Integrity Through Mediated Interfaces - PowerPoint PPT Presentation

Title: Non-ByPassable NT Security Manager; Author: Bob Balzer; Last modified by: balzer; Created Date: 1/12/1999 5:23:35 PM

Transcript and Presenter's Notes



1
Integrity Through Mediated Interfaces
  • Bob Balzer
  • Information Sciences Institute
  • balzer@isi.edu

2
Technical Objectives
  • Wrap Data with Integrity Marks
  • Ensure its Integrity
  • Record its processing history
  • Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks
  • Demo these capabilities on major COTS product
    • Microsoft Office Suite

3
Existing Practice
  • Integrity Stove-Piped on Tool-by-Tool Basis
  • End-to-End Integrity Not Supported
  • Persistent Data only Safeguarded by OS
  • Corruption Detection is Ad-Hoc
  • Corruption Repair
    • Based on Backups
    • Not Integrated with Detection

4
Technical Approach
  • Detect update of integrity marked data
  • Re-encode / re-integrity-mark the updated data
  • Repair any subsequent Corruption from History
  • Build on existing research infrastructure
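The approach above (mark the data, re-mark every authorized update, keep its processing history, detect corruption and repair from the history) as an added Python example. This is not code from the presentation or from the Integrity Manager project; the HMAC key, the chained-history layout and the Marked/IntegrityManager names are assumptions made here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Marked:
    """One integrity-marked version of a document, with its attribution."""
    seq: int
    who: str
    when: str        # caller-supplied timestamp string
    content: bytes
    mark: str        # HMAC over seq, who, when, previous mark and content


class IntegrityManager:
    """Hypothetical integrity manager: every authorized update is re-marked and
    appended to an HMAC-chained history, so corruption of the working copy or
    of any history entry is detected and the newest intact version restored."""

    def __init__(self, key: bytes):
        self._key = key              # constructed demo key, held by the manager only
        self.history: List[Marked] = []

    def _mark(self, seq: int, who: str, when: str, content: bytes, prev: str) -> str:
        h = hmac.new(self._key, digestmod=hashlib.sha256)
        for field in (str(seq), who, when, prev):
            h.update(field.encode() + b"\0")   # NUL-separated fields (assumes no NUL inside)
        h.update(content)
        return h.hexdigest()

    def record(self, content: bytes, who: str, when: str) -> Marked:
        """Authorized update: re-mark the new content and append it to history."""
        seq = len(self.history)
        prev = self.history[-1].mark if seq else ""
        m = Marked(seq, who, when, content, self._mark(seq, who, when, content, prev))
        self.history.append(m)
        return m

    def verify(self, m: Marked) -> bool:
        """Corruption detection: recompute the mark from the chained fields."""
        prev = self.history[m.seq - 1].mark if m.seq else ""
        expected = self._mark(m.seq, m.who, m.when, m.content, prev)
        return hmac.compare_digest(expected, m.mark)

    def repair(self) -> Optional[Marked]:
        """Return the newest history version that still verifies, or None."""
        for m in reversed(self.history):
            if self.verify(m):
                return m
        return None
```

Because each mark covers the attribution fields and the previous mark, an edit to who made a change, when it was made, or to an older history entry fails verification just as a change to the content does.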

5
NT Security Integration Enhancements
  • External Analyzers Track Evolving Design;
    Feedback Results/Errors
  • User Specified Diagram Semantics; Domain
    Model Analyzers
  • Pseudo-Events added to track user modifications
  • COTS Infrastructure Leveraged (99.9)

(Slide diagram panels, recovered from the extracted labels:)

EMACS in Eudora
  • Email Reply composed in EMACS
  • Message body: Eudora > EMACS; EMACS window selected
  • Message body: EMACS > Eudora; Reply queued for delivery;
    Eudora window selected
  • Neither COTS product modified
  • Pseudo-Events added to track user commands

Security Manager: User Specified Restrictions
  • File Access (Read/Write)
  • Process Spawn
  • Registry Access (Read/Write)
  • Violations reported to user
  • Dynamic user-specified overrides
  • Rule Set Chosen by Program Name

Encryption Archive
  • File Contents Encrypted
  • File Name Encrypted (no mnemonics)
  • No Persistent Clear Version Retained
  • Transparently Added to COTS products

Web Ad Buster
  • Blocks Downloading of Ads
  • User Specified Blocking of
    • Sites
    • URLs with wildcards

Virtual File System (User Specified Restrictions as above)
  • Files/Directories Hidden / Inaccessible
  • Virtual Files/Directories Materialized
  • Transparently Added to COTS products

Web Annotator
  • Personalizes Web page with annotations:
    Rated Links (by you), Updated Links (for you), New Links (for you)
  • Displays Time Link Last Read

Diagram Animation
  • Data Flow Simulation
  • User code for modules
  • User specified tokens
  • Animation Primitives
  • Animation Controls
  • PowerPoint Unmodified

Monitoring C Development
  • Capture Compilation Activity
  • Compilation Errors
  • Compilation Warnings
  • Monitor intra-COTS architecture

Secure Mediation (Security Manager, Mediation Installer)
  • Wrapper installed before execution begins
  • Wrapper installed Non-ByPassably
  • Malicious program can't get around mediators
  • Malicious program can't remove mediators

Mediation Cocoon (diagram: Program surrounded by mediators M)
  • Safe Execution Environments
    • Safe Web Browsing
    • Safe Agent Execution
    • Safe Download/Macro Execution
  • File System Extensions
    • Encryption Archive
    • Virtual File System
    • Copy-On-Modify

Technical Capability: Control Environment in which execution occurs
Research Question: How to control program by controlling execution
environment > Indirect Control

COTS Integration
  • Ppt Design Editor
  • EMACS in Eudora
  • Web Annotator
  • Diagram Animation
  • Monitoring C Development
  • Web Ad Buster

Balzer
USC INFORMATION SCIENCES INSTITUTE
6
Copy On Modify Demo
7
Safe Web Browser Demo
8
Domain Specific Design Editor Demo
9
Major Risks and Planned Mitigation
  • Ability to detect application-level modifications
    • Application Openness Spectrum
      • Event-Generators: Capture as transaction history
      • Scripting API: Examine state to infer action
      • Black-Box: Mediate GUI to infer action
    • > Generic Mediators + Tool Specific mapping
  • Ability to protect transaction history
    • > Hide the location of the transaction history
      • Virtual File System wrapper
      • System-level Randomization Techniques
  • Tool-Specific Modification Trackers Expensive
    • > Automate common portions
    • > Provide rule-based scripting language

10
Task Schedule
  • Dec99: Tool-Level Integrity Manager
    • Monitor, Authorize Tool access/updates
  • Jun00: Operation-Level Integrity Manager
    • Monitor, Authorize, Record Modifications
  • Dec00: Integrity Management for MS-Office
  • Jun01: Corruption Repair
  • Jun02: Automated Modification Tracking

11
Expected Major Achievements
  • for Integrity Marked Documents:
    • End-To-End Data Integrity (through multiple tools/sessions)
    • Modifications Monitored, Authorized, Recorded
    • Authorization Control of Users, Tools, and Operations
    • All Changes Attributed and Time Stamped
    • Assured Detection of Corruption
    • Ability to Restore Corrupted Data
  • Ability to operate with COTS products
    • MS-Office Documents Integrity Marked

12
Measures of Success
  • Widespread Deployment of Integrity Manager for MS-Office
  • Extensibility of Integrity Manager to other COTS products
  • Ease of creating Modification Trackers
  • Resistance to Malicious Attacks
    • Corruption Avoidance
    • Corruption Detection
    • Corruption Repair
    • > Red-Team Experiment

13
Key Outstanding Issues
  • None Yet

14
Transition of Technology
  • Piggyback our Technology on a widely used Target Product (MS Office)
  • Integrity Manager automatically invoked as needed
  • Make technology available for COTS products
  • Work with Vendors to encourage publication of modification events

15
Needed PM Assistance
  • None Yet