single Process Debug/Demo Architecture –Typed Text (different low-level implementation) –Dangling Connectors (incomplete COM model)
Data Integrity To Do MS Word Data Integrity –Finish set of commonly used operations (from survey) –Default mechanism to handle non instrumented changes –Finish Attribution Power Point Data Integrity –We expect significant reuse of Word instrumentation Demonstrate Data Integrity in Military System –Identify mission critical Word/PowerPoint use –Package system for test deployment
Safe Attachments M M M M Wrapper Safety Rules k Attachment Handler Spawn Wrapper encapsulates each spawned process Safe Attachments M M M M Wrapper Safety Rules j Attachment Handler Each opened attachment spawns new process Spawn Safe Attachments M M M M Wrapper Safety Rules i Attachment Client Safe Attachments
No update for novel attacks Safe Attachments Wrapper Wrapper protects attachment execution –Automatically spawned when attachment opened –Restricts (via application-specific rules) Files that can be read/written Remote Sites that can be downloaded-from/uploaded-to Portions of Registry that can be read/written Processes that can be spawned COM Servers that can be contacted Devices that can be used Processes that can be accessed –Detects scripts within application (different rules) Pilot deployment within DARPA ATO office Demo
Safe Attachments Accomplishments To Date Wrapper protects attachment execution –Automatically spawned when attachment opened –Restricts Files that can be read/written Remote Sites that can be downloaded-from/uploaded-to Portions of Registry that can be read/written Processes that can be spawned Demo Attachment Context Determined Alerts Logged with Context AIA Experiment conducted with IMSC (Musman)
Required for Deployment Safe Attachments Testing Status –Functionality Testing (MitreTek): Completed –Rule Testing (MitreTek): Completed Allows normal behavior (Absence of False Positives) Blocks malicious behavior To Do –Packaging for Deployment Installation Documentation Test for proper installation –Implement Switch-Rules –Each attachment opened in separate process (hard) –Protect additional Resources (devices, COM)
Safe Attachments Planned Deployment –Aug: Alpha at Teknowledge/MitreTek –Sept: Beta at DARPA –Nov: Pilot at military command (TBD) Apr Jun BBN => MARFORPAC (NT => Win2000)
Task Schedule Dec99:Tool-Level Integrity Manager –Monitor & Authorize Tool access & updates Jun00:Operation-Level Integrity Manager –Monitor, Authorize, & Record Modifications Dec00:Integrity Management for MS-Office Jun01:Corruption Repair Dec01: Integrity Management for Mission Critical Military System Jun02:Automated Modification Tracking Word Dec01: PowerPoint