Integrity Through Mediated Interfaces

Bob Balzer

Information Sciences Institute

balzer@isi.edu

Technical Objectives

• Wrap Data with Integrity Marks
  – Ensure its Integrity
  – Record its processing history
  – Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks

• Demo these capabilities on major COTS product
  – Microsoft Office Suite

Existing Practice

• Integrity Stove-Piped on Tool-by-Tool Basis

• End-to-End Integrity Not Supported

• Persistent Data only Safeguarded by OS

• Corruption Detection is Ad-Hoc

• Corruption Repair
  – Based on Backups
  – Not Integrated with Detection

Technical Approach

• Wrap Program
  – Detect access of integrity marked data & decode it
  – Monitor User Interface to detect change actions
    • Translate GUI actions into application specific modifications
  – Detect update of integrity marked data
    • Re-encode & re-integrity mark the updated data

• Repair any subsequent Corruption from History

• Build on existing research infrastructure

[Diagram: Program with Change Monitor inside a Mediation Cocoon of mediators (M); Environment = Operating System, External Programs]
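A sketch of the wrap, record and repair cycle listed on this slide, as an added example that is not code from the original slides or from the ISI project. The HMAC-based mark, the hash-chained history, the insert/delete operation vocabulary and the names `Mediator`, `apply_op` and `KEY` are all assumptions chosen for illustration.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: secret known only to the mediator

def mac(data: str) -> str:
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()

def apply_op(text, op):
    """Replay one recorded modification (assumed operation vocabulary)."""
    if op["kind"] == "insert":
        return text[:op["pos"]] + op["text"] + text[op["pos"]:]
    if op["kind"] == "delete":
        return text[:op["pos"]] + text[op["pos"] + op["len"]:]
    raise ValueError(f"unknown operation {op['kind']!r}")

class Mediator:  # hypothetical: the wrapped tool sees only (text, mark) pairs
    def __init__(self, authorized):
        self.authorized = set(authorized)
        self.history = []  # protected log: op, user, ts, chained MAC

    def _head(self):
        return self.history[-1]["chain"] if self.history else ""

    def mark(self, text):
        return mac(self._head() + "|" + text)  # binds content to newest entry

    def verify(self, text, mark):
        return hmac.compare_digest(mark, self.mark(text))

    def update(self, text, mark, op, user, ts):
        """Mediate one update: verify, authorize, record, re-mark."""
        if not self.verify(text, mark):
            raise ValueError("integrity mark mismatch")
        if user not in self.authorized:
            raise PermissionError(f"{user} is not authorized")
        entry = {"op": op, "user": user, "ts": ts}
        chain = mac(self._head() + json.dumps(entry, sort_keys=True))
        self.history.append({**entry, "chain": chain})
        text = apply_op(text, op)
        return text, self.mark(text)

    def repair(self):
        """Check the history chain, then rebuild the document by replay."""
        text, prev = "", ""
        for e in self.history:
            entry = {k: e[k] for k in ("op", "user", "ts")}
            if e["chain"] != mac(prev + json.dumps(entry, sort_keys=True)):
                raise ValueError("history is corrupted")
            text, prev = apply_op(text, e["op"]), e["chain"]
        return text, self.mark(text)
```

Because the mark covers the newest history entry as well as the content, a stale but once-valid (text, mark) pair no longer verifies after a later update.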

[Diagram: Program inside a Mediation Cocoon of mediators (M)]

NT Security & Integration Enhancements

• Security Manager
• Mediation Installer
• Secure Mediation

Safe Execution Environments

• Safe Web Browsing
• Safe Agent Execution
• Safe Download/Macro Execution

File System Extensions

• Encryption Archive
• Virtual File System
• Copy-On-Modify

COTS Integration

• Ppt Design Editor
• EMACS in Eudora
• Web Annotator
• Diagram Animation
• Monitoring C++ Development
• Web Ad Buster

Copy On Modify Demo

Safe Web Browser Demo

Domain Specific Design Editor Demo

Major Risks and Planned Mitigation

• Ability to detect application-level modifications
  Application Openness Spectrum:
  – Event-Generators: Capture as transaction history
  – Scripting API: Examine state to infer action
  – Black-Box: Mediate GUI to infer action
  => Generic Mediators + Tool Specific mapping

• Ability to protect transaction history
  => Hide the location of the transaction history
    • Virtual File System wrapper
    • System-level Randomization Techniques

• Tool-Specific Modification Trackers Expensive
  => Automate common portions
  => Provide rule-based scripting language

Task Schedule

• Dec99: Tool-Level Integrity Manager
  – Monitor & Authorize Tool access & updates

• Jun00: Operation-Level Integrity Manager
  – Monitor, Authorize, & Record Modifications

• Dec00: Integrity Management for MS-Office

• Jun01: Corruption Repair

• Jun02: Automated Modification Tracking

Expected Major Achievements

• for Integrity Marked Documents:
  – End-To-End Data Integrity (through multiple tools/sessions)
  – Modifications Monitored, Authorized, & Recorded
    • Authorization Control of Users, Tools, and Operations
    • All Changes Attributed and Time Stamped
  – Assured Detection of Corruption
  – Ability to Restore Corrupted Data

• Ability to operate with COTS products

• MS-Office Documents Integrity Marked

Measures of Success

• Widespread Deployment of Integrity Manager for MS-Office

• Extensibility of Integrity Manager to other COTS products

• Ease of creating Modification Trackers

• Resistance to Malicious Attacks
  – Corruption Avoidance
  – Corruption Detection
  – Corruption Repair
  => Red-Team Experiment

Key Outstanding Issues

• None Yet

Transition of Technology

• Piggyback our Technology on a widely used Target Product (MS Office)
  – Integrity Manager automatically invoked as needed

• Make technology available for COTS products

• Work with Vendors to encourage publication of modification events

Needed PM Assistance

• None Yet