Title: Detecting and Preventing Misuse of Privilege

Slide 1: Detecting and Preventing Misuse of Privilege
- Bob Balzer (Teknowledge)
- Howie Shrobe (MIT)
Slide 2: [Architecture diagram. Components: GUI; Mediation points (M); Cocoon around the Legacy App; Behavior Monitor; Operational System Model; Predicted State; Harm Assessment; Intent Assessment; Behavior Authorizer. Input: Operator Action. Outcomes: Benign Operator Action (Normal) or Harmful Operator Action (Operator Error, Malicious Insider).]

Slides 3-4: [Same architecture diagram, with MIT and Teknowledge labels.]
Slide 5: What are we trying to do?
- Block Harmful Operations
- Differentiate
  - Operator Error
  - Malicious Intent
[Architecture diagram as on slide 2.]
Slide 6: Applying Security to the Application Layer
- MAF DemVal component
  - Builds Air Transport Plans
  - Publishes completely built Air Transport Plans
  - Edits partially built Air Transport Plans
  - Saves/Restores partially built Air Transport Plans
- Creating an application-specific rule framework for defining harm
  - Harm expressed orthogonally from OS objects
  - For the MAF DemVal component:
    - Harm = publishing a semantically malformed Air Transport Plan
    - What semantic knowledge and data is required to determine malformedness?
- Finding points in the application to apply it
  - For the MAF DemVal component: Commit/Publish Air Transport Plan
Slide 7: How will you show success?
- Block Harmful Operations
- Differentiate
  - Operator Error
  - Malicious Intent
- Red-Team Experiment
[Architecture diagram as on slide 2.]
Slide 8: Red Team Experiment
- Force experiment to determine ability to thwart insider attack
- Three Flags
  1. Harm the application using only the application GUI (SaveAs/Open GUI excluded), using a jointly defined subset of the application semantics
  2. Harm the application using only the SaveAs/Open GUI
  3. Harm the application using the OS GUI (Explorer process) (running other programs excluded)
Slide 9: Defined Application Semantics
- Planes have types which have a maximum Range before the plane must land or be refueled (refueling resets the starting point to the refueling point, i.e. assumes the plane has been fully refueled).
- Planes have types which have a minimum required runway length for takeoffs and landings.
- Planes cannot land or take off in restricted-access zones (defined as rectangles aligned with the lat/long axes).
- Planes have types which cannot go to certain destinations.
- Each airport has a minimum turnaround time, and a plane landing at that airport must not take off before that minimum turnaround time has expired.
- Each mission has an objective for that mission's plane, and that plane must reach the destination specified in that objective by the time specified in that objective. This objective is associated with the type of the plane.
- Refueling (defined by the MAF to occur at a point) can only occur in rectangularly defined refueling-areas (aligned with the lat/long axes).
- Each leg in a mission must get the plane closer to its destination. Offload events (which have end points equal to their start points) don't count as a leg for this rule.
- A plane's weight (determined by its plane type) cannot exceed the weight-handling maximum for each runway it lands on or takes off from.
- A plane can only land on or take off from a runway at night (1800 to 0600 local time) if that runway is equipped with night lighting.
- The duration of a leg must exceed the time needed to fly that leg (i.e. the distance between its start and end locations) at the plane's maximum speed.
- Offloads must occur at the same place as the landing that preceded them.
- Offloads must have a minimum duration based on the type of airplane.
- All missions must start with a takeoff and end with a landing or offload (i.e. no suicide missions).
- All takeoffs (other than the initial takeoff) must be immediately preceded by a landing or offload.
- All landings must be immediately preceded by a takeoff, waypoint, or refueling.
- All refuelings must be immediately preceded by a takeoff, waypoint, or refueling.
- All waypoints must be immediately preceded by a takeoff, waypoint, or refueling.
- All offloads must be immediately preceded by a landing.
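These rules are the harm definition that slide 6 says is applied at the Commit/Publish point of the MAF DemVal component. The validator below is an added example, not PMOP, MAF DemVal or JavaWrap code: it encodes the rules above (all except the plane-type/destination blacklist, which the slide gives no data for) as checks over a mission's event list and returns the violations, so a mediation point can refuse to publish a malformed plan. The plan representation (events carrying lat/long, a local clock time in minutes, and an airport code for takeoffs and landings), the field names, the units, the treatment of a landing followed by a takeoff as restarting the range count, the 0.1 nm "same place" tolerance, and all sample data are assumptions made for illustration.

```python
"""Harm assessment for Air Transport Plans. Added example, not PMOP, MAF DemVal or
JavaWrap code: the plan format (events with lat/long, a local clock time in minutes
and an airport code), field names, units and all sample data are assumptions."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

TAKEOFF, LANDING, WAYPOINT, REFUEL, OFFLOAD = "takeoff", "landing", "waypoint", "refuel", "offload"
# Sequencing rules: the event kinds that may immediately precede each kind.
ALLOWED_PRED = {TAKEOFF: {LANDING, OFFLOAD}, OFFLOAD: {LANDING}, LANDING: {TAKEOFF, WAYPOINT, REFUEL},
                REFUEL: {TAKEOFF, WAYPOINT, REFUEL}, WAYPOINT: {TAKEOFF, WAYPOINT, REFUEL}}

@dataclass
class PlaneType:
    range_nm: float; min_runway_ft: int; weight_lb: int; max_speed_kt: float; min_offload_min: int

@dataclass
class Airport:
    lat: float; lon: float; runway_ft: int; max_weight_lb: int; night_lit: bool; turnaround_min: int

@dataclass
class Event:
    kind: str; lat: float; lon: float
    t: int                       # start time, minutes after 0000 local (assumed single-day plan)
    end: Optional[int] = None    # end time; only offloads have a duration
    airport: Optional[str] = None

def nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine, Earth radius 3440 nm)."""
    p1, l1, p2, l2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin((l2 - l1) / 2) ** 2
    return 2 * 3440.0 * asin(sqrt(h))

def in_rect(lat, lon, rect):  # rect = (lat_min, lat_max, lon_min, lon_max), lat/long aligned
    return rect[0] <= lat <= rect[1] and rect[2] <= lon <= rect[3]

def is_night(t):  # 1800 to 0600 local
    return t >= 18 * 60 or t < 6 * 60

def check_plan(plane, airports, events, dest, deadline, restricted, refuel_areas):
    """Return the semantic-rule violations of one mission; [] means it is well formed."""
    v = []
    if not events or events[0].kind != TAKEOFF:
        v.append("mission must start with a takeoff")
    if events and events[-1].kind not in (LANDING, OFFLOAD):
        v.append("mission must end with a landing or offload")
    flown, last_landing = 0.0, None   # nm since last takeoff/refuel; (time, airport) of last landing
    for i, e in enumerate(events):
        p = events[i - 1] if i else None
        if p and p.kind not in ALLOWED_PRED[e.kind]:
            v.append(f"event {i}: {e.kind} may not follow {p.kind}")
        if e.kind in (TAKEOFF, LANDING):
            ap = airports[e.airport]
            if any(in_rect(e.lat, e.lon, r) for r in restricted):
                v.append(f"event {i}: {e.kind} inside a restricted-access zone")
            if ap.runway_ft < plane.min_runway_ft or ap.max_weight_lb < plane.weight_lb:
                v.append(f"event {i}: runway at {e.airport} too short or too weak for this plane type")
            if is_night(e.t) and not ap.night_lit:
                v.append(f"event {i}: {e.kind} at {e.airport} at night without night lighting")
        if e.kind == REFUEL and not any(in_rect(e.lat, e.lon, r) for r in refuel_areas):
            v.append(f"event {i}: refueling outside a refueling-area")
        if e.kind == TAKEOFF and last_landing and e.t - last_landing[0] < airports[last_landing[1]].turnaround_min:
            v.append(f"event {i}: takeoff before minimum turnaround time at {last_landing[1]}")
        if e.kind == LANDING:
            last_landing = (e.t, e.airport)
        if e.kind == OFFLOAD and (e.end or e.t) - e.t < plane.min_offload_min:
            v.append(f"event {i}: offload shorter than minimum duration")
        if p is not None:
            leg = nm(p.lat, p.lon, e.lat, e.lon)
            if e.kind == OFFLOAD and leg > 0.1:
                v.append(f"event {i}: offload not at the place of the preceding landing")
            if leg > 0.1:   # zero-length moves (offload, takeoff after landing) are not legs
                if (e.t - (p.end or p.t)) * plane.max_speed_kt / 60 <= leg:
                    v.append(f"event {i}: leg duration too short for {leg:.0f} nm at max speed")
                if nm(e.lat, e.lon, *dest) >= nm(p.lat, p.lon, *dest):
                    v.append(f"event {i}: leg does not bring the plane closer to its destination")
                flown += leg
                if flown > plane.range_nm:
                    v.append(f"event {i}: {flown:.0f} nm since last takeoff/refuel exceeds range")
        if e.kind in (TAKEOFF, REFUEL):
            flown = 0.0   # assumed: a landing followed by a takeoff also restarts the range count
    arrival = next((e.t for e in events if nm(e.lat, e.lon, *dest) <= 0.1), None)
    if arrival is None or arrival > deadline:
        v.append("mission objective not met: destination not reached by the deadline")
    return v

def authorize_publish(plane, airports, events, dest, deadline, restricted, refuel_areas):
    """The mediation decision at Commit/Publish: the plan leaves the cocoon only if it is well formed."""
    return check_plan(plane, airports, events, dest, deadline, restricted, refuel_areas) == []

# Constructed sample data (fictional plane type, airports and plans).
PLANE = PlaneType(range_nm=500, min_runway_ft=5000, weight_lb=150_000, max_speed_kt=300, min_offload_min=30)
AIRPORTS = {"ALPHA": Airport(38.0, -77.0, 8000, 200_000, True, 45),
            "BRAVO": Airport(40.0, -74.0, 7000, 200_000, False, 60)}
DEST, RESTRICTED, REFUEL_AREAS = (40.0, -74.0), [(39.5, 39.8, -75.5, -75.0)], [(38.8, 39.3, -76.2, -75.2)]
GOOD_PLAN = [Event(TAKEOFF, 38.0, -77.0, 480, airport="ALPHA"), Event(WAYPOINT, 39.0, -75.7, 510),
             Event(LANDING, 40.0, -74.0, 540, airport="BRAVO"), Event(OFFLOAD, 40.0, -74.0, 545, end=580)]
BAD_PLAN = [Event(TAKEOFF, 38.0, -77.0, 1080, airport="ALPHA"), Event(REFUEL, 39.0, -75.7, 1095),
            Event(LANDING, 40.0, -74.0, 1130, airport="BRAVO"), Event(OFFLOAD, 40.0, -74.0, 1135, end=1150),
            Event(TAKEOFF, 40.0, -74.0, 1160, airport="BRAVO")]
```

Calling `authorize_publish(PLANE, AIRPORTS, GOOD_PLAN, DEST, 600, RESTRICTED, REFUEL_AREAS)` returns True; the same call with `BAD_PLAN` and a deadline of 1200 returns False, and `check_plan` lists six violations for it (a mission ending in a takeoff, a leg flown faster than the plane's maximum speed, two night landings/takeoffs on an unlit runway, a too-short offload, and a takeoff inside the turnaround time). Each message names the event index and the rule, which is the information an operator or an intent assessment needs to tell an error from an attack. Tolerances such as the 0.1 nm "same place" threshold are a policy choice: too tight and benign plans are rejected (a false positive), too loose and a malformed plan is published.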
Slide 10: PMOP Red Team Experiment Configuration
[Architecture diagram as on slide 2, instantiated for the experiment: the labels JavaWrap, Wrapper, Safe Family and Demval MAF take the place of Mediation, Cocoon and Legacy App. Legend:]
- JavaWrap intercepts the published plan for harm assessment
- SafeFamily intercepts file/registry/comm actions for harm assessment
- Not Present (components of the general architecture not present in this configuration)
Slide 11: Red Team Experiment Results
- Force experiment to determine ability to thwart insider attack
- Three Flags, with the result for each:
  1. Harm the application using only the application GUI (SaveAs/Open GUI excluded), using a jointly defined subset of the application semantics: 0 Harm, 1 False Positive
  2. Harm the application using only the SaveAs/Open GUI: 0 Harm, 0 False Positive
  3. Harm the application using the OS GUI (Explorer process) (running other programs excluded): 1 Harm, 0 False Positive
Slide 12: Red Team Experiment Lessons Learned
- Force experiment to determine ability to thwart insider attack
- Three Flags
  1. Harm the application using only the application GUI (SaveAs/Open GUI excluded), using a jointly defined subset of the application semantics
  2. Harm the application using only the SaveAs/Open GUI
  3. Harm the application using the OS GUI (Explorer process) (running other programs excluded)
- Careful Choice of Flags
  - Covered Space
  - Focused attacks
Slide 13: What are the implications of success?
- Systems can be protected
  - from insider attacks
  - from operator error
  - from zero-day attacks
[Architecture diagram as on slide 2.]
Slide 14: What is the technical approach?
- Observe the effect of the operator action in the system model
- Match harmful actions against
  - Errorful Operator Plans
  - Attack Plans
[Architecture diagram as on slide 2.]
Slide 15: What is new?
- Observe the effect of the operator action in the system model
- Match harmful actions against
  - Errorful Operator Plans
  - Attack Plans
[Architecture diagram as on slide 2.]
Slide 16: What is hard?
- Modeling the System to predict the effect
- Modeling the Operator to differentiate
  - Operator Error
  - Malicious Intent
[Architecture diagram as on slide 2.]