1 / 35

Detecting & Preventing Misuse of Privilege (PMOP)

Detecting & Preventing Misuse of Privilege (PMOP). PI Meeting 7/13/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT). Updates since Kickoff. Updates since January. DANGER. Harmful Operator Action. Benign Operator Action. Normal. Behavior Authorizer. Intent Assessment. M.

danae
Download Presentation

Detecting & Preventing Misuse of Privilege (PMOP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Detecting & PreventingMisuse of Privilege(PMOP) PI Meeting 7/13/05 Bob Balzer (Teknowledge) Howie Shrobe (MIT) • Updates since Kickoff • Updates since January

  2. DANGER Harmful Operator Action Benign Operator Action Normal Behavior Authorizer Intent Assessment M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  3. DANGER Harmful Operator Action Benign Operator Action Normal Behavior Authorizer Intent Assessment M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor MIT Teknowledge Operator Action

  4. For integrated SRS system need both capabilities Distinguishing AWDRAT & PMOP • AWDRAT • Detecting misbehaving software • Hijacks, overprivledged scripts, trap doors, faults • PMOP • Detecting misbehaving operators • Malicious intent, operator error

  5. Progress Since 1/05 PI Meeting • End-to-End working system • Instrumentation of Operator Actions • Expanded Scope • Originally, application harm by application operator • Now, system harm by application operator • System harm  harm to OS objects (files, registry, etc.) • Integration of OS level Wrappers into PMOP architecture • Next, system harm by OS operator

  6. ^ Application Level DANGER Harmful Operator Action Benign Operator Action What are we trying to do? Normal Behavior Authorizer Intent Assessment • Block Harmful Operations • Differentiate • Operator Error • Malicious Intent M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  7. Technical Challenges • Modeling system to predict effect • ModelingOperator to differentiate • OperatorError • Malicious Intent • Applying security to the application layer • Creating application specific rule framework for defining harm • Harm expressed orthogonally from OS objects • Finding points in application to apply it • NOT complete coverage of application semantics • => to be handled in Phase II for a specific high value system

  8. Legacy Component Code Not Available Canned Component Publishes fixed output Table Lookup The Good – The Bad – The Ugly JBI DemVal Dataflow(via Publish/Subscribe) External AODB AS Proposed MI MAF Approved MI CAF LOC JW SPI EDC JEES TAP ATO Chem Hazard CHW CHI TNL Targeting EDC CHW WLC Chem Hazard Weather Hazard CHA WH Combat Ops

  9. Applying Security toApplication Layer • CAF DemVal component • Builds Air Transport Plans • Publishes completely built Air Transport Plans • Edits partially built Air Transport Plans • Saves & Restores partially built Air Transport Plans • Creating application specific rule framework for defining harm • Harm expressed orthogonally from OS objects • For CAF DemVal component • Harm = publishing semantically malformed Air Transport Plan • What semantic knowledge and data is required to determine malformedness • Finding points in application to apply it • For CAF DemVal component • Commit = Publish Air Transport Plan

  10. Limitations of Approach • Harm defined as a Boolean • No comparison metric • no comparison of alternatives (either predefined or generated) • lesser of two or more evils not detected as beneficial • suboptimal actions not detected as harmful • Benefit is not defined • Doing nothing or delaying action not detected as harmful • Possible Phase II Improvements • Define Harm and Benefit as quantified dimensions • Provide operator performance model (generate alternatives) • Minimal acceptable performance model enables • Detecting suboptimal choice Harm & Malicious Intent in such choices • Detecting delay/do-nothing as harmful & Malicious Intent in such choices

  11. Insider Threat • Space of Insider Attacks • Attacks through Application Software • Attacks through OS GUI (Insider as OS user) • Attacks through Insider’s software • Physical attacks

  12. Insider Threat • Space of Insider Attacks • Attacks through Application Software • General Framework: • Detect Harm (before it happens) & Block It • Harm defined by application specific rules • For JBI it was publishing malformed object •  Built a framework for applying malformed rule to published object •  Built a few “exemplar” malformed object rules •  Limited by lack of domain knowledge & engineering funds • For SaveAs GUI it was harm to JBI or System resources •  Used SafeFamily wrapper & rule language • => Coverage equals Rule Coverage

  13. Insider Threat • Space of Insider Attacks • Attacks through Application Software • Attacks through OS GUI (Insider as OS user) • General Framework: • Detect Harm (before it happens) & Block It • Harm defined by application specific rules • For OS GUI (Explorer process) it is harm to JBI or System resources •  Used SafeFamily wrapper & rule language • => Coverage equals Rule Coverage

  14. Insider Threat • Space of Insider Attacks • Attacks through Application Software • Attacks through OS GUI (Insider as OS user) • Attacks through Insider’s software • Problem for our approach because generic rule set must be used • Planned for Option • Physical attacks • Out of bounds

  15. How do we turn Coverable => Covered Thwartable => Thwarted Insider Threat Coverage % Coverable 80% 80% 0% % Space 50% 25% 25% % Thwartable 40% 20% 0% • Space of Insider Attacks • Attacks through Application Software • Coverage equals Rule Coverage • Attacks through OS GUI (Insider as OS user) • Coverage equals Rule Coverage • Attacks through Insider’s software • Planned for Option • Physical attacks • Out of bounds ===== 60% 10%

  16. How do we turn Coverable => Covered Thwartable => Thwarted Metrics Issues • How can we show rule framework is generic without covering all of application semantics? • Use red team experiment • Red team rules of engagement • Jointly define application semantics to be defended • Require 100% coverage of that semantics

  17. How do we turn Coverable => Covered Thwartable => Thwarted Red Team Experiment • Force experiment to determine ability to thwart insider attack • Three (proposed) Flags • Harm application using only application GUI(SaveAs GUI excluded)Using jointly defined subset of application semantics • Harm application using only SaveAs GUI • Harm application using OS GUI (Explorer process)(running other programs excluded)

  18. How will you show success? Block Harmful Operations • Differentiate • Operator Error • Malicious Intent DANGER Harmful Operator Action Benign Operator Action • Block Harmful Operations • Differentiate • Operator Error • Malicious Intent • Red-TeamExperiment Normal Behavior Authorizer Intent Assessment M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  19. What are implications of success? DANGER Harmful Operator Action Benign Operator Action • Systems can be protected • from insider attacks • from operator error • from zero-day attacks Normal Behavior Authorizer Intent Assessment M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  20. DANGER Harmful Operator Action Benign Operator Action What is technical approach? Normal Behavior Authorizer Intent Assessment • Observe effect of operatoraction in system model • Match harmful actions against • Errorful Operator Plans • Attack Plans M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  21. DANGER Harmful Operator Action Benign Operator Action What is new? Normal Behavior Authorizer Intent Assessment • Observe effect of operatoraction in system model • Match harmful actions against • Errorful Operator Plans • Attack Plans M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  22. DANGER Harmful Operator Action Benign Operator Action What is hard? Normal Behavior Authorizer Intent Assessment • Modeling Systemto predict effect • Modeling Operatorto differentiate • Operator Error • Malicious Intent M Mediation Cocoon Legacy App M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  23. The Good – The Bad – The Ugly What We’re Missing • Realistic Rules (Domain Knowledgeable) • Would be created by SMEs in real deployment • Comprehensive Rule Set • Would be created by SMEs in real deployment • Instrumentation of the GUI actions • Just Mission Building/Editing methods currently instrumented • GUI actions will be instrumented by 4/1/05

  24. Technology for SRS Integration • Behavior Monitor/Authorizer • What code is doing • What human operator is doing • Operational Models • Software Components • Harm Detectors • Rule driven • Application-Level • OS-Level • Intent Determination

  25. Backup (old slides)

  26. Determining Malicious Intent • Can the operator action be performed legally • Does the operator action cause harm • Is there an alternative that doesn’t cause harm • Is this the minimial harm alternative • Does the operator action satisfy a requirement/goal • Is there a better way to accomplish the goal • Should the operator have found this better way

  27. JBI DemVal Dataflow(via Publish/Subscribe) External AODB AS Proposed MI MAF Approved MI CAF LOC JW SPI EDC JEES TAP ATO Chem Hazard CHW CHI TNL Targeting EDC CHW WLC Chem Hazard Weather Hazard CHA WH Combat Ops

  28. The Good – The Bad – The Ugly What We’ve Got • End-To-End Demonstration (demo shortly) • Working Prototypes of MOP components • Working models & rules of target application • Working integration of MOP components

  29. End-To-End Demonstration • Block Harmful Operations • Differentiate • Operator Error • Malicious Intent DANGER Harmful Operator Action Benign Operator Action Normal Behavior Authorizer Intent Assessment M Mediation Cocoon JBI DemVal M M GUI Operator Error Malicious Insider Harm Assessment Operational System Model M Predicted State Behavior Monitor Operator Action

  30. The Good – The Bad – The Ugly Accommodations • Java code base • Ported wrapper infrastructure • Planning Application (harm is in future) • Defined Harm as publishing harmful plan • Available JBI components to wrap • Detailed on next slide

  31. First SRS Tech Transition • Architecture Visualizer used in HURT (IXO) • Animated Event Sequence Diagram • Animated Dataflow Architecture

  32. Mixed Initiative MOP • One Client Live (with human operator) • Others Scripted Scripted MOP Driven from History Scripts Nominal Harmful: Takeoff Before Landing Harmful: Missing Leg(landing not collocated with takeoff) M M Mediation Mediation Cocoon Cocoon JBI Client JBI Client M M M M JBI Server M M Client Reconstitution Architecture Visualizer Script Driver Harm Detector Harm Rules Scripts History Visualizer MOP Execution Architecture JBI Server

  33. DetectingHarmful ActionsDemo

  34. Howie Slides Here

  35. DetectingMalicious IntentDemo

More Related