
Detecting & Preventing Misuse of Privilege






Presentation Transcript


  1. Detecting & Preventing Misuse of Privilege. Bob Balzer (Teknowledge), Howie Shrobe (MIT).

  2–4. [Architecture diagram, built up over three slides: an Operator Action enters through the GUI into a Mediation Cocoon that wraps the Legacy App with mediators (M). A Behavior Monitor feeds an Operational System Model whose Predicted State is checked by Harm Assessment; a Behavior Authorizer separates Benign Operator Actions (Normal) from Harmful Operator Actions (DANGER), and Intent Assessment separates Operator Error from Malicious Insider. Slides 3 and 4 label which components belong to MIT and which to Teknowledge.]

  5. What are we trying to do? [over the architecture diagram of slide 2]
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent

  6. Applying Security to the Application Layer
  • MAF DemVal component
    • Builds Air Transport Plans
    • Publishes completely built Air Transport Plans
    • Edits partially built Air Transport Plans
    • Saves & Restores partially built Air Transport Plans
  • Creating an application-specific rule framework for defining harm
    • Harm expressed orthogonally from OS objects
    • For the MAF DemVal component: Harm = publishing a semantically malformed Air Transport Plan
    • What semantic knowledge and data is required to determine malformedness
  • Finding points in the application to apply it
    • For the MAF DemVal component: Commit = Publish Air Transport Plan

  7. How will you show success? [over the architecture diagram of slide 2]
  • Block Harmful Operations
  • Differentiate
    • Operator Error
    • Malicious Intent
  • Red-Team Experiment

  8. Red Team Experiment
  • Force experiment to determine ability to thwart insider attack
  • Three Flags
    • Harm application using only the application GUI (SaveAs/Open GUI excluded), using a jointly defined subset of application semantics
    • Harm application using only the SaveAs/Open GUI
    • Harm application using the OS GUI (Explorer process) (running other programs excluded)

  9. Defined Application Semantics
  • Planes have types which have a maximum Range before the plane must land or be refueled (refueling resets the starting point to the refueling point, i.e. assumes the plane has been fully refueled).
  • Planes have types which have a minimum required runway length for takeoffs and landings.
  • Planes cannot land or take off in restricted-access zones (defined as rectangles aligned with the lat/long axes).
  • Planes have types which cannot go to certain destinations.
  • Each airport has a minimum turnaround time, and a plane landing at that airport must not take off before that minimum turnaround time has expired.
  • Each mission has an objective for that mission's plane, and that plane must reach the destination specified in that objective by the time specified in that objective. This objective is associated with the type of the plane.
  • Refueling (defined by the MAF to occur at a point) can only occur in rectangularly defined refueling areas (aligned with the lat/long axes).
  • Each leg in a mission must get the plane closer to its destination. Offload events (which have end points equal to their start points) don't count as a leg for this rule.
  • A plane's weight (determined by its plane type) cannot exceed the weight-handling maximum for each runway it lands on or takes off from.
  • A plane can only land on or take off from a runway at night (1800 to 0600 local time) if that runway is equipped with night lighting.
  • The duration of a leg must exceed the time needed to fly that leg (i.e. the distance between its start and end locations) at the plane's maximum speed.
  • Offloads must occur at the same place as the landing that preceded them.
  • Offloads must have a minimum duration based on the type of airplane.
  • All missions must start with a takeoff and end with a landing or offload (i.e. no suicide missions).
  • All takeoffs (other than the initial takeoff) must be immediately preceded by a landing or offload.
  • All landings must be immediately preceded by a takeoff, waypoint, or refueling.
  • All refuelings must be immediately preceded by a takeoff, waypoint, or refueling.
  • All waypoints must be immediately preceded by a takeoff, waypoint, or refueling.
  • All offloads must be immediately preceded by a landing.
  • Each leg must start after the immediately preceding leg ends.
  • Each leg must end after the start of that leg.
  • Each takeoff (other than the initial takeoff) must be from the same place as the previous landing.
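Slides 6 and 9 together describe the harm rule framework: harm is a semantically malformed Air Transport Plan, and the check runs at the commit point (publish). The following is an added example, not code from the MAF DemVal component or the authors' wrappers, that encodes a subset of the semantics above (sequencing, leg timing, runway length and weight limits, night lighting, leg duration versus maximum speed, range since last refuel, and takeoff/offload location) as a validator a publish interceptor could call. The plane type, airports, event layout and the two missions are constructed assumptions; the rule subset is mine.

```python
"""Harm assessment at the commit point (publish) of an Air Transport Plan.
Added example: plane types, airports, missions and rule encodings are
constructed assumptions, not the MAF DemVal component's data or code."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed reference data (hypothetical plane type and airports).
PLANE_TYPES = {"C-17": {"max_range_km": 4500, "min_runway_m": 1000,
                        "max_speed_kmh": 830, "weight_t": 130}}
AIRPORTS = {  # code: (lat, lon, runway_m, night_lighting, max_weight_t)
    "ALPHA": (38.9, -77.0, 3000, True, 200),
    "BRAVO": (45.0, -93.0, 2500, False, 200),
    "SHORT": (40.0, -75.0, 800, True, 100),
}

@dataclass
class Event:
    kind: str     # takeoff | landing | waypoint | refuel | offload
    place: str    # airport code or waypoint name
    lat: float
    lon: float
    start: int    # minutes since mission epoch; epoch is local midnight here
    end: int

def at_airport(kind, code, start, end):
    """Build an event located at a known airport."""
    lat, lon = AIRPORTS[code][:2]
    return Event(kind, code, lat, lon, start, end)

def distance_km(a, b):
    """Great-circle distance between two events (haversine, Earth radius 6371 km)."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def is_night(minute_of_day):
    """Night is 1800 to 0600 local time."""
    return minute_of_day >= 18 * 60 or minute_of_day < 6 * 60

# Event kinds that may immediately precede each kind (the sequencing rules).
ALLOWED_PRED = {"takeoff": {"landing", "offload"}, "offload": {"landing"},
                "landing": {"takeoff", "waypoint", "refuel"},
                "waypoint": {"takeoff", "waypoint", "refuel"},
                "refuel": {"takeoff", "waypoint", "refuel"}}

def assess_plan(plane_type, events):
    """Return the violations found; an empty list means the plan may be published."""
    spec = PLANE_TYPES[plane_type]
    v = []
    if not events:
        return ["empty mission"]
    if events[0].kind != "takeoff" or events[-1].kind not in ("landing", "offload"):
        v.append("mission must start with a takeoff and end with a landing or offload")
    flown_km, last_landing = 0.0, None  # distance since the last takeoff or refuel
    for i, ev in enumerate(events):
        prev = events[i - 1] if i else None
        tag = f"event {i} ({ev.kind} at {ev.place})"
        if ev.end <= ev.start:
            v.append(f"{tag}: must end after it starts")
        if prev is not None:
            if ev.start < prev.end:
                v.append(f"{tag}: starts before the preceding leg ends")
            if prev.kind not in ALLOWED_PRED[ev.kind]:
                v.append(f"{tag}: may not follow a {prev.kind}")
        if ev.kind in ("takeoff", "landing"):
            _, _, runway_m, lights, max_wt = AIRPORTS[ev.place]
            if spec["min_runway_m"] > runway_m:
                v.append(f"{tag}: runway too short for {plane_type}")
            if spec["weight_t"] > max_wt:
                v.append(f"{tag}: exceeds runway weight limit")
            if is_night(ev.start % 1440) and not lights:
                v.append(f"{tag}: night operation without runway lighting")
        if ev.kind in ("takeoff", "offload") and last_landing and ev.place != last_landing.place:
            v.append(f"{tag}: must occur where the plane last landed ({last_landing.place})")
        if ev.kind in ("landing", "waypoint", "refuel") and prev is not None:
            leg_km = distance_km(prev, ev)  # leg runs from the previous event to this one
            if (ev.end - ev.start) * spec["max_speed_kmh"] / 60 <= leg_km:
                v.append(f"{tag}: leg too short in time to fly {leg_km:.0f} km")
            flown_km += leg_km
            if flown_km > spec["max_range_km"]:
                v.append(f"{tag}: {flown_km:.0f} km since last refuel exceeds range")
        if ev.kind in ("takeoff", "refuel"):
            flown_km = 0.0  # assumption: the plane is fully refueled on the ground
        if ev.kind == "landing":
            last_landing = ev
    return v

# Constructed missions: a well-formed plan and a malformed one that must not publish.
GOOD_PLAN = [at_airport("takeoff", "ALPHA", 480, 490),
             at_airport("landing", "BRAVO", 490, 670),
             at_airport("offload", "BRAVO", 670, 730)]
BAD_PLAN = [at_airport("takeoff", "ALPHA", 1110, 1120),
            at_airport("landing", "SHORT", 1120, 1200),   # runway and weight limits
            at_airport("offload", "BRAVO", 1190, 1260)]   # wrong place, overlaps landing

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, assess_plan("C-17", plan) or "publish allowed")
```

Because the rules are written against plan semantics (places, times, plane types) rather than OS objects, the same validator applies whether the malformed plan came from the application GUI, from a file loaded through SaveAs/Open, or from a file edited outside the application, which is what makes the publish point a good place to mediate. Rules not encoded here (restricted zones, refueling areas, turnaround times, mission objectives, the closer-to-destination rule, offload minimum duration) would be added in the same loop.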

  10. Red Team Experiment Configuration [architecture diagram of slide 2 annotated with the experiment setup: a SafeFamily OS GUI wrapper, PMOP, and a JavaWrap wrapper around the DemVal MAF application, alongside the GUI, Behavior Authorizer, Intent Assessment, Harm Assessment, Operational System Model, Predicted State and Behavior Monitor. Legend: JavaWrap intercepts the published plan for harm assessment; SafeFamily intercepts file/registry/communication actions for harm assessment; components marked Not Present are absent from the experiment configuration.]

  11. Red Team Experiment Results
  • Force experiment to determine ability to thwart insider attack
  • Three Flags
    • Harm application using only the application GUI (SaveAs/Open GUI excluded), using a jointly defined subset of application semantics: 0 Harm, 1 False Positive
    • Harm application using only the SaveAs/Open GUI: 0 Harm, 0 False Positive
    • Harm application using the OS GUI (Explorer process) (running other programs excluded): 1 Harm, 0 False Positive

  12. Wildly Successful Red Team Experiment: Lessons Learned
  • Force experiment to determine ability to thwart insider attack
  • Three Flags
    • Harm application using only the application GUI (SaveAs/Open GUI excluded), using a jointly defined subset of application semantics
    • Harm application using only the SaveAs/Open GUI
    • Harm application using the OS GUI (Explorer process) (running other programs excluded)
  • Careful Choice of Flags
    • Covered Space
    • Focused attacks

  13. What are the implications of success? [over the architecture diagram of slide 2]
  • Systems can be protected
    • from insider attacks
    • from operator error
    • from zero-day attacks

  14. What is the technical approach? [over the architecture diagram of slide 2]
  • Observe the effect of an operator action in the system model
  • Match harmful actions against
    • Errorful Operator Plans
    • Attack Plans

  15. What is new? [over the architecture diagram of slide 2]
  • Observe the effect of an operator action in the system model
  • Match harmful actions against
    • Errorful Operator Plans
    • Attack Plans

  16. What is hard? [over the architecture diagram of slide 2]
  • Modeling the system to predict the effect
  • Modeling the operator to differentiate
    • Operator Error
    • Malicious Intent
