Whitelisting and Elegance

By Larry Seltzer  |  Posted 2007-09-05 Print this article Print

Opinion: Did the security software industry make a historic blunder with their reactive approach? I think it's much easier to criticize them than it is to come up with better alternatives.

The weaknesses of conventional anti-virus are well-known: Its mostly a reactive approach, looking for problems after theyve already been identified. Threats which havent already been found—"zero-day attacks"—either have to be identified through more generic threat detection techniques or slip through undetected. The generic detections, also known as heuristics, are prone to false positives. Kaspersky Anti-Virus, for example, frequently identifies real e-mails from Bank of America to me as Trojan-Spy.HTML.Fraud.gen. Ive seen false positives on real executable programs too, although its pretty rare from good AV. Respected kernel researcher Joanna Rutkowska recently blogged on the subject, saying that the signature/heuristics model was a strategic mistake.
"This is an example of how the security industry took a wrong path, the path that never could lead to an effective and elegant solution," she wrote.
But every now and then I get a pitch from a vendor or a note from a reader proposing a whitelist approach. Securewaves "Positive Model" approach is a good example, as is Bit9 Parity. In both cases the idea is to specify which programs can run on the system and disallow anything else. This sure is a tempting approach, and at least some form of it is surely a good idea on all managed networks. Why should IT in a business allow anything other than approved programs to run on the system? But the idea that this will prevent malware from running on the system in all contexts is wishful thinking, and I think its impractical to implement such systems for homes and very small businesses where there is no experienced administrator with authority over system policies. F-Secures Internet Security 2008 offers greater detection and scanning capabilities.. Click here to read more. A related technology that does good in this regard, but falls short of perfection, is the digital signature. Microsoft recently took a lot of guff for blocking a device driver that allowed other drivers to elude their requirement on 64-bit Windows Vista that all drivers be digitally signed and that the signature be issued by a trusted certificate authority. Microsoft wasnt the first to require digital signatures, although it often seems that way from the claims of those with a "blame Microsoft first" attitude. Java applets, for example, need to be signed in order to perform operations outside of the sandbox, to interact with the file system for instance,. For a good example of this behavior, try the Secunia Software Inspector, an applet that traverses your file system reporting old and vulnerable applications. Next page: Is there a solution?

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel