A perfect security system?

The perfect system for me would be a combination of Antivirus technology, Behavior blocker informed by central database and assisted by a expert system. In addition, limited use of virtualization and sandboxes in certain situations protects the user for unknown apps.

*System wide protection.

The main security system restricts programs in 2 areas, RESOURCES (access to files,folders,registry) and ACTIONS ( starting, spawning child processes,terminate processes,read proccesses, modify processes, hooking, install drivers,access physical memory).

Much like in prevx1, there are already several 'policies' which are usually related to actions, though they can be for resources (change to autostart registries, writing to c:\windows\system32 etc) set , and you can set each policy to different levels which are

1. Heuristics - Leaves it up to expert system
2. Warn only on unknown
3. Warn only on known
4. Always block

You can even set your own (combo) policies, for example if a program creates a file in c:\windows\system32 and then tries to conect outwards.

In addition there is a special policy you can set on/off called "Known app behavior violations" which alerts when specific known apps do something out of the ordinary.

For this to work the central databse would go beyond prevx just tagging a file as known good/unknown/ known bad, it would also have info rules (from central database) on what type of actions it typically does (memory injection, network access, hooking, install drivers etc), and what resources (files/ registry) it reads/modifies/create (see later) etc.

This rules will have priority over the general policies.

If any of these rules are broken - "known app behavior" is violated, the user is informed and allowed to block.

For example ,it wouldn't alert if an antivirus or security type program tried to do memory injection, but if a browser tried it, it would be flagged. Ditto for trying to read files, AVs would be given full access to read/modify/delete files without any problems.


For those who want to run in 'beginner' mode,

There is a powerful heurtistic and expert system that alerts you only to truly unusual activity (configurable) based on a combination of factors (actions,network activity,indenity known etc) and not just one citeria.

Application level protection

*Known applications

As mentioned above,Like in coreforce, Geswall, you can download application rules for well known applications, so that each is highly restricted and has access only to what it needs and nothing more.

These policies if violated will lead to a prompt. (See above).

*Known but dangerous applications

For certain risky apps, like browsers, email clients or basically anything with network access, these apps in additon to the above restrictions are also virtualized, which means that any child processes it spawns are equally restricted, and any changes to files/registry made is tracked and can be reversed (much like Bufferzone)

*unknown applications*

For Unknown applications you can

1. Create your own rules for it or use default unknown rules

2. Allow full acccess relying on system wide restricitions

3. Run it virtulized, tracking all changes so you can reverse changes

 

Hi,

This is an utopia.
There's no perfect security system: security is just a concept, not a reality.
As in the real world, security exists, yes, but in the cimetary (sorry for the black sense of humour).
Since a code is running in an environment, it can be defeated.
This is the case, for AVS, HIPS, IDS and so on.
And since an intruder has an access to a computer, there's no security anymore.

Regards

 

what's a cimetary?

And i DISAGREE in the STRONGEST possible way. Perfect security exists!!

 

I think devilish has laid out a very good template for discussion.

If every piece of kit we each have is flawless, and there are no vulnerabilities in Any of them, and they protect in every concievable way, then perfect security does exist. Leaving out stupid user interaction naturally !

But the Key word here is "concievable". It's the holes that we, or the software people don't know about as yet. It's not possible to design in the blocks to those, of which i imagine there are a great many.

We can only be as secure as it's possible to be at any one moment in time. And right know with all our different set ups, of which some will be much more secure than others, even with Identical systems and software, we are only as safe as we think we are, and indeed may actually be, in this moment !

There's nothing wrong in attempting 100% security, and putting in place all the measures required that we can think of or are able to, financial constraints included. If more people did then they wouldn't have as many, or any problems as some seem to do.

I think that the user should always have options to be informed and allowed to block, if they wish. Opt out/in on whatever they choose should be in there too.


StevieO

 

Hi,
There was a perfect security system.
DOS 3.0.
Mrk

 

You must be joking here...right? How can you ever possibly have perfect security while running the swiss cheese like OS known as Window$? Even with a so-called perfect security set up, you could still be compromised in a number of different ways. I don't care how good at security someone is there will always be some angle they overlook. Let's face it, there is no such thing as perfect security, end of story. Though it's good to strive to be the best you can be and that's about as good as it gets in this world. StevieO's post was right on target.

