100 likes | 231 Views
Enterprise Wrappers OASIS PI Meeting March 12, 2002. Bob Balzer Neil Goldman Mahindra Pai <balzer,ngoldman,mpai>@Teknowledge.com. Enterprise Wrappers Goals. Integrate host-based wrappers into scalable cyber-defense system Create common multi-platform wrapper infrastructure
E N D
Enterprise WrappersOASIS PI MeetingMarch 12, 2002 Bob Balzer Neil Goldman Mahindra Pai <balzer,ngoldman,mpai>@Teknowledge.com
Enterprise WrappersGoals • Integrate host-based wrappers into scalable cyber-defense system • Create common multi-platform wrapper infrastructure • Populate this infrastructure with useful monitors, authorizers, and controllers
Hardened System(expanded) Boundary Other IA components, M M Mediation Mediation Cocoon Cocoon Controller such as intrusion detection, App App sniffers, secure DNS, IDIP, etc. M M M M service M M service Host Controller ... Linux or NT WMI proxy Wrapper Data Base Subsystem “Soft” System Enterprise Wrappers Objectives NWM Interface Network Schema & Data Manager • Wrapper Network Interface • Off-board cyber-defense controllers • Off-board communication of wrapper data • Host Controller • Manages dynamic insertion and removal of Wrappers • Multi-platform (Linux and NT) • Network-scalable • Mutual protection/isolation of Host Controller & Wrappers from the system(s) being protected Data Push/Pull Control Protocol Hardened System
Original Added • Additional Wrappers Research • Large-Scale Wrapper Policy Management Project Challenges • Deployable Enterprise Wrappers • Host Controller • Network Wrapper Manager • Wrappers (developed by other projects)
Active Available Enterprise Wrapper APIs Deployable Version Available 12/31/01 Deploy Install Activate Define Sensed Defined Deployed Installed Active Undeploy Uninstall Deactivate Focus
Demo Enterprise Wrappers • Current Implementation • Network Controller • Starts and Terminates processes on controlled desktops • Receives Events from controlled desktops • Host Controller • Starts and Terminates processes for Network Controller • Wraps started processes in accordance with local Wrapper Policy • Forwards Events to Network Controller • Inter-Controller Communication via SSL • To Do • Deploy Policy to Host Controller
Contained Execution+ Accept Modifications Additional Wrapper Research • Fault-Tolerating Wrappers • Monitor Program Behavior • Record Persistent Resource Modifications • Delay Decision Point by making changes undoable • File, Registry, Database, Communication Changes • Lock access to updates by other processes until accepted • Provide Undo-Execution Facility • Invoked by after-the-fact Intrusion Detection • Effect: Reverse Attack Progress • Untrusted Wrappers • Isolate Mediators from code being wrapped • Enforce Mediator Interface • Monitors (only observe) • Authorizers (only allow/prevent invocation) • Transformers • Modify parameters and/or return • Supply service on their own
Large-Scale Wrapper Policy Management Very Large Network Wide Area Network Network Operations Center Middle Managers Enclave Local Area Network Host Host Situation Awareness Policy Alerts Process Process
Existing NT Wrappers • Safe Email Attachments • Document Integrity for MS Office • Executable Corruption Detector • Protected Path (Keyboard App. SmartCard) • Local/Remote Process Tracker • No InterProcess Diddling • Safe Web Brower • Safe Office Planned Key: Policy Driven Wrapper
Registry Contained Execution Contained Execution Contained Execution Contained Execution Contained Execution Contained Execution Policy Management(by Mission Category) • Baseline (Protect Resources) • Application Control • Only Authorized Applications • Add and Remove Authorized Applications • Only Mission Critical Applications • Add and Remove Critical Applications • No Spawns Initiated by Remote Users • Media Control • No Streaming Media • No Active Content • Override Control • No Local Danger/Alert Overrides • Terminate all processes violating policy