RE: application whitelisting (was RE: Active Directory Question)

From: Kayne Ian (Softlab) (Ian.Kayne_at_softlab.co.uk)
Date: 01/15/04

  • Next message: Mike Lyman: "Re: SMTP Service in private DMZ OK?"
    To: John LaCour <jlacour@zonelabs.com>, focus-ms@securityfocus.com
    Date: Thu, 15 Jan 2004 10:56:11 -0000

    Whitelisting is of course more secure than blacklisting (my
    phrasing in that mail was a bit off - I meant UPX'ing will
    defeat a blacklist easily), but it must have a weakness.

    I can almost see a possibility to break this. How does ZoneAlarm
    handle self-modifying executables? It's not just viruses that do
    this, a lot of copy protection techniques do it too (a telltale
    byte/dword modified every time the app is run, until the allowed
    trial expires and the app is crippled). I would assume that
    *if* this is handled, ZoneAlarm checksums the PE and some other
    sections selectively rather than the entire app.

    If you knew what was being checked, you would know exactly what
    could be modified (I'm thinking a loader routine can be added
    that kills ZoneAlarm hooks, and ZoneAlarm would let it run in
    the first place because it slips past the whitelist check).

    Just some thoughts & guesses.

    Ian Kayne
    Technical Specialist - IT Solutions
    Softlab Ltd - A BMW Company

    > -----Original Message-----
    > From: John LaCour [mailto:jlacour@zonelabs.com]
    > Sent: 14 January 2004 17:15
    > To: Kayne Ian (Softlab); focus-ms@securityfocus.com
    > Subject: application whitelisting (was RE: Active Directory Question)
    >
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    > > From: Kayne Ian (Softlab) [mailto:Ian.Kayne@softlab.co.uk]
    > >
    > > A better way (for example) would be to write an app that
    > > hooks kernel calls to load a process, then compare a checksum
    > > of the process in question to a "whitelist" of allowed
    > > application checksums - if a match is found, the call is
    > > allowed. If not, the call is denied. Bear in mind that you
    > > need to checksum the loaded process, not the exe file on disk
    > > otherwise any packer (UPX etc) would effectively allow a bad
    > > app to slip by. That somewhat raises the skill required to bypass
    > > it.
    >
    > This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
    > products do. Other Endpoint Security/Desktop Firewall software
    > do similar things as well.
    >
    > An md5-like hash of the application is saved (in a protected file)
    > along with the network access permissions associated with that
    > application.
    >
    > UPX cannot be used to defeat this*. If you have a malicious program
    > that has a hash not on your whitelist, UPX-ing it isn't going to
    > change that.
    >
    > The most significant risk to this approach is people having bad
    > policies about what is whitelisted or what whitelisted programs are
    > permitted to do.
    >
    > *Ok, there is some really small possibility of a hash collision.
    >
    > - -John
    > - --
    > John LaCour
    > Zone Labs Security Services
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 8.0.2
    >
    > iQA/AwUBQAV5IaeZbSyAsADEEQKvjgCgkTQQlKJfK6BgkTdmBIY9ENd87UYAn0s2
    > R+sEGGThZ/GckW+VBAReHj3L
    > =+GpG
    > -----END PGP SIGNATURE-----
    >

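To make the section-selective checksumming that Ian speculates about concrete, here is an added example in Python. It is mine, not ZoneAlarm's code and not anything posted in the thread: it builds a constructed two-section PE-shaped image (headers and raw sections only, not a runnable program), enrolls hashes of the non-writable sections, and then shows that a trial-counter bump in writable .data still passes while any change to .text is rejected. Section names, code bytes and the counter string are all constructed for illustration.

```python
import hashlib
import struct

SCN_CODE, SCN_WRITE = 0x20, 0x80000000  # IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_WRITE
ALIGN = 0x200                           # file alignment used by the constructed image

def build_pe(sections):
    """Constructed PE-shaped image (DOS stub, COFF header, section table, raw sections)."""
    n = len(sections)
    raw_off = -(-(0x40 + 24 + 40 * n) // ALIGN) * ALIGN
    hdrs, body = b"", b""
    for i, (name, data, chars) in enumerate(sections):
        size = -(-len(data) // ALIGN) * ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                            0x1000 * (i + 1), size, raw_off + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(size, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)
    return (dos + coff + hdrs).ljust(raw_off, b"\0") + body

def section_hashes(image):
    """Parse the section table; return {name: (characteristics, sha256 of raw bytes)}."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n, opt = struct.unpack_from("<H", image, pe + 6)[0], struct.unpack_from("<H", image, pe + 20)[0]
    out = {}
    for i in range(n):
        name, _, _, rsize, ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, pe + 24 + opt + 40 * i)
        out[name.rstrip(b"\0").decode()] = (chars, hashlib.sha256(image[ptr:ptr + rsize]).hexdigest())
    return out

def enroll(image):
    """Allowlist entry: one hash per section that is not writable (code and read-only data)."""
    return {n: h for n, (c, h) in section_hashes(image).items() if not c & SCN_WRITE}

def check(image, entry):
    """Allow only if every enrolled section is unchanged; writable sections are not looked at."""
    current = section_hashes(image)
    return all(n in current and current[n][1] == h for n, h in entry.items())

def demo():
    text, data = b"\x55\x89\xe5\x31\xc0\x5d\xc3", b"RUNS=0000"   # constructed code and trial counter
    orig = build_pe([(".text", text, SCN_CODE), (".data", data, SCN_WRITE)])
    entry = enroll(orig)
    data_mod = build_pe([(".text", text, SCN_CODE), (".data", b"RUNS=0001", SCN_WRITE)])
    code_mod = build_pe([(".text", b"\x90" + text, SCN_CODE), (".data", data, SCN_WRITE)])
    whole_file_differs = hashlib.sha256(orig).digest() != hashlib.sha256(data_mod).digest()
    return check(data_mod, entry), whole_file_differs, check(code_mod, entry)
```

Everything left out of the entry (here the whole of .data) is outside the check, which is exactly the gap Ian points at: a whole-file hash would have rejected the counter bump, so the trade-off is between tolerating self-modifying data and leaving that data unverified.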