 

Ok, but what protects us from our own stupid mistakes? It's dangerous to go getting cocky and feeling confident. As soon as we start patting ourselves on our backs saying, "We're completely safe now", THAT'S when you get nailed.

Acadia

 

If a programmer can write a code, as good as it can be, then another programmer will eventually be able to defeat that code...so perfect security will never exist I think.

 

I'm sorry, if a program has no bugs at all how can you possibly exploit it? Perfecty security could exist, but the real problem is that the tasks that today's programs do are often very complex, and nobody (no matter how skilled) can write a very complex program that does these task without eventually making some mistake. Bug-free programs do exist, but they're usually only the ones that do very simple tasks.

 

Sorry, but this is an insult, there is NOTHING wrong with Swiss cheese ! (joke)

 

Nobody's perfect, and imperfect people program imperfect software.. as long as it's people writing the code, there will always be bugs and holes. I don't think it's unreasonable to think that we can have near perfect defense against drive-by infections at present, but you can't say anything about tomorrow, and you won't elminate the human factor.. especially when there's large amounts of money behind the motivation for the attacks.

 

Hi,
Possible perfect security:
OS that is READ-ONLY, like bootable disks. Sounds painful, but ...
OS comes preconfigured for the 99% average users with everything they can possibly dream of. And from that moment on, the user can only USE the OS, no tweaking. Only a single folder for user files.
Mrk

 

Really? How about if we think "We're completely safe at the moment". Is that when you get nailed?

As for Spanner's post, of course i agree, you have to be insane not to agree.

My solution to writing perfect code is simple, we get a program to do it! At first it won't be that good, but you can get it to improve it's own code! Then we can get the improved code writer program to improve itself again and so on.. Bootstrapping itself untill we have the perfect code!

I hear that's kind of like our compilers are built.

 

Many folks have.

Acadia

 

Darn.

I was thinking of taking a break from this computer security business, where i read about all the latest threats and 'cutting edge' security defenses....

But it seems if you are right, this is not possible.

 

Perfect Security comes close I think when you create a virtual environment.

I have Vmware installed on my winxp pro sp2. I'm trying to build this (I have to reformat to create this cause it came to my mind a couple of days ago - I don't think I can pattent this - and the main system was allready build with Internet Access and all security programs)

I install Windows xp again fully patched up (slipstreamed with latest updates/hotfixes) with Tiny2005, pg, appdefend, regdefend whatever program that does not have to update (this will come later on).
I'll Install NO DRIVERS FOR INTERNET cause I'll leave Internet and everything for the Vmware Session I will install.

Then I install Vmware and I create a new session. (Install a new version of Winxp again) - this session is separated from my main system.
Here I'll Install my Drivers for Internet.

I guess what I'm trying to say is if I leave the Internet for Vmware, my main system will be ok and remain OK, I guess?

I'm about to do this this weekend ... curious though but I think it is doable, and not that big of a hassle cause the vmware session is just an icon.

anyone has some ideas about this experiment?

Thanx

/edit: I do think it's possible to create a perfect security system but it all comes down what to do with this system. Safe Hex will remain the most important thing to practice for having a secure system ..

 

Who writes the program that writes the program (there is a chance that theres a critical flaw that will never get ironed out) ?

How will it improve it own code, will it randomly change the code, test itself for an exception etc, who determines the logic (and does that not invite a further avenue of potential error) ?

How does it handle the difference between flawed design and a simple flaw in the writing of the code, who produces the design/specs/rules to start this process ?

You simply cannot eliminate human error... the logical solution is to eliminate the human, like Skynet decides in Terminator (but maybe not quite as drastic )


What about eliminating the need for a security system by securing the OS as much as possible by configuration ?

Only install software you TRUST (eg test it (for security, stability, bugs) before letting it loose.

Minimal user rights (limited user account in windows), use admin only when needed. Don't even give the privilege to unwanted software to run/install/mess with the system.

