Application whitelisting is a viable option when you can leverage software signing

Thirty years ago IBM launched the XT5160 -- the first hard drive DOS-based PC. But the computer virus, nowadays so seemingly tied to the PC, actually appeared almost a decade earlier. It took until 1986 for these two threads to come together and the first PC virus, Brain, was born. By 2000, networks we spreading and so were worms like ILOVEYOU which was considered one of the most damaging.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Thirty years ago IBM launched the XT5160 -- the first hard drive DOS-based PC. But the computer virus, nowadays so seemingly tied to the PC, actually appeared almost a decade earlier. It took until 1986 for these two threads to come together and the first PC virus, Brain, was born. By 2000, networks we spreading and so were worms like ILOVEYOU, which was considered one of the most damaging.

Today we still fight viruses and worms, but the scale of the problem has changed (some efforts are backed by nation-states) and many attacks are now targeted at specific companies, machines, types of infrastructure or geography. Luckily application whitelisting tools that leverage software signing can help contend with the evolved threat.

MORE: Whitelisting pushing out antivirus at some security-minded retailers

ROUNDTABLE DISCUSSION: See it, protect it, control it

While virtually all companies today use antivirus programs, these tools rely on a snapshot of the signatures of the bad stuff, so they don't know what they don't know. When there is a new threat with no known signature, it will be allowed to run. This is why some targeted attacks are so successful.

Application whitelisting tools, on the other hand, have two parts. Firstly a snapshot of the computer is made which will contain signatures for all the programs, operating system elements, drivers, etc. Second, an agent is installed which checks everything just before it runs to make sure it was in the original snapshot. Even though this technique still uses signatures, it has the major advantage of being able to block unknown code and prevent what is now know as "zero-day threats."

Application whitelisting

So why so we still have to put up with antivirus tools when we have application whitelisting? Both techniques use signatures (in part) and signatures need to be generated and managed, a fact that has gotten increasingly onerous.

The amount of bad stuff grows daily, and some antivirus signature files today contain in the region of 20 million signatures. And when it comes to taking a snapshot of a PC for whitelisting, a signature file for a standard operating system such as Windows XP Professional will contain something like 50,000 signatures.

By solving the problem of signature management, so that systems can be controlled by an organization's own signature files and those of trusted third parties, much of the administrative overhead is removed and we solve the problem of why application whitelisting is not as widely adopted as logic would suggest it should be.

Most companies hope they never see any bad stuff and have no expertise in the dark science of understanding them. So it is sensible that both the generation and updating of antivirus signatures be "outsourced" to the experts, and that is how the industry has developed.

Application whitelisting appears to require the opposite approach. Because PCs are unique to every organization, then the organization itself would be required to both generate and update the signatures of the good stuff. This might take quite a lot of time and effort -- and appears counter to the current trend of increasing amounts of IT outsourcing. There is also the issue of diversity to handle as well. With antivirus the same signature file can be applied to every machine, but with application whitelisting the worst-case scenario might be that the signature file of every PC is different.

Luckily, whitelisting tools can leverage the concept of software signing, which is becoming commonplace. These signatures contain metadata such as the software author, a checksum to verify that the object has not been altered and versioning information.

Signing involves a process using a pair of keys, similar to SSL or SSH sessions. The private key used to sign the code is unique to a developer or company. These keys can be sel-generated or obtained from a trusted certificate authority (CA). When the public key used to authenticate the code signature can be traced back to a trusted root authority CA using secure public key infrastructure (PKI), then you know that the code is genuine.

TECH ARGUMENT: SSL certificate authorities vs. ???

We see this most commonly today in environments where the source of a given piece of code may not be immediately evident -- for example a Java Web Start application accessed from your browser.

In the context of application whitelisting, the most interesting use of signed code is to provide updates and patches for software. Most OS manufacturers now provide signed updates to ensure that bad stuff cannot be distributed via the patching system.

This same signing process can now be used by application whitelisting solutions. The agent which checks everything just before it runs clearly trusts the signatures generated for that PC in the first place (especially if they have been signed in a way similar to the above). But the trust model can be extended to include other signing authorities.

This means it would now be possible to have a Windows PC which has the trust model extended to include, say, Microsoft, Adobe and a whitelisting supplier, so it can now self-update without any need to manage the signatures in-house. Effectively the management of the signatures of the good stuff has now been outsourced in much the same way as for antivirus.

With certificate-based application whitelisting we have a way of replacing antivirus without imposing a significant time/management overhead.

The Cryptzone Group is a technology innovator of proactive controls to mitigate IT security risk. We bring together the people, processes and technology to mitigate information security risks identified in the key areas of Policy Compliance, Content Security, Secure Access and Endpoint Security. Headquartered in Sweden, the company has offices in the UK, USA and Poland, as well as an extensive partner network with more than 150 global partners. For more information about the company and its solutions, visit www.cryptzone.com.

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies