    Whitelisting and Elegance

    By Larry Seltzer, September 5, 2007

      The weaknesses of conventional anti-virus are well known: it's mostly a reactive approach, looking for problems after they've already been identified. Threats which haven't already been found—"zero-day attacks"—either have to be identified through more generic threat-detection techniques or slip through undetected.

      The generic detections, also known as heuristics, are prone to false positives. Kaspersky Anti-Virus, for example, frequently identifies real e-mails from Bank of America to me as Trojan-Spy.HTML.Fraud.gen. I've seen false positives on real executable programs too, although it's pretty rare from good AV.

      Respected kernel researcher Joanna Rutkowska recently blogged on the subject, saying that the signature/heuristics model was a strategic mistake.

      “This is an example of how the security industry took a wrong path, the path that never could lead to an effective and elegant solution,” she wrote.

      But every now and then I get a pitch from a vendor or a note from a reader proposing a whitelist approach. Securewave's "Positive Model" approach is a good example, as is Bit9 Parity. In both cases the idea is to specify which programs can run on the system and disallow anything else.

      This sure is a tempting approach, and at least some form of it is surely a good idea on all managed networks. Why should IT in a business allow anything other than approved programs to run on the system? But the idea that this will prevent malware from running on the system in all contexts is wishful thinking, and I think it's impractical to implement such systems for homes and very small businesses where there is no experienced administrator with authority over system policies.


      A related technology that does some good in this regard, but falls short of perfection, is the digital signature. Microsoft recently took a lot of guff for blocking a device driver that allowed other drivers to elude its requirement on 64-bit Windows Vista that all drivers be digitally signed and that the signature be issued by a trusted certificate authority.

      Microsoft wasn't the first to require digital signatures, although it often seems that way from the claims of those with a "blame Microsoft first" attitude. Java applets, for example, need to be signed in order to perform operations outside of the sandbox, to interact with the file system, for instance. For a good example of this behavior, try the Secunia Software Inspector, an applet that traverses your file system reporting old and vulnerable applications.

      Is there a solution?

      Such signatures aren't really a whitelist, but they are meant to enforce accountability, which is related. For instance, one could set a rule whitelisting certain vendors and thereby allow any code signed with their keys. And as Rutkowska says, one class of largely obsolete malware, file infectors, is defeated by a well-implemented system of code signatures. A whitelist system could also be implemented by having the administrator use a company key to sign only approved programs. I'm sure this is basically how some of the commercial approaches work.


      There's so much software out there; how can anyone know what's trustworthy? We currently employ the AV companies to make these decisions for us with their reactive approach, but how about taking a page out of the world of e-mail protection (admittedly, not the most successful bunch of technologists, but stick with me for a moment) and implementing a reputation system?

      Here's how it could work: All code has to be signed, or at least it needs to be in order to be trusted. Third-party reputation systems keep databases of companies and their code-signing public keys. They do a double-check on the checks supposedly performed by certificate authorities and take reports of abuse, feeding them back into the reputation report. When a program is installed, the public key is checked for reputation. If the signer of a new program being installed has no reputation, or the program is not signed, it deserves a high level of suspicion; perhaps this is when you turn on the heuristic scanner with the paranoia level set to "Maximum."

      Periodically, the system could also check for changes in the reputations of signers of installed software and report these to the user or administrator. This is the kind of system that existing AV vendors could be in a position to implement. The real problem is the infrequent use of digital signatures in the programming community.
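      The install-time reputation check and periodic re-check described above, together with the admin-signed company whitelist mentioned earlier, as an added example that is not from the article or from any vendor it names. The cryptographic signature verification itself is assumed to be done by the platform's own code-signing check and is represented by the `signature_valid` flag; the reputation database, fingerprints, vendor names, company key and abuse threshold are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"      # run normally
    SUSPECT = "suspect"  # run the heuristic scanner at "Maximum" before allowing
    BLOCK = "block"      # refuse to install

@dataclass
class Reputation:
    vendor: str
    ca_verified: bool        # reputation service double-checked the CA's vetting
    abuse_reports: int = 0   # field reports fed back into the record

@dataclass
class Program:
    name: str
    signer_fingerprint: "str | None"   # None means the program is unsigned
    signature_valid: bool = False      # assumed output of the platform's signature verifier

# Constructed sample reputation database; the fingerprints and vendors are invented.
REPUTATION_DB = {
    "fp:acme-software": Reputation("Acme Software", ca_verified=True),
    "fp:shady-tools": Reputation("Shady Tools", ca_verified=False, abuse_reports=4),
}
COMPANY_KEY = "fp:example-corp-internal"  # hypothetical key the admin signs approved programs with
ABUSE_THRESHOLD = 3                       # constructed policy value

def report_abuse(fingerprint, db):
    """An abuse report against a signer feeds straight back into its reputation."""
    if fingerprint in db:
        db[fingerprint].abuse_reports += 1

def decide(program, db, company_key=COMPANY_KEY):
    """Install-time decision, keyed on the signer's public key rather than on the file."""
    if program.signer_fingerprint is None:
        return Verdict.SUSPECT        # unsigned: high suspicion
    if not program.signature_valid:
        return Verdict.BLOCK          # claims a signer but the signature does not verify
    if program.signer_fingerprint == company_key:
        return Verdict.ALLOW          # admin-signed whitelist entry
    rep = db.get(program.signer_fingerprint)
    if rep is None:
        return Verdict.SUSPECT        # valid signature, but the signer has no reputation
    if rep.abuse_reports >= ABUSE_THRESHOLD:
        return Verdict.BLOCK
    return Verdict.ALLOW if rep.ca_verified else Verdict.SUSPECT

def recheck_installed(installed, db):
    """Periodic pass: report installed programs whose signer's standing has changed."""
    return [(p.name, was, now) for p, was in installed if (now := decide(p, db)) != was]
```

Note that a program already installed and running is not re-verified by `recheck_installed`; it only surfaces the change in its signer's standing for the administrator to act on.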

      Whitelists and signatures can't stop a buffer overflow in an approved program from executing malware passed to it. That system is just as compromised. And while it would be trickier for that attack to persist on the system, it's hardly impossible. So I'm skeptical of the broad brush Rutkowska uses to paint signature-based AV as a historic mistake. It was expedient at a time when elegant solutions were unavailable. In fact, they still are.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
