framing the 3 preventative paradigms
in the ideal case:
- a blacklist blocks access to a protected resource for things/actions that are bad
- a whitelist blocks access to a protected resource for those things/actions that are not good
- a sandbox blocks access to a protected resource unconditionally, offering a comparable low-value alternative resource as a surrogate
balancing the 3 preventative paradigms
the world is not an ideal place, however, and those cases cannot be implemented perfectly:
- the halting problem prevents us from implementing a perfect blacklist and limits us to blocking only those things/actions that are already known to be bad, hence the so-called reactive nature of blacklists
- while the halting problem affects whitelists in the same way, whitelists actually benefit in a way from being limited to only known things/actions. however, the generality of interpretation prevents us from implementing perfect whitelists (as the security world is bound to discover when whitelisting finally crosses the chasm): we will only ever be able to apply application whitelisting to known program types, and so will have to react whenever we discover a new program type being abused.
- while the generality of interpretation may make it difficult to know when a sandbox needs to be used, what prevents sandboxes from being perfect when they are used (barring implementation failures that lead to unaided sandbox escape) is the need to share data across the barrier erected by the sandbox, a need inherent to the division of labour, not to mention a variety of other useful and interesting things we do with computers.
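to make the three paradigms and their limits concrete, here is a toy model in python. it is an added example, not code from the original post: the program names, the protected path and the surrogate path are constructed placeholders, and each paradigm is reduced to a single decision function so that the failure modes described above can be seen side by side: the blacklist passing a not-yet-known program, the whitelist passing an unknown script because only the (known, whitelisted) interpreter is checked, and the sandbox losing its guarantee exactly where data has to be shared across its barrier.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# constructed sample data (hypothetical names, not from the original post)
KNOWN_BAD = {"evil.exe"}                  # what the blacklist has learned so far
KNOWN_GOOD = {"word.exe", "python.exe"}   # what the whitelist has approved so far
PROTECTED = "/home/user/secrets"          # the protected resource
SURROGATE = "/sandbox/secrets-copy"       # low-value stand-in offered by the sandbox


@dataclass(frozen=True)
class Action:
    program: str    # executable being run
    operand: str    # what it is run on (document, script, ...)
    resource: str   # protected resource it tries to reach


def blacklist(action: Action) -> Optional[str]:
    """Deny only what is known bad; anything else reaches the real resource.

    Returns the resource granted, or None when access is denied.
    """
    if action.program in KNOWN_BAD:
        return None
    return action.resource


def whitelist(action: Action) -> Optional[str]:
    """Allow only what is known good; unknown programs are denied.

    Only program identity is checked. For an interpreter the behaviour is
    decided by its operand, which the whitelist never looks at.
    """
    if action.program in KNOWN_GOOD:
        return action.resource
    return None


def sandbox(action: Action, shared: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Unconditionally redirect access to the protected resource to a surrogate.

    `shared` models data deliberately passed across the sandbox barrier for the
    division of labour: for those resources the real path is handed back.
    """
    if action.resource in shared:
        return action.resource
    if action.resource == PROTECTED:
        return SURROGATE
    return action.resource


def evaluate_all() -> dict:
    """Run each paradigm against the cases the text describes (constructed)."""
    # a program nobody has seen before: on neither list
    novel = Action("dropper.exe", "", PROTECTED)
    # a whitelisted interpreter running an unknown script
    interp = Action("python.exe", "payload.py", PROTECTED)
    return {
        # blacklist is reactive: the novel program is not yet known bad
        "blacklist_novel": blacklist(novel),
        # whitelist benefits from knowing only the good: novel program denied
        "whitelist_novel": whitelist(novel),
        # generality of interpretation: known interpreter, unknown behaviour
        "whitelist_interp": whitelist(interp),
        # sandbox hands the script a surrogate instead of the real resource
        "sandbox_interp": sandbox(interp),
        # sharing the resource across the barrier gives the real path back
        "sandbox_shared": sandbox(interp, frozenset({PROTECTED})),
    }


if __name__ == "__main__":
    for case, granted in evaluate_all().items():
        print(f"{case:18} -> {granted}")
```

the interesting rows are `blacklist_novel` (the real resource is granted because the list has not caught up), `whitelist_interp` (granted because the interpreter, not the script, is what the whitelist knows) and `sandbox_shared` (granted because the data had to cross the barrier); `whitelist_novel` and `sandbox_interp` show each paradigm doing its job when its precondition holds.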