Integrity Through Mediated Interfaces PI Meeting: July 19-21, 2000


  • Integrity Through Mediated Interfaces
    - PI Meeting: July 19-21, 2000
    - Bob Balzer, Teknowledge, balzer@teknowledge.com
    - Legend:
      - Turquoise: Changes from July 99 PI meeting
      - Green: Changes from Feb 00 PI meeting

  • Technical Objectives
    - Wrap Data with Integrity Marks
      - Ensure its Integrity
      - Record its processing history
      - Reconstruct it from this history if it is corrupted
        - by program bugs
        - by malicious attacks
    - Demo these capabilities on major COTS product
      - Microsoft Office Suite (PowerPoint & Word only)
      - Also demo on a mission critical military system

  • Existing Practice
    - This Slide Intentionally Blank
    - Integrity Stove-Piped on Tool-by-Tool Basis
    - End-to-End Integrity Not Supported
    - Persistent Data only Safeguarded by OS
    - Corruption Detection is Ad-Hoc
    - Corruption Repair
      - Based on Backups
      - Not Integrated with Detection

  • Technical Approach
    - Program
    - Detect update of integrity marked data
    - Re-encode & re-integrity mark the updated data
    - Repair any subsequent Corruption from History
    - Build on existing research infrastructure

  • Major Risks and Planned Mitigation
    - Ability to detect application-level modifications
      - Application Openness Spectrum:
        - Event-Generators: Capture as transaction history
        - Scripting API: Examine state to infer action
        - Black-Box: Mediate GUI to infer action
          1. Application Independent GUI Monitor signals action types
          2. Application Dependent Change Monitor
             - Determines Action Parameters
             - Logs Modification History

  • Major Risks and Planned Mitigation
    - Ability to detect application-level modifications
      - Application Openness Spectrum:
        - Event-Generators: Capture as transaction history
        - Scripting API: Examine state to infer action
        - Black-Box: Mediate GUI to infer action
      - => Generic Mediators + Tool Specific mapping
    - Ability to protect transaction history
      - => Hide the location of the transaction history
        - Virtual File System wrapper
        - System-level Randomization Techniques
    - Tool-Specific Modification Trackers Expensive
      - => Automate common portions
      - => Provide rule-based scripting language

  • Accomplishments To Date
    - Corruption Detector
      - IDs Document Version on Save (in Document)
      - Records Document Cryptographic Digest on Save
      - Checks Document Cryptographic Digest on Load
    - Change Monitor for MS Word 2000
      - Determines parameters for application-level action
      - Records transaction history (for possible Replay)
    - Corruption Repairer
      - Rebuilds document by replaying transaction history

  • Accomplishments To Date
    - Safe Email Attachments
      - Wrapper protects email attachment execution
      - Automatically spawned when attachment opened
      - Restricts
        - Files that can be read/written
        - Remote Sites that can be downloaded-from/uploaded-to
        - Portions of Registry that can be read/written
        - Processes that can be spawned
    - Planned Deployment
      - Aug: Alpha at Teknowledge/MitreTek
      - Sept: Beta at DARPA
      - Nov: Pilot at military command (TBD)

  • Accomplishments To Date
    - IFE 2.3 ReRun Experiment (IA)

  • IFE 2.3 ReRun Wrapper Defenses
    - Prevent
      - modification of
        - Database by anyone other than DB Manager
        - EDI Orders by anyone other than FTP Server
        - Executables by anyone (during production)
      - Execution of unauthorized processes
    - Detect modification of
      - Executables, by checking hidden digital signature
    - Tolerate modification of
      - Executables, by reinstalling hidden saved copy
    - Diagram labels: Detection, Attacks, Prevention, Layered Protection, Tolerance

  • Accomplishments To Date
    - Other IA Projects
      - IFE 2.3 ReRun: only uncaptured blue flags
      - NT Security Manager
        - Policy specifies
          - which processes can run
          - whether executables should be integrity checked
          - how processes should be wrapped
        - All processes wrapped before execution
      - New AIA Project: Enterprise Wrappers (Tek/NAI)
        - Goal: Network Management of Host Wrappers
        - Common NT/Linux Interface & Infrastructure

  • Measures of Success
    - Widespread Deployment of Integrity Manager for MS-Office
    - Extensibility of Integrity Manager to other COTS products
      - Ease of creating Modification Trackers
    - Resistance to Malicious Attacks
      - Corruption Avoidance
      - Corruption Detection
      - Corruption Repair
      - => Red-Team Experiment

  • Expected Major Achievements for Integrity Marked Documents:
    - End-To-End Data Integrity (through multiple tools/sessions)
    - Modifications Monitored, Authorized, & Recorded
      - Authorization Control of Users, Tools, and Operations
      - All Changes Attributed and Time Stamped
    - Assured Detection of Corruption
    - Ability to Restore Corrupted Data
    - Ability to operate with COTS products
      - MS-Office Documents Integrity Marked
      - Mission Critical Military System Integrity Marked

  • Task Schedule
    - Dec99: Tool-Level Integrity Manager
      - Monitor & Authorize Tool access & updates
    - Jun00: Operation-Level Integrity Manager
      - Monitor, Authorize, & Record Modifications
    - Dec00: Integrity Management for MS-Office
    - Jun01: Corruption Repair
    - Dec01: Integrity Management for Mission Critical Military System
    - Jun02: Automated Modification Tracking

  • Task Schedule
    - Safe Email-Attachments
      - July00: Demo at PI Meeting
      - Aug00: Alpha at Teknowledge/MitreTek
      - Sept00: Beta at DARPA
      - Nov00: Pilot at military command (TBD)

  • Enforced Policies
    - MS Word documents (PowerPoint next)
      - Attack: Document corrupted between usages
      - Policy: Check integrity when used. Rebuild if corrupted
      - Attack: Insider corrupts document using Word/PowerPoint
      - Policy: Log changes. Attribute changes to individuals
    - Suspect Programs
      - Attack: Program may harm persistent resources
      - Policy: Copy files just before they are modified. Rollback when requested
    - Email-Attachments (Web Browsers)
      - Attack: Program may harm resources
      - Policy: Restrict access/modification of resources
    - Executables
      - Attack: Unauthorized changes are made to executables
      - Policy: Integrity Check executables before loading. Prohibit unauthorized modification of executables

  • (To Be) Enforced Policies
    - can only modify files it creates
    - can't leave any persistent files after it terminates
    - can only create/access files in that are selected by user

  • Key Outstanding Issues
    - None Yet

  • Transition of Technology
    - Piggyback our Technology on a widely used Target Product (MS Office)
      - Integrity Manager automatically invoked as needed
    - Make technology available for COTS products
      - Work with Vendors to encourage publication of modification events

  • Needed PM Assistance
    - Help identifying suitable mission critical military system (possibly at PACOM)
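
The Corruption Detector and Corruption Repairer slide describes a save/load cycle: record a digest on save, check it on load, and rebuild from the transaction history on mismatch. The sketch below is an added example, not Teknowledge's code; SHA-256, the `(kind, pos, arg)` operation format, the in-memory history and all names are assumptions made for illustration.

```python
import hashlib
import hmac

def digest(text):
    # Assumption: SHA-256 stands in for the slides' "cryptographic digest".
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def apply_op(text, op):
    # One logged application-level action (hypothetical format).
    kind, pos, arg = op
    if kind == "insert":
        return text[:pos] + arg + text[pos:]
    if kind == "delete":
        return text[:pos] + text[pos + arg:]
    raise ValueError("unknown operation: %r" % (kind,))

class IntegrityManager:
    def __init__(self, base=""):
        self.base = base      # known-good starting content
        self.history = []     # transaction history from the change monitor
        self.versions = []    # (ops applied so far, digest), one per save

    def record(self, text, op):
        # Change monitor: log the action, then let it take effect.
        self.history.append(op)
        return apply_op(text, op)

    def save(self, text):
        # Detector: record version and digest on save; returns the version id.
        self.versions.append((len(self.history), digest(text)))
        return len(self.versions)

    def load(self, stored, version):
        # Detector: check digest on load. Repairer: replay history on mismatch.
        n_ops, expected = self.versions[version - 1]
        if hmac.compare_digest(digest(stored), expected):
            return stored, False
        rebuilt = self.base
        for op in self.history[:n_ops]:
            rebuilt = apply_op(rebuilt, op)
        if not hmac.compare_digest(digest(rebuilt), expected):
            raise ValueError("history does not reproduce the saved digest")
        return rebuilt, True

def demo():
    # Constructed sample document and edits.
    mgr = IntegrityManager("")
    doc = mgr.record("", ("insert", 0, "Order 100 units"))
    doc = mgr.record(doc, ("delete", 6, 3))
    doc = mgr.record(doc, ("insert", 6, "250"))
    version = mgr.save(doc)
    return mgr.load(doc, version), mgr.load("Order 999 units", version)
```

The repair is only as trustworthy as the history and recorded digests, which is why the slides list protecting the transaction history as a separate risk.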