Integrity Through Mediated Interfaces
PI Meeting August 19, 2002
Bob Balzer, Marcelo Tallis
Teknowledge
<balzer,mtallis>@teknowledge.com
Legend: Turquoise = Changes from Feb. 02 PI meeting
Technical Objectives
• Wrap Data with Integrity Marks
  – Insure its Integrity
  – Record its processing history
  – Reconstruct it from this history if it is corrupted
    • by program bugs
    • by malicious attacks
• Demo these capabilities on major COTS product
  – Microsoft Office Suite (PowerPoint & Word only)
  – Also demo on a mission critical military system
• PowerPoint and Word
Technical Approach
• Wrap Program
  – Detect access of integrity marked data & decode it
  – Monitor User Interface to detect change actions
    • Translate GUI actions into application specific modifications
  – Detect update of integrity marked data
    • Re-encode & re-integrity mark the updated data
• Repair any subsequent Corruption from History
• Build on existing research infrastructure
[Diagram: Program inside a Mediation Cocoon of mediators (M) with a Change Monitor; Environment = Operating System, External Programs]
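The mark, record-history and repair cycle listed above, as an added sketch that is not taken from the slides or from the Teknowledge implementation. The HMAC-based mark, the key handling and the `MediatedDocument` class are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the key lives with the mediator, out of reach of the wrapped program.
KEY = b"constructed-demo-key"

def mark(data, key=KEY):
    """Integrity mark: HMAC-SHA256 over a canonical encoding of the data."""
    blob = json.dumps(data, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

class MediatedDocument:
    """Hypothetical mediator holding data, its mark, and its operations log."""

    def __init__(self, initial):
        self.base = dict(initial)   # state when the data was first wrapped
        self.log = []               # processing history: (field, value) updates
        self.data = dict(initial)
        self.tag = mark(self.data)

    def is_intact(self):
        return hmac.compare_digest(self.tag, mark(self.data))

    def repair(self):
        """Rebuild the data by replaying the history over the base state."""
        rebuilt = dict(self.base)
        for field, value in self.log:
            rebuilt[field] = value
        if not hmac.compare_digest(self.tag, mark(rebuilt)):
            raise ValueError("history does not reproduce the marked state")
        self.data = rebuilt

    def read(self):
        """Mediated access: verify the mark, repair from history if it fails."""
        if not self.is_intact():
            self.repair()
        return dict(self.data)

    def update(self, field, value):
        """Mediated update: log the change, apply it, re-mark the data."""
        self.read()                 # never re-mark on top of corrupted data
        self.log.append((field, value))
        self.data[field] = value
        self.tag = mark(self.data)

def demo():
    doc = MediatedDocument({"title": "Plan", "body": ""})
    doc.update("body", "draft 1")
    doc.update("body", "draft 2")
    doc.data["body"] = "overwritten outside the mediator"  # constructed corruption
    return doc.is_intact(), doc.read()
```

The repair step refuses to proceed when the replayed history does not match the stored mark, so a damaged log is reported rather than silently re-marked.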
MS Word Data Integrity: Technical Approach To Attribution
• Time Lever shows document development
  – User selects range of interest
  – Move Forwards through Operations Log
  – Move Backwards through Undo Stack
[Figure label: Operations Log]
Data Integrity Current Status
• MS Word Data Integrity
  – Completed
• MS PowerPoint Data Integrity
  – Generic Data Integrity Architecture
    • Shape creation/deletion
    • Shape move/resize/recolor/rotate
    • Connector attachment/detachment
    • Group/ungroup
• Problems (requiring unique development)
  – Single Process Debug/Demo Architecture
  – Typed Text (different low-level implementation)
  – Dangling Connectors (incomplete COM model)
[Callout: Completed (except for integration of generic mechanisms from PowerPoint Data Integrity)]
[Callout: GUI Monitor tied to change history]
Demo
Data Integrity Future Plans
• Complete Coverage of PowerPoint Operations
• Integrate generic mechanisms from PowerPoint Integrity Manager back into Word
• Deploy Word and PowerPoint Integrity Managers
Safe Email Attachments
• Each opened attachment spawns new process
• Wrapper encapsulates each spawned process
[Diagram: Email Client with Attachments; each spawned Attachment Handler runs inside a Wrapper with mediators (M) and its own Safety Rules (i, j, k)]
Deployment
• Bundled with ADF as OPX Hardened Client
• MARFORPAC Usability Test 2/02
• FBE-Juliet Red Team Experiment 8/02
Deployment/Red-Team Results
• MARFORPAC Usability Test (2/02)
  – No field usage problems (no attacks)
  – Assessed as unmaintainable
    • Not configurable by Marine Sysadmins
    • Alerts not understandable by Marine personnel
• Hardened Client II Red-Team Experiment (5/02)
  – Test new ByPass Protection mechanism
    • All attacks on or to disable ByPass Protector failed
    • Attack on unprotected wrapper data succeeded
      – This vulnerability disclosed to Red-Team prior to experiment
• FBE-Juliet Red-Team Experiment (8/02)
  – Test SafeEmail against malicious attachments
    • All attacks on SafeEmail failed
  – SafeEmail field portable to OfficeXP
[Callouts: Response; New rule system & GUI; Autonomic responses]
Demo
SafeEmail Plans
• Integration with Enterprise Wrappers
  – Offboard Policy Manager
  – Offboard Alert Dissemination
  – Dynamic Policies
• Pilot Deployments
  – Within Military and Federal Government
• Development of Contained Execution Compartments
  – No persistent effects from opening email attachments
  – Only new document versions from editors
• Integration with autonomic attack detector (SBIR)
• Hardening & Independent Assessment (OPX)
• Broader Coverage (all user processes) (OPX)