Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integrity Through Mediated Interfaces PI Meeting Feb. 15, 2001 Bob Balzer, Marcelo Tallis Legend: Turquoise Changes from July99.

Published byHoward Campbell Modified over 9 years ago

Similar presentations

Presentation on theme: "Integrity Through Mediated Interfaces PI Meeting Feb. 15, 2001 Bob Balzer, Marcelo Tallis Legend: Turquoise Changes from July99."— Presentation transcript:

1 Integrity Through Mediated Interfaces PI Meeting Feb. 15, 2001 Bob Balzer, Marcelo Tallis Teknowledge @teknowledge.com Legend: Turquoise Changes from July99 PI meeting GreenChanges from Feb 00 PI meeting RedChanges from July00 PI meeting

2 Technical Objectives Wrap Data with Integrity Marks –Insure its Integrity –Record its processing history –Reconstruct it from this history if it is corrupted by program bugs by malicious attacks Demo these capabilities on major COTS product –Microsoft Office Suite (PowerPoint & Word only) –Also demo on a mission critical military system PowerPoint and Word

3 This Slide Intentionally Blank Existing Practice Integrity Stove-Piped on Tool-by-Tool Basis End-to-End Integrity Not Supported Persistent Data only Safeguarded by OS Corruption Detection is Ad-Hoc Corruption Repair –Based on Backups –Not Integrated with Detection

4 Wrap Program –Detect access of integrity marked data & decode it M M M M MediationCocoon Environment = Operating System External Programs Program Change Monitor –Monitor User Interface to detect change actions Translate GUI actions into application specific modifications Technical Approach –Detect update of integrity marked data Re-encode & re-integrity mark the updated data Repair any subsequent Corruption from History Build on existing research infrastructure

5 Major Risks and Planned Mitigation Ability to detect application-level modifications Application Openness Spectrum: –Event-Generators:Capture as transaction history –Scripting API:Examine state to infer action –Black-Box:Mediate GUI to infer action => Generic Mediators + Tool Specific mapping Two Level Architecture M M M M MediationCocoon Environment = Operating System External Programs Program Change Monitor 1. Application Independent GUI Monitor signals action types 2. Application Dependent Change Monitor Determines Action Parameters Logs Modification History

6 Major Risks and Planned Mitigation Ability to detect application-level modifications Application Openness Spectrum: –Event-Generators:Capture as transaction history –Scripting API:Examine state to infer action –Black-Box:Mediate GUI to infer action => Generic Mediators + Tool Specific mapping Ability to protect transaction history => Hide the location of the transaction history Virtual File System wrapper System-level Randomization Techniques Tool-Specific Modification Trackers Expensive => Automate common portions => Provide rule-based scripting language

7 Accomplishments To Date Corruption Detector –IDsDocument Version on Save (in Document) –Records Document Cryptographic Digest on Save –Checks Document Cryptographic Digest on Load Demo Change Monitor for MS Word 2000 –Determines parameters for application-level action –Records transaction history (for possible Replay) Corruption Repairer –Rebuilds document by replaying transaction history Demo Operation Coverage –Compound Operations (Undo,AutoCorrect) –Recording “Uninstrumented” Operations Demo

8 MS Word Data Integrity Technical Approach To Attribution Time Lever shows document development –User selects range of interest –Move Forwards through Operations Log –Move Backwards through Undo Stack Operations Log

9 Accomplishments To Date Corruption Detector –IDsDocument Version on Save (in Document) –Records Document Cryptographic Digest on Save –Checks Document Cryptographic Digest on Load Demo Change Monitor for MS Word 2000 –Determines parameters for application-level action –Records transaction history (for possible Replay) Corruption Repairer –Rebuilds document by replaying transaction history Demo Operation Coverage –Compound Operations (Undo,AutoCorrect) –Recording “Uninstrumented” Operations Demo Attribution –Forward-Backward Time Control Demo

10 MS Word Data Integrity Major Challenges Complexity of Word –1128 unique commands –889 Command Bar controls –416 classes with 2594 instance variables –However only a small subset is commonly used Lack of a General Mechanism for Capturing User Operations –Each individual Word function is handled in a specific implementation.

11 MS Word Data Integrity Majors Areas of Development Capture of User Operations –Mostly Word specific implementation –Impacted by complexity of Word Version Management and Recovery Attribution

12 MS Word Data Integrity Capture of User Operations Category TotalImplemented N%NCoverage (%) Common1971789 Infrequent4216819 Hardly Ever2057700 Status –Instrumented most GUI Interaction Mechanisms –Implemented most of the most used operations Survey of Word operations usage (includes only text-based operations that modify document content)

13 MS Word Data Integrity User Operation Capture Completion Strategy Detect UnInstrumented User Changes –Method: Unmediated change to Undo Stack Record Modification 1.Localize Scope of Change –Record Scoped Change 2.Checkpoint Document

14 PowerPoint Data Integrity Reuse existing capabilities –Corruption Detection Wrapper –Recording/Replay Mechanism –Office2000 Instrumentation –(PowerPoint) Design Editor Change Monitor Unique Development –Instrument Remaining PowerPoint Operations

15 Data Integrity To Do MS Word Data Integrity –Finish set of commonly used operations (from survey) –Default mechanism to handle non instrumented changes –Finish Attribution Power Point Data Integrity –We expect significant reuse of Word instrumentation Demonstrate Data Integrity in Military System –Identify mission critical Word/PowerPoint use –Package system for test deployment

