Greg Hoglund pokes holes in "Whitelisting" concept

I am not expert enough to comment on the veracity of this analysis, but, the war aint won yet...
Article:
http://fasthorizon.blogspot.com/2008/06/whitelisting-is-next-snake-oil.html

 

Maybe I´m little slow but...

Where does the injected code come from? How does it start? Doesnt it have to be executed (ie whitelisted before it can run) to do the injection.

How can the malware author inject subversive code into processes in RAM if the software that injects the code are not allowed to start in the first place? Is there malware out there that doesnt have to be executed?

 

Hello,
sukarof, I agree ...
And most of the article later on uses bomblastic words to frighten the readers.
Mrk

 

Do "exploits" and "bodyless malwares" ring you a bell?

 

Indeed Code Red, Slammer. I have my opinions and one is security solutions should be simple, robust and I do think av has to some extent gone down the wrong path, signatures are great for business, a never-ending cash flow .

Exactly what I do, dump the memory.

Check out HBGary - Hoglund.
HBGary : Responder, Fastdump, Flypaper.

 

They write this as they want users to continue with traditiona AV, AS etc etc...

After all it,s a matter of money. I will not be surprized if I come to know that these people are being paid by security companies.

 

I have a very different read of the piece.

To me it's a fairly straightforward comment that the next magic bullet (you name it - AV, HIPS, virtualization, whitelisting, and so on, there have been many and there will be many more) coming around the bend is not the panacea of a complete solution. There will be complexities and unintended secondary dependencies to deal with. Ignore the nuances and you're quickly back where you started, except that the precise origins of the problem have simply been recast. Attempt to understand the complexities, and you have a chance to make some progress.

Further, as with any measure, even though it may not be a magic be-all/end-all bullet, it may be very effective in specific situations.

Blue

 

Yes, it can never be magic bullet but it is far more effective than tradionional AV , AS etc.

 

If the whitelisting the author refers to is simply a listing of apps and processes that are allowed and this "whitelist" is the primary means of defense, then the article is at least partially true. If every whitelisted process can launch any other whitelisted process, it will not be a very effective security setup. For whitelisting to be effective, it has to go further than that. In addition to whitelisting the processes themselves, the activities of each should be individually whitelisted as well, especially in regards to what other processes each one can launch or access. It's the integration of apps with the OS and each other that makes most exploits as effective as they are. When the browser is part of the OS, a browser exploit is an OS exploit. When the media player, PDF reader, etc are allowed to launch/access that browser that's part of the OS, and exploit for one of them becomes an exploit for the entire OS. Removing or blocking that integration often prevents a compromised application from becoming a completely compromised system. Applications that handle internet and other external content should be as isolated from the OS as possible, not integrated into it, and not into each other. It may be convenient to play media files and read PDFs in your browser, but it also increases the number of points from which it can be attacked.

This won't stop all possible exploits. Nothing can, at least nothing that anyone would want to use. It will stop a lot of them and will also make many more much less effective by limiting what they can gain access to.

 

Even the bodiless malware begins with an executable. The fact it later runs in RAM is a different story.

As to exploits, unless the particular exploit results in a whitelisted application, like browser, directly accessing a system file, then yes. Most of the time, you will have a download, which initiates a secondary, so-called arbitrary piece of code < with whitelisting, this won't work.

Whitelisting is not a silver bullet, but it is several orders of magnitude more efficient than blacklisting. Default deny is better than default allow.

And the best example to how robust whitelisting is is our fellow member Rmus. He tests malware all the time and his approach kept him fairly safe so far.

Mrk

 

Yes, but that's not the point the executable can be run from another PC where whitelisting is not active. Remember Slammer? Just run the first dropper, then it spread as it want, without dropping any executable on the victim machine.

You've given the answer. Moreover, don't use the word "Most of the time", because the one you've shown it's simply one of the ways an exploit can hit.

 

Hello,

Some browsers do not have system access - Firefox, Opera.

Second, it may take a single machine to become infected, but it has always bee the Achilles' Heel of LAN - a single weak machine.

However, proper patches + firewall, Slammer is a non issue.

That said, show me one exploit where an exploit is executed directly on the system, through the browser, skipping the drive-by and secondary execution.

That said, show me one exploit where this works in non-IE browsers.

Mrk

 

Thanks Mrkvonic.

I´ve just been surfing around an hour reading in about how exploits and "bodyless malware" works to ask the questions you just did

 

Mh, maybe my english has not been so clear. Let me explain everything again.
What are you saying?

What do you mean with "system access"?

What does this sentence mean? You can even adapt multi layered defense and you'll have only few chances to get infected. That's not the point!
We're talking about whitelisting, and whitelisting by itself would not have have been able to stop Slammer by design. It could have been able to block only the starting dropper, yes.

 

Hello,

Maybe, my English was not clear.

For people at home, Slammer is a non-issue. You use whitelisting, you stop the initial execution, game over. Stopping the dropper is the whole thing.

System access - ability to read, write to root, in Windows case this being the Windows registry, folders etc. IE can do this via FSO, Firefox / Opera and other browsers cannot. Only if there's a vulnerability in the JS engine or similar, but you can also allow a file and defeat whitelisting yourself. Nothing will protect against the user.

And what's your point? People should use blacklisting products? Because of one worm that infected a few unpatched corporate machines in 2003 or so? And was gone with a reboot?

Give me another example. Furthermore, give me one example that will work for Opera or K-Meleon or Firefox.

Mrk