application whitelisting (was RE: Active Directory Question)

From: John LaCour (jlacour_at_zonelabs.com)
Date: 01/14/04

  • Next message: dlimanov_at_sct.com: "Re: application whitelisting (was RE: Active Directory Question)" 
    Date: Wed, 14 Jan 2004 09:15:14 -0800
To: "Kayne Ian (Softlab)" <Ian.Kayne@softlab.co.uk>, <focus-ms@securityfocus.com>

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > From: Kayne Ian (Softlab) [mailto:Ian.Kayne@softlab.co.uk]
    >
    > A better way (for example) would be to write an app that
    > hooks kernel calls to load a process, then compare a checksum
    > of the process in question to a "whitelist" of allowed
    > application checksums - if a match is found, the call is
    > allowed. If not, the call is denied. Bear in mind that you
    > need to checksum the loaded process, not the exe file on disk
    > otherwise any packer (UPX etc) would effectively allow a bad
    > app to slip by. That somewhat raises the skill required to bypass
    > it.

    This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
    products do. Other Endpoint Security/Desktop Firewall software
    do similar things as well.

    An md5-like hash of the application is saved (in a protected file)
    along with the network access permissions associated with that
    application.

    UPX cannot be used to defeat this*. If you have a malicious program
    that has a hash not on your whitelist, UPX-ing it isn't going to
    chance that.

    The most significant risk to this approach is people having bad
    policies
    about what is whitelisted or what whitelisted programs are permitted
    to do.

    *Ok, there is some really small possibility of a hash collision.

    - -John
    - --
    John LaCour
    Zone Labs Security Services

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQA/AwUBQAV5IaeZbSyAsADEEQKvjgCgkTQQlKJfK6BgkTdmBIY9ENd87UYAn0s2
    R+sEGGThZ/GckW+VBAReHj3L
    =+GpG
    -----END PGP SIGNATURE-----

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: dlimanov_at_sct.com: "Re: application whitelisting (was RE: Active Directory Question)"

    Relevant Pages

    • Re: application whitelisting (was RE: Active Directory Question)
      ... granular control of what user can and can not do. ... > hooks kernel calls to load a process, then compare a checksum ... An md5-like hash of the application is saved ... If you have a malicious program ...
      (Focus-Microsoft)
    • Re: About Hsiehs hash: initial value? 64 bit?
      ... when implementing Paul Hsieh's hash for incremental updates? ... Well if you just want to use it as a checksum, ... CRCs of course, have a much longer history as checksums. ...
      (comp.programming)
    • Re: Really fast checksum?
      ... Using JDBC, I select records from a table, roll through them, calculate a checksum on the text of all of the fields, and then check it against a stored checksum to see if the record has changed. ... In the past I've used CRC32, but that only operates on bytes and I'd rather not convert all the strings I'll get from JDBC into bytes. ... No hash function, of any kind, is capable of giving you that guarantee. ...
      (comp.lang.java.programmer)
    • Re: Hash indexes
      ... Wow Tibor, that's a mouthful. ... I kinda figured out that the CHECKSUM was just creating a value in a column ... that was then indexed with a b-tree. ... I.e., there's no CREATE command for bitmap index, hash ...
      (microsoft.public.sqlserver.server)
    • Re: Display Changed Records
      ... No hash system is 100% reliable (including HashBytes) and my comment was not meant to criticize you, but just to give a warning. ... CHECKSUM is less reliable for checking changes than many people think it is. ... declare @value1 int ...
      (microsoft.public.sqlserver.programming)