Enterprise Wrappers OASIS PI Meeting March 12, 2002 Bob Balzer Neil Goldman Mahindra

Enterprise Wrappers Goals  Integrate host-based wrappers into scalable cyber-defense system  Create common multi-platform wrapper infrastructure  Populate this infrastructure with useful monitors, authorizers, and controllers

Enterprise Wrappers Objectives NWM Network Schema & Data Hardened System “Soft” System Manager Interface Other IA components, such as intrusion detection, sniffers, secure DNS, IDIP, etc. Boundary Controller... service WMI proxy Control Protocol Data Push/Pull Wrapper Network Interface –Off-board cyber-defense controllers –Off-board communication of wrapper data Host Controller –Manages dynamic insertion and removal of Wrappers –Multi-platform (Linux and NT) –Network-scalable Mutual protection/isolation of Host Controller & Wrappers from the system(s) being protected Linux or NT Wrapper Subsystem Data Base Hardened System(expanded) Host Controller M M M M MediationCocoon App M M M M MediationCocoon App

Original Project Challenges Deployable Enterprise Wrappers –Host Controller –Network Wrapper Manager –Wrappers (developed by other projects) Additional Wrappers Research Large-Scale Wrapper Policy Management Added

Active Available Enterprise Wrapper APIs Deployable Version Available 12/31/01 Deployed Deploy Installed Install Active Activate Sensed Deactivate Defined UndeployUninstall Define Focus

Enterprise Wrappers Current Implementation –Network Controller Starts and Terminates processes on controlled desktops Receives Events from controlled desktops –Host Controller Starts and Terminates processes for Network Controller Wraps started processes in accordance with local Wrapper Policy Forwards Events to Network Controller –Inter-Controller Communication via SSL Demo To Do –Deploy Policy to Host Controller

Contained Execution + Accept Modifications Additional Wrapper Research Fault-Tolerating Wrappers –Monitor Program Behavior –Record Persistent Resource Modifications –Delay Decision Point by making changes undoable File, Registry, Database, Communication Changes Lock access to updates by other processes until accepted –Provide Undo-Execution Facility Invoked by after-the-fact Intrusion Detection Effect: Reverse Attack Progress Untrusted Wrappers –Isolate Mediators from code being wrapped –Enforce Mediator Interface Monitors (only observe) Authorizers (only allow/prevent invocation) Transformers –Modify parameters and/or return –Supply service on their own

Situation Awareness Very Large Network Wide Area Network Network Operations Center Middle Managers Enclave Local Area Network Host Process Host Process Large-Scale Wrapper Policy Management PolicyAlerts

Existing NT Wrappers  Safe Attachments Document Integrity for MS Office  Executable Corruption Detector Protected Path (Keyboard  App.  SmartCard) Local/Remote Process Tracker  No InterProcess Diddling  Safe Web Brower  Safe Office Key:  Policy Driven Wrapper Planned

Policy Management (by Mission Category) Baseline (Protect Resources) Application Control –Only Authorized Applications Add and Remove Authorized Applications –Only Mission Critical Applications Add and Remove Critical Applications –No Spawns Initiated by Remote Users Media Control –No Streaming Media –No Active Content Override Control –No Local Danger/Alert Overrides –Terminate all processes violating policy Contained Execution Contained Execution Contained Execution Contained Execution Contained Execution Registry Contained Execution