Integrity Through Mediated Interfaces
PI Meeting July 24, 2001
Bob Balzer, Marcelo Tallis, Teknowledge
<balzer,mtallis>@teknowledge.com

Legend:
  Turquoise: Changes from July 99 PI meeting
  Green: Changes from Feb 00 PI meeting
  Red: Changes from July 00 PI meeting
  Brown: Changes from Feb 01 PI meeting
Technical Objectives
• Wrap Data with Integrity Marks
  – Insure its Integrity
  – Record its processing history
  – Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks
• Demo these capabilities on major COTS product
  – Microsoft Office Suite (PowerPoint & Word only)
    • PowerPoint and Word
  – Also demo on a mission critical military system
Technical Approach
• Wrap Program
  – Detect access of integrity marked data & decode it
  – Monitor User Interface to detect change actions
    • Translate GUI actions into application specific modifications
  – Detect update of integrity marked data
    • Re-encode & re-integrity mark the updated data
• Repair any subsequent Corruption from History
• Build on existing research infrastructure
[Figure: Mediation Cocoon. The Program is enclosed by mediators (M) that sit between it and its Environment (Operating System, External Programs); a ChangeMonitor observes the program's changes.]
MS Word Data Integrity: Technical Approach To Attribution
• Time Lever shows document development
  – User selects range of interest
  – Move Forwards through Operations Log
  – Move Backwards through Undo Stack
[Figure: Operations Log]
MS Word Data Integrity: Major Challenges
• Complexity of Word
  – 1128 unique commands
  – 889 Command Bar controls
  – 416 classes with 2594 instance variables
  – However only a small subset is commonly used
• Lack of a General Mechanism for Capturing User Operations
  – Each individual Word function is handled in a specific implementation.
MS Word Data Integrity: User Operation Capture Completion Strategy (Generic Architecture)
• Detect UnInstrumented User Changes
  – Method: Unmediated change to Undo Stack
• Record Modification
  1. Localize Scope of Change
  2. Compare with Cached State
  3. Record Scoped Change
Accomplishments To Date
• Corruption Detector (Demo)
  – IDs Document Version on Save (in Document)
  – Records Document Cryptographic Digest on Save
  – Checks Document Cryptographic Digest on Load
• Change Monitor for MS Word 2000 (Demo)
  – Determines parameters for application-level action
  – Records transaction history (for possible Replay)
• Corruption Repairer (Demo)
  – Rebuilds document by replaying transaction history
• Operation Coverage (Demo)
  – Compound Operations (Undo, AutoCorrect)
  – Recording “Uninstrumented” Operations
  – Insert Images/Symbols, Page/Section Breaks
• Attribution (Demo)
  – Forward-Backward Time Control
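The Corruption Detector, Change Monitor and Corruption Repairer above, as an added Python model that is not the project's own code: paragraph edits stand in for Word operations, the three-step scoped-change recording feeds an operations log, a version id plus SHA-256 digest is the integrity mark written on save and checked on load, and a failed check is repaired by replaying the log.

```python
import copy, hashlib, json
from dataclasses import dataclass, field
# Constructed model of the Word data-integrity architecture above (not project code).
@dataclass
class IntegrityDoc:
    paragraphs: list = field(default_factory=list)
    log: list = field(default_factory=list)    # operations log of scoped changes
    undo: list = field(default_factory=list)   # undo stack: state before each op
    mark: dict = None                          # integrity mark written on save

    def digest(self):
        return hashlib.sha256(json.dumps(self.paragraphs).encode()).hexdigest()

    def apply(self, op):
        # Change Monitor: 1. localize scope, 2. compare with cached state, 3. record
        kind, idx, text = op
        if kind == "replace" and self.paragraphs[idx] == text:
            return                             # equals cached state: nothing to record
        self.undo.append(copy.deepcopy(self.paragraphs))
        if kind == "insert":
            self.paragraphs.insert(idx, text)
        else:
            self.paragraphs[idx] = text
        self.log.append(op)

    def save(self):
        # Corruption Detector on save: record version id and cryptographic digest
        self.mark = {"version": len(self.log), "digest": self.digest()}

    def load_check(self):
        # Corruption Detector on load: digest must match the saved mark
        return self.mark is not None and self.mark["digest"] == self.digest()

    def repair(self):
        # Corruption Repairer: rebuild by replaying the history up to the saved version
        if self.mark is None:
            return False
        rebuilt = IntegrityDoc()
        for op in self.log[: self.mark["version"]]:
            rebuilt.apply(op)
        self.paragraphs = rebuilt.paragraphs
        return self.load_check()

def demo():
    doc = IntegrityDoc()
    for op in [("insert", 0, "Alpha"), ("insert", 1, "Bravo"), ("replace", 1, "Bravo!")]:
        doc.apply(op)
    doc.save()
    doc.paragraphs[0] = "Alph@"                # corruption that bypassed the mediators
    return doc.load_check(), doc.repair(), doc.paragraphs
```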
PowerPoint Data Integrity: Plan
• Reuse existing capabilities
  – Corruption Detection Wrapper
  – Recording/Replay Mechanism
  – Office2000 Instrumentation
  – (PowerPoint) Design Editor Change Monitor
  – Generic Data Integrity Architecture
• Unique Development
  – Instrument Remaining PowerPoint Operations
PowerPoint Data Integrity: Status
• Using Generic Data Integrity Architecture
  – Handled
    • Shape creation/deletion
    • Shape move/resize/recolor/rotate
    • Connector attachment/detachment
    • Group/ungroup
• Problems (requiring unique development)
  – Single Process Debug/Demo Architecture
  – Typed Text (different low-level implementation)
  – Dangling Connectors (incomplete COM model)
Data Integrity To Do
• MS Word Data Integrity
  – Finish set of commonly used operations (from survey)
  – Default mechanism to handle non instrumented changes
  – Finish Attribution
• Power Point Data Integrity
  – We expect significant reuse of Word instrumentation
• Demonstrate Data Integrity in Military System
  – Identify mission critical Word/PowerPoint use
  – Package system for test deployment
Safe Email Attachments
[Figure: the EmailClient opens an Attachment; the AttachmentHandler spawns a new process for each opened attachment, and each spawned process is encapsulated by its own Wrapper with its own Safety Rules (i, j, k), enforced by mediators (M). Annotation: "No update for novel attacks".]
• Each opened attachment spawns new process
• Wrapper encapsulates each spawned process
Safe Email Attachments: Wrapper
• Wrapper protects email attachment execution
  – Automatically spawned when attachment opened
  – Restricts (via application-specific rules)
    • Files that can be read/written
    • Remote Sites that can be downloaded-from/uploaded-to
    • Portions of Registry that can be read/written
    • Processes that can be spawned
    • COM Servers that can be contacted
    • Devices that can be used
    • Processes that can be accessed
  – Detects scripts within application (different rules)
• Pilot deployment within DARPA ATO office
Demo
Safe Email Attachments: Accomplishments To Date
• Wrapper protects email attachment execution (Demo)
  – Automatically spawned when attachment opened
  – Restricts
    • Files that can be read/written
    • Remote Sites that can be downloaded-from/uploaded-to
    • Portions of Registry that can be read/written
    • Processes that can be spawned
• Email Attachment Context Determined
• Alerts Logged with Context
• AIA Experiment conducted with IMSC (Musman)
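The wrapper rules and context-tagged alerts of the two Safe Email Attachments slides above, as an added Python model that is not the project's own code. It assumes application-specific allow-lists per resource class, a stricter rule set switched in once a script is detected inside the application, and constructed attachment context values; a blocked access is logged together with that context.

```python
import fnmatch

# Constructed model of the Safe Email Attachments wrapper rules above (not project
# code): allow-list patterns per resource class, one rule set per mode.
RULES = {
    "document": {                      # attachment handler opened a plain document
        "file_read":  [r"C:\Attachments\*", r"C:\Program Files\Office\*"],
        "file_write": [r"C:\Attachments\*"],
        "download":   ["*.example.mil"],
        "upload":     [],
        "registry":   [r"HKCU\Software\Microsoft\Office\*"],
        "spawn":      [],
    },
    "script": {                        # script detected inside the application
        "file_read":  [r"C:\Attachments\*"],
        "file_write": [], "download": [], "upload": [], "registry": [], "spawn": [],
    },
}

class AttachmentWrapper:
    def __init__(self, context):
        self.context = context          # attachment context, e.g. name and handler
        self.mode = "document"
        self.alerts = []

    def script_detected(self):
        self.mode = "script"            # switch rules: scripts get the stricter set

    def mediate(self, resource, target):
        # Mediator check for one intercepted access; returns True if allowed
        allowed = any(fnmatch.fnmatchcase(target, p) for p in RULES[self.mode][resource])
        if not allowed:
            self.alerts.append({**self.context, "mode": self.mode,
                                "resource": resource, "target": target})
        return allowed

def demo():
    # constructed context: a Word attachment opened by the attachment handler
    w = AttachmentWrapper({"attachment": "report.doc", "handler": "winword.exe"})
    r1 = w.mediate("file_read", r"C:\Attachments\report.doc")   # allowed
    r2 = w.mediate("spawn", "setup.exe")                         # blocked, alert logged
    w.script_detected()
    r3 = w.mediate("download", "files.example.mil")              # blocked under script rules
    return (r1, r2, r3), w.alerts
```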
Safe Email Attachments: Required for Deployment
• Testing Status
  – Functionality Testing (MitreTek): Completed
  – Rule Testing (MitreTek): Completed
    • Allows normal behavior (Absence of False Positives)
    • Blocks malicious behavior
• To Do
  – Packaging for Deployment
    • Installation
    • Documentation
    • Test for proper installation
  – Implement Switch-Rules
  – Each attachment opened in separate process (hard)
  – Protect additional Resources (devices, COM)
Safe Email Attachments
• Planned Deployment
  – Aug: Alpha at Teknowledge/MitreTek
  – Sept: Beta at DARPA
  – Nov: Pilot at military command (TBD)
[Timeline annotations: Apr, Jun; BBN => MARFORPAC; (NT => Win2000)]
Task Schedule
• Dec99: Tool-Level Integrity Manager
  – Monitor & Authorize Tool access & updates
• Jun00: Operation-Level Integrity Manager
  – Monitor, Authorize, & Record Modifications
• Dec00: Integrity Management for MS-Office
  – Word (Dec01: PowerPoint)
• Jun01: Corruption Repair
• Dec01: Integrity Management for Mission Critical Military System
• Jun02: Automated Modification Tracking