
List:       focus-ms
Subject:    RE: application whitelisting (was RE: Active Directory Question)
From:       "Kayne Ian (Softlab)" <Ian.Kayne () softlab ! co ! uk>
Date:       2004-01-15 10:56:11
Message-ID: CDD7435C5120D511870B00805F6FED1D037307FE () birexm01 ! uk ! softlab ! net

Whitelisting is of course more secure than blacklisting (my
phrasing in that mail was a bit off - I meant UPX'ing will
defeat a blacklist easily), but it must have a weakness.

I can almost see a possibility to break this. How does ZoneAlarm
handle self-modifying executables? It's not just viruses that do
this, a lot of copy protection techniques do it too (a telltale
byte/dword modified every time the app is run, until the allowed
trial expires and the app is crippled). I would assume that
*if* this is handled, ZoneAlarm checksums the PE and some other
sections selectively rather than the entire app.

If you knew what was being checked, you would know exactly what
could be modified (I'm thinking a loader routine can be added
that kills ZoneAlarm hooks, and ZoneAlarm would let it run in
the first place because it slips past the whitelist check). 

Just some thoughts & guesses.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company


> -----Original Message-----
> From: John LaCour [mailto:jlacour@zonelabs.com]
> Sent: 14 January 2004 17:15
> To: Kayne Ian (Softlab); focus-ms@securityfocus.com
> Subject: application whitelisting (was RE: Active Directory Question)
> 
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> > From: Kayne Ian (Softlab) [mailto:Ian.Kayne@softlab.co.uk] 
> > 
> > A better way (for example) would be to write an app that 
> > hooks kernel calls to load a process, then compare a checksum 
> > of the process in question to a "whitelist" of allowed 
> > application checksums - if a match is found, the call is 
> > allowed. If not, the call is denied. Bear in mind that you 
> > need to checksum the loaded process, not the exe file on disk 
> > otherwise any packer (UPX etc) would effectively allow a bad 
> > app to slip by. That somewhat raises the skill required to bypass
> > it.  
> 
> This is generally what ZoneAlarm, ZoneAlarm Pro, and Integrity
> products do.  Other Endpoint Security/Desktop Firewall software
> do similar things as well.
> 
> An md5-like hash of the application is saved (in a protected file)
> along with the network access permissions associated with that
> application.
> 
> UPX cannot be used to defeat this*.  If you have a malicious program
> that has a hash not on your whitelist, UPX-ing it isn't going to
> change that.
> 
> The most significant risk to this approach is people having bad
> policies about what is whitelisted or what whitelisted programs are
> permitted to do.
> 
> *Ok, there is some really small possibility of a hash collision.
> 
> - -John
> - --
> John LaCour
> Zone Labs Security Services
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.2
> 
> iQA/AwUBQAV5IaeZbSyAsADEEQKvjgCgkTQQlKJfK6BgkTdmBIY9ENd87UYAn0s2
> R+sEGGThZ/GckW+VBAReHj3L
> =+GpG
> -----END PGP SIGNATURE-----
> 

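The thread above contrasts two hashing policies for an application whitelist: hash the whole loaded image (John's description, where a packed copy of an unlisted program is simply another unknown hash), or hash only selected parts of the executable so that a self-modifying program still matches (Ian's guess about how a checker might tolerate copy-protection counters, and the gap that guess would open). The Python below is an added example, not ZoneAlarm's or Zone Labs' code, and it does not parse real PE files: build_image, the region names, the "overlay" region, fake_pack and the three hashers are all constructed for illustration, and SHA-256 stands in for the "md5-like hash" mentioned in the thread.

```python
"""Hash-based application allowlisting: full-image check versus a
selective check that skips a self-modifying region.  Added example,
not ZoneAlarm's code; the "images" are constructed toy layouts that
stand in for a PE file's headers and sections, not real PE parsing."""
import hashlib
import zlib
from typing import Callable, Dict, Tuple

# A toy executable image: named regions in load order.
Image = Dict[str, bytes]
REGION_ORDER = ("header", ".text", ".data", "overlay")


def build_image(text: bytes, data: bytes, overlay: bytes = b"") -> Image:
    # "header" stands in for the PE headers (it records the section sizes);
    # "overlay" is anything appended after the last section, which is where
    # a bolted-on loader or a packer stub would typically end up.
    header = (b"MZ\x90\x00" + len(text).to_bytes(4, "little")
              + len(data).to_bytes(4, "little"))
    return {"header": header, ".text": text, ".data": data, "overlay": overlay}


def full_hash(img: Image) -> str:
    """Hash every byte of the image in load order."""
    h = hashlib.sha256()
    for name in REGION_ORDER:
        h.update(img[name])
    return h.hexdigest()


def selective_hash(img: Image) -> str:
    """Hash only headers and code, so a trial counter in .data can change.
    This is the thread's guess at how a checker might tolerate
    self-modifying programs; an assumption, not documented behaviour."""
    h = hashlib.sha256()
    h.update(img["header"])
    h.update(img[".text"])
    return h.hexdigest()


def data_excluded_hash(img: Image) -> str:
    """Hash everything except the one region expected to change (.data).
    Unlike selective_hash this still covers bytes appended after the sections."""
    h = hashlib.sha256()
    for name in REGION_ORDER:
        if name != ".data":
            h.update(img[name])
    return h.hexdigest()


class Allowlist:
    """Maps a hash of the loaded image to the permission granted to it."""

    def __init__(self, hasher: Callable[[Image], str]) -> None:
        self.hasher = hasher
        self.entries: Dict[str, str] = {}

    def add(self, img: Image, permission: str) -> None:
        self.entries[self.hasher(img)] = permission

    def check(self, img: Image) -> Tuple[bool, str]:
        perm = self.entries.get(self.hasher(img))
        return (perm is not None, perm if perm is not None else "denied")


# Constructed samples.  GOOD is the trusted program; the others are variants
# a checker has to decide about.
GOOD_TEXT = b"\x55\x8b\xec" + b"\x90" * 29 + b"\xc3"
GOOD = build_image(GOOD_TEXT, b"\x00\x00\x00\x00trial=30")
# Same program after one run: copy protection bumped a byte in .data.
GOOD_AFTER_RUN = build_image(GOOD_TEXT, b"\x01\x00\x00\x00trial=30")
# Trusted program with a loader appended after the last section.
TAMPERED = build_image(GOOD_TEXT, b"\x00\x00\x00\x00trial=30",
                       overlay=b"LOADER: unhook and jump to original entry")
# An unrelated program that is not on the allowlist at all.
BAD = build_image(b"\x31\xc0\xeb\xfe", b"evil")


def fake_pack(img: Image) -> Image:
    """Constructed stand-in for a packer such as UPX: the original code and
    data are compressed into one blob and a stub is placed in front."""
    blob = zlib.compress(img[".text"] + img[".data"])
    return build_image(b"UPX-stub", blob)


BAD_PACKED = fake_pack(BAD)

CASES = {"good": GOOD, "good_after_run": GOOD_AFTER_RUN,
         "tampered": TAMPERED, "bad": BAD, "bad_packed": BAD_PACKED}


def run_demo() -> Dict[str, Dict[str, bool]]:
    """Return, per hashing policy, whether each sample is allowed."""
    results = {}
    for label, hasher in (("full", full_hash), ("selective", selective_hash),
                          ("data_excluded", data_excluded_hash)):
        wl = Allowlist(hasher)
        wl.add(GOOD, "net:allow")          # the only whitelisted program
        results[label] = {name: wl.check(img)[0] for name, img in CASES.items()}
    return results


if __name__ == "__main__":
    for policy, verdicts in run_demo().items():
        print(policy, verdicts)
```

With the whole image hashed, the packed program is just another unknown hash and is denied, but so is the legitimate program after its copy protection has touched .data. Hashing only headers and code accepts the modified program again, and also accepts the copy with a loader appended, because nothing outside the hashed regions is checked. Excluding exactly the one region expected to change, and nothing else, closes that particular gap; it is still only safe if the excluded region holds no pointers, import data or anything else the program consults to decide where to execute, since a change there can redirect control flow without touching a single hashed byte. The example hashes the image bytes it is handed; a checker that reads the file on disk rather than the loaded process would instead see the packer stub and compressed blob, which is the distinction the quoted message draws.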

