Enterprise Wrappers
OASIS PI Meeting
July 24, 2001
Bob Balzer
Neil Goldman
<balzer,ngoldman>@Teknowledge.com

Situational Awareness
(Diagram: a hierarchy labelled Very Large Network, Wide Area Network (Network Operations Center), Enclave (Middle Managers), Local Area Network, Host, Process; Policy and Alerts are the two flows shown between the levels.)

Enterprise Wrappers Goals
• Integrate host-based wrappers into scalable cyber-defense system
• Create common multi-platform wrapper infrastructure
• Populate this infrastructure with useful monitors, authorizers, and controllers

Enterprise Wrappers Objectives
• Wrapper Network Interface
  – Off-board cyber-defense controllers
  – Off-board communication of wrapper data
• Host Controller
  – Manages dynamic insertion and removal of Wrappers
  – Multi-platform (Linux and NT)
  – Network-scalable
• Mutual protection/isolation of Host Controller & Wrappers from the system(s) being protected
(Diagram: the NWM (Network Wrapper Manager) with its Network Schema & Data, linked by a Control Protocol and Data Push/Pull to Hardened Systems and “Soft” Systems, a Boundary Controller, a WMI proxy fronting services, and, through a Manager Interface, other IA components such as intrusion detection, sniffers, secure DNS, IDIP, etc. Hardened System (expanded): a Linux or NT host running the Host Controller, a Wrapper Subsystem and a DataBase, with each App enclosed in a Mediation Cocoon of mediators (M).)

Project Challenges
Original:
• Deployable Enterprise Wrappers
  – Host Controller
  – Network Wrapper Manager
  – Wrappers (developed by other projects)
Added:
• Additional Wrappers Research
• Large-Scale Wrapper Policy Management

Enterprise Wrapper APIs
Deployable Version Available 12/31/01
(State diagram: wrapper states Defined, Installed, Deployed and Active, with transitions Define, Install, Deploy, Activate, Deactivate, Undeploy and Uninstall; further labels on the slide are Available, Sensed and Focus.)

Additional Wrapper Research
• Fault-Tolerating Wrappers
  – Monitor Program Behavior
  – Record Persistent Resource Modifications
  – Delay Decision Point by making changes undoable
    • File, Registry, Database, Communication Changes
    • Lock access to updates by other processes until accepted
  – Provide Undo-Execution Facility
    • Invoked by after-the-fact Intrusion Detection
    • Effect: Reverse Attack Progress
• Untrusted Wrappers
  – Isolate Mediators from code being wrapped
  – Enforce Mediator Interface
    • Monitors (only observe)
    • Authorizers (only allow/prevent invocation)
    • Transformers
      – Modify parameters and/or return
      – Supply service on their own

Large-Scale Wrapper Policy Management
(Diagram: the Situation Awareness hierarchy again, labelled Very Large Network, Wide Area Network (Network Operations Center), Enclave (Middle Managers), Local Area Network, Host, Process, with Policy and Alerts as the flows between levels.)

Existing NT Wrappers
• Safe Email Attachments
• Document Integrity for MS Office
• Executable Corruption Detector
• Protected Path (Keyboard, App., SmartCard)
• Local/Remote Process Tracker
• No InterProcess Diddling
• Safe Web Browser
• Safe Office
Key: Policy Driven Wrapper; Planned

Policy Management (by Mission Category)
• Baseline (Protect Resources)
• Application Control
  – Only Authorized Applications
    • Add and Remove Authorized Applications
  – Only Mission Critical Applications
    • Add and Remove Critical Applications
  – No Spawns Initiated by Remote Users
• Media Control
  – No Streaming Media
  – No Active Content
• Override Control
  – No Local Danger/Alert Overrides
  – Terminate all processes violating policy
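As an added example (not part of the original slides or the Enterprise Wrappers code), the mediator interface split from Additional Wrapper Research and the Application Control rules above, in Python: a cocoon that runs Monitors on a copy of the call so they can only observe, lets Authorizers only allow or deny, and reserves argument changes for Transformers. Call, Cocoon, the CreateProcess stand-in and the image names are constructed for illustration.

```python
# Added example, not the Enterprise Wrappers project's code: a toy mediation cocoon that enforces
# the Monitor/Authorizer/Transformer split and the slide's Application Control policy (all names constructed).
import copy
from dataclasses import dataclass
@dataclass
class Call:
    api: str
    args: dict
    remote_user: bool = False   # constructed context flag: spawn requested by a remote session
class Monitor:     "Mediator that may only observe the call."
class Authorizer:  "Mediator that may only allow or prevent the invocation."
class Transformer: # may modify parameters and/or return, or supply the service itself
    def before(self, call): return call
    def after(self, call, result): return result

class Cocoon:      # runs the mediators in order; the interface split is enforced by construction
    def __init__(self, real_api, mediators): self.real_api, self.mediators = real_api, mediators
    def invoke(self, call):
        for m in self.mediators:
            if isinstance(m, Monitor):
                m.observe(copy.deepcopy(call))             # deep copy: a monitor cannot alter the call
            elif isinstance(m, Authorizer):
                if m.allow(copy.deepcopy(call)) is not True:   # anything but True is a denial
                    return ("denied", call.api)            # Override Control: violating call is stopped
            elif isinstance(m, Transformer):
                call = m.before(call)                      # only a transformer may change arguments
        result = self.real_api(call)
        for m in self.mediators:
            if isinstance(m, Transformer): result = m.after(call, result)
        return result

class AuditMonitor(Monitor):
    def __init__(self): self.log = []
    def observe(self, call):
        self.log.append(f"{call.api}({call.args})")
        call.args["image"] = "tampered.exe"    # lands on the copy only; the real call is untouched
class AppControl(Authorizer):  # Only Authorized Applications; No Spawns Initiated by Remote Users
    def __init__(self, authorized): self.authorized = set(authorized)
    def allow(self, call):
        if call.api != "CreateProcess": return True
        return call.args["image"] in self.authorized and not call.remote_user

def run_demo():
    audit = AuditMonitor()
    spawn = lambda c: ("spawned", c.args["image"])   # stands in for the wrapped OS API
    cocoon = Cocoon(spawn, [audit, AppControl({"winword.exe", "netscape.exe"})])
    ok = cocoon.invoke(Call("CreateProcess", {"image": "winword.exe"}))
    unauthorized = cocoon.invoke(Call("CreateProcess", {"image": "cmd.exe"}))
    remote = cocoon.invoke(Call("CreateProcess", {"image": "winword.exe"}, remote_user=True))
    return ok, unauthorized, remote, audit.log
```

The first call succeeds with its original image name even though the monitor tried to rewrite it, while the unauthorized image and the remote-initiated spawn are both denied before the stand-in API runs.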

Graphical Policy Specification
(Diagram: Policy 1, containing App Control, Media Control and Override Control, drawn over Domain A and Domain B; Policy 1a and Policy 1b also appear.)

Graphical Policy Enforcement
• Use PowerPoint as GUI
  – For Policy Definition
  – For Policy Enforcement
• Diagram Changes Trigger Actions
(Diagram: the same policy picture, now labelled Policy 1, App Control, Media Control, Override Control, Domain A, Domain B, Domain C, Policy 1a, Policy 1b.)

CAPD Experiment (Controlled Access Path to Devices)
Can wrappers raise the security bar by
• Securing PIN entry from keyboard to crypto application?
• Securing communication between crypto application and crypto peripheral?
• Identifying valid user/crypto application combinations?
• Protecting critical system resources?
(Diagram: Keyboard, Computer, Crypto peripheral.)
NT: Teknowledge
Solaris: NAI Labs

NT PIN Path (unwrapped)
(Diagram: components along the path are the System Queue (Kernel) and Netscape Queue (User), User32, Netscape, PKCS11, Winscard, the Smart Card Resource Manager (NT Service), Kernel32 and the Serial Port; the typed PIN “thepin” is shown in the clear at several points along this path, with “* * * * * *” as the masked on-screen echo.)

NT Secure PIN Path
(Diagram: the same components (System Queue, Netscape Queue, User32, Netscape, PKCS11, Winscard, Smart Card Resource Manager (NT Service), Kernel32, Serial Port) with “proxy” components inserted into the path; “thepin” appears at fewer points than in the unwrapped path.)

CAPD NT Attack Tree (Results 8/2/01)
Key: Protected/Blocked, Unprotected, Worth Trying, Out of Bounds
Objectives (Start Point): Capture PIN entry; Capture and/or modify card data stream; Capture data flow to and from card
Attack branches and their leaves as drawn on the tree:
• Keyboard Logging: Overlapped IO access to Keyboard Event Queue; Watch BIOS interrupts
• Memory Monitoring: Monitor Netscape.exe raw memory space; Capture Key data
• Serial Port Monitoring: Hook Serial Comm VxD
• Smartcard Service Manager: Small App built from MS SC API
• Trojan Horse: Launch Sub7 Trojan Horse
• Virus Infection: Infect Netscape executable with a debug virus
Defense and status annotations on the tree: No Keyboard Hooks, No Interprocess Handles, No Corrupted Executables, Only Netscape can load, Wrapped Shell, May Use Outlawed APIs, Unseen API, Static Linking?, No Defense Created

Hardened Client Experiment
• Mobile Laptops
  – Deployed on Public Networks
• Objectives
  – 1. Protect laptops from hostile systems on any network.
  – 2. Protect laptops from hostile email and malicious code.
  – 3. Provide data protection for some or the entire disk

Hardened Client Defenses
(Diagram labels: Unrestricted Access; Authorized Comm Paths; OS Attacks, Server Attacks, Application Attacks; Encrypted File system; channels Email, Web, Floppy, FTP, P2P; defenses ADF, PGPDisk, SafeEmail.)
Enterprise Wrappers Option
• Attachments opened in separate process
  • Except for PowerPoint and Netscape
• Rules applied to multiple processes

Offensive Wrapper Vulnerabilities
• How could an attacker use this technology?
  – Change the perceived execution environment
    • E.g. Subvert Detect Defaced Web Page
• Defending against Offensive Wrappers
  • Get there first (i.e. deploy Defensive Wrappers)
  • Mediate Wrapper Installation APIs (don’t allow new wrappers)
  • Prevent Inter-Process Diddling of Protected Processes
(Diagram: a Deface Detector beside a URL Server Request Handler and URL Server exchanging Requests, Responses and the Page.)