110 likes | 219 Vues
Integrity Through Mediated Interfaces PI Meeting March 12, 2002. Bob Balzer, Marcelo Tallis Teknowledge <balzer,mtallis>@ teknowledge.com. Legend: Turquoise Changes from July 01 PI meeting. Technical Objectives. Wrap Data with Integrity Marks Insure its Integrity
E N D
Integrity Through Mediated InterfacesPI Meeting March 12, 2002 Bob Balzer, Marcelo Tallis Teknowledge <balzer,mtallis>@teknowledge.com Legend: TurquoiseChanges from July 01 PI meeting
Technical Objectives • Wrap Data with Integrity Marks • Insure its Integrity • Record its processing history • Reconstruct it from this history if it is corrupted • by program bugs • by malicious attacks • Demo these capabilities on major COTS product • Microsoft Office Suite (PowerPoint & Word only) • Also demo on a mission critical military system • PowerPoint and Word
M Mediation Cocoon Environment = Operating System External Programs M M M Change Monitor • Wrap Program • Detect access of integrity marked data & decode it • Monitor User Interface to detect change actions • Translate GUI actions into application specific modifications Technical Approach Program • Detect update of integrity marked data • Re-encode & re-integrity mark the updated data • Repair any subsequent Corruption from History • Build on existing research infrastructure
MS Word Data IntegrityTechnical Approach To Attribution • Time Lever shows document development • User selects range of interest • Move Forwards through Operations Log • Move Backwards through Undo Stack Operations Log
Completed (except for integration of generic mechanisms from PowerPoint Data Integrity) Demo GUI Monitortied to change history Data IntegrityCurrent Status • MS Word Data Integrity • Completed • MS PowerPoint Data Integrity • Generic Data Integrity Architecture • Shape creation/deletion • Shape move/resize/recolor/rotate • Connector attachment/detachment • Group/ungroup • Problems (requiring unique development) • Single Process Debug/Demo Architecture • Typed Text (different low-level implementation) • Dangling Connectors (incomplete COM model) Single Process Debug/Demo Architecture
SafeEmail Attachments Spawn Email Client SafeEmail Attachments M M M Attachment Handler Safety Rulesi Wrapper M M M M M M Safety Rulesj Wrapper SafeEmail Attachments Spawn • Each opened attachment spawns new process M M M Attachment Handler • Wrapper encapsulateseach spawned process Safety Rulesk Wrapper Attachment Safe EmailAttachments Attachment • Deployment • Bundled with ADF as OPX Hardened Client • MARFORPAC Usability Test this week • RSI01 Red Team Experiment 8/02
Contained Unaltered Safe (Allow, Contain, Deny, Abort) • Contained operations only affect wrapped process easy Allow desired changes Contain everything else Late allowed (after execution) Desired Changes Attachments => None Editors => Edited document Wrapped Execution • Goal: Safely Execute possibly Malicious Code • Approach: • Mediate potentially harmful operations • Apply Authorization function (Allow, Deny, Abort) • Problems • Configuration difficult • Tight policy generates many false positives • Loose policy leaves room for undetected malicious activity • Early authorization decision required
Virtual Registry key key Virtual Key Virtual Key Virtual Key Virtual Key Virtual Key key Wrapper Virtual Key Virtual Key key Virtual Key key Write Virtual Keys M key File System key key COTS Application Read Real Files Read Real Keys key file key file key M M file key file key file key file Registry file file Demo file M Write Virtual Files file file Virtual File Virtual File Virtual File Virtual File Virtual File file Virtual File Virtual File Virtual File file Virtual File System file Contained Execution • Once created virtual resource used instead of real resource • Transparent Redirection • Selectively Applied
Contained Execution • Like a Virtual Machine • Execution is isolated • Unlike a Virtual Machine • Process-Level (instead of machine-level) • Selective (instead of copying entire environment) • Incremental (copies created as needed)
Contained Execution (contain selected modifications within process) • Contained Resource (currently implemented) • Virtual Registry (selected changes made to virtual keys) • Virtual File System (selected changes made to virtual files) • Benefits: • Program Execution has no effect on rest of system • Blocks single-stage attacks (no effect on rest of system) • Blocks multi -stage attacks (no transfer of aggregated effects) • Rule violations can be safely contained and auto-authorized • Attack determination can be safely delayed • More behavior analyzed => better decision • Supports autonomic responses • Reduced false alerts • Can rerun information extraction attacks with misinformation
Contained ExecutionPlan • Extend to other resources • Incorporate into SafeEmailAttachments • Revise Rules • Integrate with autonomic authorizer