Enterprise Wrappers OASIS PI Meeting July 24, 2001 Bob Balzer Neil Goldman <balzer,ngoldman>@Teknowledge.com

Upload: maude-sutton

Post on 16-Jan-2016


Page 1: Enterprise Wrappers OASIS PI Meeting July 24, 2001 Bob Balzer Neil Goldman @Teknowledge.com

Enterprise Wrappers
OASIS PI Meeting
July 24, 2001
Bob Balzer
Neil Goldman
<balzer,ngoldman>@Teknowledge.com

Page 2

Situational Awareness

Diagram: a hierarchy from Very Large Network / Wide Area Network (Network Operations Center) through Enclave (Middle Managers) and Local Area Network (Host) down to Host / Process, with edge labels Policy and Alerts.

Page 3

Enterprise Wrappers Goals

Integrate host-based wrappers into scalable cyber-defense system

Create common multi-platform wrapper infrastructure

Populate this infrastructure with useful monitors, authorizers, and controllers

Page 4

Enterprise Wrappers Objectives

Diagram: NWM (Network Wrapper Manager) with Network Schema & Data and a Manager Interface; a Hardened System and a "Soft" System; other IA components, such as intrusion detection, sniffers, secure DNS, IDIP, etc.; a Boundary Controller; services; a WMI proxy. Links are labelled Control Protocol and Data Push/Pull.

• Wrapper Network Interface
  – Off-board cyber-defense controllers
  – Off-board communication of wrapper data
• Host Controller
  – Manages dynamic insertion and removal of Wrappers
  – Multi-platform (Linux and NT)
  – Network-scalable
• Mutual protection/isolation of Host Controller & Wrappers from the system(s) being protected

Diagram, Hardened System (expanded): on Linux or NT, a Host Controller with a Wrapper Subsystem and DataBase manages Mediation Cocoons, each holding mediators (M) around an App.

Page 5

Project Challenges

• Deployable Enterprise Wrappers
  – Host Controller
  – Network Wrapper Manager
  – Wrappers (developed by other projects)
• Additional Wrappers Research
• Large-Scale Wrapper Policy Management

(Slide legend: Original, Added)

Page 6

Enterprise Wrapper APIs

Diagram: wrapper lifecycle state machine. States: Defined, Installed, Deployed, Active, Sensed. Transitions: Define, Install, Deploy, Activate, Deactivate, Undeploy, Uninstall, Focus. Legend: Active, Available.

Deployable Version Available 12/31/01

Page 7

Additional Wrapper Research

• Fault-Tolerating Wrappers
  – Monitor Program Behavior
  – Record Persistent Resource Modifications
  – Delay Decision Point by making changes undoable
    • File, Registry, Database, Communication Changes
    • Lock access to updates by other processes until accepted
  – Provide Undo-Execution Facility
    • Invoked by after-the-fact Intrusion Detection
    • Effect: Reverse Attack Progress
• Untrusted Wrappers
  – Isolate Mediators from code being wrapped
  – Enforce Mediator Interface
    • Monitors (only observe)
    • Authorizers (only allow/prevent invocation)
    • Transformers
      – Modify parameters and/or return
      – Supply service on their own
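The fault-tolerating and untrusted-wrapper ideas above, as an added Python example that is not code from the Teknowledge project: a constructed mediation cocoon that holds monitors, authorizers and transformers to their declared interfaces (a monitor's return value is discarded, an authorizer can only allow or refuse, only a transformer may change parameters) and journals file writes so an after-the-fact detector can reverse them. The Journal, Cocoon and demo names and the throwaway temp-directory scenario are assumptions.

```python
import os
import tempfile

# Constructed mediation cocoon, not the Teknowledge wrapper code: mediators are
# held to their declared interface and file changes are journaled for undo.
class Journal:
    def __init__(self):
        self.entries = []  # (path, prior bytes or None if the file was new)
    def record(self, path):  # called before the wrapped app modifies a file
        prev = open(path, "rb").read() if os.path.exists(path) else None
        self.entries.append((path, prev))
    def undo(self):  # undo-execution facility: reverse every journaled change
        for path, prev in reversed(self.entries):  # LIFO so repeats unwind
            if prev is None:
                os.remove(path)
            else:
                open(path, "wb").write(prev)
        count, self.entries = len(self.entries), []
        return count

class Cocoon:
    def __init__(self, journal):
        self.journal = journal
        self.monitors, self.authorizers, self.transformers = [], [], []
    def write_file(self, path, data):  # mediated stand-in for the app's write
        for observe in self.monitors:
            observe(path, data)  # return value discarded: monitors only observe
        for allow in self.authorizers:
            if allow(path, data) is not True:  # authorizers only allow/prevent
                return False
        for transform in self.transformers:
            path, data = transform(path, data)  # transformers may alter params
        self.journal.record(path)  # make the change undoable before applying
        open(path, "wb").write(data)
        return True

def demo():  # constructed scenario in a throwaway temp directory
    root, journal, seen = os.path.abspath(tempfile.mkdtemp()), Journal(), []
    cocoon = Cocoon(journal)
    cocoon.monitors.append(lambda p, d: seen.append(p) or "ignored")
    cocoon.authorizers.append(  # confine writes to root; abspath folds ".."
        lambda p, d: os.path.commonpath([root, os.path.abspath(p)]) == root)
    cocoon.transformers.append(lambda p, d: (p, d.replace(b"\r\n", b"\n")))
    target = os.path.join(root, "config.txt")
    open(target, "wb").write(b"original\n")
    inside = cocoon.write_file(target, b"tampered\r\n")
    outside = cocoon.write_file(os.path.join(root, "..", "escape.txt"), b"x")
    after, undone = open(target, "rb").read(), journal.undo()
    return {"inside": inside, "outside": outside, "after": after, "undone": undone,
            "restored": open(target, "rb").read(), "observed": len(seen)}
```

The authorizer refuses the write that escapes the confined directory, the transformer normalises line endings on the accepted one, and undo() restores the original file contents as the slide's undo-execution facility would.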

Page 8

Large-Scale Wrapper Policy Management

Diagram (Situation Awareness): the hierarchy from Very Large Network / Wide Area Network (Network Operations Center) through Enclave (Middle Managers) and Local Area Network (Host) to Host / Process, with edge labels Policy and Alerts.

Page 9

Existing NT Wrappers

• Safe Email Attachments
• Document Integrity for MS Office
• Executable Corruption Detector
• Protected Path (Keyboard, App., SmartCard)
• Local/Remote Process Tracker
• No InterProcess Diddling
• Safe Web Browser
• Safe Office

Key: Policy Driven Wrapper; Planned

Page 10

Policy Management (by Mission Category)

• Baseline (Protect Resources)
• Application Control
  – Only Authorized Applications
    • Add and Remove Authorized Applications
  – Only Mission Critical Applications
    • Add and Remove Critical Applications
  – No Spawns Initiated by Remote Users
• Media Control
  – No Streaming Media
  – No Active Content
• Override Control
  – No Local Danger/Alert Overrides
  – Terminate all processes violating policy

Page 11

Graphical Policy Specification

Diagram: Policy 1 (App Control, Media Control, Override Control), Domain A, Domain B, Policy 1a, Policy 1b.

Page 12

Graphical Policy Enforcement

• Use PowerPoint as GUI
  – For Policy Definition
  – For Policy Enforcement
• Diagram Changes Trigger Actions

Diagram: Policy 1 (App Control, Media Control, Override Control), Domain A, Domain B, Domain C, Policy 1a, Policy 1b.

Page 13

Can wrappers raise the security bar by

• Securing PIN entry from keyboard to crypto application?
• Securing communication between crypto application and crypto peripheral?
• Identifying valid user/crypto application combinations?
• Protecting critical system resources?

Diagram: Keyboard, Computer, Crypto peripheral.

CAPD Experiment (Controlled Access Path to Devices)
NT: Teknowledge
Solaris: NAI Labs

Page 14

NT PIN Path (unwrapped)

Diagram: the PIN typed at the keyboard ("thepin") crosses the Kernel/User boundary through the System Queue and Netscape Queue into User32 and Netscape, then passes through PKCS11, Winscard, the Smart Card Resource Manager (NT Service), Kernel32 and the Serial Port. The PIN is visible in the clear ("thepin") at several points along this path, while the screen shows only "* * * * * *".

Page 15

NT Secure PIN Path

Diagram: the same components as the unwrapped path (Netscape, User32, PKCS11, Winscard, System Queue, Netscape Queue, Kernel/User boundary, Smart Card Resource Manager (NT Service), Kernel32, Serial Port), with a proxy inserted so that the label "proxy" replaces "thepin" at several of the points where the PIN was previously exposed.

Page 16

CAPD NT Attack Tree (Objectives and Results, 8/2/01)

Key: Protected/Blocked, Unprotected, Worth Trying, Out of Bounds

Objectives:
• Capture PIN entry
• Capture and/or modify card data stream
• Capture data flow to and from card

Attack categories (from Start Point): Keyboard Logging, Serial Port Monitoring, Smartcard Service Manager, Trojan Horse, Wrapped Shell, Virus Infection, Memory Monitoring, Capture Key data

Leaf techniques evaluated: Monitor Netscape.exe raw memory space; Overlapped IO access to Keyboard Event Queue; Watch BIOS interrupts; Hook Serial Comm VxD; Small App built from MS SC API; Launch Sub7 Trojan Horse; Infect Netscape executable with a debug virus

Defense annotations on the tree: No Interprocess Handles; May Use Outlawed APIs; Static Linking?; Only Netscape can load; Unseen API; No Defense Created; No Corrupted Executables; No Keyboard Hooks

Page 17

Hardened Client Experiment

• Mobile Laptops
  – Deployed on Public Networks
• Objectives
  – 1. Protect laptops from hostile systems on any network.
  – 2. Protect laptops from hostile email and malicious code.
  – 3. Provide data protection for some or the entire disk

Page 18

Hardened Client Defenses

Diagram: attack classes (OS Attacks, Server Attacks, Application Attacks) and entry channels (Email, Web, Floppy, FTP, P2P); defenses labelled Authorized Comm Paths (versus Unrestricted Access), Encrypted File system (ADF, PGPDisk) and Safe Email.

Enterprise Wrappers Option
• Attachments opened in separate process
• Except for PowerPoint and Netscape
• Rules applied to multiple processes

Page 19

Offensive Wrapper Vulnerabilities

Diagram: URL Server, URL Server Request Handler, Requests, Responses, Page, Deface Detector.

• How could an attacker use this technology?
  – Change the perceived execution environment
    • E.g. Subvert Detect Defaced Web Page
• Defending against Offensive Wrappers
  • Get there first (i.e. deploy Defensive Wrappers)
  • Mediate Wrapper Installation APIs (don't allow new wrappers)
  • Prevent Inter-Process Diddling of Protected Processes