If that could be done perfectly then we wouldn't even need a security suit or even an AV as viruses wouldn't be able to do much at all (obviously there will be exploits in bugs (as opposed to insure configuration), but you get that with ANY OS.

 

There is no perfect security system as far as human beings still exist. As you know, human beings are not perfect. They always make mistakes, in developing security system or using security system. They are always lazy - they always want other people to do things for them, even it is only an extra mouse button click. They are always greedy and curious - they will never miss a chance to exploit other people's bank accounts or computer accounts. As a human being, what can you expect?

 

Your perfect system starts already with the wrong technology.
AntiVirus scanners are based on blacklists. What is not blacklisted will infect your computer.
Blacklists are based on what the bad guys do, the most unreliable, unpredictable and uncontrollable source,you can imagine and those blacklists are used to protect the users. Do you call that a good strategy ?
That's not fighting against malware, that's collecting malware and kissing the bad guys for their "good" work.
It's not because everybody agrees with scanners, that I have to accept these scanners. I can think for myself.
Blacklist scanners are a necessary evil, because there is no Whitelist scanner.

 

Do you know the meaning of the word "combination" ? Unlike you, I see the pros and cons of every technology, shadowuser isn't the only game on the block, and
a combination of several methods will be better than any single one.

If antivirus technology can stop malware cold, why not as a first pass?

Thinking for yourself is good, but only if you are a good thinker.

 

Devilish,
Keep on dreaming about scanners, they have a great future.
One day, the employees will spend 4 hours on real work and 4 hours on scanning.
Their bosses will be happy. Good thinking.

 

that should do the trick if something isn't blacklisted

scanners will allways be important, but new technologies will be invented too, new and better heuristics, enhanced integrity control, programs/scanners will be coded better and better .. honestly I don't think it is appropriate to not have an antivirus scanner.

you can count on SU as much as you will, it sure has some drawbacks too...

anyway I don't understand this part actualy:

do you mean a preconfigured/written database like safensec has (whitelist)? or the learning mode which will put all the good services/programs in that list with checksums? all the rest potential danger?

have a great eve y'all

Inf.

 

this is done once a week , with an automatic scheduler which starts at friday around 6 when everybody starts their weekend...

it would be crazy not having an antivirus scanner at work.

what would you suggest then ErikAlbert?

There aren't many other possibilities in a professional work environment...employees answering on program popups would be simply not done, not everybody knows all this, something like SU is simply not done either ... even PrevX would be a hassle too I guess

 

I don't see your point. I use both Deep Freeze and VMWare at work, and it's not like I don't have anything to save. I've see antivirus applications fail so many times that I just see how it's possible to put all the trust into them. And I mean even the best ones (KAV and NOD32, obviously).

 

Which means that threats can do their evil job during one WEEK.
Scheduled AV scanners run one time per day, which means that threats can do their evil job during one DAY.
ShadowUser isn't any better because threats can do their evil job during TWO REBOOTS.

I always try to find security solutions for the less-knowledgeable users.
Scanners have too many disadvantages :
- based on blacklists
- several time gaps in updating of the definition database
- redundancy
- too many scanners needed
- false positives
- increasing scan time
HIPS softwares have annoying questions for the less-knowlegeable users. Too risky for these users.

What is left when you put all these blacklist softwares and HIPS aside ? Nothing except softwares like ShadowUser (SU) and similar softwares like VMware, DeepFreeze, ...
SU doesn't have any of the above mentioned disadvantages.
I don't say SU is THE solution, but there is nothing else with the same big advantages.
So I'm forced to use SU, if I want a solution for less-knowledgeable or even worse indifferent users.
A simple, quiet, time-saving, almost foolproof protection, that requires only a reboot and that's what my type of users want.
I don't see security through the eyes of a security expert, I see security through the eyes of an average user and even when I was a security expert, I still would think like an average user.

I guess you are also doing some experiments, not with SU, but with VMware.
Both work with a virtual environment and the rest are small differences.
So there isn't much difference between you and me.
Once I have my new computer, SU will be my security solution, just because I don't believe in the rest.