One of the real leaders in programming and technical IT believes that whitelisting has a big role to play in security. I wish I could be as enthusiastic.
Windows IT people everywhere owe thanks to Dr. Mark Russinovich, now a technical fellow at Microsoft
and his less-famous partner Bryce Cogswell. Russinovich is famous both as an author, making the technical details of Windows accessible to the rest of us who dare to think we are technical, and as a programmer, writing utilities that give us better command of Windows and teach us about it at the same time.
Russinovich and Cogswell formed the company Winternals and wrote the free Windows Sysinternals tools
. Microsoft bought the company two years ago. Some of the Winternals products have been relaunched as Microsoft products and others haven't. But the Sysinternals site remains pretty much as Russinovich and Cogswell ran it, as they still do, in their spare time, believe it or not. It's just on microsoft.com now.
A recent video interview with Russinovich
spent quite a bit of time talking about security. I don't necessarily agree with everything he has to say, which has me re-examining my beliefs, since I have so much respect for what he has to say. The interview is 42:39 long, so I'll relate the security-related parts here, but I certainly recommend watching it yourself (or just listening as there isn't much in terms of visual action).
Russinovich has been extensively quoted discussing Vista's UAC (User Access Control), pointing out that it is not a "security barrier." When he says this it comes across as criticism to many, but there's an important distinction: A security boundary, like ACLs in the file system, prevents access to unauthorized users. UAC is merely informative. Russinovich argues that UAC is really meant for ISVs, not users: It's a way to get ISVs to write their software correctly, to save their users from having to deal with UAC.
What is the motivation behind UAC? Users run things they shouldn't and it would be good if you could protect the system from the consequences of that. In the end, Russinovich thinks that any effort to enforce such protection will lead to confusing interventions that users won't understand and won't appreciate. You can't just wall off apps from the rest of the system, at least not in the current Windows architecture. There are research projects that move in that direction, which he also discusses; I loved the section, about 30 minutes into the interview, about the limitations of state management in Windows and what might be done about it. But any attempt to isolate apps this way in today's Windows will cause application compatibility problems and degrade the user experience. He doesn't claim that Microsoft did a bad job with UAC, but that the sorts of disruptions it has caused were inevitable if the real problem, which is in the applications, were to be addressed.
In the longer term, Russinovich looks in a different direction for more security progress. He signaled that years ago with a Winternals product called Protection Manager, one that Microsoft has so far declined to productize. Protection Manager was a tool to enforce software whitelisting on corporate networks; eWEEK thought highly of it in a review
. I've always been a fan of whitelisting, in principle
, but I'm leery of how successful it can really be.
An enterprise network is one thing. For Russinovich and I to say that IT should maintain a list of what is permitted to run on computers and enforce that is a tautological exercise. There are no really good arguments against it, but we all know that when the new iPhone comes out some vice president will insist on running it and some agent on his notebook to support it and the new version of iTunes. Whitelists are a lot of work.
And because your expectations of whitelists need to be reasonable, you should know that there are limitations to them: vulnerabilities in software that lead to arbitrary code execution, such as the typical buffer overflow, would lead to malicious code running despite a whitelist. The way overflows work, the system thinks that it's the vulnerable program running the code, not some outside program, even though the code came in on an HTTP request or inside a word processing document or some other uninvited channel.
Defeatist-sounding talk like the last paragraph isn't like me, and Russinovich stresses that he thinks whitelists need to be bolstered by other technologies Microsoft is pushing, such as ASLR and DEP, which limit the damage software vulnerabilities can do. Basically we're in agreement about all of this, but I guess he's more optimistic about whitelists than I am.
Incidentally, he also says that the next version of Microsoft's Forefront Client Security will have whitelisting features, so it sounds like he's had an influence on that line of the business. The enterprise version of Forefront is already a pretty impressive product (certainly when compared with their consumer offerings), so that could be worth watching. He also says more work is being put into software restriction policies in the OS, which is a related approach, also for managed networks.
But what about consumers? This is where I think whitelists are pie in the sky. Russinovich speculates that for a consumer the whitelist could consist of only getting their applications from one trusted source. I think it's much more likely, as I speculated in my whitelisting column
, that digital signatures could allow one trusted source (perhaps the user's anti-malware vendor) to act as a reputation manager for software.
But I can't even see this working. It's just too easy for users to run into circumstances ("install plugin to view content") where they will lose patience with it all. I have no sympathy with the corporate client who wants to install unapproved software and only slightly more for the consumer, but the fact is you can tell corporate users what the rules are (most of them anyway) and you can't tell consumers. They will quickly conclude that the reputation manager is wrong or that their sole software source is letting them down by not offering what they need.
About this too, Russinovich and I are largely in agreement. But another point he makes-a staple of intelligent security analysis-drives security arguments further in the direction of whitelisting. The point is that the only way to win against malware is to prevent it from running on the system. Once it runs, you have to presume that you've lost, and that nothing on the system is trustworthy anymore. If that's the case, and if tricks such as UAC can't do the job, then whitelisting is the only answer.
I buy the argument, but I'm still not optimistic. I truly look forward to writing about how Russinovich proved me wrong and how whitelisting is finally getting the malware problem under control. Maybe I'll get started on the column in anticipation. I don't think I'll ever get to run it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack