Validation Characterization For Integrity Through Mediated Interfaces

1 Technology Description and Information Assurance/Survivability Problem Addressed

1.1 Technology Description

The operation of COTS document editors (such as Word and PowerPoint) is mediated to capture and record all the modifications a user makes to a document. If the document is corrupted, it is rebuilt by replaying the sequence of user changes recorded in the modification history. Corrupted documents are detected by comparing a cryptographic hash of the document as it is being loaded with its cryptographic hash when it was last saved. Any difference between these cryptographic hashes indicates modification of the document outside this auditing framework, is deemed to be the result of corruption of the document, and triggers rebuilding the document from the recorded modification history.

The recorded modification history is also used by an attribution tool that enables a user to determine who made particular changes and when they did so: the user selects a portion of the document and manipulates a time lever to move backward or forward through the subset of changes in the modification history that affected the selected portion, and so identifies the specific change to be attributed.

1.2 Problems Addressed

- Detecting corruption of a document (any modification of the document occurring outside the auditing framework) and repairing the document when such corruption occurs.
- Providing forensic attribution for any selected portion of the document.

1.3 Limitations

Only being developed for MS Word and PowerPoint documents.
2 Assumptions

- The logged-in user is the user of this auditing framework (no separate authentication).
- The physically separate modification history recorded by the auditing framework is protected from modification by any program other than the auditing framework.
- The executable code for the auditing framework and the COTS document editors it mediates is itself protected so that it cannot be corrupted without being detected (such as by checking the cryptographic hash of executables as they are loaded).
- Attackers cannot construct a modified document with the same cryptographic hash as the unmodified document.

2.1 Residual Risks, Limitations, and Caveats

There are residual risks associated with each of the above assumptions (detailed below). In addition, there is a residual risk associated with our approach itself, namely that our recorded modification history is incomplete, so that the repaired document will not be an exact copy of the document before it was corrupted.

Incomplete recorded modification history: This is a significant residual risk, as the COTS document editors we are mediating (MS Word and PowerPoint) are very complex. The large number of commands they contain (Word has over a thousand commands) makes it infeasible to create a separate modification recorder for each command. Instead, the commands must be aggregated into groups and a generic recorder built for each group. Much of the project effort has been devoted to creating a generic framework for such group recorders, defining the aggregation groups, and developing generic recorders for those groups.

Logged-in user is not the auditing framework user: This can occur in several ways: the logged-in user walks away from their machine and an attacker uses it without having to log in; an attacker knows, guesses or brute-force determines an authorized user’s password; a known OS exploit is used by an attacker to log in as an authorized user.
Once an attacker is operating under the account of an authorized user, our auditing framework will accept all the attacker’s modifications as authorized changes to the document (rather than as corruption of it). Moreover, these modifications will be attributed to the logged-in user (rather than to the attacker).

The recorded modification history is corrupted: Documents cannot be repaired without this history. If an attacker were able to delete this history, it would no longer be possible to determine whether a document had been corrupted (the cryptographic hashes are contained within the history). An attacker could also modify the history so that a corrupted document was accepted as uncorrupted (i.e. mask the corruption of a document) or force an uncorrupted document to be rebuilt from a (corrupted) history.

The executable code for the auditing framework or the COTS document editors can be corrupted without being detected: An attacker could modify (corrupt) the executables to not detect corrupted documents, to incorporate unauthorized modifications into documents, to omit authorized modifications from the recorded history and/or the document, or to attribute modifications to someone other than the logged-in user.

Attackers can construct a modified document with the same cryptographic hash as the unmodified document: Attackers would then be able to corrupt a document without that corruption being detected. It is known that computationally intensive tools exist for generating such corrupted documents with a given cryptographic hash, but these tools have a high work factor. Furthermore, that work factor can be exponentially increased by requiring a match of several hashes produced by different cryptographic algorithms.
3 Vulnerabilities and Attacks

TAV-3.1: Vulnerability in host operating system allows remote attacker to modify integrity-protected document.
TAV-3.2: Vulnerability in account passwords allows remote attacker to log in and modify integrity-protected document.
TAV-3.3: Vulnerability in physical security of host allows attacker to reboot host to an alternative operating system, log in, and modify an integrity-protected document.
TAV-3.4: Vulnerability in physical security of host allows attacker to use logged-in user’s account to modify an integrity-protected document (outside of auditing framework).
TAV-3.5: Vulnerability in physical security of host allows attacker to use logged-in user’s account to modify an integrity-protected document (through auditing framework).

4 Information Assurance and Survivability Attributes

Integrity: The auditing framework directly supports the integrity of documents by detecting any corruption of documents as they are loaded and rebuilding them if they are corrupted.

Non-Repudiation: The auditing framework directly supports non-repudiation by recording the originator and time of each modification, so that that user cannot later deny making those changes at the recorded time.

5 Comparison with Other Systems (Optional)

6 Information Assurance and Survivability Mechanisms

M1: Fault Detection: Cryptographic hashes are used to detect modifications to documents made outside the auditing framework. Any such modifications are treated as a corruption of the document. These cryptographic hashes are computed and saved whenever a new version of the document is stored. They are checked whenever the document is loaded (opened).

M2: Repair: When a corrupted document is detected, the corruption is repaired by rebuilding the document from the recorded history of modifications made to the document. These recorded modifications are “replayed” in the document editor (i.e. submitted on behalf of the user as if they were entered through the document editor’s user interface) so that the document editor recreates the (uncorrupted) document. This modification history is silently recorded, as the document is being created or changed, by mediating the document editor’s graphical user interface to detect user actions that modify the document. The document editor’s COM interface is used to determine the detailed nature of the change and to express it in a form that the document editor will later accept as a command to perform the same change during any required “replay” to repair a corrupted document.

M3: Attribution: An attribution tool uses the recorded modification history to enable a user to determine who made particular changes and when they did so: the user selects a portion of the document and manipulates a time lever to move backward or forward through the subset of changes in the modification history that affected the selected portion, and so identifies the specific change to be attributed.

7 Rationale

Operation   AV   I                  C    AU   NR
TAV-3.1          M1 (note 1), M2
TAV-3.2          M1 (note 1), M2
TAV-3.3          M1 (note 1), M2
TAV-3.4          M1 (note 1), M2
TAV-3.5                                       M3 (note 2)

Notes:

1. Independent of the mechanism used by an attacker to modify an integrity-protected document, the modification is detected as a document corruption (M1) when that document is next loaded (opened) in the auditing framework. It is then repaired (M2) by replaying the recorded modification history.

2. By subverting an authorized account and modifying an integrity-protected document through the auditing framework, an attacker can bypass the corruption detection (M1) and repair (M2) mechanisms, because the auditing framework treats the modifications as changes made by an authorized user (the logged-in user). Nevertheless, the attribution mechanism (M3) still records when those modifications were made and by whom (attributed to the logged-in user), so that it can subsequently be forensically determined when those changes were made and who was logged in at that time.

8 Cost and Benefit Analysis

8.1 Cost Metrics

8.1.1 Performance Degradation

Detecting Corrupted Documents: Imperceptible (Windows 2000 performs a similar cryptographic hash check to detect corrupted system executables when they are loaded).

Repairing Corrupted Documents: Dependent on the size of the document and the length of its modification history. Estimated to be on the order of a few seconds per page (this estimate will be replaced by a measured value once a few large modification histories have been collected). This performance cost occurs only when a corrupted document is repaired.

8.1.2 Storage Costs

Detecting Corrupted Documents: Minimal. For each document being integrity-protected, a table entry containing the document’s file path and its cryptographic hash is required (~500 bytes per integrity-protected document).

Repairing Corrupted Documents: Dependent on the length of the modification history, but should rarely exceed 50% of the size of the document being integrity-protected.

8.2 Benefit Metrics

8.2.1 Probability of Surviving an Attack (TAV-3.1 to TAV-3.4)

If the attacker does not have access to tools for generating corrupted documents with a given cryptographic hash: Nearly 100%. Cryptographic algorithms are chosen because of the extremely low probability of being able to create modified documents with the same cryptographic hash as the original.

If the attacker has access to tools for generating corrupted documents with a given cryptographic hash (and knows which cryptographic algorithm(s) are being used): 0%. Given enough time, an attacker with access to tools for generating corrupted documents with a given cryptographic hash can manufacture an undetectable corrupted document. However, these tools are computationally intensive, so the attacker must expend a high work factor. Moreover, by using multiple cryptographic algorithms, the attacker’s work factor can be exponentially increased.
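As an added example (not the project's code), the following Python sketch models mechanisms M1 to M3 from section 6 together with the multiple-algorithm hash check argued for in section 8.2.1: the document is a plain string, a single text-replacement command stands in for one generic group recorder, and every name in it (Change, History, edit, load, attribute) is an assumption of this sketch.

```python
# Added toy model of M1-M3 (not the project's code); the document is a string.
import hashlib
from dataclasses import dataclass, field

HASH_ALGOS = ("sha256", "sha3_256")  # several algorithms: collision work factor rises

def digests(doc: str) -> dict:  # M1: one digest per algorithm; all must match on load
    return {a: hashlib.new(a, doc.encode()).hexdigest() for a in HASH_ALGOS}

@dataclass
class Change:          # one recorded user action (what a group recorder emits)
    user: str
    when: int          # logical clock; a real recorder stores a timestamp
    start: int         # character offset where the replacement begins
    old: str           # text removed (checked on replay)
    new: str           # text inserted

@dataclass
class History:         # kept apart from the document (assumption 2)
    changes: list = field(default_factory=list)
    saved: dict = field(default_factory=dict)  # digests recorded at last save

def apply(doc: str, owners: list, c: Change):
    assert doc[c.start:c.start + len(c.old)] == c.old, "history out of sync"
    end = c.start + len(c.old)
    doc = doc[:c.start] + c.new + doc[end:]
    owners = owners[:c.start] + [(c.user, c.when)] * len(c.new) + owners[end:]
    return doc, owners

def edit(doc, hist, user, when, start, old, new):
    c = Change(user, when, start, old, new)
    hist.changes.append(c)  # recorded as the editor performs the action
    return apply(doc, [None] * len(doc), c)[0]

def save(doc, hist):
    hist.saved = digests(doc)  # stored with the history, not inside the file

def rebuild(hist):  # M2: replay the whole history against an empty document
    doc, owners = "", []
    for c in hist.changes:
        doc, owners = apply(doc, owners, c)
    return doc, owners

def load(doc_on_disk, hist):  # M1 + M2: any digest mismatch is corruption, so repair
    if digests(doc_on_disk) == hist.saved:
        return doc_on_disk, False
    return rebuild(hist)[0], True

def attribute(hist, start, end):  # M3: (user, when) pairs behind the selected span
    return sorted(set(rebuild(hist)[1][start:end]))
```

Note that a change made through `edit` is accepted and attributed to whoever is logged in, which is exactly the TAV-3.5 case from the rationale table; only a change that bypasses `edit` is caught by `load`.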