16 Safe Email Attachments Accomplishments To Date Wrapper protects email attachment execution –Automatically spawned when attachment opened –Restricts Files that can be read/written Remote Sites that can be downloaded-from/uploaded-to Portions of Registry that can be read/written Processes that can be spawned Demo Email Attachment Context Determined Alerts Logged with Context AIA Experiment conducted with IMSC (Musman)

17 Required for Deployment Safe Email Attachments Testing Status –Functionality Testing (MitreTek): Completed –Rule Testing (MitreTek): Imminent Allows normal behavior (Absence of False Positives) Blocks malicious behavior To Do –Packaging for Deployment Installation Documentation Test for proper installation –Implement Switch-Rules –Each attachment opened in separate process (hard) –Protect additional Resources (devices, COM)

18 Safe Email Attachments Planned Deployment –Aug: Alpha at Teknowledge/MitreTek –Sept: Beta at DARPA –Nov: Pilot at military command (TBD) Apr Jun

19 Measures of Success Widespread Deployment of Integrity Manager for MS-Office Extensibility of Integrity Manager to other COTS products Ease of creating Modification Trackers Resistance to Malicious Attacks –Corruption Avoidance –Corruption Detection –Corruption Repair => Red-Team Experiment

20 Expected Major Achievements for Integrity Marked Documents: –End-To-End Data Integrity (through multiple tools/sessions) –Modifications Monitored, Authorized, & Recorded Authorization Control of Users, Tools, and Operations All Changes Attributed and Time Stamped –Assured Detection of Corruption –Ability to Restore Corrupted Data Ability to operate with COTS products MS-Office Documents Integrity Marked Mission Critical Military System Integrity Marked

21 Task Schedule Dec99:Tool-Level Integrity Manager –Monitor & Authorize Tool access & updates Jun00:Operation-Level Integrity Manager –Monitor, Authorize, & Record Modifications Dec00:Integrity Management for MS-Office Jun01:Corruption Repair Dec01: Integrity Management for Mission Critical Military System Jun02:Automated Modification Tracking Word Jun01: PowerPoint

22 Enforced Policies MS Word documents (PowerPoint next) –Attack: Document corrupted between usages –Policy: Check integrity when used. Rebuild if corrupted –Attack: Insider corrupts document using Word/PowerPoint –Policy: Log changes. Attribute changes to individuals Suspect Programs –Attack: Program may harm persistent resources –Policy: Copy files just before they are modified. Rollback when requested Email-Attachments (Web Browsers) –Attack: Program may harm resources –Policy: Restrict access/modification of resources Executables –Attack: Unauthorized changes are made to executables –Policy: Integrity Check executables before loading Prohibit unauthorized modification of executables

23 (To Be) Enforced Policies can’t leave any persistent files after it terminates can only create/access files in that are selected by user can only modify files it creates

24 Key Outstanding Issues None Yet

25 Transition of Technology Piggyback our Technology on a widely used Target Product (MS Office)(Outlook) –Integrity Manager automatically invoked as needed –SafeEmailAttachments wraps opened documents Make technology available for COTS products Work with Vendors to encourage publication of modification events

26 Needed PM Assistance None at this time

Download ppt "Integrity Through Mediated Interfaces PI Meeting Feb. 15, 2001 Bob Balzer, Marcelo Tallis Legend: Turquoise Changes from July99."

Similar presentations

Computer Systems & Architecture Lesson 2 4. Achieving Qualities.

Computer Systems & Architecture Lesson 2 4. Achieving Qualities.
Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Semantically Grounded Briefings Bob Balzer, Neil Goldman, Marcelo Tallis Teknowledge

Semantically Grounded Briefings Bob Balzer, Neil Goldman, Marcelo Tallis Teknowledge
Designing Reusable Frameworks for Test Automation

Designing Reusable Frameworks for Test Automation
Access Control Methodologies

Access Control Methodologies
Validata Release Coordinator Accelerated application delivery through automated end-to-end release management.

Validata Release Coordinator Accelerated application delivery through automated end-to-end release management.
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Network Management Overview IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.

IT PLANNING Enterprise Architecture (EA) & Updates to the Plan.
 SAP AG CSU Chico Working with IMG Copyright 1996, 1997, 1998- James R. Mensching, Gail Corbitt Contents of this file are for the exclusive use of the.

 SAP AG CSU Chico Working with IMG Copyright 1996, 1997, James R. Mensching, Gail Corbitt Contents of this file are for the exclusive use of the.
SYSchange for z/OS By Pristine Software April 2009 Thomas Phillips April 2009 SYSchange Pristine Software.

SYSchange for z/OS By Pristine Software April 2009 Thomas Phillips April 2009 SYSchange Pristine Software.
Chapter 1 and 2 Computer System and Operating System Overview

Chapter 1 and 2 Computer System and Operating System Overview
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.

Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
Chapter 12 File Management Systems

Chapter 12 File Management Systems
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.

Presented by, Sai Charan Obuladinne MYSEA Technology Demonstration.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Software Distribution in Microsoft System Center Configuration Manager v.Next: Part 1.

Software Distribution in Microsoft System Center Configuration Manager v.Next: Part 1.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Introduction to Software Testing

Introduction to Software Testing

Similar presentations

Ads by Google