Enterprise Wrappers OASIS PI Meeting July 24, 2001 Bob Balzer Neil

Situational Awareness Very Large Network Wide Area Network Network Operations Center Middle Managers Enclave Local Area Network Host Process Host Process PolicyAlerts

Enterprise Wrappers Goals  Integrate host-based wrappers into scalable cyber-defense system  Create common multi-platform wrapper infrastructure  Populate this infrastructure with useful monitors, authorizers, and controllers

Enterprise Wrappers Objectives NWM Network Schema & Data Hardened System “Soft” System Manager Interface Other IA components, such as intrusion detection, sniffers, secure DNS, IDIP, etc. Boundary Controller... service WMI proxy Control Protocol Data Push/Pull Wrapper Network Interface –Off-board cyber-defense controllers –Off-board communication of wrapper data Host Controller –Manages dynamic insertion and removal of Wrappers –Multi-platform (Linux and NT) –Network-scalable Mutual protection/isolation of Host Controller & Wrappers from the system(s) being protected Linux or NT Wrapper Subsystem Data Base Hardened System(expanded) Host Controller M M M M MediationCocoon App M M M M MediationCocoon App

Original Project Challenges Deployable Enterprise Wrappers –Host Controller –Network Wrapper Manager –Wrappers (developed by other projects) Additional Wrappers Research Large-Scale Wrapper Policy Management Added

Active Available Enterprise Wrapper APIs Deployable Version Available 12/31/01 Deployed Deploy Installed Install Active Activate Sensed Deactivate Defined UndeployUninstall Define Focus

Additional Wrapper Research Fault-Tolerating Wrappers –Monitor Program Behavior –Record Persistent Resource Modifications –Delay Decision Point by making changes undoable File, Registry, Database, Communication Changes Lock access to updates by other processes until accepted –Provide Undo-Execution Facility Invoked by after-the-fact Intrusion Detection Effect: Reverse Attack Progress Untrusted Wrappers –Isolate Mediators from code being wrapped –Enforce Mediator Interface Monitors (only observe) Authorizers (only allow/prevent invocation) Transformers –Modify parameters and/or return –Supply service on their own

Situation Awareness Very Large Network Wide Area Network Network Operations Center Middle Managers Enclave Local Area Network Host Process Host Process Large-Scale Wrapper Policy Management PolicyAlerts

Existing NT Wrappers  Safe Attachments Document Integrity for MS Office  Executable Corruption Detector Protected Path (Keyboard  App.  SmartCard) Local/Remote Process Tracker  No InterProcess Diddling  Safe Web Brower  Safe Office Key:  Policy Driven Wrapper Planned

Policy Management (by Mission Category) Baseline (Protect Resources) Application Control –Only Authorized Applications Add and Remove Authorized Applications –Only Mission Critical Applications Add and Removed Critical Applications –No Spawns Initiated by Remote Users Media Control –No Streaming Media –No Active Content Override Control –No Local Danger/Alert Overrides –Terminate all processes violating policy

Graphical Policy Specification Policy 1 Domain A App Control Media Control Override Control Domain B Policy 1a Policy 1b

Graphical Policy Enforcement Use PowerPoint as GUI –For Policy Definition –For Policy Enforcement Diagram Changes Trigger Actions Policy 1 Domain A App Control Media Control Override Control Domain B Domain C Policy 1a Policy 1b

Can wrappers raise the security bar by è Securing PIN entry from keyboard to crypto application? è Securing communication between crypto application and crypto peripheral? Cryptoperipheral Computer Keyboard è Identifying valid user/crypto application combinations? è Protecting critical system resources? CAPD Experiment (Controlled Access Path to Devices) NT Teknowledge Solaris NAI Labs

Netscape User32 PKCS11 Winscard thepin System Queue Kernel User Netscape Queue Smart Card Resource Manager (NT Service) Kernel32 Serial Port t h e p i n * * *    NT PIN Path (unwrapped)   thepin

Netscape User32 PKCS11 Winscard proxy System Queue Kernel User Netscape Queue Smart Card Resource Manager (NT Service) Kernel32 Serial Port   NT Secure PIN Path  thepin  proxy thepin  

No Interprocess Handles Key Protected/Blocked Unprotected Worth Trying Out of Bounds May Use Outlawed APIs Static Linking? Only Netscape can load Unseen API No Defense Created May Use Outlawed APIs No Corrupted Executables No Keyboard HooksNo Corrupted Executables Keyboard Logging Serial Port Monitoring Smartcard Service Manager Trojan Horse Wrapped Shell Virus Infection Start Point Capture PIN entry Capture and/or modify card datastream Capture data flow to and from card Monitor Netscape.exe raw memory space Overlapped IO access to Keyboard Event Queue Watch BIOS interrupts Hook Serial Comm VxD Small App built from MS SC API Launch Sub7 Trojan Horse Infect Netscape executable with a debug virus Memory Monitoring Capture Key data Objectives CAPD NT Attack Tree Results 8/2/01

Hardened Client Experiment Mobile Laptops –Deployed on Public Networks Objectives –1. Protect laptops from hostile systems on any network. –2. Protect laptops from hostile and malicious code. 3. Provide data protection for some or the entire disk

Hardened Client Defenses Unrestricted Access Authorized Comm Paths OS Attacks Server Attacks Application Attacks Encrypted File system Encrypted File system Web Floppy FTP P2P ADFPGP Disk Safe Enterprise Wrappers Option Attachments opened in separate process Except for PowerPoint and Netscape Rules applied to multiple processes

URL Server Request Handler Requests Responses URL Server Page Offensive Wrapper Vulnerabilities How could an attacker user this technology? –Change the perceived execution environment E.g. Subvert Detect Defaced Web Page Defending against Offensive Wrappers Get there first (i.e. deploy Defensive Wrappers) Mediate Wrapper Installation APIs (don’t allow new wrappers) Prevent Inter-Process Diddling of Protected Processes Deface Detector