application whitelisting (was RE: Active Directory Question)

From: John LaCour (jlacour_at_zonelabs.com)
Date: 01/14/04

  • Next message: dlimanov_at_sct.com: "Re: application whitelisting (was RE: Active Directory Question)"
    Date: Wed, 14 Jan 2004 09:15:14 -0800
    To: "Kayne Ian (Softlab)" <Ian.Kayne@softlab.co.uk>, <focus-ms@securityfocus.com>
    
    

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > From: Kayne Ian (Softlab) [mailto:Ian.Kayne@softlab.co.uk]
    >
    > A better way (for example) would be to write an app that
    > hooks kernel calls to load a process, then compare a checksum
    > of the process in question to a "whitelist" of allowed
    > application checksums - if a match is found, the call is
    > allowed. If not, the call is denied. Bear in mind that you
    > need to checksum the loaded process, not the exe file on disk
    > otherwise any packer (UPX etc) would effectively allow a bad
    > app to slip by. That somewhat raises the skill required to bypass
    > it.

    This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
    products do. Other Endpoint Security/Desktop Firewall software
    do similar things as well.

    An md5-like hash of the application is saved (in a protected file)
    along with the network access permissions associated with that
    application.

    UPX cannot be used to defeat this*. If you have a malicious program
    that has a hash not on your whitelist, UPX-ing it isn't going to
    chance that.

    The most significant risk to this approach is people having bad
    policies
    about what is whitelisted or what whitelisted programs are permitted
    to do.

    *Ok, there is some really small possibility of a hash collision.

    - -John
    - --
    John LaCour
    Zone Labs Security Services

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQA/AwUBQAV5IaeZbSyAsADEEQKvjgCgkTQQlKJfK6BgkTdmBIY9ENd87UYAn0s2
    R+sEGGThZ/GckW+VBAReHj3L
    =+GpG
    -----END PGP SIGNATURE-----

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: dlimanov_at_sct.com: "Re: application whitelisting (was RE: Active Directory Question)"