Saturday, February 23, 2008

what is application whitelisting?

application whitelisting is, as the name suggests, an example of whitelisting whereby only applications that are authorized get to be executed/interpreted/run...

in the case of application whitelisting the whitelist itself is the list of authorized programs (generally with some integrity information like a cryptographic hash to ensure that a given program is actually the same as the one on the list rather than just having the same name)...

if the whitelist itself is provided by a vendor then it will necessarily be very large (as they have to account for all good programs that anyone might use) and may not include everything a user needs... if, on the other hand, the whitelist is provided by the user him/herself then it will likely only contain the programs that are relevant to the user, but the user will have to decide for him/herself which programs are trustworthy enough to put on the list... either way, the whitelist would need to be updated at least as often as the user's set of authorized software changes...

the anti-malware applications of this technique rely on malware never getting on the whitelist... so long as the whitelist remains malware-free then (barring exotic execution) malware shouldn't be able to run... a second, less well understood requirement is that the application whitelist be able to recognize everything that qualifies as a program, lest some program types get executed without whitelist-based oversight...
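as an added example (not from the post), here is a minimal hash-based whitelist check in python: it illustrates why the list carries a hash rather than just a name, why it must be rebuilt when the authorized set changes, and how a file type the checker does not treat as a program slips past the list entirely... the program names, contents and the set of recognized program types are constructed for illustration...

```python
import hashlib
import hmac
from typing import Dict, Tuple

# file types this checker treats as "programs" (constructed assumption; anything
# outside this set is never compared against the whitelist at all)
PROGRAM_EXTENSIONS = {".exe", ".dll", ".ps1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_whitelist(authorized: Dict[str, bytes]) -> Dict[str, str]:
    """map program name -> sha-256 of the authorized bytes; must be rebuilt
    whenever the set of authorized software changes"""
    return {name: sha256_hex(content) for name, content in authorized.items()}


def check_execution(whitelist: Dict[str, str], name: str, content: bytes) -> Tuple[str, str]:
    """decide whether `name` with `content` may run;
    returns (verdict, reason) with verdict in {'allow', 'deny', 'unscoped'}"""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in PROGRAM_EXTENSIONS:
        # not recognized as a program: the whitelist is never consulted, which is
        # the second requirement the post describes (e.g. code carried in data)
        return ("unscoped", "file type not treated as a program")
    expected = whitelist.get(name)
    if expected is None:
        return ("deny", "not on whitelist")
    if hmac.compare_digest(expected, sha256_hex(content)):
        return ("allow", "name and hash match")
    # same name as an authorized program but different bytes (tampered or replaced)
    return ("deny", "name matches but hash differs")


# constructed sample "programs"; in a real deployment these are files on disk
AUTHORIZED = {
    "editor.exe": b"MZ\x90\x00 constructed editor build 1",
    "backup.ps1": b"# constructed backup script\nCopy-Item C:\\data D:\\backup\n",
}
WHITELIST = build_whitelist(AUTHORIZED)


def demo() -> Dict[str, str]:
    """run the checker over four constructed cases and return the verdicts"""
    return {
        "known": check_execution(WHITELIST, "editor.exe", AUTHORIZED["editor.exe"])[0],
        "tampered": check_execution(WHITELIST, "editor.exe", b"MZ\x90\x00 different bytes")[0],
        "unknown": check_execution(WHITELIST, "other.exe", b"MZ\x90\x00 never authorized")[0],
        "data_file": check_execution(WHITELIST, "invoice.doc", b"\xd0\xcf\x11\xe0 constructed")[0],
    }
```

the "data_file" case is the point of the second requirement: the whitelist cannot deny what it never examines, so the set of recognized program types bounds what the whitelist can protect...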


3 comments:

Scott Curin said...

These are problems that have already been solved. I am a firm believer that whitelisting is the future of endpoint control.

In a business you want a PC to run in a stable configuration without deviation. That is where this technology really shines. Malware, viruses, rootkits, buffer overflow attacks, zero day exploits, all stopped. Couple that with the ability to make changes on the fly, and you have a winner.

I currently offer this service to small business nationwide.

kurt wismer said...

well, at least you make it clear where your biases lie.

the problem of keeping malware off the whitelist is not a solved problem. it is, in essence, the problem of identifying a proposed addition to the whitelist as bad and then avoiding adding it to the whitelist. since there is no magically perfect way to identify that a given file is malware, keeping malware off of the whitelist remains a problem.

likewise, recognizing everything that qualifies as a program is not a solved problem. technically it's not even a solvable problem. anyone who says otherwise is trying to sell you snake-oil.

whitelists have problems, problems that are not solved and in some cases cannot be solved - but that doesn't mean that whitelists aren't still useful. i use application whitelisting alongside known-malware scanning (and sandboxing). i know that whitelisting will stop some things, but i'm aware enough to know that it will not stop everything. in particular exploits are actually a problem for application whitelisting - while many exploits simply download/run other executables which will be stopped by a whitelist, there's nothing stopping the malicious code from being fully encapsulated in the exploit's code itself and would thus not be stopped by an application whitelist because no application whitelist recognizes data (where the exploit is) as program code.

Scott Curin said...

I will yield to your knowledge.

However, if you would like to evaluate the whitelisting technology I mentioned before, I can arrange it.