Page 1

Integrity Through Mediated Interfaces

PI Meeting Feb. 15, 2001

Bob Balzer, Marcelo Tallis

Teknowledge

<balzer,mtallis>@teknowledge.com

Legend: Turquoise = Changes from July 99 PI meeting; Green = Changes from Feb 00 PI meeting; Red = Changes from July 00 PI meeting

Page 2

Technical Objectives

• Wrap Data with Integrity Marks
  – Insure its Integrity
  – Record its processing history
  – Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks

• Demo these capabilities on major COTS product
  – Microsoft Office Suite (PowerPoint & Word only)
  – Also demo on a mission critical military system

• PowerPoint and Word

Page 3

This Slide Intentionally Blank

Existing Practice

• Integrity Stove-Piped on Tool-by-Tool Basis

• End-to-End Integrity Not Supported

• Persistent Data only Safeguarded by OS

• Corruption Detection is Ad-Hoc

• Corruption Repair
  – Based on Backups
  – Not Integrated with Detection

Page 4

Technical Approach

• Wrap Program
  – Detect access of integrity marked data & decode it
  – Monitor User Interface to detect change actions
    • Translate GUI actions into application specific modifications
  – Detect update of integrity marked data
    • Re-encode & re-integrity mark the updated data

• Repair any subsequent Corruption from History

• Build on existing research infrastructure

[Figure: Mediation Cocoon: mediators (M) wrap the Program together with a Change Monitor; Environment = Operating System, External Programs]

Page 5

Major Risks and Planned Mitigation

• Ability to detect application-level modifications
  Application Openness Spectrum:
  – Event-Generators: Capture as transaction history
  – Scripting API: Examine state to infer action
  – Black-Box: Mediate GUI to infer action
  => Generic Mediators + Tool Specific mapping

Two Level Architecture

[Figure: Mediation Cocoon: mediators (M) wrap the Program together with a Change Monitor; Environment = Operating System, External Programs]

1. Application Independent GUI Monitor signals action types

2. Application Dependent Change Monitor
   • Determines Action Parameters
   • Logs Modification History

Page 6

Major Risks and Planned Mitigation

• Ability to detect application-level modifications
  Application Openness Spectrum:
  – Event-Generators: Capture as transaction history
  – Scripting API: Examine state to infer action
  – Black-Box: Mediate GUI to infer action
  => Generic Mediators + Tool Specific mapping

• Ability to protect transaction history
  => Hide the location of the transaction history
    • Virtual File System wrapper
    • System-level Randomization Techniques

• Tool-Specific Modification Trackers Expensive
  => Automate common portions
  => Provide rule-based scripting language

Page 7

Accomplishments To Date

• Corruption Detector
  – IDs Document Version on Save (in Document)
  – Records Document Cryptographic Digest on Save
  – Checks Document Cryptographic Digest on Load
  [Demo]

• Change Monitor for MS Word 2000
  – Determines parameters for application-level action
  – Records transaction history (for possible Replay)
  [Demo]

• Corruption Repairer
  – Rebuilds document by replaying transaction history
  [Demo]

• Operation Coverage
  – Compound Operations (Undo, AutoCorrect)
  – Recording “Uninstrumented” Operations
  [Demo]

Page 8

MS Word Data Integrity

Technical Approach To Attribution

• Time Lever shows document development
  – User selects range of interest
  – Move Forwards through Operations Log
  – Move Backwards through Undo Stack

[Figure: Operations Log]

Page 9

Accomplishments To Date


• Attribution
  – Forward-Backward Time Control
  [Demo]

Page 10

MS Word Data Integrity Major Challenges

• Complexity of Word
  – 1128 unique commands
  – 889 Command Bar controls
  – 416 classes with 2594 instance variables
  – However only a small subset is commonly used

• Lack of a General Mechanism for Capturing User Operations
  – Each individual Word function is handled in a specific implementation.

Page 11

MS Word Data Integrity

Major Areas of Development

• Capture of User Operations
  – Mostly Word specific implementation
  – Impacted by complexity of Word

• Version Management and Recovery

• Attribution

Page 12

MS Word Data Integrity

Capture of User Operations

Survey of Word operations usage (includes only text-based operations that modify document content):

Category       Total N   Total %   Implemented N   Coverage (%)
Common              19         7              17             89
Infrequent          42        16               8             19
Hardly Ever        205        77               0              0

• Status
  – Instrumented most GUI Interaction Mechanisms
  – Implemented most of the most used operations

Page 13

MS Word Data Integrity

User Operation Capture Completion Strategy

• Detect UnInstrumented User Changes
  – Method: Unmediated change to Undo Stack

• Record Modification
  1. Localize Scope of Change
     – Record Scoped Change
  2. Checkpoint Document
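The Corruption Detector / Change Monitor / Corruption Repairer of the accomplishments slide and the checkpoint fallback for uninstrumented changes above, as an added toy model in Python (not the project's code): the IntegrityWrapper class, its operation names and the plain-string document are assumptions, and demo() edits, saves, corrupts the stored copy between usages, detects the digest mismatch on load and rebuilds by replaying the log.

```python
import hashlib
class IntegrityWrapper:
    # Constructed model, not the project's code: the document is a plain string,
    # the digest/version and the operations log live outside the document.
    def __init__(self):
        self.version = 0
        self.log = []       # transaction history: (operation, arguments)
        self.digests = {}   # version id -> SHA-256 of the content saved as it
        self.store = ""     # stands in for the document file on disk

    @staticmethod
    def apply(doc, op, args):
        if op == "insert":             # args = (position, text)
            pos, text = args
            return doc[:pos] + text + doc[pos:]
        if op == "delete":             # args = (position, length)
            pos, n = args
            return doc[:pos] + doc[pos + n:]
        if op == "checkpoint":         # args = full content after an
            return args                # uninstrumented change (slide 13)
        raise ValueError(f"unknown operation: {op}")

    def record(self, doc, op, args):   # Change Monitor: log, then apply
        self.log.append((op, args))
        return self.apply(doc, op, args)

    def save(self, doc):               # Detector on save: version id + digest
        self.version += 1
        self.digests[self.version] = hashlib.sha256(doc.encode()).hexdigest()
        self.store = doc

    def load(self):                    # Detector on load: (content, intact?)
        digest = hashlib.sha256(self.store.encode()).hexdigest()
        return self.store, digest == self.digests[self.version]

    def rebuild(self, upto=None):      # Repairer / Time Lever: replay a prefix
        doc = ""
        for op, args in self.log[:upto]:
            doc = self.apply(doc, op, args)
        return doc

def demo():
    w = IntegrityWrapper()
    doc = w.record("", "insert", (0, "hello world"))
    doc = w.record(doc, "delete", (5, 6))          # -> "hello"
    doc = w.record(doc, "insert", (5, " there"))   # -> "hello there"
    w.save(doc)
    w.store = w.store.replace("there", "THERE")    # simulated corruption
    _, intact = w.load()
    return intact, (doc if intact else w.rebuild())
```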

Page 14

PowerPoint Data Integrity

• Reuse existing capabilities
  – Corruption Detection Wrapper
  – Recording/Replay Mechanism
  – Office2000 Instrumentation
  – (PowerPoint) Design Editor Change Monitor

• Unique Development
  – Instrument Remaining PowerPoint Operations

Page 15

Data Integrity

To Do

• MS Word Data Integrity
  – Finish set of commonly used operations (from survey)
  – Default mechanism to handle non instrumented changes
  – Finish Attribution

• Power Point Data Integrity
  – We expect significant reuse of Word instrumentation

• Demonstrate Data Integrity in Military System
  – Identify mission critical Word/PowerPoint use
  – Package system for test deployment

Page 16

Safe Email Attachments Accomplishments To Date

• Wrapper protects email attachment execution
  – Automatically spawned when attachment opened
  – Restricts
    • Files that can be read/written
    • Remote Sites that can be downloaded-from/uploaded-to
    • Portions of Registry that can be read/written
    • Processes that can be spawned
  [Demo]

• Email Attachment Context Determined
• Alerts Logged with Context
• AIA Experiment conducted with IMSC (Musman)

Page 17

Safe Email Attachments

Required for Deployment

• Testing Status
  – Functionality Testing (MitreTek): Completed
  – Rule Testing (MitreTek): Imminent
    • Allows normal behavior (Absence of False Positives)
    • Blocks malicious behavior

• To Do
  – Packaging for Deployment
    • Installation
    • Documentation
    • Test for proper installation
  – Implement Switch-Rules
  – Each attachment opened in separate process (hard)
  – Protect additional Resources (devices, COM)

Page 18

Safe Email Attachments

• Planned Deployment
  – Aug: Alpha at Teknowledge/MitreTek
  – Sept: Beta at DARPA
  – Nov: Pilot at military command (TBD)

[Timeline figure; only the month labels "Apr" and "Jun" survive]

Page 19

Task Schedule

• Dec99: Tool-Level Integrity Manager
  – Monitor & Authorize Tool access & updates

• Jun00: Operation-Level Integrity Manager
  – Monitor, Authorize, & Record Modifications

• Dec00: Integrity Management for MS-Office (Word)

• Jun01: Corruption Repair

• Jun01: PowerPoint

• Dec01: Integrity Management for Mission Critical Military System

• Jun02: Automated Modification Tracking

Page 20

Enforced Policies

• MS Word documents (PowerPoint next)
  – Attack: Document corrupted between usages
  – Policy: Check integrity when used. Rebuild if corrupted
  – Attack: Insider corrupts document using Word/PowerPoint
  – Policy: Log changes. Attribute changes to individuals

• Suspect Programs
  – Attack: Program may harm persistent resources
  – Policy: Copy files just before they are modified. Rollback when requested

• Email-Attachments (Web Browsers)
  – Attack: Program may harm resources
  – Policy: Restrict access/modification of resources

• Executables
  – Attack: Unauthorized changes are made to executables
  – Policy: Integrity Check executables before loading. Prohibit unauthorized modification of executables

Page 21

(To Be) Enforced Policies

• <Program> can’t leave any persistent files after it terminates

• <Program> can only create/access files in <directory> that are selected by user

• <Program> can only modify files it creates